Cybersecurity Bills Could Reshape GPS Anti-Interference Efforts

Legislation moving through Congress could reshape efforts to counter GPS interference as the government steps up its efforts to fight cybercrime and protect critical systems like the power grid and communications networks.

Though cybersecurity generally focuses on protecting information systems, the broad definitions in some legislation now on the Hill appear to encompass GPS support systems, some user communities, and even the constellation itself.

The Promoting and Enhancing Cybersecurity and Information Sharing Effectiveness Act of 2011, or PRECISE (H.R. 3674), addresses “critical infrastructure information systems,” which are defined as “any physical or virtual information system that controls, processes, transmits, receives, or stores electronic information in any form, including data, voice, or video, that is . . . vital to the functioning of critical infrastructure.”

The bill further defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

DHS Role
If passed, PRECISE would set the responsibility for cybersecurity squarely within the Department of Homeland Security (DHS). The agency would assess risks, coordinate mitigation, and set new cybersecurity regulations for “covered critical infrastructure” which, again, could encompass GPS.

Interestingly, DHS already has GPS protection within its portfolio under the terms of a 2004 National Security Presidential Directive, although it is for all purposes a largely unfunded mandate. The federal department has been working for more than a year on an extensive assessment of how disruptions to satellite navigation signals would affect five key sectors: banking and finance, communications, emergency services, energy, and transportation systems.

DHS considers GPS an enabler to 14 of the 18 identified U.S. critical infrastructures and key resource sectors that cybersecurity addresses and "essential" to 11 of those. However, the GPS technology and system infrastructure apparently has not been officially accepted as a critical infrastructure itself. Though the GPS system has yet to be designated a critical infrastructure, it arguably fits within PRECISE’s definitions and supports sectors such as banking, energy, and communications that are officially deemed critical infrastructures.

The department is also laying the groundwork for a GPS interference monitoring system called Patriot Watch, which would tap information from sources like cell phone and fleet management systems to locate jamming sources. There is even a DHS employee detailed full-time to the National Coordination Office for Space-Based Positioning, Navigation, and Timing.

PRECISE, however, could expand DHS’s role. Greater resources would likely become available along with reporting requirements, and the department could have greater involvement in international discussions. There could also be changes to how, and how openly, GPS interference incidents are reported.

“There is a possibility that when we are talking about how you report (interference) events,” explained a source who asked to remain anonymous, “. . . you may have another chain that you have to report to if it is ruled a cybersecurity incident.”

Distinctions could start to be made, for example, between reporting interference to personal services such as OnStar and interference with GPS signals used by systems like the power grid or stock exchange where disruptions have broader consequences.

“Right now we treat any GPS interference as the same kind of thing. We have an established procedure for how you report a GPS interference event,” the expert explained. “You make a formal incident report (to the U.S. Coast Guard Navigation Center) and then it goes out to certain agencies.”

New legislation could also put interference reporting more under the purview of law enforcement, said the source, where incidents generally are not made public because exposing the details could compromise an investigation.

“This is something that has to be looked at, because right now we try to get situational awareness out to as many people as we can, as quickly as we can on any GPS-related interference — except for [those involving defense systems],” said the source. “If you are talking about a different kind of reporting chain that goes through the cybersecurity division in the FBI or maybe in Homeland Security, then it may not be open. So we have to work that out.”

Such a change could require exercises to test different scenarios, more resources, and even new hardware or software, the source said.

Fortunately, new resources are one step closer to being available. The House passed H.R. 2096, the Cybersecurity Enhancement Act of 2011, which mandates that nine different agencies — including the Departments of Defense and Commerce — come up with cybersecurity research plans and report regularly to Congress on the funding designated for those plans and on their progress. In June 2009, DoD set up the U.S. Cyber Command (USCYBERCOM) based at Fort Meade, Maryland, under the authority of the U.S. Strategic Command.
The bill covers federal “information assurance” and “critical infrastructures” including electric power, banking, telecommunications and emergency services. It also appropriates money to the National Science Foundation for cybersecurity research.

However, even within DoD, GPS has apparently not yet made the cut for cybersecurity status and the associated funding, although GPS data is a key resource within the "netcentric" operational paradigm toward which the U.S. military is moving, and the need to apply information assurance to the distribution of GPS data is well accepted within defense circles.

The House also passed the Advancing America’s Networking and Information Technology Research and Development Act of 2012 (H.R.3834), which requires agencies to support long-term, interdisciplinary research and regularly assess the funding they are supplying for that purpose.

PRECISE Effect Still Uncertain
As for the PRECISE Act, it has 10 Republican sponsors and is similar to the plan favored by the White House. Even so, the measure is reportedly bogged down, held up by election-sensitive Republican leaders who are worried about imposing new regulations right before voters head to the polls.

What did pass the House is the highly controversial Intelligence Sharing and Protection Act or CISPA (H.R. 3523). Its main thrust is encouraging the reporting and sharing of cyber-threat information between the private sector and the intelligence community. Given that GPS and its control segments are run by the U.S. Department of Defense, at least some such sharing is likely already in place when it comes to protecting the constellation and its support systems.

However, the GPS-derived location information in the hands of service providers such as phone companies, delivery services, or car navigation could conceivably fall under CISPA and be caught up in the privacy fight surrounding that legislation.

“It is certainly easy to come up with a scenario where somebody’s location data could become implicated in a CISPA investigation,” said Rebecca Jeschke, media relations director and digital rights analyst for the Electronic Frontier Foundation (EFF). “Any provider only need come up with a plausible scenario regarding national security.”

EFF and a phalanx of other privacy organizations oppose CISPA, which would shield companies from liability if they share data with the government “in good faith.” Opponents say language in the bill is so broad and vague that it threatens to shred consumer privacy.  

Whether any of the pending legislation will affect GPS users ultimately depends on how Congress makes the fine distinctions between what is, and is not, covered under “cybersecurity,” said Tony Russo, director of the PNT National Coordination Office. Some bills, for example, “refer to radio frequencies, which I would say we fall under. If it refers only to mobile communications I would say we do not fall under that.” It all depends on the final wording, he added.
