The new Cybersecurity Solarium Commission should consider addressing GPS vulnerabilities as it develops a strategy to protect the U.S. against attacks on its computer systems and infrastructure, experts agreed.
Inspired by an analysis that guided officials during the Cold War, the U.S. is about to launch a yearlong assessment of its cybersecurity situation with the goal of devising a long-term strategy
Sixty-five years ago Project Solariumrecommended containment as the best game plan for dealing with the Soviet Union. It’s newly approved namesake, the Cybersecurity Solarium Commission, will soon gather top federal officials, members of Congress and subject matter experts to determine how best to protect “the crucial advantages of the United States in cyberspace against the attempts of adversaries to erode such advantages.”
“Eisenhower in the early 1950s recognized that we were well into the nuclear era and yet we didn’t have an offensive strategy or a defensive strategy,” said Sen. Ben Sasse, R-Nebraska, who authored the Solarium measure. “We didn’t have a long-term human capital strategy. We’re in the same place, actually (a) worse position, in cyber now—26 years into the cyber era and no definable doctrine.”
The question now is how the Cybersecurity Solarium will approach its task and what it might take on. Though the new Solarium was approved as part of the fiscal year 2019 National Defense Authorization Act (NDAA) it’s mandate is not strictly military. The fact sheet issued by Sasse’s office says the group will work to protect the U.S. political system and innovation base as well as its national security industrial sector. Those sectors depend directly or indirectly on the timing data supplied by the GPS signal.
Though not itself considered critical infrastructure the GPS system was deemed by the Department of Homeland Security to be a “cross-sector dependency” for 13 of the nation’s 16 critical infrastructure sectors. The three remaining sectors also had some dependence.
For a long time, however, folks did not did not agree that GPS vulnerabilities should be addressed as a cyber issue, said Dana Goward, president and executive director, Resilient Navigation & Timing Foundation. “However in the past several years the people that we’ve been talking to in the government, especially in the Department of Defense, have agreed that rather than being considered electronic warfare—or in addition to being considered electronic warfare—GPS disruption should also be considered a cyber issue.”
That shift may be due to the growing realization that GPS provides more than just location and navigation capability. It also provides consistent, global, extremely accurate time.
Timing Is Everything
A lot of the U.S. security industrial sector and the American innovation base rely on data centers, many of them in disparate parts of the world but networked together and synchronized by GPS-supplied time.
“Most of these systems—I’d say 99.9 percent of them, use the network time protocol,” said Paul Skoog, senior product marketing manager at Microsemi, a leading provider of time servers and atomic clocks. “I bring that up because the network time protocol uses UTC, universal time coordinated, so it’s not time zone dependent.”
The systems use GPS to derive UTC time, he said, and UTC is what goes, for example, into the time logs with which data center managers can map and trouble shoot activity across an entire network.
“If you’re an IT (information technology) guy and you’re in the data center, you may have racks of equipment running hundreds or thousands of virtual machines. If anything goes wrong really the only place you have to turn to, to help start sorting out the problem, are the log files,” Skoog said.
If the times in those logs are off it can create “tons of issues,” said Casey Hill, data center manager at Digital Realty in San Francisco. “Just trying to get a correct timeline on, for instance, a certain event that takes place in the data center. You can get, definitely, some misleading information.”
And the logs are about more than trouble shooting server problems. Though it will not ultimately prevent an IT team from tracking the path of a hacker in their system, spoofing the GPS signal at a location being used to access or transit the network “certainly would impact the real-time ability to properly diagnose it,” Skoog said.
“You are globally vulnerable from the time perspective—because you’re using time to diagnose what happened,” said Skoog, whose firm sells a firewall that specifically monitors the GPS signal for anomalies that are the telltale signs of spoofing.
Timing is also used, Skoog said, to protect a system from unauthorized users by, for example, only allowing access in narrow windows of time. Users would have to know the time of the access widow in advance. Also, having narrow windows reduces the chance of a replay attack where a legitimate packet of information is captured, altered and resubmitted.
Throwing the time off would most likely be the result of GPS spoofing. While jamming actually blocks the signal altogether it could cause time log problems indirectly.
Most systems will have a timing backup of some kind, likely some kind of clock. With the exception of the very expensive cesium clocks these backups drift and must be reset at some point using the GPS signal to maintain sufficient accuracy. Without a reset the communications between the data centers can be impaired or cut when the synchronization drifts too far off, those who spoke to Inside GNSS agreed.
“If you have two data centers, for example, one for primary use and the second one for back up. All that information would be synchronized,” said Stephan Gerling, a cybersecurity expert and self-described security evangelist. If the time of both data centers drifts too far apart the backup function “will not work any more.”
Even legacy centers—that is data centers with older systems that do not use GPS because retrofitting does not make business sense—can fall prey to GPS problems.
“We have it (GPS) in our access readers for getting in and out of the data center,” said Hill. “…If those got messed up all our time stamps would be off. So if we’re trying to pull a report to see the last time you were in the building, and we didn’t have the appropriate time clocks or time stamps for it, it would be misleading. It would affect whatever type of report we’re doing—audits, things like that.”
Beyond undermining data center operations jamming, spoofing or the loss of the GPS service though, say, a solar flare have the potential to bollox a wide range of systems including communication networks. Should addressing these GPS vulnerabilities therefore be a cybersecurity issue for the Solarium? All experts who spoke to Inside GNSS, from both the GPS and cybersecurity communities, said ‘Yes.’
“So (GPS is) one of the things you have to take into the cyber threat as part of it when you look at total risk assessment,” said Andrew Bach, a global financial technologies consultant specializing in network services, telecommunications and security. “Given how dependent we, not only as a nation but as a world, have become on GPS it’s one of those things we really need to maintain and make sure it’s up and running and correct and in tip top shape—and not have someone tampering with it regardless of how they choose to do it whether it’s throwing rocks at satellites or whether it’s sitting in a dark corner with a terminal hacking away.”
“The Readers Digest version is that GPS/GNSS disruption disrupts communications pathways because it can mess up networks,” said Goward. “It impacts end-use devices like cellphones and navigation devices and timing receivers. And if it’s spoofing, or if it’s just jamming … it can put bad data in databases. So 1, 2, 3—that sounds like a cyber security issue for me.”
Cybersecurity Solarium Commission
Created as part of the John S. McCain National Defense Authorization Act for Fiscal Year 2019, the Commission will have 13 members including the principal deputy director of national intelligence, the deputy secretary of homeland security and the deputy secretary of defense.
Three members will be appointed by the majority leader of the Senate and two will be appointed by the minority leader of the Senate. Of these each leader gets to pick one member of the Senate with the others being experts. The speaker and the minority leader of the House of Representatives get a similar allotment of five with two being members of the House.
Despite signs of support for the measure, congressional conferees working through House and Senate differences in the defense appropriations bill allocated no dedicated funding for the Commission in their September 13 conference report. They did “encourage the Secretary of Defense to provide the resources necessary to support this effort.”
The Commission, which will have subpoena power, must submit its findings by Sept 1, 2019.
The cybersecurity of the GPS satellite system and its ground stations has long been a top priority.
Raytheon, the prime contractor for the new GPS next-generation operational control system or GPS OCX has been working to incorporateinformation assurance standard DODI 8500.2, without waivers, giving the system “the highest level of cybersecurity protections of any DOD space system,” Raytheon said in a March statement.Though that effort has thrown the program seriously off schedule and over budget the Air Force has stuck with it due, in part, to the importance of those tighter standards.
Satellite contractor Lockheed Martin is taking an equally serious approach.
“Lockheed Martin bakes full-spectrum cyber security into the design of every one of its products from the start, including our GPS III satellites,” said Lockheed spokesman Chip Eschenfelder. “On the GPS groundside, Lockheed Martin has spent the last five years modernizing the GPS Operational Control Segment (OCS) hardware and software to address today’s cyber threats. We have also added resiliency features to the system, allowing GPS to operate through a variety of threat scenarios.”