Unmanned underwater vehicles risk attack by cyber criminals.
(Source: public domain / Pixabay)

CYBERSECURITY The battle to secure autonomous vehicles under the sea

Author / Editor: Cate Lawrence / Isabell Page

Plenty of attention is given to the challenges of securing autonomous vehicles on land and in the air, but the military also needs to secure its underwater vessels, which arguably face a far greater risk from cyberattackers than from physical threats.

Innovations in robotics, engineering, IoT, and data science have hugely disrupted mobility as we know it, as we prepare for a future that includes autonomous vehicles and flying taxis. But the innovation has also shaped industries such as military defence, with the development of autonomous vessels such as submarines.

However, while the military may have the technology chops, with agencies such as the Defense Advanced Research Projects Agency (DARPA) years ahead of companies such as Google, Soft Robotics, and Tesla, they’re failing to keep up with the challenges of cybersecurity. What happens when a mobility apparatus operates largely in stealth mode (such as a submarine) and can not only be used to carry out cyberattacks, but is also at risk itself of being attacked by state agents or other nefarious operators? The depths of the ocean are awash with security risks including insurgency, terrorism, international crime and hacking by state-based influences. And one of the biggest challenges is securing unmanned water vehicles.

What are unmanned underwater vehicles?

Unmanned underwater vehicles (UUVs), also known as underwater drones, are vehicles able to operate underwater without a human occupant. They may be autonomous or remotely operated. Their tasks include:

  • In-shore and offshore surveillance
  • Anti-submarine warfare
  • Ship inspection
  • Scientific research and exploration
  • Mine countermeasures
  • Search and salvage operations
  • Port and harbor security
  • Intelligence, surveillance, and reconnaissance

The vehicles range from mini underwater drones to missiles and Extra Large Unmanned Undersea Vehicles (XLUUV).

The owners of such vehicles are not limited to the military. They also include research organisations and large companies that work under the sea (mining companies and those laying fibre optic cables, for example). The collection of images and data can be used to locate missing planes, map the ocean floor or locate military underwater apparatus, such as the underwater military bases of political opponents. As with most industries, much of the work that goes into making UUVs is contracted out to a plethora of enterprises, ranging from camera makers to undersea networking providers and R&D.

What are the cybersecurity risks?

While an autonomous underwater submarine, missile, or drone could be attacked with a missile, it would be far easier to attack the software which includes R&D, mapping and military tactics. Research in 2018 by the British American Security Information Council (BASIC) asserts that “a successful attack could neutralise operations, lead to loss of life, defeat or perhaps even the catastrophic exchange of nuclear warheads (directly or indirectly).” They also assert the very possibility of cyber-attack and the growing capability to launch an attack against ballistic missile submarines (SSBNs) “could have a severe impact upon the confidence of maintaining an assured second-strike capability and therefore on strategic stability between state

In 2019, Chinese hackers focused on underwater warfare technology targeted 27 US universities around the world, including the University of Hawaii, the University of Washington and the Massachusetts Institute of Technology, in a bid to steal naval secrets. In 2018, Chinese government hackers compromised the computers of a Navy contractor and harvested sensitive data dealing with undersea warfare, including plans for a supersonic anti-ship missile. In May this year, Britain's Ministry of Defence contractor Interserve was hacked, reportedly leaking the details of up to 100,000 past and current employees. The seizure of a US UUV by China in 2016 further highlights the importance of securing sensor data.

Why and how are UUVs vulnerable to hacking?

Most people with an interest in IoT will recall the WannaCry ransomware attack in 2017, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It affected software across the world in organisations such as the NHS, Deutsche Bahn, Maersk shipping, and Telefonica. Bizarrely, at the time the UK Ministry of Defence asserted that their submarines were not prone to cyber attacks such as the WannaCry ransomware because they are not connected to the internet at that point. BASIC remains critical of this belief, as even if attacks were achievable while the vessels are at sea, their presence at the Scottish naval base provides an opportunity, and the authors assert: “Advanced nano and bionic technologies such as implantable and subdermal data storage and communication devices may be smuggled into the vessel and activated autonomously, manually, or remotely.”

They further note that regular radio transmissions from ashore could be used for limited-bandwidth cyber-attacks, spoofing or activating pre-installed malware programmes. Such highly covert, adaptive and targeted programmes could be designed to trigger in response to particular events, such as the Stuxnet attack of 2005 against the nuclear program of Iran.

However, the challenge is not limited to the UK. A recent internal Navy review provided to the Wall Street Journal in 2019 paints a dire picture pitting hackers against the Navy. The review includes 85 interviews and 31 site visits, examining various aspects of cybersecurity. It’s admittedly heavy on the hyperbole but painfully honest, and offers an extensive review of the problem and a detailed plan for remediation. It contends that “our global rivals, differently organized, have enterprises that have demonstrated the capability to adapt and incorporate these new technologies at a much faster rate than the Department of Defence.”

The problems are a combination of culture and technology. The review describes an internal culture “characterized by a lack of understanding and appreciation of the threats, and inability to anticipate them, and a responsive checklist behavior that values compliance over outcomes, antiquated processes and governance structures that are late to respond to dynamic threats, and an enterprise whose resources are consumed by force structure and platforms that deprive the information systems and capabilities required for warfighting and defense in this environment.”

Even worse, only a very small subset of security incidents are “known”, and of those known, an even smaller set are fully investigated. Then there are key examples of an inability to stay ahead of cyberthreats, including:

  • Navy secretariat installing four-year-old Windows 10 in February 2019.
  • USS Gerald R. Ford being commissioned and delivered with Windows XP.
  • LCS and DDG-1000 class ships are being developed with excepted IT networks.
  • CYBERSMART buildings constructed without cybersecurity built-in.
  • Legacy warfare systems kept in service with no plan to update or add cybersecurity.

What’s clear is that mass surveillance and data sharing, and the rapid development and spread of technology and processing power across civil and military sectors, offer advancements in innovation. However, it’s equally high risk, as creators of UUVs and their infrastructure play a cat and mouse game with state agents who are all too commonly ahead of the game when it comes to cybersecurity. Legacy institutions such as defence have no choice but to not only keep up with but surpass the competitive advantage currently held by those behind today’s cyber threats.