How not to do security, Drone Video Edition
This is probably considered to be “old news” by many, but I’m high-latency in my news at the moment.
Much was made of the fact that the US Military’s enemies are now eavesdropping on the video feeds from US Drones on the battlefield using cheaply available commercial technology. But it’s OK, because according to the Military, there was a Good Reason why it wasn’t encrypted [link to http://www.networkworld.com/news/2009/121809-drone-video-traffic-intentionally-unencrypted.html?source=NWWNLE_nlt_daily_am_2009-12-21 no longer works]:
The reason the U.S. military didn’t encrypt video streams from drone aircraft [link to http://www.networkworld.com/news/2009/121709-drone-intercept-encryption.html no longer works] flying over war zones is that soldiers without security clearances needed access to the video, and if it were encrypted, anyone using it would require security clearance, a military security expert says.
I can only hope that this is not really what passes for logic among the security decision-makers in the U.S. Military and their contractors. There is additional information in the article which tells us that they at least performed a risk assessment, but the assessment seems to have been flawed.
It’s always easy to second-guess decisions in hindsight, but if the rationale given is even minimally truthful, then what they have essentially said is, The video feed was not encrypted because the policies which would have then applied would have been too onerous.
That’s not to say that my summary of the rationale is not sound in certain cases–after all, the processes necessary to comply are part of the cost of a countermeasure. But in this case, the policy was clearly flawed Who wants to bet that the same un-cleared soldiers never have access to encrypted radio links, or that they use military Web sites encrypted with SSL?
Access to (shared or symetrical) encryption keys probably does (and probably should) require a clearance, but claiming that requirement would extend to utilizing the encrypted link as rationalization for not doing so strikes me as a bit absurd.
Similarly, this justification:
…the video information loses its value so rapidly that the military may have decided it wasn’t worth the effort to encrypt it. “Even if it were a feed off a drone with attack capabilities, and even if the bad guys saw that the drone was flying over where they were at that moment, they wouldn’t have the chance to respond before the missile was fired,”
also fails to pass muster.
A key element of insurgency and counter-insurgency is the hide-and-seek aspect of it. The initial value of drones was their ability to monitor large areas in real time and loiter on-scene for much longer (and more cheaply) than conventional aircraft. As a result, drones are a huge force multiplier for the US and its allies in counter-insurgency operations. If the insurgents are able to determine where the US forces are looking for them, that is extremely valuable intelligence to the insurgents, since they can then identify which logistical routes or encampments are potentially compromised and re-route forces accordingly.
Using drones as a delivery platform for munitions, on the other hand, is relatively rare and was not, in fact, even in-scope for the drones when initially deployed.
As a general rule, justifications for risk acceptance based on exceptional cases should be taken as evidence that the decision was bad. This is not an exception to that rule.
Field units in Iraq sometimes used ICOM handhelds, which were required to have voice scrambling (at minimum) or full encryption. So the argument that troops need clearance to use encrypted and decrypted signals is completely bogus.
Hence, sending the drone video feed in the clear sounds more like an accommodation to older field-level equipment (without encryption capabilty) and outdated acquisition contracts.
I’m guessing the argument that the soldiers need a clearance to access encryption is incorrect. Military expert or not, the quote given by Kahn isn’t from the military itself.
On the other hand, the Air Force did give an answer recently, which I’ll link here:
http://www.flightglobal.com/blogs/the-dewline/2009/12/deptula-whacks-predator-hack-w.html [link no longer works]
While I agree that there’s a certain usefulness to knowing if you’re being watched or not, the Air Force seems to weigh this in-line with other costs/benefits:
1. As Gary pointed out, encryption of these signals can result in outdated equipment being unable to receive the feeds. It’s something anyone has run into in a mixed computing environment, one OS supports a better security profile than an older one, yet the system is forced to the lowest common denominator for compatibility. It’s not pretty, but it takes time and testing to get newer equipment in the field.
2. Key management is a pain in the ass even stateside. I can only imagine what it’s like in the field.
http://www.schneier.com/blog/archives/2009/12/intercepting_pr.html
Broadcasting in the clear is certainly not an idea solution, but it seems to me that while there’s a potential downside here, the drawbacks to encrypting the transmissions are numerous.
@Chris:
I don’t disagree with your comments at all. I think, however, that you need to re-read my commentary.
My argument was that while someone seems to have assessed and accepted the risk at some point in the past, now that their decision has come under fire, their attempts to defend and rationalize the past decisions are laughably bad and easily disproved by various other examples.