Blog Editor’s Note: Mr. Dana A. Goward, interviewed in the story below, is the President of the RNT Foundation.
June 18, 2019
Observers see an opportunity to incorporate cybersecurity considerations – including on interagency coordination – into an update of the administration’s policy on space-based Position, Navigation and Timing technology, which was identified as a “systemic risk” in the early days of DHS’ National Risk Management Center.
With a calculated distribution of atomic clocks and satellites, PNT technology enables the Global Positioning System in the U.S., but also applications for everything from microsurgery to sensitive financial transactions, as former DHS Secretary Kirstjen Nielsen explained last November in describing the department’s plans.
“It could well be that cybersecurity considerations and a more coherent government structure will be incorporated into that revision of the policy,” said Dana Goward, president of the Resilient Navigation and Timing Foundation and a member of the Position Navigation and Timing advisory board to the National Executive Committee on the issue.
Goward spoke to Inside Cybersecurity following a recent meeting of the advisory board where Curtis Hernandez, director of national security space policy at the National Space Council, announced the coming policy update. Goward said Hernandez did not provide a timeline for the update or avenues for stakeholders to weigh in, and White House officials did not respond to a request for comment.
But especially as DHS’ Cybersecurity and Infrastructure Security Agency narrows its focus to the secure development of fifth generation – 5G – networks, Goward said it’s crucial CISA push ahead with work on standards development and coordinate specifically with the Federal Communications Commission and the Department of Transportation, which have important roles in enforcement and providing infrastructure for resilience.
“PNT is very important for 5G because the cellular networks need to be synchronized and the timing required for synchronizing 5G is going to be significantly more precise than it is right now,” Goward said. “We understand that the timing synchronization for 4G is somewhere between a microsecond and 1.5 microseconds. The early information we’ve seen [on 5G specifications] suggests that it’s going to be somewhere between 250 nanoseconds, so significantly tighter.”
Goward said the Department of Transportation’s work to establish terrestrial backups under legislation passed at the end of last year, to “ensure the availability of uncorrupted and non-degraded timing signals for military and civilian users if GPS timing signals are corrupted or otherwise unavailable,” should help with this.
Charles Palmer, a senior researcher for IBM, has noted timing can be a “fun” element hackers can exploit to yield a “spectacular result.”
Goward said while DHS has offered best practices for operators of GPS receivers to mitigate the threat of cyber attacks, more specific work being done by SAE International – an engineering standards body – could help with the development of procurement guidelines.
“The challenge that we’ve had to date is that there’s lots of anti-jamming and anti-spoofing hardware and software out there, but folks don’t seem to be willing to devote the extra dollars to acquire and use it,” Goward said, adding “part of that is because there’s no standard. There’s no consistent way to describe what a resilient receiver is.”
“The only standards that exist are for aviation and maritime,” Goward said. “But for all these other things, like the electrical power industry, telecommunications, there’s really no standards,” he said.
Goward said that while the DHS guide advises receiver operators to have multiple antennae for resilience, “there’s no Consumer Reports to say ‘here’s the rating across various factors’ for receivers.”
There’s also no procurement language, he said, so that officers can “put on their purchase order that we want to acquire a [Global Navigation Satellite System] receiver that is compliant with SAE,” for example.
During the advisory board meeting, DHS’ James Platt gave a presentation where he flagged the department’s work developing “conformance standards” for the industry with the National Institute of Standards and Technology.
Goward said the voluntary nature of the conformance program suggests neither conformance nor standards would be involved.
But he was hopeful about the possibility of DHS gaining insight from the SAE’s work to provide more certainty.
“I think most people want to do the right thing,” he said. “It’s just a matter of having the tools to do that. And right now, there’s sufficient ambiguity that nobody’s sure, there’s no authoritative description.”
DHS has listed PNT technology under the “connect” category in its list of critical functions, which is meant to inform support for infrastructure prioritization; conducting subordinate analysis; informing intelligence collection requirements; setting incident management priorities; supporting investments in security and resilience; and countering foreign influence.
But as things stand, with significantly diminished enforcement capabilities at the FCC, Goward said “Really, there’s very little to prevent [a malicious actor] from going out and broadcasting a jamming signal on GPS frequencies for their own purposes.”
The FCC is supposed to enforce rules against illegal transmissions and disturbing frequencies by finding and punishing perpetrators. But the challenge has gotten a lot more sophisticated since the days of tracking down people setting up AM transmitters wherever they wanted to broadcast their own music without a license, Goward said, and “The FCC’s enforcement abilities have fallen off.”
But he added, “Even if they were doing it, the three organizations [DHS, DOT and FCC] really aren’t working in concert. I’m sure they’re trying to move along as best they can, but there’s no overall real coordination or federal official that you could say is responsible for PNT cybersecurity.” – Mariam Baksh
Editorial note: Mr. Goward very strongly believes that individuals within DHS, DOT, and FCC are working with each other to protect the nation. There is no concerted or cohesive effort between the three organizations to protect PNT delivery or cyber security, nor is there a responsible federal official that we know of.