Image: DoD photo, PHC C.M. Fitzpatrick

Blog Editor’s Note: While it is always good to highlight the importance of PNT resilience, yesterday’s Executive Order did little else. Almost all the mandated actions are studies, though we have had enough studies and know enough now to make real and important improvements.

The one thing that looks like it might be an action item is the mandate for the Department of Commerce to, within 180 days, “…make available a GNSS-independent source of Coordinated Universal Time, to support the needs of critical infrastructure owners and operators, for the public and private sectors to access.” Commerce has this already at its master clock in Boulder, Colorado.

The real challenge, which this order does not address, is getting that time distributed at the right level of accuracy to those who need it. This is the job of the Department of Transportation per the National Timing Resilience and Security Act of 2018, a task with a December 2020 deadline that will not be met.

We have a copy of the Executive Order here.

Federal Contracts to Require Secure Timing and Navigation Under Executive Order

Key stakeholder says the president’s edict is insufficient and likely to cause confusion over the role of various departments.

An executive order aimed at securing services such as the Global Positioning System continues the administration’s trend of relying on procurement as the main lever in its toolbox for making cybersecurity policy.

GPS, typically associated with popular mapping tools, is an example of Positioning, Navigation, and Timing, or PNT, services used in a broad range of applications including precision banking and microsurgery. It is based on the extraordinary coordination of a constellation of clocks and satellites and is vulnerable to hackers perpetrating “jamming” and “spoofing” attacks that interfere with the receipt of relevant signals.

In November 2018, then-Secretary of Homeland Security Kirstjen Nielsen identified PNT as the primary “systemic risk” to the cybersecurity of critical infrastructure.

The executive order announced today would put the Homeland Security Secretary in charge of overseeing the development of language to include “requirements for federal contracts for products, systems, and services that integrate or utilize PNT services, with the goal of encouraging the private sector to use additional PNT services and develop new robust and secure PNT services.”

Homeland Security has been issuing best practices for adoption by industry to protect itself from cyberattacks targeting GPS over the past several years.

But coordination and education of industry have “often been a challenge for government agencies,” said Dana Goward, president of the Resilient Navigation and Timing Foundation, “especially when the goal is to get industry to spend their own time and money without a mandating regulation or law.”

Particularly at Homeland Security’s Cybersecurity and Infrastructure Security Agency, the focus has been on working collaboratively with the private sector rather than on establishing a foundation for punitive enforcement.

Goward, a member of the National Space-Based Positioning, Navigation, and Timing Advisory Board, told Nextgov that leveraging the federal government’s market power is something the foundation has been advocating.

But he stressed that “we would like to see something more concrete, such as the government specifying performance requirements for the receivers it purchases.”