The internet of defence – cybersecurity strategies and solutions
11 July 2016
Applications for the internet of things are growing in prevalence across the defence landscape, with far-reaching implications for the future of armed forces, but these sensors and systems are vulnerable to attack, creating troubling cybersecurity challenges. Colin Castle explores the potential of these kinds of technologies and investigates how defence departments are addressing such issues.
Over the past few years, we have seen a growing buzz around the so-called ‘internet of things’ (IoT). Once the province of maverick visionaries, the idea has now gone mainstream, with its associated technologies permeating many spheres of everyday life.
From wearable fitness trackers and pet-location monitors to home-surveillance devices, the range of applications for the IoT is steadily expanding as the dream of a hyperconnected world becomes a reality. According to some estimates, 50 billion objects worldwide will be connected to the internet by 2020.
The implications for defence are far-reaching. Always a tech-friendly industry – quick to embrace the cutting edge – defence could clearly benefit from some of the new competencies on offer. Theoretically, IoT technologies could be used to improve battlefield situational awareness, monitor soldiers’ health, provide real-time proactive equipment maintenance and track military vehicles, to name just a few examples.
We are already seeing some adoption of these technologies. An increasing number of weapons are being fitted with online-connectivity features, allowing them to be operated via a computer or tablet. The first ever precision-guided firearm – a smart rifle by TrackingPoint – hit the market in 2011, for instance. With this instrument, the user selects a target, inputs a number of variables like wind speed, and the gun then orients itself to the target and chooses exactly the right moment to fire.
Even more prevalent are Wi-Fi-connected drones, which are used to perform surveillance tasks and execute highly targeted attacks. Drones of this kind could ultimately be attached to a larger government network, such as the integrated force of unmanned vehicles currently being planned by the Pentagon. Described in the US Department of Defense’s (DoD’s) 2013 report, ‘Unmanned Systems Integrated Roadmap’, this would be a semi-autonomous network of systems and sensors, designed to augment the traditional manned forces.
More speculatively, some thinkers in the field have suggested a future for ‘sentient data’. In April 2015, speakers at a US Army Training and Doctrine Command conference claimed soldiers might one day be implanted with sensors. These could transmit data to other people and systems in a kind of man-machine partnership, without requiring the soldiers’ conscious involvement. In essence, the soldiers themselves would become part of the IoT.
Despite the breadth of possibilities, industry adoption has been slower than hoped. According to a 2015 assessment by IHS, the market is seeing a relatively subdued growth curve, climbing a projected 17.7% each year up to 2025 – considerably slower than sectors such as medicine and automotives.
“In the grand scheme of things, when you are looking at many of the other market segments, military and aerospace are fairly limited,” said Mike Morelli, IHS IoT research director, upon the release of the report.
“Historically, what has made this sector unique is the demand for specific manufacturing processes. These demands can be physical, with specifications requiring components to provide greater tolerances to extreme temperature, radiation, magnetic fields and other conditions that pose a special environmental challenge.”
The main stumbling block today, however, is security. In order to meet the safety standards required for military applications, software developers and device manufacturers need to be hyperaware of any potential cyber-vulnerabilities. After all, if systems are exposed to hackers, the security breaches could be catastrophic – data could be stolen and smart weapons reconfigured.
As the US Defense Science Board remarked in a 2013 report, if DoD networks are compromised, “US guns, missiles and bombs may not fire, or may be directed against our own troops. Resupply, including food, water, ammunition, and fuel may not arrive when or where needed.”
At the 2015 Black Hat ethical hacker conference, security researchers Runa Sandvik and Michael Auger demonstrated the techniques they had developed to compromise the TrackingPoint smart rifle. They showed that when the gun’s Wi-Fi was enabled, anyone within range could connect using the default password, and then hack the aiming mechanism to divert ammunition or prevent the gun from firing. TrackingPoint said it would work to address these flaws.
A multidisciplinary approach
There are also fears that hackers might target military healthcare systems and medical monitoring equipment, jeopardise supply chains or disrupt the flow of battlefield information. Moreover, as IoT technologies grow more sophisticated, the security threat may actually be increasing. In a 2015 survey conducted by Cisco, 28% of enterprise organisations said that network security had become more difficult over the past two years.
There is obviously a pressing need for further research – a need that has been flagged up by many leaders in the field. Earlier this year, Lt Gen Edward Cardon, commanding general of US Army Cyber Command, remarked that the recent explosion of connectivity was profoundly affecting the defence sector. Speaking at the Institute of World Politics in Washington, he warned that military applications were not impervious to attack simply due to their military status.
“What we’re starting to realise,” he said, “is that an event that happens in the commercial space could be happening in the government space and could be happening in the military space. So it’s not like it’s all compartmentalised.”
What can be done is an open question, although it’s clear that a challenge of this magnitude will require a multidisciplinary approach. Governments will need to invest heavily in cybersecurity while leveraging the wisdom of academia and the private sector.
The UK Ministry of Defence (MoD) sees industry engagement as critical. Between June and December 2015, the security and intelligence agencies ran a public competition on the theme of IoT security, offering £1 million of phase-one research funding to the companies that brought forward the most innovative proposals.
“The objective was to increase commercial access to the security and intelligence agencies, and to identify the most current ideas to support the government’s drive for the UK industry and general public to benefit from safe working on the internet,” a UK Government Communications Headquarters spokesperson tells Defence & Security Systems International.
This competition, run by the Centre for Defence Enterprise (CDE), posed several questions to industry. It asked companies to identify key IoT technologies that are most likely to affect everyday life in the years to come, and where and how they will be used; what security and privacy concerns will matter most with each application; and what technologies, protocols and standards are best placed to support these sectors.
It also asked entrants to consider what security and privacy principles should be enshrined for IoT devices and their vendors. At present, there is no global security standard in place for military IoT applications and, in many cases, suitable protocols have yet to be determined. Finally, they were asked to suggest alternatives to the emerging virtual and physical hub-based architectures.
There was an encouraging response. Following the assessment period, 13 proposals were accepted and received a chunk of the research funding. Each ran for three months earlier this year.
“We aim to increase the security and intelligence agencies’ knowledge of the technologies supporting IoT,” adds the spokesperson. “From this, the security and intelligence agencies will be able to inform the government, industry and the public of security risks, develop security policies and offer such guidance as is within their remit for safeguarding the public use of internet-based capabilities.”
The competition came at a time of transition for UK defence agencies, which are placing a growing focus on IoT, big data and cloud computing. Last year, MoD chief information officer Mike Stone outlined IT transformation plans designed to deliver “the modern, open and flexible IT we need to support defence activity”, while, in 2014, the MoD procured a top-of-the-range new data centre using the G-Cloud framework.
Invest in the future
Speaking at TechUK’s Public Services 2030 Conference in March, Air Vice-Marshal Mark Neal stated that IoT cybersecurity remained firmly at the top of the agenda.
“Things like the IoT may not be prevalent in the UK and public at large, but they are very much part of the agenda within defence,” he told the TechUK audience. “We need to be smarter about the manipulation of data and information than the other side. For me, this is not an optional exercise – [the enemy is] doing this anyway, and we need to be able to respond like for like.”
His attitude is not uncommon in a sector that increasingly sees the IoT as non-negotiable. Connected devices hold enormous transformative potential: they could enable more complex operations and analyses while reducing human error, improving survivability and cutting costs. As adversaries grow more sophisticated, defence departments need to make smart use of shrinking budgets.
Over the next few years, we can expect to see a wave of investment in these technologies, as well as a heightened focus on cybersecurity. Retaining agility while ensuring security is no simple task, but armies that can do both will have a clear operational advantage on the battlefield.