“Smartphones (and tablets, WdN) are invading the battlefield” , reports the Economist in an article on its website of 8 October 2011. On the same day the hacking of U.S. drones is reported on by several news sites. Coincidence?
Because we can
Yes, of course it is, but still. This hack is one in a long row of reports on hacking or vulnerabilities in the past year. Whether at private companies, security certificates, the EU Commission, smart phones, the list is endless. And here comes this highly optimistic article on the way the Internet will make the lives of our young soldiers safer. Some quotes. GPS will show their position and that of friendlies as well, so friendly fire will become less of a risk. Through an app, information from drones and reconnaissance balloons can be shown on the screen in real time. The handheld devices will be made more robust and battery life can be enhanced. Apps can be downloaded in seconds and, if need be, adjusted within hours. This good stuff will come from consumer companies as they have a vast budget to do research and development, much larger than the military. And, hang on here, soldiers will bring their own devices to the battlefield.
I already was getting a bit perplexed reading this article, but reading that last line, made me drop out of my chair. Again, it seems people are lured by the technical possibilities, in combination with stringent budget cuts. But also war as a computer game sprang to mind, with real kids.
What are potential risks?
Let’s look at this from a very basic level. The U.S. military is going to make use of smartphones and tablets on the battlefield. Just a few thoughts.
a) Let’s start with where almost all devices are made nowadays. China? If I remember correctly Misha Glenny already wrote about unsolicited software inserted on devices in factories China in his book McMafia (2008). b) The software mentioned in the article is Android. As far as I am aware, which comes from reports I read, Android is the most unsafe operating system, because it offers an open platform. c) The first malware hosting apps, keyloggers and autodialers for smartphones have already been reported on. d) AV security is not a standard product delivered on smartphones. Remember the I-bring-my-own sentence? e) If I can think up the possibility of a GPS hack, probably some smart hacker will eventually figure out how to do it. What a soldier is shown on the screen of his smartphone after this, is anybody’s guess. And, who else can read the location of this soldier? f) What is the security level of the private companies involved, who checks these levels and where is their software made? g) What does a young soldier, bored out of his mind, deep in the desert, do with smart devices in his spare time? Especially when it’s his own? Let’s guess. The truth is, that the chances of a hack through unsafe, or worse just plain use are not imaginary, they are a potential threat to every soldier, army, battle. The Internet was never created for this sort of use. And still people continue forward in this unchartered cyber environment. They boldly go, because they can.
Cyber awareness seems fundamentally lacking
Cyber awareness is at present one of the most underestimated measures in the world. It is time that people responsible for strategic choices, whether in the military, government, industry, etc., start to become aware of the issues at stake and the risks involved and stop being mesmerized by possibilities. (The same goes for everyone else for that matter.) Not everything that is technically possible is also smart to follow up on. When something cyber is involved for one reason or another people tend to stop thinking clear. I am not in a position to judge whether the security level of all that was mentioned in this article is adequate or not. For now I do say, that I will not be surprised when something goes horribly wrong. Not even when the rest of the world says its usual line: “Now how was that possible? We never foresaw that this could happen”.
The match between possible and careful
Sometimes it seems to me as if the people defending their systems from the Internet and the people inventing and adapting new tools live on a different planet, with the first group always losing. Or is it that the knowledge of decision makers and their team is not profound enough? There needs to be a match between these two groups. I can’t remember who told me “think before you act” for the first time. It was a long, long time ago. Take the lesson to heed I’d say and get the right people in before you decide on your next Internet steps.
Wout de Natris, De Natris Consult
Prinsenbeek, 8 October 2011