In September 2015, in an appearance before the U.S. House Intelligence Committee, then-Director of National Intelligence James Clapper warned that the next “push of the envelope” in cyber might be attacks that change or manipulate electronic information in order to compromise its accuracy or reliability, instead of the more easily detected deletion or disruption of access to information. With data integrity in question, he explained, decision-making by senior government officials (both civilian and military), corporate executives, investors or others could be “impaired.” Two and a half years later, we may now be seeing the beginning of such insidious attacks, in the context of GPS spoofing — a technique that sends false signals to systems that use GPS signals for navigation.
On Sept. 1, the U.S. government released U.S. Maritime Advisory 2017-006, alerting the shipping industry to multiple instances of GPS interference experienced during the week of June 19 by more than 20 vessels operating in the northeastern part of the Black Sea. News of this incident had spread earlier, with many ships in waters near the Russian port of Novorossiysk complaining that over the course of several days their GPS systems showed their location to be at Gelendshik Airport, more than 19 miles inland.
This incident in the Black Sea demonstrates an increase in reported occurrences of GPS spoofing, and represents one of the first iterations of what may be among the most pernicious forms of cyberattack: data manipulation. In 2016, an incidence of signal interference with the navigational systems of more than 70 fishing boats off the coast of South Korea was reported; this incident was significant enough that it caused the fishing fleet to return to port. The U.S. Coast Guard also has reported that in the summer of 2015, multiple outbound vessels from a non-U.S. port suddenly lost GPS signal reception, disrupting port operations. In addition, although there are many additional contributing circumstances to be considered, some industry analysts also question whether GPS interference played a role in the recent collisions between U.S. naval ships and commercial vessels off the coast of Japan and in the Strait of Malacca.
One reason that data manipulation like GPS spoofing is so insidious is that it can be hard to detect, unless or until an incident results — like a collision. If a GPS system is blocked or jammed, it will be detected immediately either by the operator or by an alarm built in to the system. Subtle manipulation, on the other hand, may trigger no warnings until it is too late.
GPS spoofing, while a subset of data manipulation, can affect all industries and mechanisms that rely, in whole or in part, on GPS. This includes large industries like shipping and airlines, and ranges all the way down to individual users of vehicle navigation systems and smartphones. In addition, data manipulation attacks against large industries like shipping will almost certainly have ripple effects that impact businesses dependent on such industries. As was seen last summer with the spate of ransomware attacks that struck a global shipping giant, interfering with shipping can cause shipments to be unexpectedly delayed, which can trigger a cascade of business disruptions globally.
Furthermore, GPS spoofing can have unanticipated or unintended consequences, in that it can affect all users of a particular GPS signal, not just the primary target of the spoofing attack. For example, the loss of accurate GPS signals noted previously that caused a South Korean fishing fleet to return to port is alleged to be the result of the government of North Korea intentionally interfering with GPS signals in the region. In that case, the interference was alleged to be a security measure to divert navigation signals near the border between the two countries; the fishing fleet was, presumably, an unintended casualty. The recent incident in the Black Sea also may be an instance of unintended consequences. It is speculated that the Russian government intentionally interfered with navigational signals in the region to prevent drones from performing aerial reconnaissance near an estate that belongs to Vladimir Putin. These same signals would affect all GPS navigation systems in the area, including those of commercial vessels out to sea, even though they were not the intended target.
Finally, undermining trust in GPS can cause a crisis of confidence in this technology. A lack of trust can have impacts that range from the willingness of individuals to use location-based smartphone applications to the development of more GPS-dependent products, such as autonomous transportation alternatives.
The increase in the incidence of reported spoofing events may be because spoofing is becoming increasingly easier to do. While jamming a GPS signal requires a powerful transmitter, a large antenna and a significant amount of power, in contrast a spoofing device does not require much power and can be built using hardware and software that is becoming increasingly available worldwide. It is therefore relatively easy to construct, and difficult to trace.
Furthermore, GPS spoofing is a tool that can be used by a wide range of actors, from large governments, which might use it (and some believe already are) as a means of electronic warfare, to criminals and other bad actors, who might use it for piracy, ransom or other illegitimate purposes.
What can be done against data manipulation?
Increasingly, companies and governments may want to strongly consider incorporating data manipulation considerations in their proactive cyberplans and policies. Cybersecurity is not just about protecting data from exfiltration, it is also about protecting data integrity.
One approach could be employing greater redundancy and checks in critical systems. In the GPS context, for example, some governments and private companies are developing new positioning, navigation and timing (PNT) networks, which are intended to complement or supplement the GPS systems currently in use.
One of these systems is an Earth-based long-range navigation system (eLoran), which is based on the long-range radio navigation service (Loran) developed during World War II. In order to provide “a complement to, and backup for” GPS to “ensure the availability of uncorrupted and nondegraded positioning, navigation and timing signals for military and civilian users in the event that GPS signals are corrupted, degraded, unreliable, or otherwise unavailable,” the U.S. House has passed a provision in the Department of Homeland Security (DHS) Authorization Act of 2017 (H.R. 2825), to require eLoran use. South Korea and Russia also are developing similar technology.
Another approach can be better education and training. Both commercial and passenger shipping companies, for example, may want to consider regularized training to help crews recognize when GPS interference may be occurring, and what the appropriate steps are to remediate and report such an incident.
Finally, shipping companies — indeed all companies — may want to be asking what’s next. For example, if GPS systems are being manipulated, could the next target be the automatic identification system (AIS) or satellite AIS (S-AIS), which are used by most commercial and passenger ships as a means of ascertaining the position of other ships in the vicinity? As the attacks grow in complexity and severity, the companies that succeed the most will be those that systematically anticipate the coming risks and take risk-based measures to mitigate them.
Ultimately, this early GPS spoofing is data manipulation’s shot across the bow. More is likely coming, and the shipping industry and all industries must take action before the next attack proves a direct hit.
Michael Bahar, a partner at Eversheds Sutherland (U.S.) LLP, is co-leader of the global cybersecurity and data privacy team. He was previously staff director and general counsel for the minority staff of the U.S. House Intelligence Committee, and former deputy legal adviser to the National Security Council. Bronwyn McNeill McDermott, a special counsel working with Eversheds Sutherland (U.S.) LLP, advises national and international insurance companies on a broad range of regulatory, corporate and transactional matters. Trevor J. Satnick is an attorney at Eversheds Sutherland in the New York office, where he focuses on data issues including data privacy and security, cyberrisk and cyberbreach responses, e-discovery and information governance. Reprinted with permission from ALM Media Properties LLC. All rights reserved. Further duplication without permission is prohibited. Contact (877) 257-3382 or reprints@alm.com.
