Decoding what happened to the USS John McCain in the age of information warfare

On August 21st, 2017, in the early morning hours of local Japanese Standard Time, the Arleigh-Burke class destroyer USS John McCain collided with the Alnic MC, a huge 30,000 ton tanker, off the coast of Singapore.  This latest mishap was an embarrassing continuation of a series of at-sea collisions between commercial shipping vessels and U.S. warships leading many to suspect that something more was happening with ship navigation in the crowded shipping lanes of the South China Sea.

In the aftermath of the collision, several news outlets openly speculated that there may have been some sabotage of GPS or other navigation systems to have caused such a preventable accident.  In the information age, the first thing people began to suspect was that their tools were faulty.

It’s relatively new ground for us. This is the first time we have sent a team from our cyber command here in Washington, Commander of 10th Fleet. Sent a team over there to pull as much data from that ship as possible that records data, to see if there were any interruptions or disruptions that were abnormal. I would also offer to you that just about every three-letter agency in Washington, D.C., has looked to see if there were indications of an intent or a potential acknowledgement of a cyber attack. We have seen — I have personally not seen any evidence of that. But we are not stopping there.”  –VADM Bill Moran to Congress

The thing is, this shouldn’t be new ground to anyone in the military.

Spoofing of GPS signals has been a demonstrated capability for quite some time.  In mid-2013, Professor Todd Humphreys from the University of Texas conducted a live test in the Ionian Sea against an $80M target, the “White Rose of Drachs” superyacht.  During the spoofing attack, Humphreys was able to convince the yacht to change course to correct course.  The problem was that the information is was acting on was fake.

That’s what’s so sinister about the attack that we did. There were no alarms on the bridge.” –Prof. Todd Humphreys

What’s more troubling is that there has been little movement to address this glaring vulnerability until newer GPS satellites with authenticated transmissions can be brought online.  And the problems do not end there.  In 2012, researchers at Carnegie Mellon University were able to show that attacks against GPS receivers can further compromise not just the calculation of position, but can corrupt the proper software functioning on the device:

Our findings suggest despite the fact that GPS is an unauthenticated broadcast protocol, current receivers treat any incoming signal as guaranteed correct. Worse, receivers often run full OSes with network services. Together, the possibility of RF and ethernet attacks creates a large attack surface.” –Tyler Nighswander et al., GPS Software Attacks

Of course, the problems don’t end there.  GPS isn’t the only unauthenticated electronic signal regularly relied upon by both commercial and military ships at sea.

The Automatic Identification System (AIS) also is intended to provide information to a vessel’s bridge watch-standers and maritime authorities to track and monitor vessels.  Some of the information provided by AIS includes position, course, and speed.  It’s also been used by the U.S. warships to monitor ships nearby but only in a passive listen-only mode.

That’s going to change.  The Navy announced recently that warships will start transmitting AIS messages to indicate position in shipping lanes.  It’s also because U.S. warships are specifically designed to present a lower radar cross-section, making something like a large destroyer appear to be a much smaller vessel on a ship’s radar.

There’s just one hitch: AIS messages are also unauthenticated and vulnerable to spoofing.

In 2014, at the BlackHat ASIA conference, an Italian security researcher with Trend Micro Dr. Marco Balduzzi showed that is was possible to transmit fake AIS position messages for ships at sea.

So the Navy finds itself in a difficult position.  The two most common radio navigation aid systems are vulnerable to spoofing because the original system designs never imagined a world where even a non-state actor can disrupt their command and control networks with a laptop and $2000 of software-defined radio hardware.

Maybe they should have imagined it.  In 1992,  the new then-Director of the National Security Agency, Mike McConnell, was intrigued by a movie titled Sneakers.  As told in the book Dark Territory: The Secret History of the Cyber War, McConnell recommended the film to many he talked to at NSA and was particularly captivated by this line from the movie:

It’s run by ones and zeroes, little bits of data. It’s all just electrons. . . . There’s a war out there, old friend, a world war. And it’s not about who’s got the most bullets. It’s about who controls the information: what we see and hear, how we work, what we think. It’s all about the information.” –Kaplan, Fred. Dark Territory: The Secret History of Cyber War

According to Kaplan, McConnell was so influenced by this revelation that he asked NSA rising-star Rich Wilhelm to assume the role of the first-ever NSA Director of Information Warfare.

It should come as no surprise that in the world of counter command-and-control (also called counter-C2) the NSA is top-dog.  Early on in the information age, the NSA discovered that it was far more effective to compromise an adversary command and control network by inserting false messages and commands rather than merely disrupting the system en masse.  False messages impacted coordination between units trying to mount an effective defense.  If you could disrupt this coordination, you could make it impossible to defend against an attack from a sophisticated foe.

In the meantime, the Navy is back to teaching ancient methods of ship steering like manual calculation of running-fixes and celestial navigation.

Everything old is new again.

Featured image courtesy of DVIDSHub