The Cyber Shot Across the Bow: Data Manipulation and GPS Spoofing

This incident in the Black Sea demonstrates an increase in reported occurrences of GPS spoofing, and represents one of the first iterations of what may be among the most pernicious forms of cyber attacks: data manipulation. Last year, an incidence of signal interference with the navigational systems of more than 70 fishing boats off the coast of South Korea was reported; this incident was significant enough that it caused the fishing fleet to return to port. The U.S. Coast Guard has also reported that in the summer of 2015, multiple outbound vessels from a non-U.S. port suddenly lost GPS signal reception, disrupting port operations. In addition, although there are many additional contributing circumstances to be considered, some industry analysts also question whether GPS interference played a role in the recent collisions between U.S. naval ships and commercial vessels off the coast of Japan and in the Strait of Malacca.

One reason that data manipulation such as GPS spoofing is so insidious is that it can be hard to detect, unless or until an incident results, like a collision. If a GPS system is blocked or jammed, it will be detected immediately, either by the operator or by an alarm built in to the system. Subtle manipulation, on the other hand, may trigger no warnings — until it is too late.

GPS spoofing, while a subset of data manipulation, can affect all industries and mechanisms that rely, in whole or in part, on GPS. This includes large industries like shipping and airlines, and ranges all the way down to individual users of vehicle navigation systems and smart phones. In addition, data manipulation attacks against large industries like shipping will almost certainly have ripple effects that impact businesses dependent on such industries. As was seen earlier this summer with the spate of ransomware attacks that struck a global shipping giant, interfering with shipping can cause shipments to be unexpectedly delayed, which can trigger a cascade of business disruptions globally.

Furthermore, GPS spoofing can have unanticipated or unintended consequences, in that it can affect all users of a particular GPS signal, not just the primary target of the spoofing attack. For example, the loss of accurate GPS signals noted above that caused a South Korean fishing fleet to return to port is alleged to be the result of the government of North Korea intentionally interfering with GPS signals in the region of the border between North Korea and South Korea. In that case, the interference was alleged to be a security measure to divert navigation signals near the border between the two countries; the fishing fleet was, presumably, an unintended casualty.

The recent incident in the Black Sea may also be an instance of unintended consequences. It is speculated that the Russian government intentionally interfered with navigational signals in the region to prevent drones from performing aerial reconnaissance near an estate belonging to Vladimir Putin. Commercial drones are programmed to avoid airports by use of a technique called geofencing; by sending false GPS signals to navigation systems that then showed the location of anyone using a GPS signal to be at or near an airport, any drones in the area would be automatically directed to fly away, thus preserving the privacy of the estate. These same signals would affect all GPS navigation systems in the area, including those of commercial shipping vessels out to sea, even though they were not the intended target.

Finally, undermining trust in GPS can cause a crisis of confidence in this technology. A lack of trust can have impacts that range from the willingness of individuals to use location-based smart phone applications to the development of more GPS-dependent products, such as autonomous transportation alternatives.

The increase in the incidence of reported spoofing events may be because spoofing is becoming increasingly easier to do. While jamming a GPS signal requires a powerful transmitter, a large antenna and a significant amount of power, in contrast a spoofing device does not require much power and can be built using hardware and software that is becoming increasingly available worldwide. It is therefore relatively easy to construct, and difficult to trace.

Furthermore, GPS spoofing is a tool that can be used by a wide range of actors, from large governments, which might use it (and some believe already are) as a means of electronic warfare, to criminals and other bad actors, who might use it for piracy, ransom or other illegitimate purposes.

What Can Be Done Against Data Manipulation?

Increasingly, companies and governments may want to strongly consider incorporating data manipulation considerations in their proactive cyber plans and policies. Cybersecurity is not just about protecting data from exfiltration, but it is also about protecting data integrity.

One approach could be employing greater redundancy and checks in critical systems. In the GPS context, for example, some governments and private companies are developing new positioning, navigation and timing (PNT) networks, which are intended to compliment or supplement the GPS systems currently in use. One of these systems is an Earth-based long-range navigation system (eLoran), which is based on the long-range radio navigation service (Loran) developed during World War II.

In order to provide “a complement to, and backup for,” GPS to “ensure the availability of uncorrupted and nondegraded positioning, navigation, and timing signals for military and civilian users in the event that GPS signals are corrupted, degraded, unreliable, or otherwise unavailable,” the U.S. House has passed a provision in the Department of Homeland Security (DHS) Authorization Act of 2017 (H.R. 2825), to require eLORAN use. South Korea and Russia are also both developing similar technology.

Another approach can be better education and training. Both commercial and passenger shipping companies, for example, may want to consider regularized training to help crews recognize when GPS interference may be occurring, and what the appropriate steps are to remediate and report such an incident.

Finally, shipping companies — indeed all companies — may want to be asking: what's next? For example, if GPS systems are being manipulated, could the next target be the Automatic Identification System (AIS) or Satellite-AIS (S-AIS), which are used by most commercial and passenger ships as a means of ascertaining the position of other ships in the vicinity? As the attacks grow in complexity and severity, those that succeed the most, will be those that systematically anticipate the coming risks and take the risk-based measures to mitigate them.

Ultimately, this early GPS spoofing is data manipulation's shot across the bow. More is likely coming, and both the shipping industry and all industries must take action before the next attack proves a direct hit.

*****
Michael Bahar, a partner at Eversheds Sutherland (US) LLP, is the co-lead of the Global Cybersecurity and Data Privacy team. He was previously Staff Director and General Counsel for the Minority Staff of the U.S. House Intelligence Committee, and prior Deputy Legal Advisor to the National Security Council. Bronwyn McDermott, a special counsel working with Eversheds Sutherland (US) LLP, advises national and international insurance companies on a broad range of regulatory, corporate and transactional matters, including business regulation, demutualizations, redomestications, Holding Company Act transactions, mergers and acquisitions credit for reinsurance, investment law compliance, company governance and general corporate matters. Trevor J. Satnick is an attorney at Eversheds Sutherland in the New York office where he focuses on the full range of data issues, including data privacy and security, cyber risk and cyber breach responses, e-discovery and information governance. He can be reached at [email protected].

In September 2015, in an appearance before the U.S. House Intelligence Committee, then-Director of National Intelligence James Clapper warned that the next “push of the envelope” in cybersecurity might be attacks that change or manipulate electronic information in order to compromise its accuracy or reliability, instead of the more easily detected deletion or disruption of access to information. With data integrity in question, he explained, decision making by senior government officials (both civilian and military), corporate executives, investors or others could be “impaired.” Two years later, we may now be seeing the beginning of such insidious attacks, in the context of GPS spoofing — a technique that sends false signals to systems that use GPS signals for navigation.

On Sept. 1, 2017, the U.S. Government released U.S. Maritime Advisory 2017-006, alerting the shipping industry to multiple instances of GPS interference experienced during the week of June 19, 2017 by more than 20 vessels operating in the northeastern part of the Black Sea. News of this incident had spread earlier, with many ships in waters near the Russian port of Novorossiysk complaining that over the course of several days their GPS systems showed their location to be at Gelendshik Airport, more than 32 kilometers inland.

Data Manipulation

This incident in the Black Sea demonstrates an increase in reported occurrences of GPS spoofing, and represents one of the first iterations of what may be among the most pernicious forms of cyber attacks: data manipulation. Last year, an incidence of signal interference with the navigational systems of more than 70 fishing boats off the coast of South Korea was reported; this incident was significant enough that it caused the fishing fleet to return to port. The U.S. Coast Guard has also reported that in the summer of 2015, multiple outbound vessels from a non-U.S. port suddenly lost GPS signal reception, disrupting port operations. In addition, although there are many additional contributing circumstances to be considered, some industry analysts also question whether GPS interference played a role in the recent collisions between U.S. naval ships and commercial vessels off the coast of Japan and in the Strait of Malacca.

One reason that data manipulation such as GPS spoofing is so insidious is that it can be hard to detect, unless or until an incident results, like a collision. If a GPS system is blocked or jammed, it will be detected immediately, either by the operator or by an alarm built in to the system. Subtle manipulation, on the other hand, may trigger no warnings — until it is too late.

GPS spoofing, while a subset of data manipulation, can affect all industries and mechanisms that rely, in whole or in part, on GPS. This includes large industries like shipping and airlines, and ranges all the way down to individual users of vehicle navigation systems and smart phones. In addition, data manipulation attacks against large industries like shipping will almost certainly have ripple effects that impact businesses dependent on such industries. As was seen earlier this summer with the spate of ransomware attacks that struck a global shipping giant, interfering with shipping can cause shipments to be unexpectedly delayed, which can trigger a cascade of business disruptions globally.

Furthermore, GPS spoofing can have unanticipated or unintended consequences, in that it can affect all users of a particular GPS signal, not just the primary target of the spoofing attack. For example, the loss of accurate GPS signals noted above that caused a South Korean fishing fleet to return to port is alleged to be the result of the government of North Korea intentionally interfering with GPS signals in the region of the border between North Korea and South Korea. In that case, the interference was alleged to be a security measure to divert navigation signals near the border between the two countries; the fishing fleet was, presumably, an unintended casualty.

The recent incident in the Black Sea may also be an instance of unintended consequences. It is speculated that the Russian government intentionally interfered with navigational signals in the region to prevent drones from performing aerial reconnaissance near an estate belonging to Vladimir Putin. Commercial drones are programmed to avoid airports by use of a technique called geofencing; by sending false GPS signals to navigation systems that then showed the location of anyone using a GPS signal to be at or near an airport, any drones in the area would be automatically directed to fly away, thus preserving the privacy of the estate. These same signals would affect all GPS navigation systems in the area, including those of commercial shipping vessels out to sea, even though they were not the intended target.

Finally, undermining trust in GPS can cause a crisis of confidence in this technology. A lack of trust can have impacts that range from the willingness of individuals to use location-based smart phone applications to the development of more GPS-dependent products, such as autonomous transportation alternatives.

The increase in the incidence of reported spoofing events may be because spoofing is becoming increasingly easier to do. While jamming a GPS signal requires a powerful transmitter, a large antenna and a significant amount of power, in contrast a spoofing device does not require much power and can be built using hardware and software that is becoming increasingly available worldwide. It is therefore relatively easy to construct, and difficult to trace.

Furthermore, GPS spoofing is a tool that can be used by a wide range of actors, from large governments, which might use it (and some believe already are) as a means of electronic warfare, to criminals and other bad actors, who might use it for piracy, ransom or other illegitimate purposes.

What Can Be Done Against Data Manipulation?

Increasingly, companies and governments may want to strongly consider incorporating data manipulation considerations in their proactive cyber plans and policies. Cybersecurity is not just about protecting data from exfiltration, but it is also about protecting data integrity.

One approach could be employing greater redundancy and checks in critical systems. In the GPS context, for example, some governments and private companies are developing new positioning, navigation and timing (PNT) networks, which are intended to compliment or supplement the GPS systems currently in use. One of these systems is an Earth-based long-range navigation system (eLoran), which is based on the long-range radio navigation service (Loran) developed during World War II.

In order to provide “a complement to, and backup for,” GPS to “ensure the availability of uncorrupted and nondegraded positioning, navigation, and timing signals for military and civilian users in the event that GPS signals are corrupted, degraded, unreliable, or otherwise unavailable,” the U.S. House has passed a provision in the Department of Homeland Security (DHS) Authorization Act of 2017 (H.R. 2825), to require eLORAN use. South Korea and Russia are also both developing similar technology.

Another approach can be better education and training. Both commercial and passenger shipping companies, for example, may want to consider regularized training to help crews recognize when GPS interference may be occurring, and what the appropriate steps are to remediate and report such an incident.

Finally, shipping companies — indeed all companies — may want to be asking: what's next? For example, if GPS systems are being manipulated, could the next target be the Automatic Identification System (AIS) or Satellite-AIS (S-AIS), which are used by most commercial and passenger ships as a means of ascertaining the position of other ships in the vicinity? As the attacks grow in complexity and severity, those that succeed the most, will be those that systematically anticipate the coming risks and take the risk-based measures to mitigate them.

Ultimately, this early GPS spoofing is data manipulation's shot across the bow. More is likely coming, and both the shipping industry and all industries must take action before the next attack proves a direct hit.

*****
Michael Bahar, a partner at Eversheds Sutherland (US) LLP, is the co-lead of the Global Cybersecurity and Data Privacy team. He was previously Staff Director and General Counsel for the Minority Staff of the U.S. House Intelligence Committee, and prior Deputy Legal Advisor to the National Security Council. Bronwyn McDermott, a special counsel working with Eversheds Sutherland (US) LLP, advises national and international insurance companies on a broad range of regulatory, corporate and transactional matters, including business regulation, demutualizations, redomestications, Holding Company Act transactions, mergers and acquisitions credit for reinsurance, investment law compliance, company governance and general corporate matters. Trevor J. Satnick is an attorney at Eversheds Sutherland in the New York office where he focuses on the full range of data issues, including data privacy and security, cyber risk and cyber breach responses, e-discovery and information governance. He can be reached at [email protected].