August 30, 2018 |
By: Kelsey Atherton
In the late 1980s and early 1990s, the Air Force’s Global Positioning System was a continuous target.
“Every year [as] we went through the budget cycle the United States Air Force ... tried to kill the GPS program,” Gen. John Hyten, now head of U.S. Strategic Command, said during a 2015 speech.
“Why would they kill the GPS program? It’s really very simple: ‘Why would we need a satellite navigation system when we have perfectly good [inertial navigation system, or] INS for airplanes? Why would we do it?’ Nobody could see the future of what GPS was going to bring to the world.”
First developed and launched late in the Cold War, GPS made its combat debut in Operations Desert Shield and Desert Storm and ever since has informed the movements and targeting capabilities of the Department of Defense. More than that, since GPS signals were opened to the commercial world, everything from road trips to finding new restaurants to the entire development of self-driving cars has hinged around accessing the reliable signals, that let machines and people know exactly where they are in time and space.
The whole architecture is simultaneously vital and vulnerable and, in the era of a pending Space Force, an unspoken mandate is that it has never been more important that the United States ensure the signal endures.
It is the potential risk of losing GPS, and everything else supported by the satellite network, that serves as the foundation for much of the discussion around a new Space Force. For as long as humans have put objects into orbit, space has been a military domain, but one with a curious distinction from other fighting theaters: while land, sea and air have all seen direct armed confrontation, space is instead a storehouse for sensors, where weapons are vanishingly rare and have yet to be used in anger.
“Capabilities that we have built that we now take for granted in the Air Force, the whole [remotely piloted aircraft, or RPA] fleet that we fly, is impossible without space,” Hyten said at another speech in 2015.
“You cannot have Creech Air Force Base without space because the operators at Creech reach out and talk to their RPAs via satellite links. Those aircraft are guided by GPS. You take away GPS, you take away SATCOM, you take away RPAs. They don’t exist anymore. All those things are fundamentally changed in the Air Force.”
Looking over the horizon
Missiles remain the most effective way for nations to reach out and mess with something in orbit, and so long as GPS satellites cost around $500 million to build and launch, the cost of destroying a satellite will remain cheaper than fielding satellites. There is a double asymmetry here: not only are the satellites that power the GPS network expensive to build and launch, but the United States relies on this network to a far greater extent than any adversary that might decide to shoot those satellites down.
This vulnerability is one reason that the Defense Advanced Research Projects Agency is funding development of networks of smaller satellites, which are individually less capable than existing models but are cheaper to field and replace and will deploy in greater numbers, making destruction by missile a much more expensive proposition. Blackjack, the DARPA program that aims to do this, is focused on military communications satellites first, though the approach may have lessons for other satellite functions.
“Better distribution, disaggregation and diversity of space capabilities can make them more resilient against attacks,” said Brian Weeden, director of program planning for the Secure World Foundation.
“But the specific answer of how best to do that might be different for each capability. The specific techniques to make [position, navigation and timing, or] PNT more resilient may be different than the techniques needed to make satellite communications more resilient.”
Missiles are not the only threat faced by satellites in orbit. An April 2018 report by the Secure World Foundation on Global Counterspace Capabilities details the full spectrum of weapons and tools for disrupting objects in orbit, and also the nations and, in some instances, nonstate actors that can field those tools.
The nations with counterspace programs highlighted in the report include China, Russia, the United States, Iran, North Korea and India, all of which (barring Iran) are also nuclear-armed nations. Beyond anti-satellite missiles, which only China, Russia and the United States have demonstrated, the other means of messing up a satellite are the familiar bugaboos of modern machines: electronic warfare, jamming and cyberattacks.
“The most important thing is that it’s not always about the satellites in space. Space capabilities include the satellites, the user terminal/receivers, and the signals being broadcast between them. Disrupting any one of those segments could lead to loss of the capability,” Weeden said.
“In many cases, it’s far easier to jam a satellite capability rather than destroy the satellite. And, from a military perspective, the end effect is what’s important.”
A satellite that cannot broadcast or whose signal cannot overcome the strength of a jammer is a satellite that is functionally offline, and the means to disable satellites extend beyond the traditional strengths of near-peer competitors to the United States and down even to nonstate actors.
In 2007, the Tamil Tigers reportedly hacked the ground nodes for a commercial satellite and were able to gain control of its broadcasting capabilities, and in 2008 a set of hackers demonstrated they could eavesdrop on supposedly secure Iridium signals. A decade has passed since those demonstrations, but satellite architectures change slowly, in waves of half-a-billion dollar machines launched over time. Should a vulnerability be found on the ground, there’s lag time between how long it can be exploited and how long it can be rendered inert.
What happens if the GPS signal stutters out of sync with time? Everything about how GPS works is bound up in its ability to precisely and consistently track time. Knowing where something is depends on knowing when something was. Without the entire network of automatic navigation aids they’ve built their lives around, people will fumble. Consider what happened for 11 hours on Jan. 26, 2016.
“The root cause was a bug in the GPS network,” wrote Paul Tullis in Bloomberg.
“When the U.S. Air Force, which operates the 31 satellites, decommissioned an older one and zeroed out its database values, it accidentally introduced tiny errors into the database, skewing the numbers. By the time Buckner’s inbox started blowing up, several satellites were transmitting bad timing data, running slow by 13.7 millionths of a second.”
Tullis goes on to detail the possibility and plans for a redundant ground-based navigation system that could let GPS-dependent functions of commercial machines keep working, even if a satellite slips out of sync. There is an international agreement to eventually make all signals across the Global Navigation Satellite System (GPS, Galileo, etc.) broadcast compatible civil signals. This would improve the redundancy among day-to-day civilian applications dependent upon GPS, but it would do very little for the military signals.
“There is no such compatibility between the military signals of the different constellations,” says Weeden.
“In fact, during negotiations with the European Union the U.S. demanded that the Galileo protected/military signal be made separate from the GPS military signal. It is possible to create receivers that can pull in the military signals from both GPS and Galileo, but it’s not easy to do so securely.”
GPS III, which Lockheed Martin is building, will mitigate some of this when those satellites are on orbit: the new hardware is designed with stronger signals that will make them harder to jam, but that will also require new receivers on the ground.
While developers are working on making those new receivers, one way to build in redundancy would be to make GPS receivers that can use both Galileo and GPS military signals, suggests Weeden. That’s a technical solution that requires at least some political finesse to achieve, but it’s one possibility for making existing infrastructure more redundant.
“But there are also other ways to get precision timing and navigation other than from GPS, such as better gyroscopes or even using airborne or terrestrial broadcasts of PNT signals,” says Weeden.
“These alternatives are probably not going to be as easy to use or have other drawbacks compared to GPS, but they’re better than nothing.”
Redundant systems or complementary systems provide a safeguard against spoofing, when a navigation system is fed false GPS coordinates in order to reroute it. Big changes in inputs are easy for humans monitoring the system, say a car’s navigation or a drone flying by GPS coordinates, to spot, but subtle changes can be accepted as normal, lost as noise, and then lead people or cars or drones into places they did not plan on going.
The next generation of threats
Protecting the integrity of satellite communications from malicious interference is the centerpiece of a report from the Belfer Center, entitled “Job One for Space Force: Space Asset Cybersecurity.”
The report’s author, Gregory Falco, outlines broad goals for organizations that manage objects in space, policymakers, as well as a proposed Information Sharing and Analysis Center for space. These include everything from adopting cybersecurity practices like working with security researchers and encrypting communications to setting up a mechanism for organizations to disclose if their satellites suffered interference or hacking. If the security of GPS is suffering from anything, it is less ignorance of the threat and more complacency in the continued durability of the system as currently operating.
“Cybersecurity challenges will only become more substantial as technology continues to evolve and attackers will always find the weakest link to penetrate a target system,” writes Falco.
“Today, space assets are that weakest link. Space asset organizations must not wait for policy-makers to take action on this issue, as there are several steps that could be taken to secure their systems without policy guidance.”
The fourth domain of space is more directly threatened by threats traveling through the fifth domain of cyberspace than anything else.
To the extent that space requires a specialized hand, it is managing from the start to the launch the specific vulnerabilities of orbital assets, and the points at which they are controlled from the ground. Perhaps the way to address that specific problem is a Space Force framed around the physical and cybersecurity needs of satellites.
Raytheon is the contractor tasked with building GPS OCX, the next-generation operational control system for the satellite network.
After years of delay in the program, Block 0 of the OCX deployed in September 2017, putting in place a system that could manage the launch and early orbit management of the new GPS satellites. Besides managing the satellites, the control system has to ensure that only the right people access the controls, and that means extensive cybersecurity.
Raytheon says that, together with the Air Force, the company recently completed two cybersecurity assessments, including a simulated attack by an adversary. While Air Force classification prevents Raytheon from disclosing the results of that test, the company’s president of intelligence, information and services, Dave Wajsgras, offered this:
“We’ve built a layered defense and implemented all information assurance requirements for the program into this system. We’re cognizant that the cyber threat will always change, so we’ve built GPS OCX to evolve and to make sure it’s always operating at this level of protection.”
Ideally, this massive job of protecting GPS will fall to the Space Force.
“One of the big drivers for the Space Force is improving the space acquisitions process, and another is developing better ways to defend U.S. military satellites against attack,” says Weeden.
“So, in that context, the Space Force debate could impact the future of GPS.”
Yet many of the answers to vulnerabilities in space are not found in orbit, and it’s possible that shifting the full responsibility for signal security to a body built around managing satellites would miss the ways greater signal redundancy can be built in atmospheric or terrestrial systems. The Army and Navy are funding GPS alternatives, but that funding is minuscule by Pentagon standards.
“The United States should take smart steps to make its space force more resilient,” writes Paul Scharre of the Center for New American Security, “but the U.S. also needs to be investing in ways to fight without space, given the inherent vulnerabilities in the domain.”