The Navy was so keen on using the software that Navy software developers provided misleading information about the apps.
The US Office of the Special Counsel (OSC) reported that two combat operation mapping applications used by the US and its allies left users vulnerable to hacking, and that the Navy likely knew about it but told no one.
A whistleblower reported the use of the mapping applications and their vulnerabilities to the OSC, which the Washington Free Beacon first reported two months ago. The OSC is an internal agency that conducts investigations that are independent of other government agencies.
In the OSC report to Congress and President Trump, the agency warned that the Navy was particularly vulnerable and criticized top Navy leaders for not taking steps to prevent hacking of sensitive data. The report indicated the Navy knew for more than a year about the serious cybersecurity risk the apps posed.
What are the Apps and Vulnerabilities?
The military uses three mapping apps, APASS, KILSWITCH and ATAK, for precision targeting. The apps share data between ground forces and nearby aircraft. However, “significant cybersecurity vulnerabilities” were detected in APASS and KILSWITCH. Navy leadership was notified, but it didn’t take sufficient action to mitigate the threat and protect military personnel and data. The apps were used without proper security measures in place.
Civilian software engineers at California’s China Lake Naval Air Warfare Center Weapons Division developed the KILSWITCH and APASS applications. The developers always intended the apps to be used for research and development only, but Naval military personnel began providing the apps to special operators and other forces.
The apps provide satellite views of a soldier’s surroundings. The apps function much like Google Maps does to pinpoint locations. Soldiers can also talk to each other in real time, much like instant messaging. The apps work well enough to allow airstrikes to be delivered in as little as four minutes. Before these apps were developed, forces relied on paper maps or radio communications.
While the Navy and Marines began using the KILSWITCH/APASS applications, others aware of the cybersecurity risks chose to go with a more trusted geospatial program called Android Tactical Assault Kit (ATAK). This software provides the same real-time situational awareness but has been rigorously tested by the Air Force Research Laboratory (AFRL) and found to have no cybersecurity vulnerabilities. Law enforcement agencies around the country use a non-military version of ATAK with great success.
OSC Special Counsel Henry Kerner said that it took a brave whistleblower to come forward for the Navy to take the threat seriously. Kerner said the Navy was so keen on using the software that Navy software developers provided misleading information about the apps to strongly advocate on behalf of using it, even though its security vulnerabilities were known.
The military essentially has unregulated distribution of the software. It has allowed thousands of copies to be loaded onto both government-issued and personal computers and devices, none of which have the required security protections.
The whistleblower, Major Anthony Kim, is an experienced program analyst who has nearly 30 years of experience as a Joint Terminal Attack Controller (JTAC) specialist. A JTAC is charged with ordering airstrikes.
Kim said the OSC report shows he was right to bring this problem forward. Despite the fact that whistleblowers are supposed to have protection and that Kim’s act was lawful, he was suspended from his job, and his superiors even tried to revoke his security clearance.
Kim has urged Congress to pass a bill to penalize people who “misuse the security clearance system as a tool for whistleblower reprisal.” The bill, introduced by Rep. Louie Gohmert (R., Texas), did not come to a vote in the House session that ended Dec. 20.
Soldiers in the field are furious that the Navy top brass did not warn them of the cybersecurity risks of these apps. They say that Russia, China and other bad actors could have easily hacked into the apps and put them in jeopardy. Soldiers in the field trust the Pentagon leadership to fully vet software like KILSWITCH and APASS, and are angered they didn’t do that in this case.