Expert Commentary: The Dark Side of Detect and Avoid

Major General James O. Poss (Ret)

Put yourself in the shoes of General Ma Xiaotian, Commander of the Chinese People’s Liberation Army Air Force. Your task is to penetrate U.S. air surveillance networks, slip drones into American airspace and spy on critical infrastructure like dams, power plants, factories, etc. The only problem is, you’re on a relatively tight budget compared to what you are used to—relative being the key word. How do you do it? You could consider the conventional way. First, you’d get the Third Department of the People’s Liberation Army’s General Staff Department (3PLA or China’s NSA) to spend months hacking into NORAD’s secure servers, hoping to crack into their radar tracking system. If successful, you’d get Chinese Military Intelligence to sift through the data to find any possible gaps in American radar coverage. Then you’d get the Chengdu Aerospace Corporation, designer of China’s J-20 stealth fighter, to make a long range stealthy drone with a SATCOM data link. With an incredible amount of risk—a third world war is possible if you fail—you’d fly the 15,000 mile round trip route carefully avoiding the F-22s in Okinawa, Alaska, and Hawaii to arrive at your target. After a 30 hour mission, a few billion dollars in development, and a very real chance of evoking nuclear war—BAM—you’d have some great imagery of California.

OK—this option is probably a bit too expensive even for the Chinese, but what’s an adversary Air Force commander to do? Well, thankfully the Americans may make it dead easy for you if they don’t apply time-proven, common-sense security precautions to our UAS detect and avoid (DAA) systems.

EASY WAY NO. 1: Simply have 3PLA, the Third Department of the People’s Liberation Army’s General Staff Department—China’s equivalent to the U.S. NSA. hack into the databases of the NASA-designed future Unmanned Traffic Management (UTM) system to get fine-grained ground based DAA (GBDAA) data from the hundreds of radars that will be connected to UTM. Have military intelligence do some data analytics on the tracking data, find out which companies are flying near your targets of interest, wait for them to go where you want them to, and then get 3PLA to hack into the target’s imagery servers. BAM!—you’ll have great imagery of American targets at the bargain cost of a few million bucks to pay for hacking. All of this for just a tiny risk of conflict if 3PLA gets caught (we catch them hacking all the time, but typically don’t do anything about it). You may be able to get away with this because cyber security hasn’t been designed in from the start of our UTM system.

EASY WAY NO. 2: This option is a bit more expensive, but gives you more control over the intelligence gathered. You do all the steps from easy way No. 1, but instead of just waiting, you take over their drone and gather your own imagery. It’s not as hard as it sounds. Remember our discussion about the need to have a cell phone tower data link relay network to enable beyond line of sight (BLOS) operations? Well, a data link relay network without proper cyber security could allow 3PLA to fly drones over San Francisco just as easily as they can fly them over Beijing. Of course, 3PLA would have to make it appear to the legitimate owner that the drone went “lost link” while under Chinese control, but that should be easy to do without proper cyber security. Plus, 3PLA would only need your drone for a few minutes to fly into that Air Force hanger and get their imagery. Remember—they have access to very accurate GBDAA data from their UTM hack, so they can find the drone in just the right position for them to take over.

EASY WAY NO. 3: Put your own data links on buildings near targets and take over drones to do your spying. A drawback to easy way No. 2 is that cell phone company cyber security is actually quite good, making it tough to hack into their network and fly them from China directly. Easy way No. 3 gets around cell phone company security by simply taking direct control of unwitting American drones. Remember how we discussed how difficult it is to make a reliable AND secure drone data link? There’s a chance that upcoming airworthiness standards for beyond line of sight (BLOS) drone operations will err on the side of reliability and toss security out the window. This will make it dead easy to mount drone data links near your target and just take over passing drones to do your spying. Remember how we discussed unbreakable encryption methods won’t work for large numbers of drones because of key management problems and latency? Also, how FAA insistence on ultra-reliable drone links means manufacturers will make it dead easy to reacquire a link once it drops? Well, links that don’t ask too many questions when lost also don’t care if a slightly higher powered antenna takes over from their original ground station and gives their drone orders for a bit. The beauty behind easy way No. 3 is the original owner (and UTM) think the drone has just gone lost link, so they never even know they just contributed to Chinese intelligence.

EASY WAY NO. 4 (THIS SHOULD PROBABLY BE CALLED DEAD EASY WAY NO. 1): Start your own drone critical infrastructure inspection front company and make money while you spy! Simply set up a front company that does critical infrastructure inspection, hire some unwitting remote pilots, buy a UTM license (subscription, access, or whatever it becomes) and get all the imagery you want. Dead easy way No. 1 works because currently, the FAA and Department of Homeland Security (DHS) don’t apply the same background check rules to unmanned aircraft manufacturers and user companies as they do to manned aircraft. Airlines/air freight and manned aircraft manufacturers go through some very stringent FAA, DHS and intelligence community vetting before they’re allowed to fly in U.S. airspace. These vital security processes are in place to stop foreign intelligence services and terrorists from using commercial aircraft to do harm to our country. Notorious arms smuggler Viktor Bout never flew his Antanov’s over the U.S. because the FBI knew the front companies he used and at least kept him out of our skies. Luckily, he’s in jail or he’d probably be starting a drone delivery front company for smuggling because no one is checking drone companies.

Of course, these scenarios don’t HAVE to occur because the FAA and DHS still have time to set standards and procedures. The current Part 107 rule only allows within visual line of sight (VLOS) drone operations and it’s tough to take over a drone that’s being watched. The risk comes when the FAA approves BLOS rules and drones need detect and avoid systems—that’s when we add things like UTM and BLOS data link relays that bring significant cyber risk.

However, done correctly, UTM could and should make BLOS drones more secure than VLOS operations. It’s tough to make a reliable and secure drone data link, but easy to secure a drone ground control station’s connection to UTM because that connection can use ground links with heavy encryption. Geofencing is already a UTM feature and designers can harden and enhance it to stop drones from getting anywhere close to critical infrastructure. Effective ground based detect and avoid systems (radar) connected to UTM should be required to track any drones that go “lost link” and drift near sensitive targets, and be able to instantly alert law enforcement to the remote pilot if the radar track gets near critical infrastructure.

The drone data link relays are tougher to secure. The cell phone companies already have impressive cyber security for the relay portion of the network; your cell phone calls are very secure while they’re being relayed between cell towers. The problem remains with the drone data links themselves. The FAA simply must write drone command and communications standards that give link reliability and security equal footing. That’s the only way to motivate industry to develop the kind of reliable AND secure links needed to stop illicit operators from hi-jacking our drones.

We have decades of experience from vetting manned aircraft companies and related operating companies to apply to drone businesses. The issue will be the sheer volume of vetting required to manage the same level of security screening for the unmanned aviation business community. There are only a handful of manned aircraft manufacturers and airlines/air freight companies compared to the potentially thousands of unmanned companies. It’s also more critical to inspect the software and hardware of foreign made drones because of how easy it is to provide back doors to enable illicit drone control. It’s not a big issue in manned aircraft because there is always a pilot on board to override illicit commands. It could become a huge problem for unmanned aircraft, but one we can solve with more resources for vetting.

Drone security is important to get correct from the start because it’s not JUST about the drones. Unmanned aerial systems are the cutting edge of true consumer-grade robotics in the “Internet of Things” that’s growing around us and infiltrating our lives daily. The same private/public security partnerships that work for drones will work for driverless cars, pilotless air transportation and maybe even personal robots one day. It’s a MUST do!