CyberSecurity Concerns: Hackers, The Seventh Fleet And Human Error
By Saad Gul and Michael E. Slipsky
The USS John S. McCain collided with the merchant tanker Alnic MC near Singapore this week. The warship sustained damage at the waterline, flooding a crew sleeping area. Ten sailors remain missing at the time of writing. Such incidents are mercifully rare, but the incident was the fourth one involving a United States warship this year.
In June, the USS Fitzgerald suffered a similar collision with the ACX Crystal near Japan. That tragedy cost the lives of seven sailors. In May, a South Korean trawler hit the cruiser USS Lake Champlain. And in January, the guided-missile cruiser USS Antietam suffered damage to its propellers while navigating Tokyo Bay. Initial reports in the wake of the Fitzgerald human error. The Navy relieved two senior officers and the ship’s highest-ranking enlisted man of command. However, the number of accidents is apparently prompting reconsideration. The Chief of Naval Operations, Admiral John Richardson, stated that while he had seen no indications of cyber-sabotage, the Navy’s investigation would “consider all possibilities.”
The incidents occurred on some of the world’s most congested waterways, which carry a third of the planet’s shipping. Ship captains and crews tend to be alert as a consequence, with computer-aided navigation and radar assisted by manual lookouts. Under these circumstances, the rash of incidents has spawned speculation about the possibility of cyber sabotage. Itay Glick, a former cyber-warfare specialist who went on to found cyber security firm Votiro, explained that given the numbers, “I don’t believe in coincidence.”
Glick noted that the Seventh Fleet could have suffered a malware attack that would have blinded its ships to other traffic. He also considered a GPS attack to be a possibility, citing reports of similar incidents in the Black Sea. Other experts dismissed GPS spoofing (misdirection) as a remote possibility, noting that the GPS attack would affect a larger area, rather than a single ship. Civilian crews detected GPS interference in the Black Sea; United States Navy personnel encountering similar interference would certainly have noticed something amiss.
But the possibility of human error does not negate cyber-sabotage. Crew rotations and shift changes necessitate widespread access to a ship’s computers. And opportunities for a viral infiltration have proliferated in recent years, with crews increasingly using ships’ Internet access to download movies, games and books for long deployments at sea. In cybersecurity, the critical (and most vulnerable) link in the chain continues to be the human component. While it is unclear whether the Navy’s recent spate of mishaps contained some element of cyber sabotage or was purely down to old-fashioned human error, if cyber sabotage was involved, it’s a good bet that human error played at least a supporting role.
A recent spate of electronic-wallet thefts illustrates the problem. Hackers were able to drain digital wallets by taking control of the victims’ smartphones. They did so by the relatively simple stratagem of flooding customer support centers with calls asking to transfer control of the victim’s phone to a different device, which then allowed the hackers to reset the victims’ passwords. If the phone company’s customer support refused the request, the hacker simply repeated the process until a more cooperative agent was found. In one case they tried 13 times. In some ways, this was the human equivalent of a “brute force” password attack—the hackers essentially kept pounding on the last line of defense until it gave way. Phone companies and customers ran up against the defender’s eternal challenge: the defense has to run the table each time, but the attacker needs to succeed only once.
The lesson is clear, certainly for phone companies and perhaps also for the United States Navy: training your personnel on cybersecurity is just as important as deploying technological defenses.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com