Photo Credit: Military Embedded Systems
At the beginning of the twenty-first century, camera phones were a new commodity – and their effects on battlefield operations were largely unknown. Two decades later, their rapid development and newfound capabilities pose a litany of security concerns for our deployed servicemembers, such as geotagging that enables kinetic targeting and spillage of sensitive information that bolsters adversarial intelligence gathering. Yet, these devices also have added benefits, like the ability to efficiently and securely communicate with our partner forces who might otherwise be unable to do so. Given that the new generation of warfighter is largely dependent upon their smart devices, the critical question arises: are the rewards worth the risk?
Security Risks and Vulnerabilities
Recent incidents highlight the risks that smart devices pose to deployed servicemembers, such as the inadvertent release of sensitive locational data. For example, in 2017, the popular fitness app Strava published a “heat map” that revealed personal data of servicemembers, allowing experts to identify the names, photographs, and fitness routes of its users.[i] While the location of many US military bases is common knowledge, the sensitive data gathered highlighted common times members of the Armed Forces traveled and the typical paths they took. Because this information could prove valuable to adversaries intent on harming our servicemembers, it constitutes a notable security risk.
While the emergence of the cyber domain in warfare is a relatively new concept, our adversaries have been quick to invest heavily in this new domain to enable kinetic effects by utilizing geotagged data or tracking locations in real-time. For instance, Russian hackers were able to identify Ukrainian artillery assets by employing malware on Ukrainian soldiers’ Android devices.[ii] This exploit allegedly reduced target acquisition time for Russian forces, from minutes to just under 15 seconds, which likely meant the difference between life and death for some Ukrainian soldiers.[iii]
Yet, the desired end-state does not need to be achieved through kinetic means to effectively disrupt friendly operations – our adversaries exploit the loneliness of our servicemembers through non-kinetic actions, such as extracting sensitive information regarding military operations. During military exercises in Latvia, NATO conducted information operations against their own soldiers; the intent was to simulate ongoing information operations Russia was conducting against NATO forces along their frontier. NATO’s Center for Strategic Communications successfully deployed operatives disguised as fictious women on Tinder to obtain sensitive operational and strategic information from soldiers.[iv] Although only a training exercise, the extracted information provided opposing forces with key information about friendly force structure and operational timelines.
More so, exploiting cell phones serves additional purposes within our adversaries’ cyber toolboxes, such as enabling powerful information operations. For nearly the entirety of the Ukrainian crisis, Russian-backed separatists have utilized threatening text messages in attempts to inspire fear in Ukrainian troops, such as “Murderer from UAF [Ukrainian Armed Forces]. The East won’t forgive you and the West won’t remember you!”.[v] In addition to intimidation, the separatists have utilized digital communications to sow discord within Ukrainian ranks by sending messages disguised as fellow Ukrainian soldiers, claiming that their commanders have fled the area and they should as well.[vi]
Efficiency Amid Risk
Although cell phones and smart devices present sizeable security risks, their utility for deployed servicemembers must be explored as well. The U.S. works with many partner forces who do not have the same or similar secure communication systems. Oftentimes, these communication systems are too expensive for partner forces to widely field across their formations. Additionally, US forces are reluctant to allow partner forces access to systems containing sensitive or classified information. Therefore, it is often more feasible to utilize commercial off-the-shelf (COTS) products for quick and effective means of communication; these readily-available smart devices also have the ability to download language translation tools, which can prove vital for joint/multinational operations when linguist support may be difficult to obtain for extended periods of time.
Moreover, the role smart devices play in servicemembers’ morale is one that cannot be ignored. Morale has an indisputable effect on the potential level of success a unit can achieve. Regardless of location, deployments prove stressful and isolating to our servicemembers no matter how cohesive their bonds with their brothers- and sisters-in-arms are. Smart devices allow our servicemembers to stay routinely connected with their loved ones back home, provide entertainment and educational opportunities, and can serve as a temporary escape from the stressors they encounter while deployed.
Mitigation Measures
First, the Department of Defense (DoD) should refine their often draconian operations security (OPSEC) measures while deployed. Deployed commanders should be aware of the capabilities their adversaries possess in theater and tailor their OPSEC policies accordingly. As mentioned, there are both risks and benefits to utilizing smart devices while deployed, and operational commanders should implement their OPSEC policies on a case-by-case basis to maximize tactical and operational efficiency while maintaining appropriate security.
Second, the DoD should utilize subject matter experts that can explain the risks that smart devices pose and how our adversaries can exploit them. For instance, deploying units scramble to meet a litany of requirements, namely in regard to OPSEC briefs to the force. Many commanders default to their intelligence officers to give hastily researched briefs regarding OPSEC risks that smart devices pose and downplay it as a peripheral issue. Properly educating our men and women in uniform on adversarial electronic warfare capabilities and the ways in which the enemy can access and exploit our smart devices would encourage servicemembers to employ individual measures to safeguard their personal information, as well as information vital to US national security.
Finally, the DoD should further explore possibilities of working with tech companies in developing secure communication applications. For instance, the DoD demonstrated its willingness to work with Microsoft to mitigate the communication problems that the Covid-19 pandemic presented by rapidly deploying CVR Teams to ensure operational continuity for the force.[vii] The DoD should leverage the intelligence community to work in tandem with tech companies to develop exclusive, secure communication applications, which would mitigate spillage that could jeopardize our service members or national security interests.
Bibliography
[i] Craig Timberg, “Lawmakers Demand Answers about Strava ‘Heat Map’ Revealing Military Sites,” The Washington Post, January 31, 2018, https://www.washingtonpost.com/news/the-switch/wp/2018/01/31/lawmakers-demand-answers-about-strava-heat-map-revealing-military-sites/.
[ii] Dustin Volz, “Russian Hackers Tracked Ukrainian Artillery Units Using Android Implant: Report,” Reuters, December 22, 2016, https://www.reuters.com/article/us-cyber-ukraine/russian-hackers-tracked-ukrainian-artillery-units-using-android-implant-report-idUSKBN14B0CU.
[iii] Adam Meyers, “Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units,” CrowdStrike, December 26, 2016, https://www.crowdstrike.com/blog/danger-close-fancy-bear-tracking-ukrainian-field-artillery-units/.
[iv] “Russian State Media Mocks NATO for ‘Catfishing’ Troops,” Polygraph Info, October 11, 2019, https://www.polygraph.info/a/fatc-check-russia-nato-baltics-cyber/30211882.html.
[v] Daniel Brown, “Russian-Backed Separatists Are Using Terrifying Text Messages to Shock Adversaries – and It’s Changing the Face of Warfare,” Business Insider, August 14, 2018, https://www.businessinsider.com/russians-use-creepy-text-messages-scare-ukrainians-changing-warfare-2018-8.
[vi] Daniel Brown, “Russian-Backed Separatists Using Text Messages.”
[vii] Matthew Finnegan, “Defense Dept. Rolls out Microsoft Teams to Millions of Remote Workers,” Computerworld, April 17, 2020, https://www.computerworld.com/article/3538811/defense-dept-rolls-out-microsoft-teams-to-millions-of-remote-workers.html.