Air Force disputes drone virus reports
In an atypical disclosure, military officials on Wednesday night divulged details of a virus that infected computers supporting drones that fly over battlefields. The announcement came after reports surfaced that malicious software recording the keystrokes of pilots based in Nevada had wreaked havoc on U.S. Predator and Reaper unmanned aerial vehicles. Wired's Noah Shachtman first reported the breach Friday.
Air Force officials said they departed from standard procedures to explain the situation so people would not be concerned that missions were ever in jeopardy.
Earlier in the day, a security adviser told Nextgov the virus was custom-made to hijack the drones, creating an Achilles' heel for the Defense Department's multibillion-dollar automated weapons program.
"It's standard policy not to discuss the operational status of our forces," Col. Kathleen Cook, spokeswoman for Air Force Space Command, said in Wednesday's press release. "However, we felt it important to declassify portions of the information associated with this event to ensure the public understands that the detected and quarantined virus posed no threat to our operational mission and that control of our remotely piloted aircraft was never in question."
Air Force officials disputed many reports that the virus was a key logger. "The malware in question is a credential stealer, not a key logger, found routinely on computer networks and is considered more of a nuisance than an operational threat," the statement noted.
The service detected the worm on portable hard drives at Creech Air Force Base in Nevada on Sept. 15 and has since isolated the malware, the announcement said. It did not say whether the malicious code has been removed.
The bug was not devised to transfer data or video, nor was it designed to corrupt files on the infected computer, according to the statement.
The ability of ground crew members "to safely fly these aircraft remained secure throughout the incident," officials said. "We continue to strengthen our cyber defenses, using the latest antivirus software and other methods to protect Air Force resources and assure our ability to execute Air Force missions."
Initial descriptions of the exploit differ dramatically from the Air Force's account.
"This was a targeted virus," national security specialist Charles Dodd, who has been advising senior congressional and Defense officials, told Nextgov. "This was just detected three weeks ago. That doesn't mean it hasn't been utilized way beyond this." It is not coincidental that the malware was suited to exploit unmanned aerial systems, he added.
The compromise in some ways sounded reminiscent of the Stuxnet computer attack discovered in the summer of 2010 that programmed the control systems running Iran's nuclear operations to self-destruct. Both viruses were tailored to overtake particular command-and-control systems, but the perpetrators in each incident likely were not the same people and had different motives, Dodd said.
He did not say that intruders had commandeered Air Force crew members' keystrokes to redirect aircraft. "If you're at the level of control where it's recording the keystrokes of the pilots who are operating the aircraft -- at that moment, you then can be in control of that weaponized drone," Dodd said. "I'm not saying that they did it. It is very logical that they did so . . . If you are already at the keyboard of the guy or woman who is controlling it, you do the math."
Neither the Iranian nuclear systems nor the U.S. aircraft were connected to the Internet. In each instance, the worm likely crept in through "air gaps" between classified and public networks that users overcome by inserting jump drives, according to Wired's original report.
"This is the first example of our command-and-control systems being touched," said Alan Paller, research director for the SANS Institute, a security training center. Paller said he has no inside knowledge about the bug, but any infection provides an entry point for other infections.
"Once a machine gets infected, it tends to stay infected," he said. "Even if it was an accident, it has a high probability of being found by other bad guys looking for ways in."
The military had deployed more than 6,000 unmanned aircraft as of 2008. In 2010, the enacted budget for drone systems was $4.5 billion and Defense has requested $4.8 billion for fiscal 2012.
If intentional, the exploit represents a new, low-cost way of crippling U.S. forces that the Pentagon might not have the money to defend against, experts said. "We've had such an economic push to automate systems and make them more digital that we have now created our own Achilles tendon," Dodd said. Paller said, "We're spending a huge amount of our money on kinetic weapons. The other side is spending a small amount on cyber to take over our command and control." The Defense Department is not accustomed to calculating spending for cybersecurity operations, he said.
The head of the U.S. Cyber Command established a year and a half ago, Gen. Keith Alexander, "is desperately trying to put things in order. And you also have people on the Hill who are trying to put things in order. They get it," Dodd said. But the majority of Defense officials are of the old-school mind-set that whoever has the bigger gun wins the battle, he said. "This is sort of getting a taste of your own medicine," by paying billions for a weapon that adversaries can crush with a relatively smaller sum, Dodd said.
On March 21, in response to a Nextgov query, Pentagon officials said their $2.3 billion budget request for 2012 to protect networks covered all Defense components. On March 23, officials changed that response and provided a higher total -- $3.2 billion -- to reflect the cost of cyber pieces of larger programs, plus activities typically not defined as information assurance that are critical to the military's overall cyber stance.
Federal auditors this summer found the U.S. military had no methodology for collecting and compiling cyber budget information. "During February and March 2011, DoD provided Congress with three different views of its cybersecurity budget estimates for fiscal year 2012 ($2.3 billion, $2.8 billion, and $3.2 billion, respectively) that included different elements of DoD's cybersecurity efforts," stated a July Government Accountability Office letter to the House Armed Services Committee.
In responding to the findings at the time, Pentagon officials said they would define what activities are considered cyber operations and establish a means of accounting for all such activities.