Cybersecurity Experts: Stop Sending Troops Into Combat With Personal Tablets, Smartphones

Practice raises alarm after Navy IG report confirms hacking vulnerabilities in mapping apps

U.S. Air Force Combat Control JTACs from the 21st Special Tactics Squadron call for close air support from an A-10 Thunderbolt II while attending the Air Force's JTAC Advanced Instructor Course
Wikimedia Commons

Special operators and other troops must stop taking their unsecured personal tablets and smart phones into combat after an internal Navy investigation found that mapping applications can be hacked by hostile actors, cybersecurity experts warn.

U.S. special operators and other troops have been using advanced war-fighting mapping applications for the last several years to reduce the time it takes to call in airstrikes and for better situational awareness and communication between ground forces and overhead aircraft.

However, a non-public Navy Inspector General investigation earlier this year found that two of these widely used mapping applications produced by the U.S. Navy have serious vulnerabilities, the Washington Free Beacon first reported earlier this week.

The mapping applications in question are known as KILSWITCH and APASS. KILSWITCH is an acronym that stands for Kinetic Integrated Low-cost Software Integrated Tactical Combat Handheld. APASS stands for the Android Precision Assault Strike Suite.

The IG's findings were cited in a Marine Corps force-wide message in late June warning commanders that the applications are to be used only on military-issued "hardened" hand-held devices that are not connected to cellular or civilian Wi-Fi networks, not on personal devices that troops purchased commercially, which are far more susceptible to malware and hacking.

All applications and technology contain some level of cybersecurity vulnerabilities, said Dr. Herb Lin, a senior research scholar for cyber policy and security at Stanford University's Center for International Security and Cooperation and a fellow at the Hoover Institution.

However, in a battlefield situation those risks—in terms of their ability to endanger troops' and pilots' lives—increase exponentially when personal tablets and cell phones are being used, he said.

"If [troops] are bringing their own personal devices to work, into combat—what they bought at the Verizon store—that's an even worse scandal," he said in an interview. "Those are not hardened [devices], and the military-issued Android devices should be hardened and more secure."

The availability of KILSWITCH and APASS through the military's National Geospatial-Intelligence Agency's "GEOINT App Store" for ready download by most servicemembers made matters worse, according to Tom McCuin, a retired public affairs officer for the Army Reserves who served two tours in Afghanistan.

"This meant that Marines (and service members from other services, no doubt) were downloading the app to their personal phones as a convenient way to use it," he wrote in online essay for www.clearancejobs.com about the mapping applications vulnerabilities and the whistleblower who was allegedly retaliated against for exposing them.

"After all, in this connected age, no soldier or marine goes to the field without his or her personal electronic device (or devices). It's so pervasive that I've heard soldiers joke about it in their PACE plans."

PACE stands for Primary, Alternate, Contingency and Emergency means of Communication.

Cybersecurity experts and weapons engineers familiar with the hacking vulnerabilities in military systems point to the Russian hacking of Ukrainian soldiers' hand-held electronic devices to demonstrate the danger.

"The Ukrainians very quickly found out that was very dangerous," Lin said.

Ukrainian troops in 2016 started using a cell phone app that allowed artillerymen to shoot howitzers in seconds rather than minutes.

After they showed off the technology on YouTube, Russian military intelligence hacked into the app, giving them a backdoor that allowed full access to the device that showed each soldier's exact geographic location.

The Russians put the malware into the phones, and then the app became a beacon for targeting the Ukrainian military units, with soldiers getting killed as a result, according to a CBS News report.

These sorts of vulnerabilities are what is alarming special operators across the military who have heard of the KILSWITCH and APASS mapping applications' hacking vulnerabilities, especially when used on personal devices.

David Foster, a former Marine Corps pilot who went on to spend 20 years as a strike weapons engineer and operations analyst with the U.S. Navy's Naval Air Systems Command, said Russian and Chinese intelligence are constantly looking for ways to interfere with U.S. military operations.

Because the U.S. military now relies mostly on airstrikes to fight its enemies, anything the Russians and other bad actors can do to undermine that system could have a major impact, he said.

Troops and pilots relying on several electronic devices to do their jobs is like going into a "cyber vector malaria swamp with all these little surface cuts," he said.

Using the apps on personal devices would exacerbate the problem and be an obvious area that the Navy and all service branches could and should be cracking down on, he said.

Despite the USMC force-wide message, special operators and troops across the service branches are not getting the message.

One special operator, who requested anonymity out of fear of reprisal, told the Free Beacon that the USMC and Navy as a whole are not getting the word out to troops.

"I don't think people know it's making them vulnerable," he said. "It's not something that is being said widespread, the word hasn't gotten out, and if it has, it's not something people are talking a lot about."

A Navy official said the Navy inspector general investigation into the matter is still open, so it would be "inappropriate" to comment on the larger cybersecurity issues with the apps or the tendency for soldiers to bring their personal devices into combat.

The military early this year was forced to ban the use of Fitbit and other fitness devices after the GPS tracking company Strava published a global heat map using satellite information to map the locations and movements of subscribers of the company’s fitness service over a two-year period.

The posting of the map on the internet showed the exact locations of military personnel, revealing highly sensitive information about the locations and activities of soldiers at military bases.

A former fighter pilot who now works in the cybersecurity field likened the quandary to supply problems early in the war on terror.

"The question is what's the alternative—to have no capability whatsoever?" he said. "Are pilots and troops using this because they have no other option? It's a little bit like [troops] buying their own body armor in 2003. Here's some software that makes your life a lot better so you bring in a personal device so you can use it."

"If you're forcing people to use unsecured apps, that's not optimal, but what's the alternative?"

In this case, critics of the KILSWITCH and APASS applications say there is a better alternative. Another geospatial app, known as ATAK, provides up-to-the-second situational awareness, and its software has been rigorously tested and doesn't have the cybersecurity vulnerabilities.

That more rigorously tested and widely trusted program across the military branches, according to interviews with active-duty troops, is the Android Tactical Assault Kit (ATAK), which was developed and fully vetted and tested by the Air Force Research Laboratory, or AFRL. Created in 2010, ATAK appears to be the program of record for the U.S. Special Operations Command (SOCOM), according to ATAK's website.

It is unclear whether its software engineers were aware that warfighters would immediately begin to use the KILSWITCH and APASS mapping apps in battle.

Lin said he did not have enough specific information to discuss the particular cybersecurity vulnerabilities KILSWITCH and APASS may pose, but said that because the apps have been used in mission-critical combat situations, there likely should have been a more rigorous software development process.

"It's common to develop a product just as a feasibility demonstration—just to prove the concept would work," he said. "The fact that it doesn't have security built into it only become a problem at the next stage."

Once the engineers have proven feasibility, "the right thing to do is throw out the [code] and start again and integrate security into it," he said, noting that doing so costs a lot more money.

"The temptation is very large to add security to [proof of concept product]," he said. "That's how you lose on security. You're basically trying to fix up a system that you never put security into in the first place—the security wasn't baked in from the start."