The government's top watchdog agency on Tuesday warned President Donald Trump and Congress that two war-fighting mapping applications widely used in combat, and disseminated to U.S. allies, have made U.S. troops vulnerable to cyberattacks by Russia, China, and other hostile actors.
The U.S. Office of Special Counsel (OSC), an internal investigative and prosecutorial agency that operates independently from other government agencies, "fully substantiated" whistleblower warnings first reported by the Washington Free Beacon in late October, the OSC said in its release on the matter. It was the first time the OSC has weighed in publicly on its nearly year-and-a-half investigation into the matter.
The OSC specifically faulted top Navy leaders for failing to warn U.S. military personnel and to take the necessary steps to try to protect sensitive data from being hacked. The mapping apps are used to accelerate precision targeting and facilitate situational awareness and data-sharing between ground forces and overhead aircraft.
"When Navy leadership was made aware of software vulnerabilities, it failed to take sufficient action to warn U.S. military personnel or to safeguard sensitive data," Special Counsel Henry Kerner said in a statement. "Thanks to a brave whistleblower who spoke up, the Navy is now taking the cyber threat posed by these apps seriously and ensuring security measures are in place."
The investigation found that two mapping software apps, known as KILSWITCH and APASS, were "broadly used in military operations" and have "significant cybersecurity vulnerabilities that have not been effectively mitigated."
"The investigation also found that Navy software developers provided inaccurate, incomplete and misleading information to operational units in advocating for the distribution and adoption of this insecure software," the OSC said.
In response, the OSC said the Navy has "issued directions mandating that the software only be utilized with proper security measures in place."
In the OSC letter to Trump and Congress, a heavily redacted version of which it released Tuesday, Kerner said "despite these corrective actions, significant concerns remain relating to the extensive and apparently unregulated distribution of the software, and the circulation of notice of its shortcomings."
It notes a Navy inspector general finding that "'thousands' of copies of the [apps] were loaded on to government issued and personal procured tablets" that don’t have adequate security protections, even though the software developers never intended the apps to be used in an "operational setting by forward-deployed personnel" but rather for research and development purposes.
The top investigator also slammed the Navy for not following its "complex process for approval and evaluation of software used by military personnel" and called for an "accountability review" of the individuals who facilitated the apps' widespread use in combat and training, as well as "any disciplinary action" deemed necessary.
"This process was totally circumvented here," Kerner wrote. "The blatant disregard for procedure endangered the lives of military personnel."
Kerner strongly commended the whistleblower for his "public service" in disclosing a "serious issue that potentially endangered the physical safety of forward-deployed military personnel."
He added that the whistleblower "should be lauded for his determination to protect the safety and wellbeing of military personnel who risk their lives to protect the United States."
The letter, dated December 19, was sent to the chairmen and ranking members of the Senate and House Armed Services Committees.
As of late October, the time of the Free Beacon's first reports on the vulnerabilities, the Navy had not issued any type of force-wide message warning commanders and officers in charge of cybersecurity for their units that a non-public Navy inspector general report had confirmed the whistleblower's warnings. The Marine Corps did issue a force-wide message on June 18.
At the time, the Free Beacon reported that the KILSWITCH/APASS applications, which were created by civilian software engineers at the Naval Air Warfare Center Weapons Division at China Lake, Calif., had proliferated among special operators and other forces across the military, and that the Navy had known for more than a year about the serious cyber security risk they posed.
Both the Navy and U.S. Special Operations Command said in October they could not comment on what they said was still an ongoing investigation. While the Navy said it is looking into the matter, Special Operations Command did not immediately respond to a request for comment Wednesday.
Anthony Kim, a civilian program analyst with 28 years of military service and experience as a Joint Terminal Attack Controller (JTAC), a specialist who orders airstrikes and other close-air support, is the whistleblower in the case. His lawyer said the findings are a long-awaited vindication for Kim, who has been the victim of reprisals for his warnings; he was suspended and his managers tried to revoke his security clearance.
"Today's findings by the [OSC] are a welcome vindication for Maj. Kim, whose courageous actions exposed a serious and unmitigated threat of harm to U.S. troops," Sean Bigley said in a statement. "While the system ultimately worked in this case, Maj. Kim suffered egregious reprisal—the suspension and attempted revocation of his security clearance—for his lawful actions."
Bigley said he and Kim look forward to the findings of a still-ongoing Department of Defense inspector general investigation and urged Congress to pass a pending bill that would establish penalties for "those who misuse the security clearance system as a tool for whistleblower reprisal."
In response to that case, Rep. Louie Gohmert (R., Texas) recently introduced legislation to establish, for the first time, mandatory penalties for government officials who abuse the security-clearance system to unlawfully punish whistleblowers.
Numerous warfighters interviewed for October's Free Beacon article expressed deep anger that the Navy top brass did not warn them that cyber risks were not sufficiently vetted prior to distributing the software to frontline troops.
They fretted that the hacking vulnerabilities put them in alarming jeopardy, that the Russians, Chinese, and other hostile actors could easily hack the mapping apps.
A special operator who calls in airstrikes and has had multiple deployments in the Middle East said warfighters trust the military and civilian Pentagon leadership to test the systems they provide, not hand them technology that could endanger them.
"As warfighters, we trust the military is going to provide for us. They get the money and the funding, and it's very transparent to the operator, to the pilots, and the JTACs, that we're going to use this product, and this is accredited and certified," he said. "The guy at the pointy end of the spear—we have to trust the system to provide for us. We are the people who are putting our lives on the line."
The apps provide satellite views of a warfighter's surroundings similar to Google Maps that help pinpoint locations. They also enable forces to talk to each other and share updates in real time like instant messages to provide better situational awareness.
Engadget noted in a 2015 blog post that the KILSWITCH app can help JTACs deliver airstrikes in four minutes, faster than ever before.
Before the development of sophisticated satellite-mapping software programs, requests for airstrikes and other close air support were done using radios and paper maps. After the initial request, there would be a long lag time for the airstrikes to arrive.
Careful coordination between JTACs and the inbound aircrews is necessary in order to avoid friendly fire. In intense combat situations, such constant coordination can take place in the middle of a firefight with opposing forces.
While some special operators in the Navy and conventional Marines readily embraced the KILSWITCH/APASS applications, critics aware of the hacking weaknesses point to a preferred and more trusted geo-spatial program that provides up-to-the-second situational awareness with software that has been rigorously tested and doesn't have the cybersecurity vulnerabilities.
That more rigorously tested and widely trusted program across the military branches, according to interviews with active-duty troops, is the Android Tactical Assault Kit (ATAK), which was developed and fully vetted and tested by the Air Force Research Laboratory, or AFRL. Created in 2010, ATAK appears to be the program of record for the U.S. Special Operations Command (SOCOM), according to ATAK's website.
A program of record designation means a new technology has been subjected to such rigorous testing that it's part of an approved budget line for the Future Years Defense Program, an annual catalogue summarizing resources and programs associated with Department of Defense operations.
There is also a civilian version of ATAK that has fewer features than the military's, which is widely used and trusted by U.S. law enforcement agencies.