Unmanned Aircraft Systems (UAS), or drones, significantly improve the human condition in the right hands but cause carnage when used by someone with nefarious intent. There are good examples on the news every day: delivering much-needed medicines, protecting high profile security events, finding a lost child in the woods, and re-establishing a cellular phone network in a hurricane-ravaged Puerto Rico. Conversely, we also see the bad: delivering drugs and weapons to prison inmates and use of a suicide drone to assassinate a national figure. However, the physical security threat is likely not the most serious. In an information age, the exploitation of data is more threatening than an improvised explosive device on an unmanned system.
Transition focus from the physical to the electronic “high ground”:
The physical threat of drones is all around us. It is no longer only in the realm of possible threats. Each attack culminates in a climactic event followed by traditional responses and recoveries. Security professionals assess the damage and develop new techniques in counter-drone technology which are increasingly effective thwarting physical threats. The electronic threat, however, may be insidious and unknown until used in a final catastrophic attack.
For example, the use of a drone to record industrial or military activity is similar to the earliest days of aviation. Observation balloons were used 200 years ago to provide military intelligence on troop movement. New high-resolution cameras and sensors can provide a fearful tool in corporate espionage by simply observing movements or photographing new equipment. The proliferation of new sensors, increased computing power, robust data analytics, and artificial intelligence has completely changed the landscape.
"In an information age, the exploitation of data is more threatening than an improvised explosive device on an unmanned system"
Additionally, the regulatory environment is evolving quickly. There are deliveries using drones and integrating into the supply chain and inventory management. New uses develop every day. As drone operations grow into a spider web pattern supporting a new last-mile delivery model, each flight gathers enormous amounts of data including photos of vehicle traffic in the area. Traffic surveillance is an excellent advancement for traffic accident investigations. However, using the data to track an armored truck carrying large amounts of cash should be controlled.
Facial recognition and license plate reader technology, coupled with high-resolution intelligent sensors, allows tracking methods previously not imagined. Data on electronic signatures viaWi-Fi and mobile networks from autonomous ground vehicles can build a picture of personnel and material movement that can recreate proportional uses of raw materials in manufacturing to mine proprietary formula information.
An Evolution of Information Security:
Enterprise security and the cybersecurity elements of any successful program are increasingly sophisticated. Evolving NIST guidance and information security are successfully mitigating threats from information enterprises control. The electronic high ground, however, must consider controlling information out of organizational control. A new threat has developed requiring controlling information in plain view. Laws, regulations, and standards are struggling to keep up with evolutions in drones and data collection. When coupled with analytics and artificial intelligence, the totality of information can be dangerous to organizational security.
In the law enforcement space, plain view doctrine is evolving on constitutional grounds because of the advancements in drone technology. Some jurisdictions require warrants for drone use in areas previously considered public. As an example, manned aircraft have not been restricted flying over residential areas due to privacy. However, a drone flying near windows or backyards can result in charges of voyeurism. A new model is needed to consider the enterprise security of information.
A New Model from an Old Concept:
The need to control open source or plain view information is not a new challenge. Industry and government have protected the release of crucial information or altered behavior to build misinformation. It is, essentially, a counter-intelligence activity. In the case of the government and the military, a foreign drone manufacturer’s data security drove a deluge of directives and acquisition rules, including secure software mandates with government testing and certification. While driven by sensitive site security in the government case, the data security concern is not only on enterprise-owned drones but on any drones—many that are unknown—that may surveil operations.
The military has used the term “Essential Elements of Friendly Information” or EEFIs to deny adversaries seemingly innocuous information that could be used to predict troop movements and deployments. Developed from the “loose lips sink ships” campaign of World War II, the concept is pretty straight forward. Soldiers, sailors, marines, and airmen are trained to be aware of information that may be an indicator of deployments and cautiously guard information. With regard to drones, a recent case is the protection of large events from pre-surveillance attack activity. The University of Arkansas obtained authorization to use drones for event surveillance at football games. It is a handy tool to develop response protocols and manage traffic. Part of the activity is detecting unauthorized drone activity. Rogue drones can steal proprietary broadcast of games, provide intelligence on future attacks, give an active shooter the high ground, steal data, and look for personnel in the crowd or scout areas for vehicle theft. This new electronic high ground can be used by nefarious individuals to amplify their attack. In this case, the law and federal regulations provide a framework to deny EEFIs from the adversary.
In other cases, the regulatory framework does not provide mechanisms to protect EEFIs. In those situations, enterprise security needs a new model. The steps to protect EEFIs otherwise in plain view require a three-step process:
1. Identify EEFIs such as the movement of goods, services, and people that are critical when used in conjunction with other information to build a vulnerability.
2. Educate members on EEFIs and techniques to protect information.
3. Develop mitigation strategies, including considering using misinformation to deny effective analysis by adversaries.
There are many tasks and sub-tasks in each step of the process. It requires planning and consistent execution built into the culture of an organization. Over time, organizations can significantly improve information security obtained by drones and create a culture of EEFI-consciousness. In some areas, one only needs to look up to see the threat.