National Security

Underwater Unmanned Vehicles: A New Frontier for Cybersecurity

“The DoD budget for underwater drones in FY2017 is at least $360 million.”

Strange creatures

In 1977, the exploration vessel Alvin dived 2,500 metres below the ocean waves enabling geologists to observe directly, for the very first time, the strange lifeforms that swarm around the super-hot vents at the planet’s mid-ocean ridges. Forty years later, new forms of extraordinary creatures patrol these depths. Employed in mine hunting, hull inspection, port patrol, environmental monitoring, and many other functions, underwater unmanned vehicles (UUVs) are now so numerous and diverse in their design and mission that the US has developed a technology roadmap – now in its third version – to integrate the technology into conventional warfighting and peacetime missions. Worldwide, demand for UUV units is expected to grow by 49% from 2016 to 2020 (of which 73% are expected to be used in the military, but there is rapid growth in the oil and gas sector). Some of the propulsion and mobility designs are borrowed from the natural world, and many look more like torpedoes. Fuel cells have increased UUV range and even traveling at a leisurely 2 knots, most types can roam far from their launch vessel or the shoreline, easily reaching the 12-mile nautical limit and beyond.

While research teams and commercial firms have succeeded in improving power and maneuverability, the laws of physics still constrain communications: high speed wireless ‘underwater internet’ of the type that is now pervasive in the world’s cities is still just theory. Without a cable, data just doesn’t transmit easily through water (even less so when it is salt water). But the technology is developing very fast. Experiments in the Baltic and North Sea in 2006 showed that UUV control signals will transmit at just 100 bits/s via acoustic channels. A survey published by RAND in 2009 recommended seven military missions for UUVs and reviewed the systems required to enable them. Rapid technical advances in onboard sensors and communications fill the agendas of an international annual conference and the product catalogues of commercial companies both large and small worldwide. Acoustic communications networks are the preferred channel and work well over short distances, yet they are vulnerable to attack and can easily be jammed. The NATO STO 2016 Underwater Communications and Networking conference discussed the near-term challenges and current state-of-art, such as work by an Italian team who have developed and commercialized secure underwater wireless communications that attain 10Mb/s at a range of 32 feet, in harbor water conditions.

Voyage plans

UUV communications protocols are generally proprietary, but the strong trend toward interoperability suggests this may not always be so. The 2004 Navy UUV Masterplan noted that “the compatibility conferred by the adoption of open architectures and communications standards is a must,” with secure communications identified as a vital item on the ‘to-do’ list. Subsequent versions of the Navy’s masterplan were classified; sections of the 2017 procurement plan are indicative of priority areas for R&D. While the 2009 US DoD roadmap for unmanned systems only alluded to the ability to operate in cyberspace (“future unmanned systems will require the ability to communicate through any and all means possible”), by 2011, the updated roadmap (2011-2036) looked distinctly different. Containing detailed references and laid out in a cross-domain ‘systems-ready’ structure, this was a document reflecting an active sphere of rapid development in military technology. ‘Cyber’ was still missing, but appeared by implication in sections on geopolitical concerns: section dealt with encryption and the provision “for secure classified information sharing with coalition and friendly forces.” Two case-studies (section 2.3) described hypothetical scenarios taking place in 2030, where UUVs work with many other forms of unmanned craft and conventional war-fighting equipment and techniques to neutralize threats and respond to a natural disaster. In the 2013-2038 version, cyberspace appears in the opening paragraphs. Section 4 deals extensively with secure communications, calling for “a platform-agnostic, sensor-specific approach to address program protection across multiple systems and platforms […] ensuring protection of not only the technology on which the sensors are based, but also the intelligence information collected by these sensors.” Again, a future scenario (this time in 2020) illustrates how UUVs work alongside conventional techniques in a search for WMD.

Scenarios where UUVs could be employed defensively and/or offensively are not hard to visualize. Situations where non-military UUVs pose a real threat to physical and/or information infrastructures are not discussed in the US roadmaps, but are equally easy to imagine.

Antwerp 2.0

In 2011, an attack on the Port of Antwerp remained undetected for two years, during which hackers profiled port infrastructure security vulnerabilities and assisted a criminal gang in locating containers carrying hidden consignments of drugs. Consider a similar attack launched using today’s UUV technology. In the very busy sea lanes around a giant port like Rotterdam (where vessels must comply with ISPS), Houston (where security is administered and enforced by the USCG and DHS, under 33 CFR 105) or in fast-growing ports like China’s Ningbo, a few UUVs each measuring less than a foot would be a useful asset for any well-resourced criminal gang. Posing as a Harbor Security Vehicle, perhaps, or a hull inspector, a single UUV equipped with sensors that can ‘read’ the proprietary communications protocols of other unmanned vessels in the area could, over time, build a profile of the localized attack surface. A gang could combine these insights with data on vessel movements, and wait until the arrival of an LNS tanker to hold the entire port ransom with the threat of an underwater mine.

Trojan Seahorse

In 2016, China’s navy lifted a US-owned research drone out of the water, west of the Philippines. The drone was later returned, but not before a diplomatic row between China and the US about the legal basis for the seizure. Let’s imagine a similar future scenario with three Norwegian-designed UUVs, manufactured by a Chinese subsidiary, operating from a deep-water rig that’s registered in Shanghai and parked off the coast of South Korea (where the are about to start enforcing a maritime version of their Air Defense Identification Zone). The UUVs are part of a large equipment inventory that has not recently been upgraded during a change in company ownership. One UUV ‘goes missing’ from the rig and reappears four weeks later – in the vicinity of Ieodo, a submerged islet claimed by multiple nations. The errant UUV is retrieved by South Korea’s Navy and returned to the company in Shanghai, where the new owner later discovers a breach of his networks – but not before the bug has propagated through the company’s inventory of nearby vessels. The company accuses South Korea, who in return blames the Chinese manufacturer.

Res Ipsa Loquitur

This article does not claim that either of the scenarios described are currently technically feasible: only that resolving multi-party responsibility in multi-jurisdictional spaces poses a vexing problem for security agencies, insurers and litigators. UUVs and their data are expanding the security perimeter of companies’ maritime operations, just as tablets and smartphones are augmenting the task of threat detection for IS officers on land. In each of these scenarios, what should be the role of the world’s navies in responding to cyber security incidents that involve commercial firms? Who is liable for the insurance of UUVs implicated in such incidents?

Events of 2016 showed that cybersecurity is firmly on the radar of the world’s navies and international shipping organizations, yet the legal basis on which navigation rights are agreed and data exchanged is increasingly challenged. We have seen how island-building in the South China Sea is changing the configuration of sea-power – whatever states’ differing opinions on the validity of legal jurisdiction may be. The decision, say, that UUVs operating off a vessel are subject to the same flag state responsibilities as the vessel (consider fishing vessels as a proxy for this problematic arrangement), may no longer hold good in a world where the laws and boundaries of the sea are openly contested. What, then, can be done? On the seas, as on land, companies can improve their cyber resilience and audit their risk profile, a legacy of the attack on Antwerp (and similar incidents) is an example of that, and while actual insurance policies are a work in progress, maritime insurance firms are now seriously considering cyber risk. Mitigating threats ahead of time ought to be achievable if special attention is given now to designing flexible and secure communications.

The deeper questions about the implications of utilizing UUVs in military operations, when decisions must be made very quickly, sometimes on less-than-perfect information, place new burdens on the Law of Armed Conflict. Technology is reconfiguring geography: in a multidimensional world, maybe our two-dimensional legal frameworks need an upgrade.

“Barring deviant behavior, on behalf of either the computer programmer or operator, it can be assumed that the vehicle will generally act within the permitted legal framework” (Colonel Darren Stewart, International Law Studies

At the edge of the map

Technology development ought to evolve lockstep with accountability. But the defense innovation ecosystem is global and the paradox of digital innovation in the military domain (as in other sectors increasingly reliant on digital) is that with enhanced capabilities come greater vulnerabilities. These issues were considered at the US Naval Sea Systems Command event on cybersecurity in October 2015, while at the 5th Annual DoD Unmanned Systems Summit in early March 2017, experts reviewed the challenges and requirements for interoperability. The DHS cybersecurity Transition to Practice report for 2017 is mute on maritime, but it’s easy to see how some of the new cyber technologies could have a role. At the AUVSI event in late October 2016, the buzzword was ‘swarming’: lots of new technologies for lots of complex scenarios – on missions enabled (and exacerbated) by cyberspace. The DoD budget for underwater drones in FY2017 is at least $360m. As Jacquelyn Schneider observes, nation states must now navigate a course toward improved capability while minimizing vulnerability, becoming ‘digitally-enabled’ (as in Japan and South Korea) rather than digitally-dependent. A new US roadmap is due any day now. Underwater, as on land, digital is here to stay and with legislation on commercial accountability in cyberspace likely in 2017, ‘digitally-enabled’ may soon need to include digitally-accountable.

Sally Daultrey

Sally Daultrey is an OpsLens contributor and Geopolitical analyst based in London, UK. The views expressed are the author’s own and do not necessarily represent those of any client or associate.

Join the conversation!

We have no tolerance for comments containing violence, racism, vulgarity, profanity, all caps, or discourteous behavior. Thank you for partnering with us to maintain a courteous and useful public environment where we can engage in reasonable discourse.