Hmmm, we can already seize your stuff, so why can't we shoot down your drone, officials mull

We're spying on you all the time, so why cry over a missing quadcopter – Feds

The US government is worried about its capacity for discrimination, at least with respect to drones.

It wants to extend its military's right to seize, surveil, or intercept drones to civilian agencies, the FBI, and criminal prosecutors. Rather than let Uncle Sam's armed forces have all the fun, why not give federal busybodies the right to stop or potentially shoot down flying gizmos.

"One of the biggest challenges for our federal security partners is threat discrimination – knowing who is flying where helps the FAA and our security partners understand what the operator’s intent may be, and is critical to threat assessment and response," explained Angela H. Stubblefield, deputy associate administrator for security and hazardous materials safety at the Federal Aviation Administration in prepared remarks on Wednesday.

Stubblefield delivered her testimony – an abridged version of her published commentary – before the Senate Homeland Security and Governmental Affairs Committee, during a hearing titled "Countering Malicious Drones."

The government gathering served as an opportunity to hear about the need for a recently proposed bill, the Preventing Emerging Threats Act of 2018 (S. 2836), which was co-sponsored by the two US senators running the show, Senator Ron Johnson, (R-WI) and Senator Claire McCaskill, (D-MO).

The bill would empower the Department of Homeland Security and the Department of Justice to surveil and seize drones, a power already accorded to the Department of Defense for national security.

The American Civil Liberties Union opposes the bill on the grounds that it's vaguely worded, lacks accountability provisions, and raises property and privacy rights concerns.

Drones, the coming threat

Drones, or Unmanned Aircraft Systems (UAS) for those who prefer the bureaucratic bowdlerization, represent a vessel for the investment-inspired hopes of entrepreneurs and the budget-buoying fears of law enforcement agencies.

Boosters of the flying machines tout their potential for delivering medicine, products and pizza, surveying, photography, and surveillance. Detractors point to alternative payloads – drugs and explosives – which have already been tried with some success.

Scott Brunner, deputy assistant director of the FBI's Critical Incident Response Group, in his spoken and written testimony warned that terrorists and criminals are already using drones – groups perhaps inspired by the drones used against them.

Swarming bugs

Drone 'swarm' buzzed off FBI surveillance bods, says tech bloke


"Drug traffickers have used UAS to smuggle narcotics across the US southern border, and criminals have used UAS to deliver contraband inside federal and state prisons," he said. "Similar to national security threat actors, criminal actors have utilized UAS for both surveillance and countersurveillance in order to evade or impede law enforcement."

And further malicious activity is anticipated. These threats, he said, could take the form of illicit surveillance, payloads involving chemical, biological or radiological weapons, or kinetic attacks against exposed facilities or events. It was also suggested that drones could assist with man-in-the-middle attacks on WiFi networks.

At the hearing, a video of an ISIS-flown drone dropping a grenade was shown to hammer home the threat.

Brunner said the FBI welcomed the the Preventing Emerging Threats Act of 2018. That's not entirely surprising given that the DHS, FBI and FAA helped develop the language of the bill.

The FAA, Stubblefield, said wants to see drone operators identified, for the sake of public safety.

"Anonymous operations in the National Airspace System are inconsistent with safe and secure integration," she said, adding that the model aircraft exemption makes it nearly impossible for the agency to develop new safety regulations and promotes the misperception among recreational drone users that they're not required to follow basic safety rules.

Bureaucracy steps in

While future rules such as those proposed in S. 2836 have to be hashed out through the legislative process, past rules have allowed the FAA to move forward with technical systems designed to support its regulatory mandate.

Recently, the agency in April began beta testing what it refers to as Low Altitude Authorization and Notification Capability (LAANC), which is intended to allow drone operators to get automated FAA clearance for planned flights while alerting air traffic controllers. It's a part of the planned UAS Traffic Management system, which will allow drones to be operated out of operator line-of-sight – a current requirement.

To further assist in separating the good drones from the bad, the US government is expanding its forensic arsenal.

The National Institute of Standards and Technology (NIST) maintains a library of forensic images of devices like computers and mobile phones known as Computer Forensic Reference Datasets, or CFReDS.

These data dumps are used by investigators and academic researchers as a digital baseline to which other devices can be compared. Recently, drones joined the list of samples.

Last year, under contract from the US Department of Homeland Security, cybersecurity biz VTO Labs began archiving drone image files. The archive currently holds 14 types of drones and that number is expected to reach 30 by December.

According to NIST, the data that can be retrieved from drones includes serial numbers, flight paths, launch and landing locations, photos and videos, and (in one case) credit card numbers. ®

Broader topics

Other stories you might like

  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Oracle sued by one of its own gold-level Partners of the Year over government IT contract
    We want $56 million, systems integrator tells court

    Oracle has been sued by Plexada System Integrators in Nigeria for alleged breach of contract and failure to pay millions of dollars said to be owed for assisting with a Lagos State Government IT contract.

    Plexada is seeking almost $56 million in denied revenue, damages, and legal costs for work that occurred from 2015 through 2020.

    A partner at Plexada, filed a statement with the Lagos State High Court describing the dispute. The document, provided to The Register, accuses Oracle of retaliating against Plexada and trying to ruin the firm's business for seeking to be paid.

    Continue reading
  • OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
    Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

    Updated The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).

    OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).

    But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

    Continue reading

Biting the hand that feeds IT © 1998–2022