A Navy inspector general report has concluded that a series of popular software applications used on Android tablets, which help Marines and Navy personnel coordinate precision air power and maintain battlefield situational awareness, had significant cyber vulnerabilities.
The software, known as Kilswitch and APASS, was developed by the Naval Air Warfare Center Weapons Division, Digital Precision Strike Suite, for use on small tactical handheld Android tablets.
Those tablets and software are in the hands of thousands of Marines and other service members, some of whom have been using them in real-world operations.
The vulnerable software potentially puts Marines and sailors at substantial risk from hackers and sophisticated near-peer rivals like Russia, who could hack the devices in an effort to glean sensitive battlefield information or location data.
A letter to President Donald Trump from the U.S. Office of Special Counsel following the investigation noted that the complex process by which military software is evaluated had been “totally circumvented.”
“The blatant disregard for procedure endangered the lives of military personnel,” the letter stated.
However, the inspector general’s report stated the cyber vulnerabilities could be mitigated if Marines and sailors used the software as originally stipulated in the services’ issued authorizations to operate, or ATOs.
Those ATOs approved the use of Kilswitch and APASS only on government authorized devices and tablets.
The IG report noted that a number of Marines downloaded the software, which was available on internal unit websites, onto personal tablets and devices that may not provide adequate security protections.
“The internal marketing of the software contributed to its widespread use,” the special counsel’s letter reads.
The software and tablets have been popular with Marines.
During an experimental urban exercise in March 2018, held aboard Camp Pendleton, California, Capt. Benjamin Brewster, an infantry company commander, said the tablet “gives me the ability to identify the things I think are important on a map. It’s battle tracking we’ve never had before.”
The IG report further stated that “cybersecurity was not a concern for the developers because they expected that the software would be used only for its intended purpose, and would not be used widely in operations.”
Following the IG report, the Navy directed the Marine commandant and chief of naval operations to ensure the software was being used appropriately in accordance with the ATOs.
“Despite these corrective actions, significant concerns remain relating to the extensive and apparently unregulated distribution of the software,” the special counsel said in its letter.
In a statement to Marine Corps Times, the Navy says it “has taken appropriate measures to address identified issues to ensure the continued safety and effectiveness of our Sailors and Marines.”
An investigation into the cyber vulnerabilities was launched following comments from a whistleblower who was a program analyst and qualified Joint Terminal Attack Controller working at NAWCWD.
He further accused the Navy weapons center of corruption in a letter to the president.
“Mr. President, I understand you want to ‘Drain the Swamp’ in D.C. However, I respectfully request that you start to ‘Pump Out the Sewer’ that is the DoD Acquisition corruption at Naval Air Warfare Weapons Division, China Lake, CA and NAVAIR [naval air] Headquarters at Patuxent River, MD,” the whistleblower’s letter reads.
The whistleblower claimed in the letter that the main cause of the release of the vulnerable software was “corruption throughout NAWCWD leadership as well as NAVAIR [naval air] senior officers who used this software as a platform for political and financial (Navy Working Capital Fund) gains.”
The cyber vulnerabilities could prove to be a major threat to the Corps, especially for those who may be using the software on unauthorized devices.
The Wall Street Journal reported that Russia was actively hacking the smartphones of NATO service members to gain operational information.
And in 2016, CBS reported that Russia was able to hack a phone app developed by a Ukrainian artillery officer to improve his unit's shooting performance. That hacking proved lethal as malware turned the app into a beacon, allowing the hackers to locate the Ukrainian military positions.