“Recalculating Route”: A Realistic Risk Assessment for GPS

March 11, 2019

Never let a crisis go to waste.” Crisis drives change; there is nothing quite like impending calamity to create a sense of urgency. But to compel change, the argument that the crisis exists in the first place needs to be logical and correct.

Several recent articles have predicted calamity in the future relevance of space systems like the Global Positioning System (GPS). This growing trend includes articles with ominous headlines including, “Spoof, Jam, Destroy: Why We Need a Backup for GPS,” “The GPS Wars Are Here,” and “The Death of Precision in Warfare.” Each of these articles highlights vulnerabilities of GPS without offering realistic context or caveat to properly scope or provide scale to the actual threat. In fact, while friction exists in any endeavor of warfare, GPS remains resilient in the face of vulnerabilities, and — outside of the most total of wars — will remain so.

GPS skeptics sometimes mistakenly conflate technology that is GPS-aided and that which is GPS-dependent. Moreover, by failing to appropriately caveat their claims, these articles suggest GPS’s vulnerabilities to jamming, spoofing, widespread disruption, and even destruction are unlimited. These articles also make little or no distinction between vulnerabilities of civilian systems and military systems, often concluding GPS should be replaced outright with a supposedly more resilient but unexplained substitute that would suffer from the same nuisances. A more realistic characterization should clarify just how vastly different the risks are between civilian and military GPS use and take more seriously the numerous unmentioned advantages in retaining GPS.

We spent nearly a decade as U.S. Air Force weapons officers and have instructed, developed tests, tactics, and realistic exercises and informed the technical designs of future planning tools and weapon systems. The analyses offered by skeptics breaks drastically from our technical understanding and experience in examining threats against GPS. We seek to buck the trend of overwhelming presumption of danger to GPS and other space capabilities that overstates vulnerability while treating the technical challenge of threats too vaguely. We also reject the conclusion that GPS is too fragile to be reliable in warfare regardless of its scale or scope. Rather than sweeping claims of impending disaster, in this article we assert a more measured understanding of GPS’s vulnerabilities for civilian and military users, and a more reasonable expectation for how both sets of users can respond to denial attempts and disruption. After that, we proceed to the broader geopolitical relevance of GPS, responding to suggestions of these systems’ vulnerability to widespread kinetic and cyber attack by emphasizing just how important the system is to vital national interests. Finally, we consider whether deterrence safeguards GPS capabilities against extensive disruption or even complete destruction.

GPS Jamming for Civilians: Less Danger Than Meets the Eye

First, consider the threat of jamming to the civilian sector. Jamming in the civilian context refers to the unlawful blocking of the GPS signal with noise. Many legacy civilian systems rely on a single signal, which makes jamming relatively easy. While this danger is receding given the growing variety of GPS-like options to civilian users, this vulnerability is most concerning when GPS jammers have wandered too close to airports and ports, creating a minor yet immediate safety concern. Jamming is indeed worrisome in these sorts of local incidents, but assessments of the threat to airline or maritime receivers should take into account how GPS works within a broader context of complementary navigational capabilities and stringent redundancy rules. There are a multitude of other factors to consider as well, including the physical location of both jammer and receiver, and what happens after jamming occurs.

For those who use handheld devices to navigate, many civilian receivers, including recent iPhone and Garmin models, may redundantly use signals provided by America’s GPS, Europe’s Galileo, and Russia’s GLONASS if any one frequency is jammed. International Maritime Organization rules make this same form of redundancy mandatory in 2020 for sea traffic. This means any meaningful denial effort would require the sophisticated jamming of all the differentiated signals of GPS, Galileo, and GLONASS simultaneously. Of course, rarely are readers told there is always the option of simply asking for directions.

Federal Aviation Administration regulations require air carriers navigating by GPS to be able to safely identify a disruption or failure of GPS and proceed to their destination — including via international routes — using secondary navigation capabilities. Similar standards are agreed upon by the International Civil Aviation Organization as well as the International Maritime Organization rules for sea traffic.

To sum up the danger of GPS jamming to the civilian sector: The nuisance is local and temporary, and if users rely on it within the limits of rules and regulations, there is little threat to public safety as these threats can be detected, located, and prosecuted. The suggestion that jamming might cause “society to grind to a halt,” or function so poorly as to create widespread weakening of a whole country vastly overstates the vulnerability. Civilian GPS use relies on human agency, natural resiliency, and failure modes with sufficient redundancy.

GPS Jamming and Military Operations: Even Less to Fear

Military GPS is much more resilient than its civilian analog. Military GPS signals are multiple, spread across a wider segment of the electromagnetic spectrum than civilian signals, making it harder to disrupt their reception. Arguments about the technological fragility of GPS usage often make incorrect assumptions about civilian vulnerability which creates confusion about how the military system performs under realistic stress and human tactical response. Blanket statements like “there’s no precision in jamming; block one, block all” are untrue. Just as with civilian GPS, military systems have a complement of capabilities that enable redundancy and resiliency. For example, the U.S. Air Force has demonstrated several alternative means of extending GPS use to frustrate denial attempts. Western forces also have a more than adequate ability to apply basic tactics to retain the advantage of GPS even if the system is partially disrupted. Under the leadership of U.S. Strategic Command’s Joint Navigation Warfare Center, the U.S. military and its allies have tested its technology to the breaking point regularly since at least the first “Jamfest” in 2004. Beyond testing, U.S. forces exercise against realistic jamming applied by thinking “red forces” putting their tactics to the test to preclude a “Day Without Space.” Any suggestion that the U.S. military has an underdeveloped understanding of navigation and GPS-aided weaponry is misleading.

Furthermore, many military receivers today use decades-old electronic protection features and designs that reduce vulnerability to jammers. Beyond these basic technical capabilities, tactics further extend resiliency, especially on land where natural terrain variation provides a barrier against jamming. This is as simple as it sounds: Even without proven and accessible mitigation technology, placing your receiver behind the crest of a hill, or even in a hole, out of the line of sight of the jammer, might be enough to determine one’s position in a denial environment. Additionally, the newest military receivers built after 2017 are enabled to use yet another encrypted broadband signal transmitted with even higher strength. This new signal is designed especially for reception in the face of more complex adversary GPS denial attempts and provides additional redundancy — meaning the enemy has to be even more sophisticated to achieve a similar level of disruption. Even now, jamming U.S. military systems is not only technically difficult but, if attempted on a modern battlefield, is extremely conspicuous and dangerous. As has been known since the Fulda Gap scenarios of the Cold War, high-powered jammers make for a more easily identifiable and inviting target.

To be clear, using GPS on the future battlefield will not be without its difficulties. GPS certainly can’t solve all position, navigation, and timing needs like some “easy button.” But Western militaries are no longer using GPS naively, making the situation far different from the unconditional warning some have issued. Instead, users are in for more of the same: A modicum of tactics has always been necessary to appropriately take advantage of GPS. The tactics that preserve and extend the utility of GPS are nothing onerous for professional forces if they continue to train against realistic threats.

Jamming as an interference method might degrade military GPS systems, but it is unlikely to deny them completely. This key distinction between nuisance and unconditional vulnerability leads many astray. It is misleading to suggest that “Ground-based receivers can be jammed using commercially available equipment, leaving satellite receivers unable to access satellite signals for as long as the jammer is deployed,” without making any distinction between civilian or military capabilities nor providing caveats about the impact of such jamming. Arguing about the impact on U.S. military capabilities using civilian examples leads to a misunderstanding of the problem’s scope.

GPS Spoofing and Civilian Society: Numerous Safeguards

Beyond jamming, GPS spoofing has garnered more mainstream concern in the civilian sector. Spoofing aims to trick a receiver into thinking the transmitter is a satellite in order to spoil the GPS’s position calculations. The most advanced form of spoofing was demonstrated under some very specific and controlled conditions to adjust the perceived position of a well-understood receiver in a perfectly understood guidance system. Such assumptions in the real world are unrealistic — yet the presumption of ease abounds. There are reports of spoofing from incidents in the Black Sea, an academic study using a civilian yacht amongst others by the University of Texas, and an outlandish claim by Iran regarding a crash-landed RQ-170.

These examples also lead to a mistaken assumption regarding the vulnerability of GPS. Just as with jamming, the problem of spoofing for civilian use of GPS can be solved by relying on redundancy in systems. Many receivers already do so. One shouldn’t dismiss spoofing altogether, but neither should we abide exaggeration.

For civilians, spoofing is a risk in instances where GPS is used inappropriately as a sole means of navigation or a naive source of timing. How humans use GPS — if incorrect, inappropriate, or beyond its intended use — isn’t a fault of the technology. The civilian signal’s vulnerability to spoofing is the second-order effect of an original design feature of GPS that makes the signal available for a wider array of commercial purposes. This is because the signal was always intended to be publicly available to serve a role in numerous fields, especially in analysis that enables greater accuracy in surveying for architecture design, infrastructure development, municipal planning, transportation, and agriculture.

That said, how can civilians guard against spoofing? First, as stated above, GPS should not be used naively as a single source if human life or tremendous wealth is at stake. Moreover, at least in Western air travel, proper usage is mandated by regulation and verified by checks. Other sectors, like banking, electrical grid infrastructure, agriculture, cellular networks, logistics carriers, and self-driving automobiles could do the same if directed.

Second, there are reasonable technical solutions available to critical civilian sectors that should at least indicate when spoofing is occurring and help warn of potential disaster. Commercially available solutions run the gamut from verification algorithms that ensure a signal is coming from the correct position, to powerlevel monitoring and comparison that asks whether the signal has all the appropriate characteristics of one transmitted from medium Earth orbit, to consistency checks against backup timing sources. One indirect solution already in commercial use is wide area augmentation. Many major transregional airlines use augmentation that indirectly reduces the risk of spoofing by providing another way to monitor GPS reception and health. There are also regional and local analogs that provide additional redundancy, and a secure military equivalent. The most reliable source of spoof-proofing is user consistency checks with other sources of navigation and timing — the crucial human element of appropriate technology usage is all too often overlooked.

GPS Spoofing and Military Operations: Trust the Process

On the military side, it is unlikely that military-grade receivers with properly loaded cryptographic keys can be spoofed. First, if GPS keys are diligently loaded, the threat of spoofing is prevented. Loading GPS keys is the quintessential tactic — skipping this basic step is detrimental. This is a leadership issue in the main, but also requires opportunities for instruction and realistic training. Second, GPS cryptographic keys in good practice change periodically, so even if a military receiver is spoofed, it will likely soon be undone. Third, and most importantly, if National Security Agency cryptographic codes are broken at will, the possibility of spoofing is the least of the warfighter’s worries. The sophistication necessary to spoof military forces who are well-led and trained in tactics related to the use of GPS in contested environments is tremendous. Like with jamming, most GPS-skeptical analyses make no distinction between civilian and military capabilities in the face of spoofing. Any characterization that spoofing could fool crypto-enabled military systems into mistaking their “true position, and/or weapon systems either striking the wrong target or missing a target altogether” vastly underestimates longstanding procedure that mitigates the danger of spoofing.

Worst Case Scenarios: Broad Disruption of GPS via Kinetic or Cyber Attack

Now consider the possibility of even worse disruption to GPS than mere spoofing or jamming. One GPS skeptic suggests, “The 24 [sic] satellites that keep GPS services running in the US aren’t especially secure; they’re vulnerable to screw-ups, or attacks of the cyber or corporeal kind.” The idea here is that while jamming or spoofing cannot obtain widespread effect, theoretical attacks against the ground control system, the software, or even the satellites could still have a disastrous global impact. While these threats are worthy of consideration, they are less plausible than assumed.

How would a widespread attack against military GPS systems play out? To completely deny GPS, an attacker would be forced to physically attack its critical command and control nodes or render inoperable most of the satellites. Such suggestions of widespread destruction or disruption almost always misrepresent the reality of how GPS functions as a system. Given the semi-autonomous nature of GPS and its gradual failure design feature, the effects of any ground site attack would be realized only after a protracted lapse of time. Given the location of GPS satellites in medium Earth orbit and the realities of accumulated physical attack on individual satellites, any kinetic attack against the system as a whole would likely evolve over a multi-day period. An adversary could launch several co-orbital systems to disrupt or destroy the constellation of GPS satellites, but this would either require numerous launches or conspicuous orbital transfers and would likely be detected given the extent of space situational awareness available to all the major world powers.

Cyber risks to the control of GPS are clearly on the minds of U.S. defense officials and have resulted in the enactment of stringent protections. Here again, however, GPS skeptics overstate the scope of the threat. This concern may be, in part, the result of popular plot presumptions more akin to a novelized portrayal of the next world war than to real-world threats. Against the threat of cyber attack, a defender has the option to harden systems against access or use the system in a manner mitigating the threat. Regarding GPS, the U.S. military has opted to do both. While imprudent to claim a 100-percent secure system, the Department of Defense is working to make GPS as hardened a target as possible.

Cyber attacks seeking to control the satellites themselves would require individually updating each of the satellites within the constellation with malicious code. Any upload to the whole system would take significant time, at least tens of hours, due to how contact is made with each satellite in their medium Earth orbits. In the meantime, the overwhelming scrutiny the GPS signal is under from U.S. military and civil monitoring stations, as well as from commercial augmentation services, surveyors, academic institutions, and others, could note any degradation or oddity in near real-time long before any aggressor attack could create widespread impact. And when a cyber attack is noted on one satellite, the control center stops subsequent contacts with other GPS satellites — precluding the spread of malicious code through the system. Realistically, because of the orbits of the GPS satellites and practical process, any disruption via this tactic would be obvious after the first few uploads and likely thwarted far before culmination.

Our point is not to suggest a widespread attack on all 31 satellites in the GPS constellation is impossible. If a satellite can be put into orbit an anti-satellite weapon can reach it. If cyber controls GPS satellites then vulnerabilities must exist. Instead, the question is how to exploit these at such a scale, with such surprise, to obtain a widespread result without time to respond. Complete denial of GPS — via kinetic or cyber attack — while maybe technically possible, is implausible as it would connote an enormous, perhaps even apocalyptic, escalation. Instead of assuming complete denial of GPS, we recommend — and have taught — Western forces to learn necessary variety in tactics that allows for overmatch when GPS is available and how to retain an advantage should adversaries degrade it. Additionally, the Department of Defense has undertaken and considered an expansion of its complement of proficiencies with GPS as a core capability; such redundancy is far preferable to supplanting GPS with a replacement that would still be subject to most of the nuisances noted in the aforementioned articles.

Finally, it is important to examine two other factors: escalation control and unintended collateral damage to vital interests. Again, to be clear, temporary nuisances are not a vital threat and the distinction between jamming or spoofing and widespread destruction of GPS is crucial. But what would happen to society if a frustrated adversary chose, despite the difficulty, widespread destruction of the GPS constellation? The positional and timing aspects of the system play an important role in 14 of the 16 sectors classified as critical infrastructure according to the U.S. Department of Homeland Security. One assessment states the “[t]otal economic impact of GPS is virtually the size of the whole [U.S.] economy.” Another report suggests the global economic impact of GPS is over $2 trillion dollars per year and growing, with most of that benefiting the West. This is why other major and regional powers are seeking GPS-like parity with indigenous systems (which share the same vulnerabilities as GPS). Because GPS has such a far-ranging impact on society, any total countervalue attack creating a lasting effect on the system would likely be seen as a vital threat to Western society.

Such a concern crosses the boundary into subjective considerations of conflict escalation. While banking delays, glitches in some power grids, and other awful outcomes might occur from complete denial of GPS, there is no guarantee it would wreck civilization. But any major power sophisticated enough to accomplish a widespread counter-GPS operation cannot be certain precisely how it would unfold. There will be many knock-on effects outside the scope of military conflict. Here arise concerns of escalation and geopolitical risk, especially as potential adversaries open themselves to similar risks to their own versions of GPS. Just as the major powers are constrained in using nuclear weapons for limited means, any widespread attack against GPS would be viewed as disproportionate. The signal in escalation would not only occur slowly as noted but also directly against vital interests. The United States would, at the least, respond in kind. Taking all of this into consideration, it is reasonable to believe GPS is protected against widespread attack under the same aegis of deterrence protecting other vital interests: the possibility of nuclear escalation.

Conclusion

While the potential for disruption of the dual-use GPS system continues to be a nuisance to both civilian life and military operations, an assessment of the facts and contexts shows the end is not actually so near for GPS. The system is more resilient than pessimists allow, and replacing a proven investment with thin promises of alternative resilience is bad advice. Further, nuisance and vulnerability are not the same thing. Finally, this article has explored what could happen if GPS’s widespread disruption or destruction is followed to a logical conclusion. A day without GPS, while perhaps possible, is implausible given how reliably well the system performs even under stress and how widespread destruction would be an escalation toward the extreme against a vital interest — an interest which all the major powers now share given their own equivalently vulnerable systems. Ultimately, a day without GPS is unlikely not because of the technology, but because of the human capacity to overcome nuisance in daily life and fight back using clever tactics.

 

 

Brandon Davenport is a U.S. Air Force officer, strategist, graduate of the space squadron of the U.S. Air Force Weapons School, and a graduate of the U.S. Air Force School of Advanced Air and Space Studies. As a space weapons officer, he has taught and developed GPS tactics for joint warfighters both in the Central Command area of operations and for Air Combat Command as an instructor at U.S. Air Force Weapons School. Brandon is an editorial alumnus of the Over The Horizon journal.

Rich Ganske is a U.S. Air Force officer, Ph.D. candidate, graduate of the B-2 squadron of the U.S. Air Force Weapons School, and a graduate of the U.S. Air Force School of Advanced Air and Space Studies. As a weapons officer, he led the development of tactics used by combat-ready aircrew and targeting professionals as a result of the experience of numerous GPS-denial exercises, tests, and experiments. Rich is also a member of the editorial board at The Strategy Bridge.

The views expressed are those of the authors and do not reflect the official policy or position of the U.S. Air Force, the Department of Defense, or the U.S. government.

Image: U.S. Air Force photo by Lt. Col. Erin Gulden