Most of the press coverage of the Lawfare Drone Smackdown has focused, understandably enough, on the FAA’s intervention in the event. In this post, however, I want to focus on some of the lessons of the event itself. The Smackdown was a game, not an attempt at a realistic simulation—a kind of a spoof, in some ways. But it ends up, in a parable-like fashion, representing and distilling real issues pointedly. In this post, which will be my last substantive post on the Smackdown, I want to highlight three such lessons. All of them are teased in earlier posts, particularly in this lengthy one laying out our battle strategy and tactics. I bring them out here for those readers who did not slog through all of the technical details.
Lesson #1: The Robots Are Coming
We live in the dawn of an age of consumer robotics. Think it of as roughly what the late 1970s were to home computing. For a few hundred bucks, hobbyists can put together robots that do all kinds of things. At this stage, they are still mostly at the level of cool gadgets, not anything really useful. But just as the hobbyist computer evolved quickly into a global networked IT infrastructure, the robots will get more powerful, smaller, and ever-more remotely operable for new applications we have not even dreamt of yet. And just as computers gave bad guys a new platform on which to operate, robots will extend people’s reach too. And just as our dependence on global information technology gave rise to security issues and vulnerabilities, our coming dependence on robots will create new vulnerabilities as well. The first lesson of the Smackdown, quite simply, is the mere fact that a group of completely untrained, tech neophytes could use off-the-shelf technology for under $500 each to create a flying robot war. Yes, it was a pretty unsophisticated flying robot war, but still. The robots are getting incredibly sophisticated. Yesterday, I posted a new video of cooperating quadrocopters throwing and catching a golf ball—and using an iterative learning algorithm to improve their performance over time. The youngest participants in the Smackdown ranged in age from 11 to 16. Ask yourself what an 11-year-old trained in robotics will be able to do—and afford—tomorrow.
We tend to think about drones in the context of overseas conflict. That’s certainly how I got interested in them. But the real issue—at least in the long run—will not be what the CIA can do with robotics. It will be what you can do with robotics.
Lesson #2: Don’t Forget Cybersecurity—Ever
Attacking Parrot drones with computers is a little like shooting fish in a barrel. The platform is completely unprotected—designed, in fact, to be as open and accessible as possible. So the fact that an 11-year-old can simply log into the onboard computer and shut it down, in and of itself, tells us relatively little. The fact that the security of the onboard computers didn’t figure into any of our competitors’ planning, by contrast, says a lot. It’s the same myopia about cybersecurity that leads smart, capable people to use weak passwords—or the same password for all of their accounts. It’s a sense that the offensive side must be pretty hard, and thus, that it won’t happen to me. The offensive side is, in truth, not hard at all. Two of our attacks—the only two we actually used—were trivial to develop. The third was a little more complicated but ultimately executable by an 11-year-old. By contrast, securing our drone against similar attacks was much harder and we ultimately could not do it completely. That is an elegant microcosm of the problem.
The simple truth is that if you are relying on networked computer technology for anything, you have to think about the security of that architecture. Period.
I have given a lot of thought to Paul’s post-Smackdown point that he should have adopted a declaratory policy of using an electromagnet to disable hostile computer equipment. It’s an elegant solution, but after consulting with the 14-year-old accomplice, I’m pretty confident that it wouldn’t have worked. The 14-year-old accomplice responded to the idea almost at once by pointing out, “I could just walk away.” What’s more the Android device she was using was so small and unobtrusive that she could have easily deployed her attack by stealth—standing in a crowd of spectators unnoticed, say. In other words, to the extent someone used such a declaratory policy as a countermeasure, it would encourage deniability and thus raise the attribution problem with respect to any attack that took place. Even the 11-year-old accomplice could have been much more stealthy than he was—simply running on a computer left on its own a program automating all the attacks he, in fact, conducted manually. We, in the spirit of friendly competition, proudly acknowledged our cyber attacks. But we didn’t have to.
At the end of the day, there is no substitute for good defense—and cyber offense (in real life, as in the Smackdown) is fast outpacing defense.
Lesson #3: Don’t Be Naive About International Cyber Agreements
One of the interesting things about the Smackdown was the degree to which the participants negotiated the rules in advance—knowing, as they did so, what sort of systems they planned to use. This process (very) crudely models negotiations over the Law of Armed Conflict, where countries approach negotiations very aware of the weapons systems and military strategies they mean to employ. I was struck in engaging these discussions how completely my strategy in the Smackdown permeated my negotiating position. That is, I was keen to keep cyber on the table as I drafted the rules—all the while without tipping my hand that this was my plan. What’s more, I was also aware that banning cyber in the rules would not actually prevent anyone from using it. If a drone simply declined to take off, who’s to say whether a cyber attack lay behind it or not?
This strikes me as a pretty good metaphor for the international situation today with respect to cyber. The major powers are all vulnerable to cyber attacks from one another. None believes the others will refrain were some agreement to ban cyber attacks. No means of verification exists, in any case. And countries are not willing to give up their own offensive cyber operations either. The result is that there is no prospect for any sort of agreement to eschew cyber warfare or cyber exploitation.
The rules will be written—as in the Smackdown—with a conspicuous silence about cyber attacks.