The Washington Free Beacon, an online newspaper covering government and politics, published a story on a Navy Inspector General report on Monday, and I’m not sure which is worse: the cyber vulnerability in a piece of mobile mapping software developed by the Naval Air Weapons Station China Lake, the retaliation of supervisors there against an employee who discovered the vulnerability, or the blatant acronym abuse necessary to name a mobile app KILSWITCH.
For the record, KILSWITCH is short for the tortured “Kinetic Integrated Low-cost Software Integrated Tactical Combat Handheld.” I swear if I ever meet the soulless minion who came up with that name just so he could name an app after his favorite metalcore band, I’ll punch him square in the mouth.
What is KILSWITCH?
KILSWITCH is a good idea with a bad name… and a security problem. It provides Marines with digital maps and satellite images on a handheld device without connecting to a mapping server. A 2015 Engadget article claimed the app allows Joint Terminal Attack Controllers—the men who guide fighter jets to ground targets in support of troops in contact—to call the aircraft in four minutes, versus the 30 minutes that using a map and a radio would require.
(On a personal note, all good soldiers mock the Air Force, but love JTACs. No one ever said anything more comforting to me during my two tours in Afghanistan than the JTAC who came down off the roof of a building to announce that “Bone 21 is on-station with eight JDAMs aboard.” Translation: “a B-1 bomber was nearby and prepared to drop as many as eight 500-pound GPS-guided bombs wherever we needed it to put them.”)
Here’s where KILSWITCH went off the map
Had the KILSWITCH software stayed confined to government-owned Android devices that do not connect to cellular or civilian WiFi networks, perhaps things would have been okay. But the app was available through the National Geospatial-Intelligence Agency’s “GEOINT App Store.”
This meant that Marines (and service members from other services, no doubt) were downloading the app to their personal phones as a convenient way to use it. After all, in this connected age, no Soldier or Marine goes to the field without his or her personal electronic device (or devices). It’s so pervasive that I’ve heard soldiers joke about it in their PACE plans.
PACE stands for primary, alternate, contingency, and emergency means of communication. A typical PACE plan for an Army unit would be, “P: encrypted FM radio; A: encrypted satellite radio; C: satellite telephone; E: courier.” Some have said a modern, realistic PACE plan would be more like, “P: text message; A: WhatsApp; C: Facebook Messenger; E: cellphone call.” It’s poor training and a bad habit to develop, but it is the reality we face today.
Although the app appears not to be available any longer, it apparently enjoyed widespread distribution until recently. After all, it did what it was supposed to do. And that popularity and utility are likely the reason for the whistleblower retaliation.
Retaliating against the whistleblower
In the civilian world, Anthony Kim is a program analyst at China Lake’s Weapons Division, the office that developed the app. In the military, he’s an air liaison officer and JTAC in the Washington Air National Guard. He previously served for 26 combined years in the Navy as a JTAC and pilot.
When he alerted his supervisors at China Lake that the KILSWITCH app and its companion, the Android Precision Assault Strike Suite (APASS), had a cyber vulnerability, they reduced his pay. He then alerted “senior officials” in the Pentagon, and ultimately the Office of Special Counsel, which referred the case to the Navy IG. When the IG agreed that Kim’s assessment was correct, he lost his security clearance.
Clearly, his truthful reporting bothered the people who were basking in the light of the app’s apparent success.
Kim is represented by my fellow ClearanceJobs contributor, security clearance attorney Sean Bigley. Like another of Sean’s clients I have written about, Office of Net Assessment employee Adam Lovinger, Kim blew the whistle by-the-book, yet still faced consequences at his job. This practice must end.
I’m not sure what perverse incentive the bosses at China Lake had for keeping a security vulnerability under wraps and punishing the person who was trying to get it fixed, but that kind of incentive, and the behavior it promotes, must stop. Cybersecurity, indeed good government overall, requires honest assessment of faults and weaknesses in order to fix them and prevent serious damage.
By (metaphorically) shooting the messenger, we’re choosing to overlook vulnerabilities that, rather than serve deployed forces, expose them to greater risk. Navy leadership handing out some severe punishments for the responsible parties at China Lake would send exactly the right message.
You’ll pardon me for not holding my breath, though.