This is probably considered to be “old news” by many, but I’m high-latency in my news at the moment.
Much was made of the fact that the US Military’s enemies are now eavesdropping on the video feeds from US Drones on the battlefield using cheaply available commercial technology. But it’s OK, because according to the Military, there was a Good Reason why it wasn’t encrypted:
The reason the U.S. military didn’t encrypt video streams from drone aircraft flying over war zones is that soldiers without security clearances needed access to the video, and if it were encrypted, anyone using it would require security clearance, a military security expert says.
I can only hope that this is not really what passes for logic among the security decision-makers in the U.S. Military and their contractors. There is additional information in the article which tells us that they at least performed a risk assessment, but the assessment seems to have been flawed.
It’s always easy to second-guess decisions in hindsight, but if the rationale given is even minimally truthful, then what they have essentially said is, The video feed was not encrypted because the policies which would have then applied would have been too onerous.
That’s not to say that my summary of the rationale is not sound in certain cases–after all, the processes necessary to comply are part of the cost of a countermeasure. But in this case, the policy was clearly flawed Who wants to bet that the same un-cleared soldiers never have access to encrypted radio links, or that they use military Web sites encrypted with SSL?
Access to (shared or symetrical) encryption keys probably does (and probably should) require a clearance, but claiming that requirement would extend to utilizing the encrypted link as rationalization for not doing so strikes me as a bit absurd.
Similarly, this justification:
…the video information loses its value so rapidly that the military may have decided it wasn’t worth the effort to encrypt it. “Even if it were a feed off a drone with attack capabilities, and even if the bad guys saw that the drone was flying over where they were at that moment, they wouldn’t have the chance to respond before the missile was fired,”
also fails to pass muster.
A key element of insurgency and counter-insurgency is the hide-and-seek aspect of it. The initial value of drones was their ability to monitor large areas in real time and loiter on-scene for much longer (and more cheaply) than conventional aircraft. As a result, drones are a huge force multiplier for the US and its allies in counter-insurgency operations. If the insurgents are able to determine where the US forces are looking for them, that is extremely valuable intelligence to the insurgents, since they can then identify which logistical routes or encampments are potentially compromised and re-route forces accordingly.
Using drones as a delivery platform for munitions, on the other hand, is relatively rare and was not, in fact, even in-scope for the drones when initially deployed.
As a general rule, justifications for risk acceptance based on exceptional cases should be taken as evidence that the decision was bad. This is not an exception to that rule.