Perhaps the most important event you’ve never heard of is scheduled to take place on April 6. That’s when the GPS rollover will occur. Without getting too far into the weeds, the Global Positioning System is one of the few but critical mechanisms that supports the accurate measurement of time—by accurate, we mean down to the nanosecond and beyond. This method involves counting weeks, and, every 19 years the week-counter must be reset to zero. This is what will happen on Saturday.
Why does this matter? Because timing is everything, including in matters of national security. Consider this warning of the European Aviation Safety Agency: “A nanosecond error in GPS time can equate to one foot of position error.” Aviation is just one of many sectors deeply dependent upon accurate time. Other critical infrastructure—including the power grid, financial services and telecommunications—are just as dependent. Catastrophic consequences could ensue without it.
Against this background, the Homeland Security Department has issued guidance on how best to prepare for the upcoming rollover (full disclosure: our Center hosted the rollout of this guidance). Among other things, this advice underscores the importance of resilience for entities that rely upon precision timing. Indeed, the ability to safely maintain continuity of operations, and to bounce back quickly in the event of a disruption (regardless of the nature of its cause), is of paramount importance—we simply cannot protect everything, everywhere, all the time.
The good news is that, relative to the rollover event, we are in reasonably good shape as a country and there is no need to panic. Nevertheless, the rollover does underscore a broader set of issues that require redress.
The complexity of the situation is compounded by our widespread connectivity. The billions of devices that make up the Internet of Things (think smart homes and connected cars) rely upon GPS for assured time; and these GPS-enabled devices and systems are subject to a gamut of cyber threats such as “denial-of-service attacks (jamming) and the introduction of bad data into the system (spoofing).” The GPS rollover thus presents a wealth of opportunity for bad actors seeking to disrupt or destroy. At the same time, the rollover event offers an opportunity for attackers and defenders to improve their tactics, techniques, and procedures.
The challenge is just as acute high above the Earth, where issues of positioning, timing, and navigation (PNT) intersect with cybersecurity, and do so in a way that could deeply damage U.S. national security and other vital interests and assets. The United States is highly dependent upon its network of space-based satellites, not only for military operations, but also for critical civilian and commercial endeavors.
Yet the space-based threat is significant and growing. As detailed in a recently released unclassified report by the Defense Intelligence Agency on Challenges to Security in Space (a report which received surprisingly little attention), China and Russia are developing capabilities that can produce “a range of reversible to nonreversible effects” and thereby “threaten others’ ability to use space.” In addition, the report states that Iran and North Korea “also pose a challenge to militaries using space-enabled services.”
The phrase “time and space” takes on added meaning in this context, where sophisticated and determined nation-state actors with hostile intent seek to undermine U.S. capabilities and, by extension, our resolve. As April 6 approaches, we would do well to think through carefully the implications of the GPS rollover—particularly within and across critical infrastructure sectors—with an eye to remaining resilient, not just in this lead-up period, but far into the future.
To this end, it is easy to grasp the idea that the military equipment and logistics mechanisms upon which U.S. forces rely must be effective, regardless. Perhaps less obvious are the consequences that could ensue outside the realm of national defense. Consider, for example, the fact that trillions of dollars in transactions across the global financial system are time-stamped, and if time-related inaccuracies were introduced therein, the very trust and confidence upon which the international financial system relies could be eroded.
Research can, and will, help get us to where we need to be, including in areas such as industrial control systems shared across critical infrastructure sectors. But striving for resilience is a team sport, and the integrity of time must be protected and preserved end-to-end throughout the supply chain, no matter the sector or industry. Otherwise, the system as a whole will only be as strong as the weakest link. That’s a powerful argument for baking both security and resilience into the design process, rather than trying to retrofit it later on.
Frank J. Cilluffo is director of the McCrary Institute for Cyber and Critical Infrastructure Security, and the Center for Cyber and Homeland Security, at Auburn University.
Sharon L. Cardash is deputy director of Auburn University’s Center for Cyber and Homeland Security.