A

You're listening to the Cyberwire Network powered by N2K.

B

Have you watched Project Hail Mary yet? Humanity is facing an existential threat and racing to solve it. With the clock ticking for security teams, that probably hits close to home.

A

With AI use rapidly spreading. Everyone's using AI, marketing, sales, engineering, Chris

B

the intern without security even knowing about it.

A

That's where Nudge Security comes in. Nudge finds shadow AI, apps, integrations and agents on day one and helps you enforce policy without blocking productivity. Try it free@nudgesecurity.com cyberwire.

B

One of the really interesting facets on this is beginning to understand how the specific, specific jamming and spoofing attacks on the cybersecurity and kind of RF security side are growing and evolving. Because even a few years ago, jamming and spoofing were kind of one off events that might impact something directly on a military conflict, but wasn't something that most of us saw on a day to day basis. But the current landscape of jamming and spoofing, we're seeing these activities persist over geographies long term.

A

Welcome, I'm Maria Varmazis and you're listening to T Minus Space Cyber Briefing. In this show we examine the evolution of cybersecurity in the global and orbital infrastructure that powers, protects and connects our lives. Hello and thanks for joining me today. It is inevitable and inescapable that a show like ours about cybersecurity in space is going to talk quite a bit about the global navigation satellite systems, especially the United States Global Positioning System, or gps. It is the backbone for so much of how our modern world works and it has been around for quite some time. An initiative to modernize GPS operations in cybersecurity called the Next Generation Operational control system, or OCX, was canceled by the U.S. space Force for being over budget and behind schedule. So what does this cancellation mean for GPS and how we use it? Well, in today's episode I'm speaking with Dr. Sean Gorman, who is the CEO of Zephyr, to discuss all of these and other concerns about the secure future of gps. Here's our conversation.

B

I'm Sean Gorman. I'm one of the founders of sepr. We do navigation powered artificial intelligence and that combines positioning, localization, understanding where a user is and what they're looking at. And as part of that work, we've gotten pretty involved in understanding ENT from a low level, including some defense work, which has brought us over into the world of jamming and spoofing. And also a bit of my background over the years working for a couple different startups that have built defense tech, mostly in the geospatial mapping and positioning space.

A

Thank you so much for joining me today. A lot of folks, I think they think they know a lot about GPS and how it works and also how it can potentially be monkeyed with. And I find often that there are a lot of perceptions that have to get busted just when starting a conversation like this. I imagine you've, you found the same. Maybe we just start real simple right there, before we dive in much deeper on what exactly? When we're talking about GPS jamming and spoofing, there are lots of different things that can happen there. Can you walk us through that just to start?

B

Yeah, definitely. I think, you know, one of the big misnomers is that there's just one constellation that is GPS that runs positioning on your smartphone, let's say. And typically GPS is just one constellation of a much larger set of constellations that are called GNSS or Global Navigation Systems. And that includes the US's GPS constellation. The Europeans also have a Galileo constellation. The Chinese have a constellation called Baidu. The Russians have a constellation called glonass. There's also regional constellations that Japan and India run. So there's a whole bunch of satellites up in the sky. GPS itself is about 32 constellations. And across all of those constellations, they're all a trusted network, right? We interconnect with Russian and Chinese constellations on our smartphones and we trust the signals across those different constellations. But that doesn't mean that there aren't bad actors out there. Typically that doesn't happen at the satellite level where the satellites are causing problems. But there are bad actors at the terrestrial level. So GPS jammers, which send out big disruptive, high frequency jamming signals that disrupt the very weak signals that come from the satellites way up in space. Those are pretty weak. And so if you have a really high powered disruptor that's operating at the same frequency as those GPS and GNSS signals, it can disrupt it and make it impossible to position with your phone. And then the other attack that we see commonly is spoofing, where instead of trying to disrupt that signal, it's trying to fake a signal and put an artificial signal into your receiver that's much more high powered than what's coming from the satellites with a fake location. And so instead of showing I'm in Boulder, Colorado right now, they might fake it and show me somewhere else. Like showing them at the airport, for instance, is a really common thing, because if drones, for instance, find themselves thinking they're at an airport, they immediately land and disable themselves because they don't want to enter airspace. So you see a variety of these kind of spoofing things happening along with jamming things. But that's kind of a high level breakdown of kind of how these constellations work together and then how bad actors try to disrupt those constellations.

A

Yeah. So I wanted to ask, so this is something I actually wasn't entirely aware of, to be honest. Something called ocx. Can you tell me a little bit about what that is and how that relates to gps, or what it was maybe is really more the question I should be asking.

B

So OCX was the next generation ground station that connects to the satellites up in space. So we think of the GPS satellites, the 32 of them revolving around the earth. But you need to get the data from those satellites, or more accurately, the ephemeris for where they're located at in space, down to these ground stations. So the ground stations track where the satellites are. And in order for GPS positioning to work in general, you need to not only know you're trying to figure out where the receiver is on the ground, but to do that, you need to know where the satellites are within a high level of accuracy. So in order to track where those satellites are, we have a sophisticated set of ground stations that track the exact location within a meter or two of where that satellite is in space. And so those ground stations become really critical. So the old ground station system was built in the 1990s. It's called AEP, but it was this monolithic structure that was built to track all of these satellites. But as we've been modernizing and putting up the new GPS 3 satellites, there's a lot of things that people wanted to do with a more modern ground station system. And so OCX was this next generation ground system that we spent six or seven billion dollars on to replace the 1990s AEP system with a much more robust, sophisticated set of ground stations to track these satellites up in space.

A

Hmm. And yet so. But it got canceled. Is that my understanding what happened there?

B

Yeah, well, it ends up. It's really hard to upgrade a massive monolithic system all in one go and make it completely backwards compatible with the system that was there before. And so that largely became the problem. And you have billions of devices that rely on this system. And we can't just take all of GPS down to do an upgrade. So you have to figure out how to upgrade that entire system in place and make it 100% backwards compatible to all of these devices that are already out there running on it. And I think that just ended up being too herculean of a lift to figure out and they kind of came to a dead end on it and unfortunately it got canceled. So now they're trying to figure out how to manage that with the existing AEP system, but it definitely kind of put an upward bound on how much we can modernize the current GPS system system.

A

So that's all well and good, but what's next then? What do we see for the future of gps? Well, we're going to take a quick break and we'll get back into our discussion with Dr. Sean Gorman after this. So good, so good, so good. Everything you want for summer is at Nordstrom Rack stores now and up to 60% off. Stock up and save on the brands you love like Vince Sam, Edelman Frame and Free People Join the nordiclub to unlock exclusive discounts. Shop new arrivals first and more. Plus buy online and pick up at your favorite Rack store for free. Great brands, great prices. That's why you wreck

B

Study and play

A

come together on a Windows 11 PC and for a limited time, college students

B

get the best of both worlds.

A

Get the unreal college deal everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass ultimate with a custom color Xbox wireless controller. Learn more@windows.com studentoffer while supplies last ends June 30th terms at aka mscollegepc. So questions abound there certainly, and I'm wondering, especially on the resiliency of how we are able to, for lack of better words, use and digest the signals that we're getting from GPS satellites. It sounds like we kind of avoided a solution. So what do we do now?

B

Yeah, I think that's an open question for a lot of people right now that people are trying to wrap their hands around. I think there is. Obviously we've been patching and upgrading and dealing with the current architecture for quite a while, and it is still a robust system that the globe depends on and operates quite well. But the extent to which we can modernize that to increase cybersecurity across our GPS system is going to be hampered by the fact that we can't modernize that ground segment. And there's also soft power implications in that. There's GNSS positioning systems offered from a lot of countries and it's a big Soft power lever for the more countries and industries and technologies you can get dependent on your positioning system versus a rival's positioning system, the more soft power you have across the economic and military landscape. And China's system is much more modern and recent than ours with much more modern ground segment and more sophisticated satellites and signals. And so that's something that's been a concern on the American side for a while of Baidu's growing advantages within PNP and how we can modernize GPS to keep up and ideally move ahead.

A

Yeah, so that's a great point there. I mean GPS was presumably the first to attempt gnss. I think that's correct. I'm not sure if that's true.

B

We invented it.

A

Yeah, we invented it. It's ours. Great. But yeah, we are heavily constrained by 90s era ground station technology, which is quite a constraint. Although my understanding is it's sort of a patchwork of solutions for trying to ensure resilience of the fidelity of the signal that you're receiving that what you're getting is actually correct and hasn't been spoofed or otherwise messed with. Is that a correct read of the situation that you know we're going to have to sort of pull together a bunch of different solutions to ensure that sort of fidelity? Or is there maybe something else coming down the line that may fix a lot of our problems?

B

Yeah, I think that's correct. It is a patchwork, although I think it, it really highlights and probably moves even more weight to a trend that was already happening that there is not a silver bullet for having assured PNT globally, both from a defense and a commercial perspective, that it probably doesn't make the most sense to look at one single constellation as the path forward. And we already see that with multi constellation gnss. But even domestically within the US I think increasingly we're looking at alternative constellations that could be leveraged. So Starlink has an amazing constellation up. It is already used effectively for positioning and that within Starlink receivers. Actually this is just getting turned off I think like May 20th. But you could use like a GRPC call to get the position for your satellite receiver as determined by Starlink and their constellations using Doppler Shift and rtt.

A

Wow. And they're turning that off?

B

Well, they're putting it behind a telemetry API. It used to be open to anybody. And so the Iranians were hacking this to guide drone attacks and also to find dissidents. So it's definitely being exploited in bad ways. So it's A good thing it's being secured. But it's also testament to the efficacy of an alternative constellation, or what they sometimes called signals of opportunity, to provide positioning. And so that's generally accurate, I think within 20 meters, but probably can do even better than that with some dedicated use. The remit is that Starlink and SpaceX are working on a positioning system that can be directly leveraged against their constellation. And this telemetry API, my assumption is, would be a first step in that direction. You have existing constellations like Starlink, which are impressive in their scale and scope that potentially can provide positioning technologies that are resilient and separate from gps. And then you also have dedicated constellations like Zona that are being built and funded to provide a low Earth orbit GNSS constellation that is completely separate but operates on the same frequencies and will have the ability, if it all works out, to connect to existing GNSS receivers and provide their signals as an augmentation or alternative to gps.

A

So do we think that the future of GNSS is going to be completely shifting to Leo or is it always going to be a multi orbit solution?

B

I think it'll always be a multi orbit solution. I mean there's a lot of good reasons to have GPS and GNSS satellites and in middle Earth orbit because you need a lot fewer of them to get the position. And 32 satellites can cover the Earth really quite well when you start looking at a low Earth orbit. And I'm not sure what Zona's latest numbers are, but at least early on it was like 360 satellites are going to be needed to provide global coverage, so you need a much larger footprint to cover that. And I think Galileo has plans for a combination of LEO and VIO satellites for their constellation. China with Baidu is doing something similar. So these things do the multi orbit approach complement itself quite well. And I think we'll see that happening going forward in the future as well of these blended hybrid multi constellation approaches. That's the wonderful thing with GNSS writ large is it's an open interoperable system that works quite well even with global powers that are oftentimes at odds with each other. Yet we still are able to create these constellations that work seamlessly together across devices. We all have in our pockets will have multi constellation, whether it's your smartphone or your smartwatch or your wearable smart glasses, all of those things are generally using multiconstellation technologies. One of the really interesting facets on this is beginning to understand how the specific Jamming and spoofing attacks on the cybersecurity and kind of RF security side are growing and evolving because even a few years ago jamming and spoofing were kind of one off events that might impact something directly on a military conflict, but wasn't something that most of us saw on a day to day basis. But the current landscape of jamming and spoofing we're seeing these activities persist over geographies long term. Whether it's the Baltics with the Russians jamming Northern Europe or in Ukraine, there's an ongoing conflict with jamming on both sides. In the Middle east, there's persistent jamming happening all along the areas around Israel and Iran and the Persian Gulf. Now up into Turkey, we see persistent activity oftentimes in Asia as well, especially Myanmar. These things are impacting global aviation, global maritime, as well as just people's day to day activities. You see these funny, not funny stories of spoofing happening in Israel and Lebanon where as I said before, where they'll spoof locations to airports to defeat drone attacks. And so people will be on their driving apps or their dating apps and all of a sudden they're getting matched with somebody in a different country because their location's being spoofed to an entirely different place, oftentimes the Beirut or Cairo airports. So these kinds of cyber and RF incidents are no longer contained to just military operations that are rapidly bleeding into our day to day lives. And whether that's impacting summer travel because of what's happening in the Persian Gulf currently, or you get these weird wonky behaviors on your mobile phone, if you're in a geography that happens to be adjacent to a conflict, you're traveling through it.

A

Well, this super fascinating stuff and I greatly appreciate your expertise today and speaking with me.

B

Yeah, definitely. Thanks for having me. And it was lovely getting to share the work the team's been plugging away with.

A

And so for and that's T minus Space Cyber Briefing brought to you by N2K CyberWire. If you like what you heard today, you will also enjoy our newsletter, Signals and Space. You'll get research and notes pulled together by our producer Ethan Cook and me, along with this week's top space cyber news stories. Subscribe to it by visiting TheCyberWire.com newsletters and look for Signals and Space. You know, we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing cybersecurity landscape. If you like the show, please share a rating and review in your podcast app. You could also fill up the survey in the show notes or send us an email. Space2k.com is that email. We're proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector. From the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies, N2K helps cybersecurity professionals grow, learn and stay informed. As the nexus for discovery and connection, we bring you the people, technology and ideas shaping the future of secure innovation. Learn how@n2k.com thanks for listening to T Minus. I'm your host Maria Varmazes. The show is produced by Ethan Cook and Liz Stokes or mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our Executive producer is Jennifer Ibin with content strategy by Mayan Plout. Peter Kilpe is our publisher. See you next week.

B

T minus.

A

Some Follow the Noise Bloomberg Follows the Money. Whether it's the funds fueling AI or

B

crypto's trillion dollar swings, there's a money

A

side to every story.

B

Get the money side of the story.

A

Subscribe now@bloomberg.com.