- Email: [email protected]
GNSS security issues
/;
/"ill
0
-
Dts
..................... i J ........................... .............:. .................. /:......; ....................... t;.............................................................................................................................................................................................................................
GNSS Security Issues BenoTt HANCART,Pascal CAMPAGNE
Security and defence are at stake when GNSSis considered. GALILEO will have to be an operational system whose political, strategic, liability and security issues will have to be managed under Member States" and European Union's responsibility.
Beaoit Hancart, CNES-DGA
PascalCampagne, FD(
s stated in the 1998 Communication (COM 98/29 dated 21 January 1998) from the EC endorsed by the Council, security and defence issues are at stake when considering GNSS: - Firstly, "the availability of highly accurate navigation and positioning services across the continent raises both risks and opportunities" (same reference as above). The threats entailed by the misuse of such services are reinforced by the current geopolitical context: local conflicts, terrorism, fundamentalism, international crime and arms trafficking, including the illegal sale of nuclear materials can and already have spilt over into Europe; - Secondl~ some users of GNSS (including GPS, GLONASS, WAAS, EGNOS, MSAS, and GALILEO) services have stringent service guarantee needs. A break in availability could very quickly have dire consequences on national and European levels. This is the case of safety critical applications (air, land or sea), Civil security (police, customs,
A
search and rescue etc.), Communication and data networks (strategic communication and data networks synchronisation like in banking and GSM). This group of users could be named 'security users'. Technically and operationall~ these two requirements imply: - t o develop efficient ways to deny access to any kind of free access GNSS information inside and outside Europe when needed; -to develop GALILEO infrastructures with minimum protection; -to design GALILEO with a robust Controlled Access Service (CAS) especially reserved for the previously mentioned "security" users. This robust CAS is an efficient answer to those "security" users who have a stringent need of continuity of service. Furthermore, the European Union (EU) Treaty contains a binding commitment for the Union to develop a Common Foreign and Security Policy (CFSP). If Europe is able to deploy its own security tools to safeguard its own security; credibility of the CFSP will be reenforced. A robust CAS on GALILEO used by "security" users can be one of the instruments to implement a coherent CSFP,equivalent to the Euro currency for Economic and Monetary Union. Finally, all security issues connected with GNSS will have to be discussed with the United States. In particular, defining common and co-ordinated measures to den~ control, guarantee and certify GNSS services is crucial. In short, civil system GALILEO is not only a space based system dedicated for research matters as the European Space
llI
Agency is used to produce. GALILEO will have to be an operational system whose political, strategic, liability and security issues it sets will have to be managed under Member States' and European Union's responsibility.
Context Strategic context: crises directly threaten Europe, not US The end of Cold War and the recent expansion of the Union have dramatically changed EU's strategic situation. With the accession of Austria, Finland and Sweden, the EU is now more directly exposed to security risks on its borders and in the Balkans. Although the Soviet threat has disappeared, many new risks have appeared, not only in the east but also to .the south. The longterm effects of growing poverty a n d underdevelopment in North Africa and
GLOSSARY AO0 : AreaOf Operation(conflictarea) CAS: ControlledAccessService CFSP: CommonForeign and Security Policy GNSS: GlobalNavigationSatelliteSystem EC : EuropeanCommission EU: EuropeanUnion ICAO: InternationalCivilAviationOrganization IMO: InternationalMaritime Organization MOD: Ministryof Defence NBC: Nuclear,Bacteriological,Chemical SA: Selectiveavailability USDOD: USDepartmentof Defense
POINT OF WEW the Middle East may entail an increase in extremism, which can and already has spilt over into Europe. This can also include local conflicts, with the potential to spread to neighboring states or to escalate into terrorism, fundamentalism, international crime and arms trafticking, including the illegal sale of nuclear materials. All these threats are almost unknown to the US inside it's territory. Neighboring states of the US, Mexico or Canada have no reason to cause such concerns to the US. Furthermore, Cuba is no longer a danger. The only time the US can be exposed to major security risks is when involved with international partners in peace-keeping operations or wars, i.e. far outside its territory and, for the time being, close to Europe.
Political context : GNSS and Common Foreign and Security Policy As described in the previous section, since the end of Cold War, Europe's strategic situation is not very reassuring: terrorism is a daily threat and conflicts arise even inside Europe. Furthermore, US are substantially reducing its military presence in Europe and EU may thus no longer rely on US to take primary responsibility for its own security. Nevertheless, US will continue to be EU's principal ally, with growing interest in a transatlantic treaty that would integrate a whole range of relations - economic, political and security - into a single process based on a genuine partnership. Moreover, the European Union Treaty contains a binding commitment on the Union to develop a CFSP. This is a legal commitment that all Member States have accepted and must comply with. Article J.4 of the Maastricht Treaty begins as follows: "The common foreign and security policy shall include all questions related to the security of the Union, including the eventual drafting of a common defence policy, which might in time lead to a common de fence'. Moreover, as stated in the 1998 Communication (COM 98/29; 21 January 1998) of the EC endorsed by the Council, securi-
ty and defence issues are at stake when considering GNSS: "The availability of highly accurate navigation and positioning services across the continent raises both risks and opportunities. The possibility of dual use of GNSS needs to be explored, not least on cost effectiveness grounds. But it is also essential to ensure that the capabilities of a system designed for civil use cannot be used in a way that creates security concerns". "There are security and defence considerations, since the two global satellite systems present remain, for the time being, under the military control of the US and the Russian Federation". Therefore, GNSS security and defence issues have to be examined in the light of CFSP objectives approved by the Union.
Review of security and defence issues Economic growth and technological developments in the second half of the 20th century were based on the development of inbastructures which rapidly became essential, or even critical in sectors as varied as transport or nuclear safety. Communication or data networks are examples. Malfunctioning of certain types could rapidly have serious consequences on citizen comfort, economic competitiveness or even national security. Use of satellite navigation systems is currently becoming widespread and this trend is expected to continue making the vulnerability of these infrastructures and related services an even more critical factor. It is important to understand that shutting down a navigation service could quickly have dire consequences on a national level above all if this service is widely used by the operating core of our communication and data networks (banking, GSM...) and by all our modes of transport, given the leading performance and low cost of this service. While satellite navigation is a tool for economic growth, it is also an extremely sensitive political and strategic tool. AIR
& SPACE
Identified threats to GALILEO Threats to GNSS-2 have to be considered in a context where new requirements entail increasingly complex information system design and a wide use of communication networks. This move gives rise to new vulnerability especially in the field of data processing security. Thus, GALILEO designers will have to take into account potential threats both to the system itself and to processed and used information. These threats can be classified in three main categories:
Physical threats They can be caused by natural phenomena (earthquakes, land slides, floods, lightening...), attacks (intrusion, conventional or NBC attack...), accidents (fire, pollution...).
Electronic threats These are of special concern to the various devices used. They can be as varied as tapping, jamming, intrusion or microwave pulsing. But they also include these due to materiel breakdown such as power cuts, transmission cuts or computer problems.
Threats to data processing These include operational data garbling or destruction, but also copy or theft of data, software, equipment or documentation. All these threats have various origins: aggressors may defend a terrorist or strategic cause, but they increasingly exercise their "activities" as a game, out of greed or for personal interest. However, for two main reasons, the most significant threat is with no doubt unintentional and intentional jamming : - GNSS signals have the drawback to be extremely sensitive to any kind of interferences (GNSS signals are received with a very low power); - jamming GNSS can be very easily and cheaply processed.
Threats to persons, property and strategic activities Subversive use of satellite navigation systems is also a major threat against which states must protect themselves. Today, open access GNSS services include GPS-SPS and GLONASS. EUROPE
• VOL.
I
• No
3 -
1999
/,,
(,
........
Tomorrow, it will be added the new GPS "safety of life" frequency and the open access service of GALILEO. Indeed, since world-wide availability of an accurate and reliable navigation service only requires a cheap investment by users, these users can potentially implement a large number of undesirable actions. The most quoted ones are GPS guided low cost weapons of mass destruction (nuclear, chemical and biological weapons). GALILEO (like GPS and GLONASS) should be seen in the light of the Missile Technology Control Regime which is supported by all Member States of the EU.
Identified needs Need for a guaranteed service Some GNSS users have an obvious need for service guarantees. Among these users, the following ones have already been identified: -safety critical transportation applications (air, land or sea), -civil security (police, customs, search and rescue etc.), -communication and data networks (strategic communication and data networks synchronization in such sectors as banking and GSM ). For all of these users, the need for a guaranteed service prevail even when the electromagnetic environment is hostile (unintentional and intentional jamming ). For some of these users, the need for a guaranteed service prevail not only during peace time but also during crisis (this may be the case for search and rescue operations or Police). Need to protect GALILEO infrastructures Considering previously identified threats, GALILEO infrastructures will have to be designed with sufficient levels of protection. The usual methods used to protect civil strategic infrastructures are certainly applicable to GALILEO infrastructures. Security needs may be situated somewhere between those of a nuclear power plant, a bank and a hi-tech firm.
Similarly, it should be possible to rapidly define methods of reinforcing GALILEO signals after analyzing current and planned techniques on existing satellite navigation systems or techniques used by strategic public or private communications systems. Non-subversive aggression such as operator, manufacturing technician or computer engineer errors will have to be handled in normal standard quality procedures.
Need to control the availability of GNSS free access services Misuse of satellite navigation services has to be avoided as much as possible. NAVWAR : US solution to prevent hostile use of GNSS information The likelihood that any kind of hostile forces will be able to exploit satellite technolog)~ is a growing concern for US and Allies. GPS Selective Availability (SA) is a living example of the policy implemented by the US to control access to highly accurate navigation information. But the commercial success of GPS sets a problem for people in charge of security: as civilians become increasingly dependent on GPS, the demand for a more accurate signal for non-military users has increased. Already, commercial users are turning to GPS "augmentations" services that provide more accurate location data than the encrypted GPS signal available to military users. The 1996 US Presidential Directive Decision on GPS took into account these two stringent constraints: how to satisfy business interests while preserving national security. The decision was to turn off SA (before 2006) so that civil users may have access to meter range accurate navigation information with GPS alone, and at the same time have, to urge US DOD to cope with proliferation of these highly precise information. US DOD answer to this latter point is in fact an electronic warfare program called NAVWAR. In short, NAVWAR is the use of local jammers able to disrupt GNSS signals except encrypted GPS which become
IB
therefore the only available navigation service. These jammers are scheduled to be locally used in the Area of operation
(AO0). NAVWAR concept is the only concept as for now developed which is intended to be proposed by US to NATO.
Drawbacks of NA VWAR policy in the European context This concept is based on the following hypothesis: - a World War is no longer conceivable; - f u t u r e military conflicts will be limited to a specific area ("sea of peace and island of war"); - foreseeable military conflicts will take place outside Continental US. The two first items are shared by European Countries. But European Countries are closer to existing or potential conflicts and are considerably more exposed to terrorism. The main problem with NAVWAR concept is that it seems technically difficult to correctly master potential disturbing effects on the fringes of the AOO. The consequence is that some disturbances will occur not only in the AOO but may also occur in neighboring zones. This means that some business, strategic and critical security activities not using the GPS controlled access service will be affected in the AOO but also at its borders. These undesirable effects will be increased by the introduction of new GNSS open access services: higher power jammers will be needed to control them. This is particularly the case for the new GPS "safety of life" signal due to its foreseen technical features (20 MHz spread signal with 6 dB increased emission power). Consequences of applying such a concept is of special concern to Europe due to the current and forecast strategic context described in section ar Strategic Context above. In particular, implementation of NAVWARconcept to cope with malicious use of GNSS information over Europe means strong risks of denying use of GNSS to all kinds of civil users in neighboring zones of the AOO. Therefore, NAVWAR alone cannot provide the right solution for Europe.
POINT OF VIEW Need to control GNSS equipment exports The need to control export of goods and technology exists for all products and services likely to be used by back up undesirable actions. For instance, export sales of chemical or pharmaceutical products for agricultural or medical use are very strictly controlled because of their potential use to manufacture certain types of explosive or biological weapons. International agreements on export controls on goods and technology which can be used for dual (civil and military) purposes have already been ratified by some tens of countries (Wassenaar agreements). These agreements already concern satellite navigation systems and in particular export of receivers which must be automatically inhibited when the speed exceeds 515 m/s or when the altitude is greater than 18 km. These steps are examples and are certainly of limited efficiency in a market open to competition in which all players are supposed to be capable of developing their own receivers. Furthermore, they only concern a small number of potential subversive uses.
Proposed way ahead
is active or potential conflicts can go on arising; • And, finally, considering that some critical security applications (civil aviation for instance) need to have a robust GNSS service protected against intentional jamming and interferences; • It is strongly suggested that GALILEO provides European business, strategic and critical security applications with a dedicated CAS. Such a CAS is the only way to provide a guaranteed signal whatever the situation (peace, crisis or wartime). The use by civil aviation of a CAS (which will be an encrypted signal) will have to be raised. But the true question is the following one : is it better for civil aviation to use GPS open access signals which can be disrupted on unpredicted large areas far beyond an AOO (because of US NAVWAR concept), than a CAS which can be guaranteed for peaceful aeronautical applications even during crises? What is the best solution according to the spirit of ICAO Chicago Convention? The management of this CAS (Access policy, distribution of security chips and encryption keys...) will have to be ensured by a dedicated European political office. This office could be composed of Member States' representatives in charge of security matters.
A robust controlled access service to guaranty continuity of service for security users • Considering that: -misuse of GNSS information is a threat for Europe; -NAVWAR concept is the US and NATO military answer to control access to GNSS information during crisis or wartime; -NAVWAR concept can have unwanted and uncontrolled effects on the neighboring zones around the operational area; -and, consequently, some business, strategic and critical security applications using GNSS information can be hindered due to the effect of not receiving GNSS signals; • Having regard to the fact that Europe is clearly a place where either terrorism
GALILEO has to be under European control GALILEO could be developed in cooperation with other nations: - outside the European Union, countries wishing to take part in the development or use of this system (e.g. Switzerland, Norway, Japan, etc.); - the USA and Russia, who already have their own systems, and for whom compatibility with a future global system would be of mutual benefit. It is even possible to consider using existing systems as the basis for the future system, or developing this system jointly with these nations. Control of GALILEO is likely therefore to involve a large number of culturally and politically different nations. However, an international control may make the security problem more complex in particular by reducing responAIR
& SPACE
siveness of operators running the system when having to deal with subversive use of the service. That is the reason why GALILEO has to be exclusively controlled by the European Union. However, this statement does not preclude Europe from proposing guaranteed GNSS services to international organizations such as ICAO or IMO.
Co-ordination between Europe and US is mandatory All security and defence issues connected with GNSS have to be discussed with US authorities. In particular, the need to define common and co-ordinated measures to deny, control guarantee and certify GNSS services is crucial. For instance, it could be suggested that for world-wide security all "grand-public" users have access to a limited number of frequencies.
Conclusions The first satellite navigation systems were developed for military purposes and their ability to improve mission efficiency was clearly demonstrated during the Gulf War. The free availability of satellite navigation services all over the world was also at the root of a considerable market in civil and business applications. This initially underestimated market rapidly became of prime importance, penalizing US DOD leadership in the decisionmaking process and stimulating the need to develop other satellite navigation systems under civil control. In the meantime, free availability of accurate navigation services and massive use of these services by the civil community have obviously increased their potential use by numerous subversive and hostile applications. In addition, satellite navigation services are also expected to provide great benefits to many applications requiring service guarantees such as safety critical applications, civil security, strategic communication and data network synchronization. The need for guaranteed GNSS services is probably one of the major arguments EUROPE
• VOL.
I • No
3 -
1999
justifying the development of an independent system in Europe. Given the European context, (nearness to conflicts, terrorism ...), meeting this need requires implementation of a robust controlled access service reserved for these applications and ensuring signal protection. Infrastructures (software and hardware) must also be subject to special protection rules. Security needs must therefore rapidly be specified before GALILEO definition studies start. At the same time, a security policy must be defined. In any case, this policy may only be efficient if drawn up in full coordination with the United States, since if independent measures on GPS and GALILEO are decided, there is a risk this may make them totally inefficient. Finally, as stressed by the European Commission, a satellite navigation system is certainly a strategic tool to enable Europe to assert itself and consolidate its Common Foreign and Security Policy. •
~Ecole Polytechnique and i:~que et de I'Espace. He )eer with the D@l@gation Be position of Head of the :~llistics and Aerodynamics en head of the flight guidlecommunication and airOf French DGA activities Hancart joined the Joint l~les, France)Architecture international relations and ~viaation issues and chairBeno# HANCART !S, Centre de Toulouse, ~hitecture (CNES-DGA) Bpi 1417 avenue Edouard-Belin flouse cedex 4, France Fax: + 33 5 61 27 48 42
Conservatoire National des !~ters program in Acoustics lln Dassault Electronique in ~ponsible for diagnosis and ~as also been Project Mancharge of studies,develop~tems, airborne computers ~Os a satellite navigation M a n a g e r for all GNSS/GPS ojects. He is also personally ~,~ to the French MOD and ; Secretary of the Security EC in the framework of the
~
Pascal CAMPAGNE D~veloppement Conseil 10, cours Louis-Lumi#re 94300 Vincennes, France Tel.: +33 1 53 66 11 11 Fax: +33 1 53 66 11 00
This article is published with the kind permission of the French Institute of Navigation. The views expressed in this paper are not official statements. They are the personal views of the authors.
ill
/"ill
0
-
Dts
..................... i J ........................... .............:. .................. /:......; ....................... t;.............................................................................................................................................................................................................................
GNSS Security Issues BenoTt HANCART,Pascal CAMPAGNE
Security and defence are at stake when GNSSis considered. GALILEO will have to be an operational system whose political, strategic, liability and security issues will have to be managed under Member States" and European Union's responsibility.
Beaoit Hancart, CNES-DGA
PascalCampagne, FD(
s stated in the 1998 Communication (COM 98/29 dated 21 January 1998) from the EC endorsed by the Council, security and defence issues are at stake when considering GNSS: - Firstly, "the availability of highly accurate navigation and positioning services across the continent raises both risks and opportunities" (same reference as above). The threats entailed by the misuse of such services are reinforced by the current geopolitical context: local conflicts, terrorism, fundamentalism, international crime and arms trafficking, including the illegal sale of nuclear materials can and already have spilt over into Europe; - Secondl~ some users of GNSS (including GPS, GLONASS, WAAS, EGNOS, MSAS, and GALILEO) services have stringent service guarantee needs. A break in availability could very quickly have dire consequences on national and European levels. This is the case of safety critical applications (air, land or sea), Civil security (police, customs,
A
search and rescue etc.), Communication and data networks (strategic communication and data networks synchronisation like in banking and GSM). This group of users could be named 'security users'. Technically and operationall~ these two requirements imply: - t o develop efficient ways to deny access to any kind of free access GNSS information inside and outside Europe when needed; -to develop GALILEO infrastructures with minimum protection; -to design GALILEO with a robust Controlled Access Service (CAS) especially reserved for the previously mentioned "security" users. This robust CAS is an efficient answer to those "security" users who have a stringent need of continuity of service. Furthermore, the European Union (EU) Treaty contains a binding commitment for the Union to develop a Common Foreign and Security Policy (CFSP). If Europe is able to deploy its own security tools to safeguard its own security; credibility of the CFSP will be reenforced. A robust CAS on GALILEO used by "security" users can be one of the instruments to implement a coherent CSFP,equivalent to the Euro currency for Economic and Monetary Union. Finally, all security issues connected with GNSS will have to be discussed with the United States. In particular, defining common and co-ordinated measures to den~ control, guarantee and certify GNSS services is crucial. In short, civil system GALILEO is not only a space based system dedicated for research matters as the European Space
llI
Agency is used to produce. GALILEO will have to be an operational system whose political, strategic, liability and security issues it sets will have to be managed under Member States' and European Union's responsibility.
Context Strategic context: crises directly threaten Europe, not US The end of Cold War and the recent expansion of the Union have dramatically changed EU's strategic situation. With the accession of Austria, Finland and Sweden, the EU is now more directly exposed to security risks on its borders and in the Balkans. Although the Soviet threat has disappeared, many new risks have appeared, not only in the east but also to .the south. The longterm effects of growing poverty a n d underdevelopment in North Africa and
GLOSSARY AO0 : AreaOf Operation(conflictarea) CAS: ControlledAccessService CFSP: CommonForeign and Security Policy GNSS: GlobalNavigationSatelliteSystem EC : EuropeanCommission EU: EuropeanUnion ICAO: InternationalCivilAviationOrganization IMO: InternationalMaritime Organization MOD: Ministryof Defence NBC: Nuclear,Bacteriological,Chemical SA: Selectiveavailability USDOD: USDepartmentof Defense
POINT OF WEW the Middle East may entail an increase in extremism, which can and already has spilt over into Europe. This can also include local conflicts, with the potential to spread to neighboring states or to escalate into terrorism, fundamentalism, international crime and arms trafticking, including the illegal sale of nuclear materials. All these threats are almost unknown to the US inside it's territory. Neighboring states of the US, Mexico or Canada have no reason to cause such concerns to the US. Furthermore, Cuba is no longer a danger. The only time the US can be exposed to major security risks is when involved with international partners in peace-keeping operations or wars, i.e. far outside its territory and, for the time being, close to Europe.
Political context : GNSS and Common Foreign and Security Policy As described in the previous section, since the end of Cold War, Europe's strategic situation is not very reassuring: terrorism is a daily threat and conflicts arise even inside Europe. Furthermore, US are substantially reducing its military presence in Europe and EU may thus no longer rely on US to take primary responsibility for its own security. Nevertheless, US will continue to be EU's principal ally, with growing interest in a transatlantic treaty that would integrate a whole range of relations - economic, political and security - into a single process based on a genuine partnership. Moreover, the European Union Treaty contains a binding commitment on the Union to develop a CFSP. This is a legal commitment that all Member States have accepted and must comply with. Article J.4 of the Maastricht Treaty begins as follows: "The common foreign and security policy shall include all questions related to the security of the Union, including the eventual drafting of a common defence policy, which might in time lead to a common de fence'. Moreover, as stated in the 1998 Communication (COM 98/29; 21 January 1998) of the EC endorsed by the Council, securi-
ty and defence issues are at stake when considering GNSS: "The availability of highly accurate navigation and positioning services across the continent raises both risks and opportunities. The possibility of dual use of GNSS needs to be explored, not least on cost effectiveness grounds. But it is also essential to ensure that the capabilities of a system designed for civil use cannot be used in a way that creates security concerns". "There are security and defence considerations, since the two global satellite systems present remain, for the time being, under the military control of the US and the Russian Federation". Therefore, GNSS security and defence issues have to be examined in the light of CFSP objectives approved by the Union.
Review of security and defence issues Economic growth and technological developments in the second half of the 20th century were based on the development of inbastructures which rapidly became essential, or even critical in sectors as varied as transport or nuclear safety. Communication or data networks are examples. Malfunctioning of certain types could rapidly have serious consequences on citizen comfort, economic competitiveness or even national security. Use of satellite navigation systems is currently becoming widespread and this trend is expected to continue making the vulnerability of these infrastructures and related services an even more critical factor. It is important to understand that shutting down a navigation service could quickly have dire consequences on a national level above all if this service is widely used by the operating core of our communication and data networks (banking, GSM...) and by all our modes of transport, given the leading performance and low cost of this service. While satellite navigation is a tool for economic growth, it is also an extremely sensitive political and strategic tool. AIR
& SPACE
Identified threats to GALILEO Threats to GNSS-2 have to be considered in a context where new requirements entail increasingly complex information system design and a wide use of communication networks. This move gives rise to new vulnerability especially in the field of data processing security. Thus, GALILEO designers will have to take into account potential threats both to the system itself and to processed and used information. These threats can be classified in three main categories:
Physical threats They can be caused by natural phenomena (earthquakes, land slides, floods, lightening...), attacks (intrusion, conventional or NBC attack...), accidents (fire, pollution...).
Electronic threats These are of special concern to the various devices used. They can be as varied as tapping, jamming, intrusion or microwave pulsing. But they also include these due to materiel breakdown such as power cuts, transmission cuts or computer problems.
Threats to data processing These include operational data garbling or destruction, but also copy or theft of data, software, equipment or documentation. All these threats have various origins: aggressors may defend a terrorist or strategic cause, but they increasingly exercise their "activities" as a game, out of greed or for personal interest. However, for two main reasons, the most significant threat is with no doubt unintentional and intentional jamming : - GNSS signals have the drawback to be extremely sensitive to any kind of interferences (GNSS signals are received with a very low power); - jamming GNSS can be very easily and cheaply processed.
Threats to persons, property and strategic activities Subversive use of satellite navigation systems is also a major threat against which states must protect themselves. Today, open access GNSS services include GPS-SPS and GLONASS. EUROPE
• VOL.
I
• No
3 -
1999
/,,
(,
........
Tomorrow, it will be added the new GPS "safety of life" frequency and the open access service of GALILEO. Indeed, since world-wide availability of an accurate and reliable navigation service only requires a cheap investment by users, these users can potentially implement a large number of undesirable actions. The most quoted ones are GPS guided low cost weapons of mass destruction (nuclear, chemical and biological weapons). GALILEO (like GPS and GLONASS) should be seen in the light of the Missile Technology Control Regime which is supported by all Member States of the EU.
Identified needs Need for a guaranteed service Some GNSS users have an obvious need for service guarantees. Among these users, the following ones have already been identified: -safety critical transportation applications (air, land or sea), -civil security (police, customs, search and rescue etc.), -communication and data networks (strategic communication and data networks synchronization in such sectors as banking and GSM ). For all of these users, the need for a guaranteed service prevail even when the electromagnetic environment is hostile (unintentional and intentional jamming ). For some of these users, the need for a guaranteed service prevail not only during peace time but also during crisis (this may be the case for search and rescue operations or Police). Need to protect GALILEO infrastructures Considering previously identified threats, GALILEO infrastructures will have to be designed with sufficient levels of protection. The usual methods used to protect civil strategic infrastructures are certainly applicable to GALILEO infrastructures. Security needs may be situated somewhere between those of a nuclear power plant, a bank and a hi-tech firm.
Similarly, it should be possible to rapidly define methods of reinforcing GALILEO signals after analyzing current and planned techniques on existing satellite navigation systems or techniques used by strategic public or private communications systems. Non-subversive aggression such as operator, manufacturing technician or computer engineer errors will have to be handled in normal standard quality procedures.
Need to control the availability of GNSS free access services Misuse of satellite navigation services has to be avoided as much as possible. NAVWAR : US solution to prevent hostile use of GNSS information The likelihood that any kind of hostile forces will be able to exploit satellite technolog)~ is a growing concern for US and Allies. GPS Selective Availability (SA) is a living example of the policy implemented by the US to control access to highly accurate navigation information. But the commercial success of GPS sets a problem for people in charge of security: as civilians become increasingly dependent on GPS, the demand for a more accurate signal for non-military users has increased. Already, commercial users are turning to GPS "augmentations" services that provide more accurate location data than the encrypted GPS signal available to military users. The 1996 US Presidential Directive Decision on GPS took into account these two stringent constraints: how to satisfy business interests while preserving national security. The decision was to turn off SA (before 2006) so that civil users may have access to meter range accurate navigation information with GPS alone, and at the same time have, to urge US DOD to cope with proliferation of these highly precise information. US DOD answer to this latter point is in fact an electronic warfare program called NAVWAR. In short, NAVWAR is the use of local jammers able to disrupt GNSS signals except encrypted GPS which become
IB
therefore the only available navigation service. These jammers are scheduled to be locally used in the Area of operation
(AO0). NAVWAR concept is the only concept as for now developed which is intended to be proposed by US to NATO.
Drawbacks of NA VWAR policy in the European context This concept is based on the following hypothesis: - a World War is no longer conceivable; - f u t u r e military conflicts will be limited to a specific area ("sea of peace and island of war"); - foreseeable military conflicts will take place outside Continental US. The two first items are shared by European Countries. But European Countries are closer to existing or potential conflicts and are considerably more exposed to terrorism. The main problem with NAVWAR concept is that it seems technically difficult to correctly master potential disturbing effects on the fringes of the AOO. The consequence is that some disturbances will occur not only in the AOO but may also occur in neighboring zones. This means that some business, strategic and critical security activities not using the GPS controlled access service will be affected in the AOO but also at its borders. These undesirable effects will be increased by the introduction of new GNSS open access services: higher power jammers will be needed to control them. This is particularly the case for the new GPS "safety of life" signal due to its foreseen technical features (20 MHz spread signal with 6 dB increased emission power). Consequences of applying such a concept is of special concern to Europe due to the current and forecast strategic context described in section ar Strategic Context above. In particular, implementation of NAVWARconcept to cope with malicious use of GNSS information over Europe means strong risks of denying use of GNSS to all kinds of civil users in neighboring zones of the AOO. Therefore, NAVWAR alone cannot provide the right solution for Europe.
POINT OF VIEW Need to control GNSS equipment exports The need to control export of goods and technology exists for all products and services likely to be used by back up undesirable actions. For instance, export sales of chemical or pharmaceutical products for agricultural or medical use are very strictly controlled because of their potential use to manufacture certain types of explosive or biological weapons. International agreements on export controls on goods and technology which can be used for dual (civil and military) purposes have already been ratified by some tens of countries (Wassenaar agreements). These agreements already concern satellite navigation systems and in particular export of receivers which must be automatically inhibited when the speed exceeds 515 m/s or when the altitude is greater than 18 km. These steps are examples and are certainly of limited efficiency in a market open to competition in which all players are supposed to be capable of developing their own receivers. Furthermore, they only concern a small number of potential subversive uses.
Proposed way ahead
is active or potential conflicts can go on arising; • And, finally, considering that some critical security applications (civil aviation for instance) need to have a robust GNSS service protected against intentional jamming and interferences; • It is strongly suggested that GALILEO provides European business, strategic and critical security applications with a dedicated CAS. Such a CAS is the only way to provide a guaranteed signal whatever the situation (peace, crisis or wartime). The use by civil aviation of a CAS (which will be an encrypted signal) will have to be raised. But the true question is the following one : is it better for civil aviation to use GPS open access signals which can be disrupted on unpredicted large areas far beyond an AOO (because of US NAVWAR concept), than a CAS which can be guaranteed for peaceful aeronautical applications even during crises? What is the best solution according to the spirit of ICAO Chicago Convention? The management of this CAS (Access policy, distribution of security chips and encryption keys...) will have to be ensured by a dedicated European political office. This office could be composed of Member States' representatives in charge of security matters.
A robust controlled access service to guaranty continuity of service for security users • Considering that: -misuse of GNSS information is a threat for Europe; -NAVWAR concept is the US and NATO military answer to control access to GNSS information during crisis or wartime; -NAVWAR concept can have unwanted and uncontrolled effects on the neighboring zones around the operational area; -and, consequently, some business, strategic and critical security applications using GNSS information can be hindered due to the effect of not receiving GNSS signals; • Having regard to the fact that Europe is clearly a place where either terrorism
GALILEO has to be under European control GALILEO could be developed in cooperation with other nations: - outside the European Union, countries wishing to take part in the development or use of this system (e.g. Switzerland, Norway, Japan, etc.); - the USA and Russia, who already have their own systems, and for whom compatibility with a future global system would be of mutual benefit. It is even possible to consider using existing systems as the basis for the future system, or developing this system jointly with these nations. Control of GALILEO is likely therefore to involve a large number of culturally and politically different nations. However, an international control may make the security problem more complex in particular by reducing responAIR
& SPACE
siveness of operators running the system when having to deal with subversive use of the service. That is the reason why GALILEO has to be exclusively controlled by the European Union. However, this statement does not preclude Europe from proposing guaranteed GNSS services to international organizations such as ICAO or IMO.
Co-ordination between Europe and US is mandatory All security and defence issues connected with GNSS have to be discussed with US authorities. In particular, the need to define common and co-ordinated measures to deny, control guarantee and certify GNSS services is crucial. For instance, it could be suggested that for world-wide security all "grand-public" users have access to a limited number of frequencies.
Conclusions The first satellite navigation systems were developed for military purposes and their ability to improve mission efficiency was clearly demonstrated during the Gulf War. The free availability of satellite navigation services all over the world was also at the root of a considerable market in civil and business applications. This initially underestimated market rapidly became of prime importance, penalizing US DOD leadership in the decisionmaking process and stimulating the need to develop other satellite navigation systems under civil control. In the meantime, free availability of accurate navigation services and massive use of these services by the civil community have obviously increased their potential use by numerous subversive and hostile applications. In addition, satellite navigation services are also expected to provide great benefits to many applications requiring service guarantees such as safety critical applications, civil security, strategic communication and data network synchronization. The need for guaranteed GNSS services is probably one of the major arguments EUROPE
• VOL.
I • No
3 -
1999
justifying the development of an independent system in Europe. Given the European context, (nearness to conflicts, terrorism ...), meeting this need requires implementation of a robust controlled access service reserved for these applications and ensuring signal protection. Infrastructures (software and hardware) must also be subject to special protection rules. Security needs must therefore rapidly be specified before GALILEO definition studies start. At the same time, a security policy must be defined. In any case, this policy may only be efficient if drawn up in full coordination with the United States, since if independent measures on GPS and GALILEO are decided, there is a risk this may make them totally inefficient. Finally, as stressed by the European Commission, a satellite navigation system is certainly a strategic tool to enable Europe to assert itself and consolidate its Common Foreign and Security Policy. •
~Ecole Polytechnique and i:~que et de I'Espace. He )eer with the D@l@gation Be position of Head of the :~llistics and Aerodynamics en head of the flight guidlecommunication and airOf French DGA activities Hancart joined the Joint l~les, France)Architecture international relations and ~viaation issues and chairBeno# HANCART !S, Centre de Toulouse, ~hitecture (CNES-DGA) Bpi 1417 avenue Edouard-Belin flouse cedex 4, France Fax: + 33 5 61 27 48 42
Conservatoire National des !~ters program in Acoustics lln Dassault Electronique in ~ponsible for diagnosis and ~as also been Project Mancharge of studies,develop~tems, airborne computers ~Os a satellite navigation M a n a g e r for all GNSS/GPS ojects. He is also personally ~,~ to the French MOD and ; Secretary of the Security EC in the framework of the
~
Pascal CAMPAGNE D~veloppement Conseil 10, cours Louis-Lumi#re 94300 Vincennes, France Tel.: +33 1 53 66 11 11 Fax: +33 1 53 66 11 00
This article is published with the kind permission of the French Institute of Navigation. The views expressed in this paper are not official statements. They are the personal views of the authors.
ill