Testimony Before the Subcommittee on Aviation
of the Committee on Transportation and Infrastructure
U.S. House of Representatives

June 8, 1995

Dr. Dorothy E. Denning
Computer Science Department
Georgetown University
Washington, DC 20057
202-687-5703

Mr. Chairman, thank you for the opportunity to testify on the FAA's plans for augmenting GPS. My name is Dorothy Denning and I am Professor of Computer Science at Georgetown University. I have been in the field of cryptography and information security for over twenty years and have worked in both academia and industry. I am currently specializing in encryption policy and technology.

I knew practically nothing about GPS prior to being asked to testify before this subcommittee. I was asked to consider the question of whether the FAA's planned differential GPS correction signals could be encrypted with a commercial algorithm that would be essentially unbreakable. Currently, there are no plans to use any type of encryption in either the Wide Area Augmentation System (WAAS) or the Local Area Augmentation System (LAAS). However, the private-sector differential GPS providers encrypt their signals with proprietary algorithms in order to protect their commercial interests.

I found no technical obstacles to encrypting the differential corrections with a strong algorithm, although this application might not require such a strong algorithm. However, I did find considerable controversy over the question of whether encryption should be included at all. I will focus my testimony on the arguments for and against encryption.

There are four arguments in favor of encryption. First, encryption would provide a method of denying access to adversaries. Although jamming also can be used for this purpose, it might not be suitable in some situations. Second, encryption would enhance safety by providing a method of detecting spoofed signals transmitted by an adversary for the purpose of causing a crash. Third, encryption would provide a mechanism for recovering costs since access to the signals could be conditioned on paying a fee. Costs could be recovered through other means such as the airline ticket tax, but using encryption for this purpose leads to the fourth argument for encryption: it would protect the commercial interests of private-sector differential GPS providers since the FAA's signals would not be available for free. Although the private-sector providers could continue to find a strong and growing market by providing greater precision or other niche services, encryption would resolve any market overlap.

There are also four arguments opposed to encryption. First, encryption would require a major redesign and development effort that could take several years. This could potentially delay operation of WAAS while adding significant development and implementation costs, probably in the tens of millions of dollars if not more. In addition to direct costs, delayed operation of the proposed augmentation system could delay projected cost savings to the FAA, which are estimated to reach several billions of dollars.

Second, encryption introduces potential safety problems. If the encryption or key management system fails in any way, the signals would not be available, possibly in an emergency situation.

Third, putting encryption into WAAS might undermine U.S. leadership in GPS and harm U.S. industry. If WAAS is significantly delayed or if encryption is not accepted internationally, a non-U.S. GPS augmentation system, without encryption, could be adopted internationally. This might reduce the potential market for U.S.-made GPS receivers. On the other hand, it is conceivable that encryption could be gradually integrated into the FAA's system without adding significant delays, for example, by adding a few simple hooks now, and that it could be done in a way which would be accepted, possibly even preferred, internationally. My understanding is that Australia has just adopted a policy requiring encryption of their precise navigational signals.

Fourth, adding encryption would require a complex key management infrastructure so that devices could be keyed and re-keyed. Even if key distribution is done electronically, managing the infrastructure could be a major task and administrative burden. The key management system could be eliminated by using a proprietary, non-keyed encryption method. This is the approach taken by the commercial differential GPS providers. However, it would not work with the FAA's system. Since the algorithms must be made public in order to achieve widespread acceptability and standardization, the encryption would be readily defeated. It is conceivable, however, that for this limited application, the key management could be simplified so that it is not onerous.

Given that there are arguments on both sides, the question of whether to encrypt might best be resolved by establishing a national policy on precise navigational signals over our airspace. I recommend that Congress review the national security and safety risks associated with not encrypting these signals and consider establishing a policy for these signals. If the decision is made in favor of encryption, then a study might be conducted, say over six months, that would include the following objectives: 1) a preliminary systems engineering requirements specification; 2) a proof-of-concept prototype model; 3) a detailed cost analysis to include development, production, testing, integration, operations, and maintenance costs; and 4) a risk assessment and risk mitigation plan.