With tons of U.S. vehicles and aircraft left behind in Afghanistan, America’s near-peer competitors like China and Russia stand to learn a lot, according to Josh Lospinoso, the CEO of cybersecurity company Shift5.
In the final weeks of the U.S. military mission in Afghanistan, U.S.-backed Afghan government forces surrendered to the Taliban and U.S. troops became overwhelmed with the task of evacuating tens of thousands of people out of an airport under constant threat of attack. In the chaos, tons of drones, planes, helicopters, armored vehicles and other equipment were left up for grabs.
In an interview with American Military News, Lospinoso said the fact that the Taliban now have their hands on much of that U.S. equipment, and could potentially sell it to countries like Russia or China, creates a “playground” for America’s adversaries to figure out how the equipment works and how it can be hacked and “turned into a paperweight.”
Lospinoso was among the first crop of officers to help stand up the U.S. Army’s Cyber Command. In that role, Lospinoso spent a lot of his time conducting “penetration tests” where he would try to find ways to hack into the digital components of military equipment to interfere with their physical operations.
“A lot of folks are going to be looking at IT and how does IT offensive and defensively kind of play into the military’s strategy,” Lospinoso said. “Why don’t we look at the fleet assets, the things like the Abrams tank or a military vessel like a destroyer.”
Lospinoso said the increasing number of physical components on fleets of military vehicles and aircraft makes them increasingly vulnerable to hackers who could potentially interfere with or even shut off vital components mid-operation.
“With a few thousand dollars worth of equipment, you could cause an Abrams tank to turn into a paperweight, or a fighter jet to be completely mission incapable, in some cases put it into unsafe conditions where it’s going to have a hard time staying in the sky,” he said.
After the last U.S. troops left Afghanistan, U.S. Central Command (CENTCOM) head Gen. Kenneth McKenzie told AFP the U.S. left behind 73 aircraft, around 70 Mine-Resistant Ambush Protected (M-RAP) armored tactical vehicles, 27 more Humvees and multiple counter rocket, artillery and mortar (C-RAM) systems that helped defend the Kabul airport from attacks during the evacuation effort. Video from those final days in Afghanistan even showed U.S. troops smashing up those abandoned vehicles with hammers.
McKenzie said, “We demilitarize those systems so that they’ll never be used again.”
Lospinoso, however, said even demilitarized, that abandoned equipment is useful to America’s enemies.
“What we’ve been hearing is that these things have been demilitarized,” Lospinoso said, “which means that that specific asset can’t be used against us directly like in some sort of combat scenario, which is ‘good,’ but that doesn’t do nearly enough.”
One of the things Lospinoso learned from penetration testing America’s military equipment was that “one of the most important things was getting a physical representation of that asset, even if it was just a part of it.”
Any number of adversaries could now potentially gain access to the equipment abandoned in Afghanistan. Iran borders Afghanistan to the West. Russia has a military presence in Tajikstan, which lies on Afghanistan’s northern border. The Taliban have also described China as its main partner going forward.
“I think it’s really the near-peer adversaries that are benefitting the most from this kind of exposure,” Lospinoso said.
“If you’re able to find cyber vulnerabilities in these really critical weapons systems, whether that’s the backbone of our air transportation infrastructure or its the ground combat vehicle that undergirds our entire mechanized infantry, or God-forbid it’s a fighter aircraft that gives us air superiority, you’re going to win that fight,” he said. “If you can, without firing a single shot, if you can send some message to a system and it turns into a paperweight, you’re going to win that fight.”
Lospinoso said it won’t be easy to simply seal up the vulnerabilities exposed after the U.S. left behind so much equipment in Afghanistan because cybersecurity was not a key factor in how many of those systems were originally designed
“We can’t redesign the system,” he said. “We have to sort of put anti-virus in place to work around what is already there.”
It could also be tricky figuring out to how to protect future U.S. military systems from being captured and then exploited by America’s enemies. Lospinoso said it “makes a ton of sense” to add a form of digital killswitch to wipe the data off of a captured piece of equipment, but there would have to be some safety features in place so that such a killswitch wouldn’t then be used against equipment the U.S. military is actively using.
Lospinoso said the cyber-physical components of military equipment need to be a key focus in the future systems the U.S. designs. His company, Shift5 is one of a few firms focused on cyber-physical security but he said “we need more talent flooding into this problem space.”
“So folks that are maybe working on IT systems and are cybersecurity professionals or critical thinkers that work on those systems, we need some of those folks to jump that lacuna to where we are here and work on fleet assets because the cyber-physical effects are just too great.”
