
Coast Guard Aviators Shop for a Course-Plotting iPad App

The U.S. Coast Guard wants to buy a navigating app, similar to those already used by civilian pilots, for service members who are substituting iPads for flight bags, according to a government solicitation. But the software specifications omit certain safeguards to prevent hackers from hijacking the cockpit, some information technology specialists say.

The section of the Aug. 14 work order pertaining to security requirements states, "There are no special security requirements."

Today, with paper-based aviation charts, it's hard, if not impossible, for bad guys to corrupt directional guides. But, as flight planning migrates to software-based resources, it is critical that agencies ensure those programs do not contain malicious code, said Bernard Skoch, a retired Air Force brigadier general and government IT consultant. 

"It doesn't take much imagination to envision a horrible scenario in which a bad actor corrupts every Coast Guard cockpit with a few keystrokes," he said.  

The service's purchase plans do not require that the app's code be developed in the United States or that it be subjected to penetration attempts by hired hackers. "I think that opens up a significant risk area. The software will become mission critical and should be domestically written, or as a minimum it should be provided only by programmers in countries friendly to the U.S.," Skoch said. 

Coast Guard officials did not respond to a request for comment. 

The app will display confidential government information, such as maps and charts collected by the National Geospatial-Intelligence Agency, but stolen secrets are not the main concern. 

The sensitivity level of that NGA data does not require special data protections, Skoch said. But that data and all the other code in a navigation app, regardless of content, should require that the software be designed stateside and undergo thorough testing and validation, he said, because digital vulnerabilities can be exploited to manipulate aircraft.

The Air Force Special Operations Command canceled an iPad procurement in February 2012, after receiving a query from Nextgov about its stated plans to use Russian-developed GoodReader software for mission security and as a document reader.

There is room to enhance the Coast Guard’s security requirements, but this expected IT buy is "a good sign" for the federal acquisition process, said Warren Suss, a government telecommunications analyst. "In recent years, the security cops have really stood in the way, by being absolute, looking for the 100 percent security."

Now, civilian agencies, and even the Pentagon, are deploying “mobile device management” systems to reduce the risk that government-issued consumer electronics will compromise agency networks or leak information.

The Coast Guard is probably considering, “How likely is it that these maps either could get in the wrong hands or could be changed or compromised, and how do you weigh that against the potential benefits of giving these fliers a better solution for getting their geographic information? I believe that is a legitimate tradeoff,” Suss said.

During potentially four years of use, the app will support between 200 and 1,100 iPads, according to the contract documents.

The tool, described as "critical to USCG aviation's operation requirements," will feed the service's personnel terminal instrument approach procedures, arrival and departure instructions, and en route navigational charts, officials said. Like a consumer iPad app, it must understand finger gestures, such as pinch-to-zoom, as well as incorporate "night settings" for easy viewing during operations in the dark. 
