Department of Defense officials have yet to address known cyber security risks associated with a military aircraft tracking tool and have only two years before the system must be fully integrated, according to a Government Accountability Office (GAO) report published Jan. 18.

The Automatic Dependent Surveillance-Broadcast (ADS-B) Out tracking tool, part of a Federal Aviation Administration (FAA) program to provide transparency on military aircraft, falls short of fully protecting operational information from adversaries and remains vulnerable to electronic warfare and cyber attacks, according to the report.

“Since 2008, the Department of Defense and the Department of Transportation’s Federal Aviation Administration have identified a variety of risks related to ADS-B Out technology that could adversely affect DOD security and missions,” the GAO writes in its report. “However, they have not approved any solutions to address these risks.”

DoD has until 2020 to equip its aircraft with ADS-B Out in an effort to upgrade its radar systems and provide increased transparency. The program is part of the FAA NextGen initiative to modernize radar-driven, ground-based air transportation systems to satellite-driven space-based systems.

The Senate tasked GAO with assessing DoD’s plan to address known vulnerabilities with ADS-B Out, which provides real-time information on an aircraft’s location, velocity and airframe dimensions.

Concern has been raised about the satellite-based ADS-B Out technology’s potential to pose operational risk if adversaries are able to expose the positions of military aircraft.  

“DOD and FAA have drafted a memorandum of agreement that focuses on equipping aircraft with ADS-B Out but does not address specific security risks,” the report says. “Unless DOD and FAA focus on these risks and approve one or more solutions in a timely manner, they may not have time to plan and execute actions that may be needed before January 1, 2020—when all aircraft are required to be equipped with ADS-B Out technology.”

DoD has only fully implemented two of the eight initiatives included in the NextGen program from 2007 and has yet to finalize a mitigation plan for addressing cyber risks with ADS-B Out, according to the report.

One of the initiatives DoD has yet to address is devising a cohesive plan for integrating defense-wide components needed to properly secure ADS-B across all military aircraft.

“As a result of DOD not fully implementing the 2007 NextGen memorandum, DOD components have lacked direction and cohesion while trying to address FAA’s requirement to equip military aircraft,” GAO says.

GAO recommends DoD and FAA approve at least one solution for the time being to solve known ADS-B security risks.