On the scale of potential cyber-threats, who expected a fitness tracking app to create an international security headache?
Strava is a popular app that pairs with wearables like Fitbits and Apple Watches to aggregate exercise data. When you go jogging Strava uses GPS to keep track of where you go.
The Strava company describe their product as a ‘global network of athletes.’ They use the GPS data collected by their app to create a map, showing the jogging routes of their users, which is publicly available on the company’s website.
That all seemed pretty harmless, but one Australian university student noticed something about the Strava map data that was a bit concerning.
Nathan Ruser is a 20-year-old student of international security at the Australian National University. He has a long-term interest in Greater Middle Eastern conflict zones and when he looked at the Strava map he saw that there were numerous areas where GPS activity data had been recorded in and around military bases.
In countries like the United States and Australia, the Strava map was covered with many users’s overlaid data trails. But in the Middle East, Ruser observed, the only tracking data seemed to belong to foreign military personnel, showing up around bases.
(Image below: a screenshot of the Strava online map showing the Middle East region.)
Once Ruser had noticed the correlation between known military installations and Strava activity, he started seeing hotspots in remote regions that seemed to represent frontline tactical positions as well. In a report from ABC News, Nathan Ruser observed that the Strava map could be used to “establish a pattern of life for a base.”
“You can see the main supply highway for US forces in Syria,” Ruser said. “I just remember thinking; f***, that's not good."
Ruser Tweeted his concerns about the Strava map data and his Tweets got the attention of the US Department of Defense, who are now investigating Rusers observations. The Washington Post has quoted a spokesperson as saying that the US Military is “revising its guidelines on the use of all wireless and technological devices on military facilities as a result of the revelations.”
(Image below: a screenshot of the Strava map Tweeted by Nathan Ruser, showing user activity in remote regions of Afghanistan.)
Unforeseen Consequences
The US Military actively encourages their personal to use fitness tracking devices. The potential security issues around having the daily movements of their soldiers recorded by a third party GPS app weren’t recognised until that data became public.
It seems incredible that the US military could be unwittingly allowing soldiers to reveal their movements; data that could be exploited by enemy combatants. Military activities are usually subject to strict security protocols, but the Strava map shows how easily sensitive data can be accidentally compromised.
The Strava situation highlights the unpredictability of cybersecurity risks. We are in a world of complex, overlapping digital technology that gives us a huge amount of data to work with but that data is also a significant vulnerability. How to securely store data, and how to control who can get access to it is a crucial risk management issue for all organisations, corporate as well as military.
Security is a top-level responsibility
Everything an organisation does generates data and that data can be damaging in the wrong hands. We seem to be in an era right now where we have adopted a plethora of new technology but haven’t quite come to grips with the security implications.
Organisations are discovering that they have to extend their cybersecurity thinking into new realms because the boundaries of the online environment are increasingly blurred. In the case of the Strava map the compromised data isn’t comportate or military in origin. It’s personal data created by privately owned devices, but it could be interpreted to reveal sensitive military intel that would be valuable to hostile forces.
Because interconnected digital technology is involved in every aspect of our lives, cybersecurity is increasingly seen as a macro-level problem that affects every aspect of an organization's activities.
Can cybersecurity be considered simply as an IT issue in the current context?
Craig McDonald recently interviewed Gary Martin on the MailGuard Blog.
Gary Martin is Emeritus Professor of Murdoch University’s School of Business and Governance.
Craig asked Prof. Martin about his ideas on cybersecurity management:
“what is required now is a truly multidisciplinary approach which must involve all parts of an organisation, including an organisation’s senior management and its Board, and not just IT personnel,” Prof. Martin said.
“Most breaches of IT security are through human error – not a lack of technology protection. So an organisation’s culture plays a huge role in setting the standards for behaviours that help to prevent cybersecurity issues – and culture is very much the responsibility of the CEO and the C-suite; in fact all of those working at an organisation...”
Stay informed about cybersecurity
A recent report published by The World Economic Forum (WEF) predicts the cost of data-breaches and cybercrime to exceed US$8 trillion this year. The WEF’s report places cybersecurity among the most significant global threats alongside climate change and natural disasters.
With data-breach statistics showing accelerating growth, cybersecurity is becoming a top-priority for business leaders and governments alike.
If you would like to keep up-to-date with the latest cybersecurity news and commentary subscribe to MailGuard Blog updates:
