Why waste your time scanning police radio when you can watch live video feeds from American UAVs. Wired recently published an interesting piece (http://www.wired.com/dangerroom/2012/10/hack-proof-drone/) indicating that half of US drones broadcast their video feeds in the clear. The strategic disadvantage of letting your opponents know what you are watching and what you can see is clear – so why does such a serious security hole exist?
We would need to know the details of the development of the drone technology to understand how they came to be developed as they were, but the very fact of the hole can give us some indications. It seems a clear indication of the “security as an afterthought” paradigm, where systems are developed without regard to security, and then security features are patched on after the fact. Then, of course, under the pressure of resource constraints and time, some things just have to give. Even if serious consideration is given to security (as one would think it would be in a military environment,) the existing structures may be such that it is extremely difficult or costly to add security features without re-engineering the entire product. Even when things succeed, there are more likely to be holes, weaknesses, and bugs where the software interfaces with the security modules.
So what is the solution? Engineering for security from the bottom up. The base task should be “how do we make this work securely?” not simply “how do we make this work?” With such an approach, all interfaces and processes are developed to be secure, and the internal design of the system reflects that methodology. All bugs can not be avoided, but with a well-engineered framework, they can, at least, be minimized and easily remedied.