Before WannaCry Was Unleashed, Hackers Plotted About It on the Dark Web
Last weekend, more than 150 countries and 300,000 machines experienced the largest cyberattack to date. The attack did not come out of nowhere—it exploited a known flaw in some versions of Windows. Microsoft issued the patch for it back in March, but many people failed to update their systems, leaving them vulnerable. The hackers knew that many machines would have been left unprotected. In fact, they were counting on it.
Hackers network with one another through many platforms, and a very popular one is forums. These forums work like regular messaging boards where people create profiles and post in threads among different categories. The difference here is that all posters are anonymous, and the forums are present on both the Clearnet (hacker-speak for the regular, less private internet) and the darkweb. Most of the time discussions are harmless and focus on current events or white-hat coding, but sometimes, as in this case, they are used to identify vulnerabilities and exploits as the beginning of cyberattack plans. A 2012 report from Imperva studied a popular hacker forum and found that posts mentioning SQL injection (a web hacking technique) and distributed denial-of-service attacks each generated 19 percent of the discussion volume studied, making them the most discussed topics on that forum. Hackers can give each other ideas and help troubleshoot obstacles in these forums, making them very important to monitor.
WannaCry was no exception. The cybersecurity company CYR3CON, where I am a researcher, found evidence of hackers discussing the attacks before they happened on darkweb forums in several languages including English, Russian, and Arabic. (Disclosure: CYR3CON is an Arizona State University spinout. The university is partnered with Slate and New America in Future Tense.) The forum posters discussed the specific exploit used for WannaCry and recognized its potential for a widespread attack. This exploit was revealed by a Russian hacking group called the Shadow Brokers, who leaked it in a dump of stolen NSA tools on April 14. On the forum CYR3CON monitored, the hackers indicated they were surprised about the lack of patching for the vulnerability and saw it as an opportunity to act fast before it was resolved.
CYR3CON identified a post in a Russian-language darkweb forum that specifically named medical centers as prime targets. This is because in the past, some similar institutions had paid ransoms. The poster figured that tens of thousands of systems would be susceptible. He or she was relatively new to the forum but participated in widely read threads. The hackers on these discussions recognized that although Microsoft released a patch in March, few enough systems had been updated that an attack of this scale was possible. The slow pace of patching plus the exploits’ availability combined to inevitably allow for the global attack. The hackers have received 296 ransom payments so far, totaling almost $100,000.
The WannaCry attack is a reminder that most cyberattacks are carried out using known and reported vulnerabilities. The 2015 Verizon Data Breach Investigations Report stated that 99 percent of breaches were due to known vulnerabilities. A study from the University of Maryland suggested that only 1 to 3 percent of vulnerabilities are exploited “in the wild,” though given the number of devices out there, that’s still a huge number. According to an unpublished study conducted by researchers here at Arizona State University, 30 percent of vulnerabilities listed in a database maintained by the National Institute of Standards and Technology that have been mentioned on the dark web are found to be exploited. Knowing where an exploit is being posted and discussed can help organizations with vulnerability prioritization.
Cybersecurity researchers are trying to change how vulnerabilities and potential attacks are discovered by using both human analysts and advanced machine learning capabilities to search for red flags on the darkweb and Clearnet. These red flags include zero-day exploits for sale, undetectable malware for sale, freelance hackers for hire, tutorials about malicious hacking for download, and discussions among hackers about malicious activities. Hackers are aware of weaknesses and will exploit them—and they’re not shy about admitting it on the dark web. A telling quote from the now-closed Hell Forum said: “There is no right or wrong, my friend. There are only the weak and the strong.” Keeping an eye on hacker chatter can help strengthen the efforts to keep the internet safe.
Google's New Lens Feature Turns Your Smartphone Camera Into a Search Engine
Smartphone cameras have a lot of utility these days: capturing a memory, snapping a selfie, taking notes (far better to photograph a Wi-Fi password than write one down), checking one’s complexion (who needs a mirror?). And at Google I/O on Wednesday, the tech company’s annual developer confab, CEO Sundar Pichai unveiled a new product that adds one more function to our phone cameras’ repertoire: search engine. It’s called Google Lens.
First the gee-whiz-how-cool-is-this part: At its most basic, Google Lens recognizes the contents of images its users take and then displays detailed information about those contents. But this vision-based search engine goes far beyond previously developed products, by Google and others, that offered only trivial information or superficial descriptors. Demoing the new technology during his keynote address, Pichai showed Lens identifying a flower’s genus and species from only a photo, connecting to Wi-Fi after snapping a picture of a network name and password, automatically scheduling billboard-advertised events as Google Calendar appointments, and displaying detailed information about businesses—including reviews, hours of operation, and contact information—with a single shutter-click.
Could San Francisco Ban Those Adorable Food-Delivery Robots?
One San Francisco elected official is on the warpath against food-delivery robots. As reported by Recode, Norman Yee, one of the 11 elected representatives who make up the San Francisco Board of Supervisors, proposed legislation on Tuesday to ban the autonomous vehicles from the sidewalks of the city by the bay. Yee’s office had previously looked into administrative ways to curb autonomous delivery services, apparently out of concerns that the squat, boxy robots—which trundle along at a mean 4 miles per hour—could barrel over elderly pedestrians, people with disabilities, or children.
“Our streets and our sidewalks are made for people, not robots,” Yee told Recode. “This is consistent with how we operate in the city, where we don’t allow bikes or skateboards on sidewalks.” And as the supervisor added to the San Francisco Examiner (beneath the lede “Adios, R2-D2”), “I’m doing this because I do care about safety, and it’s something that could endanger our pedestrians, especially ones who are vulnerable.”
Future Tense Newsletter: Comey Leaves Behind a Damaged Tech Legacy at the FBI
Greetings, Future Tensers,
Though it may seem like the sudden firing of James Comey from his post as FBI director happened a lifetime ago, it was only last week. In a piece on his legacy at the bureau, Josephine Wolff reflects on how the FBI’s use of technology and investigations of cybersecurity incidents during his tenure—from his first success taking down one of the world’s largest botnets to the Apple encryption controversy—have damaged the agency’s reputation and credibility.
Wolff also weighed in on the massive malware attack on the British National Health Service, explaining how it could have been prevented. She writes, “If you’ve ever dismissed a warning from your operating system urging you to download a critical update, you’re part of the problem.” (The good news is you weren’t making that decision on behalf of an entire nation’s health service.) Despite the scope of the attack, the hackers responsible have only profited about $55,000 as of Monday afternoon. A more lucrative venture would be to hack a $275 million superyacht, as an IT specialist demonstrated at the Superyacht Investor Conference held earlier this month.
Other things we read this week while trying to picture planes catapulting off aircraft carriers:
- Map databases: Two bills introduced earlier this year have fair housing advocates and academic researchers worried they’ll lose access to important government-held data. Faine Greenwood explains why this should worry all of us.
- Trump tweet turned Twitter pitch: Will Oremus questions the intentions of Anthony Noto, chief operations and financial officer of Twitter, who responded to President Trump’s threat to cancel press briefings with a tweet suggesting the President use Twitter as a platform for Q&A.
- Uber software engineers jump ship: The ongoing legal battle between Alphabet and Uber has software engineers in Uber’s self-driving technology division looking elsewhere for work. Ian Prasad Philbrick explains how their departures might affect the company.
- Sign language translation: Researchers are employing the same computer animation techniques used in animated films like Ratatouille and Happy Feet to translate written and spoken words into sign language for deaf and hard-of-hearing students.
Brainstorming Wi-Fi passwords for my superyacht,
for Future Tense
It Took a Specialist Less Than Half an Hour to Hack Into a Superyacht
As a rule, superyacht owners are not a group that inspires a lot of pity. But this scenario truly does seem scary: While at sea, hackers located miles away take control of your 100-foot-long, $275 million superyacht’s poorly secured Wi-Fi network. The break-in grants them access to your banking information, emails, and potentially compromising pictures featuring your high-profile guests. It even permits them to rejigger the ship’s navigational systems and sail it off course.
Superyachts’ digital vulnerabilities were on full display at the 2017 Superyacht Investor conference, held in London on May 3 and 4. Campbell Murray, a BlackBerry IT specialist who focuses on thwarting cybercrime, demonstrated the ease with which digital infiltrators could break into the vessels’ Wi-Fi networks. As reported by the Guardian, it took him and a colleague less than a half-hour to take over one ship’s internet connection. “We had control of the satellite communications,” Murray told the assembled audience of superyacht designers, industry leaders, investors, and other conference-goers. “We had control of the telephone system, the Wi-Fi, the navigation. … And we could wipe the data to erase any evidence of what we had done.”
What Slate Readers Think About Synthetic Biology
Our latest Futurography unit focused on synthetic biology. We published articles on the regulatory status of the field, the possible militarization of the natural world, and even synthetic biology’s relationship to queer theory. But we’re also interested in what you have to say, so we’ve written up our survey on the topic.
One of the most immediate stumbling blocks in discussions of synthetic biology comes from the difficulty of defining what, exactly, the term means. Some Slate readers agreed that it might be worth trying to clarify what we’re talking about. “I would define synthetic biology as the engineering approach to biology,” one wrote, though he or she acknowledged that this framing could potentially “overlap with fields such as genetic engineering and metabolic engineering.” A few suggested that we should limit the term to attempts to create artificial life, while others argued that getting scientists to agree on what their field entails would likely be futile. Or as one reader put it, “Good luck! It's like pornography, you know it when you see it.”
Readers listed a wide range of promising possible applications for synthetic biology. One proposed that “[g]ene drives to mitigate mosquito-borne disease and invasive species” were the field’s best hope, while another pointed to “[m]any medical aspects, such as a possible cure for diabetes, and food applications that help resist crop diseases, aid food security.” Agricultural applications were popular with a few other readers as well, but many remained unconvinced of the field’s prospects. “There is so much hype and poor reporting on synthetic biology it is tough to know how much of the ‘promise’ is at all feasible,” one wrote, before adding, “I hope of course for some medical breakthroughs in areas like cancer or HIV treatment, but I’m not holding my breath.”
That attitude also resonated throughout many of the responses to our query about overhyped areas of the field: Numerous readers touched on the same issues that others had celebrated. In agriculture, for example, one suggested that synthetic biology “could be the cherry on top of conventional selection programs, not a replacement” for those efforts. Others questioned some of the field’s basic premises, such as the notion that we can work with DNA in the same way that we do with computer code. Another argued, “The experimentation occurs so much faster than the understanding of the implications,” which encourages researchers to make claims that outstrip the actual capacities of their scientific pursuits.
Whatever the practical promise of the field, many readers felt that we should establish wholly new laws to regulate it instead of attempting to amend old ones. One suggested that we need a “paradigm shift” and proposed that we “[s]tart over from scratch, in the spirit of laws governing animal and crop development.” Taking a similar angle, another suggested that we should aim to make new regulations that are friendlier to smaller businesses, since technologies such as GMOs “are so heavily regulated that only large corporations can afford to take part.” Others, meanwhile, wrote that even if it would be better to establish new laws to regulate synthetic biology, doing so would be too difficult to pull off in practice.
Some offered similarly skeptical responses to our question about whether synthetic biologists should be able to patent organisms. “For anything to be patented, it needs to be a new, useful invention that isn’t obvious. I find it hard to imagine an ‘organism’ ever fitting this definition, but would not object to one being patented if it did,” one wrote. Some felt there might be an acceptable middle ground, as did one who wrote, “Pieces or organisms should not be patentable if they are modified from natural components. Methods patents should not be allowed for organisms.” Another argued synthetic biologists should be able to patent “only the specific traits they design. Intellectual property must be protected.”
As for the safety of synthetic biology, many readers indicated that they were concerned about the possibility of weaponized synthetic biology. Most of those who elaborated on their answers, however, suggested that they were only worried up to a point. “I think it would be difficult to make biological weapons that are more powerful than what we can do already,” one wrote. Another argued that we should concern ourselves more with non-proliferation than with preventing the technologies from being developed in the first place. And a third wrote, “I do not see it being used,” though he or she acknowledged that assumption might be “too optimistic.”
Fewer readers still were troubled by the idea of foods modified through synthetic biology. “I already have eaten food products that only exist thanks to biological manipulation—from cutting-edge R&D products to the cheese I eat almost every day,” one observed. Many others echoed this point, noting that very little of what we eat is free from some form of human influence. As one put it, “We have been using mutagenesis on crops for over a century.” Some did suggest that it would be worth taking a longer view and waiting to make sure new developments were safe. The majority, however, seemed willing to embrace the attitude of one reader who simply responded, “I look forward to it, yum!”
So Far, That Enormous Ransomware Attack Has Only Netted About $55,000 for the Hackers
On this side of the Atlantic, reaction to the WannaCry ransomware attack that affected at least 150 countries and crippled Britain’s National Health Service has been fairly muted. Homeland Security officials reportedly met over the attack on Friday and Saturday, and U.S. officials said Monday that only a handful of American companies, like FedEx, have been affected so far. That may well be a consequence of pure luck—a security researcher who goes by the handle MalwareTech accidentally triggered a kill switch in the attack’s program that has bought those with uninfected computers some extra time.
The attack, which works on Windows PCs, has been spread mostly by email. It locks, encrypts, and threatens to erase an infected computer unless the owner pays a gradually increasing ransom starting at about $300 worth of Bitcoin. Despite the global reach of the malware, trackers set up to monitor the amounts being paid to the hackers in ransom suggest that relatively few have lost money. The Twitter account @actual_ransom says that as of 2 p.m. Monday, the hackers behind WannaCry had made just over $55,000.
Mikko Hypponen of the Finnish cybersecurity firm F-Secure says that many who have paid the ransom have regained control of their computers and their files. But paying is ill-advised, especially since the hackers behind the attack reportedly have to approve each decryption. There’s no guarantee whatsoever that paying will actually work. (Furthermore, Josephine Wolff has written in Slate that you should only pay a ransom for your files if it's a matter of life.)
It could have been much worse. While looking into the attack’s malware, MalwareTech discovered that the code was written to query an unregistered URL. When MalwareTech registered the domain and diverted traffic to a sinkhole—a server that takes in traffic from infected computers and prevents hackers from controlling them—the code shut down. The malware had evidently been designed to deactivate itself if the domain was active. “Competing theories exist as to why WannaCry’s perpetrators built it this way,” Wired’s Lily Hay Newman writes. “One possibility: The functionality was put in place as an intentional kill switch, in case the creators ever wanted to rein in the monster they’d created.” MalwareTech believes it's also possible that the kill switch could have been intended to circumvent analysis of the malware itself:
That sort of examination often takes place in a controlled environment called a “sandbox.” Researchers construct some of these environments to trick malware into thinking it’s querying outside servers, even though it’s really talking to a bunch of dummy sandbox IP addresses. As a result, any address the malware tries to reach gets a response—even if the actual domain is unregistered. Since the domain MalwareTech acquired was supposed to be dormant but went live, WannaCry may have assumed it was in the middle of forensic analysis, and shut down.
Either way, the activation of the kill switch gives those with uninfected computers an opportunity to protect them. Microsoft has taken the rare step of offering a security patch for older Windows systems, including Windows XP, which has proven particularly vulnerable to the attack. If you are running a Windows machine and you haven't updated it yet, you should do so immediately.
Microsoft has also published a statement partially blaming the National Security Administration for the attacks. WannaCry used a vulnerability in Windows systems that the NSA cataloged for use and was leaked by the hacking group Shadow Brokers in April. “[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” the statement reads. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
The Malware Attacking the U.K.’s National Health Service Could’ve Been Stopped. Here’s Why It Wasn’t.
The ransomware attacks spreading across the computer systems of the British National Health Service this week are a stark reminder of the shocking state of software-updating practices in even the most critical infrastructure systems across the world. The attacks involve the ransomware strain WannaCryptor, which encrypts the contents of infected computers until the victims make a Bitcoin payment of roughly $300. WannaCryptor takes advantage of vulnerabilities in the Windows operating system that were patched in March by Microsoft, after a group called the Shadow Brokers leaked similar tools, allegedly stolen from the NSA.
The NHS had two months to install this patch and inoculate itself from WannaCryptor—but it didn’t. In fact, many systems remain vulnerable. It would be bad enough if a wave of hospitals were under attack because a brilliant, determined adversary had identified new, never-before-exploited vulnerabilities in their computer systems. But to be suffering these sorts of crippling attacks at the hands of an adversary who is merely recycling old malware, which could have been stopped using existing patches, is downright shameful.
This is an old story. Computer security workers have been complaining about the people and organizations who don’t download security patches promptly for pretty much as long as there have been software patches. If you’ve ever dismissed a warning from your operating system urging you to download a critical update, you’re part of the problem. But then, you’re probably not making that decision on behalf of an entire hospital—much less, an entire nation’s health service.
And yet, those software patching decisions that are so much more crucially important in the context of health care and other critical infrastructure systems are, at the same time, much more difficult to execute. Ironically enough, this is partly because the health care industry has historically been subject to much more stringent data security and privacy regulations and standards than other sectors. In the United States, for instance, medical information is subject to the requirements laid out in the Health Insurance Portability and Accountability Act of 1996. That means that every new system or piece of software purchased by a hospital or health care provider in the U.S. needs to be approved as being HIPAA-compliant.
This is probably a good idea, at least in theory. It makes sense to have some checks and security standards for health care-related computer systems and software. But it also means that updating systems—switching to a newer version of an operating system, for instance—can be a major challenge for health care organizations. A new operating system, or even an updated operating system, can often mean switching to new software programs and altering other components of the network. But at a hospital, every single one of those changes necessitates a slow, expensive compliance audit to ensure that none of the government’s data protection standards has been violated.
Instead of encouraging hospitals to make rapid changes and updates to their computing infrastructure, policy initiatives aimed at improving the security of health data have instead focused on trying to ensure that those decisions be carefully vetted and evaluated. It’s impossible to have it both ways: Either we can demand that hospitals do an in-depth sector-specific check of new systems and software before implementing anything, or we can expect them to download all important security patches within a matter of weeks. And it’s very difficult to know how health care providers should best strike a balance between these two goals.
At present, it’s very difficult for the health care industry to respond to threats even over the course of two months—and as this week’s news demonstrates all too clearly, that’s a problem with enormous associated risks. On the other hand, it could also be very risky to place too much pressure on hospitals to update systems and download new software too quickly before it could be thoroughly evaluated and vetted.
One of the other striking features of the spread of the WannaCryptor ransomware across NHS hospitals is the apparent lack of effective network partitioning or quarantining tools in the health care sector. That the malware is spreading so quickly among multiple hospitals suggests that the NHS is struggling to cut off the infected machines and had no serious contingency plan in place for how to deal with a malware infection in its centralized system.
In computer security, we often like to take metaphors, names, and lessons from the public health sector. Notions of quarantining computers, teaching users good computer hygiene, even computer viruses, all originate from the language and practices of medicine. It seems the lessons technologists have drawn from the health care world need to be conveyed back to the hospitals and health care providers where they originated.
Trump Threatened to End Press Briefings. Twitter Saw a Chance to Profit.
On Friday morning, President Trump issued his latest threat to curtail the media’s access to the White House—and a top Twitter executive took it as an opening to make a marketing pitch.
It started when Trump began tweet-storming his excuse for the false statements that his spokespeople, Sarah Huckabee Sanders and Sean Spicer, made about the firing of FBI Director James Comey in this week’s White House press briefings.
As a very active President with lots of things happening, it is not possible for my surrogates to stand at podium with perfect accuracy!....— Donald J. Trump (@realDonaldTrump) May 12, 2017
Maybe the best thing to do, Trump mused, would be to cancel the briefings altogether, ending a longstanding practice that is widely considered an important venue for the press to publicly hold the president accountable. The president suggested that his communications team could instead “hand out written responses for the sake of accuracy.”
...Maybe the best thing to do would be to cancel all future "press briefings" and hand out written responses for the sake of accuracy???— Donald J. Trump (@realDonaldTrump) May 12, 2017
To journalists, this is a familiar and galling PR tactic—a way for powerful people and institutions to dodge tough questions about their words and actions. Live, in-person interviews can force subjects to respond more clearly and frankly, because they can’t cherry-pick favorable questions or consult with lawyers or marketing gurus to craft cagey answers. It’s pretty obvious why a man like Trump, who tends to make up his version of the truth as he goes along, would want to shut down a venue in which his spokespeople have to defend him in real time, on live TV. The president of the White House Correspondents’ Association weighed in with a statement opposing Trump’s proposal.
White House Correspondents' Association statement on press briefings. pic.twitter.com/qAzrzehENL— Jeff Mason (@jeffmason1) May 12, 2017
To Twitter’s Anthony Noto, however, it apparently sounded like a golden opportunity. Noto, the former Goldman Sachs banker who is now Twitter’s COO and CFO, has been described by the tech blog Recode as “the man running Twitter.” (CEO Jack Dorsey splits his time between Twitter and the mobile payments company Square, where he is also CEO.) Here’s how he replied to Trump’s tweet Friday morning:
@realDonaldTrump May I suggest questions submitted and answered via Twitter. A perfect record and we distribute to the world not just those with a TV— Anthony Noto (@anthonynoto) May 12, 2017
That sounded a lot like an endorsement of Trump’s proposal to permanently end press briefings. And while Twitter has its virtues as a forum for public debate, replacing live briefings with written Twitter responses would play right into the administration’s goal of limiting its accountability. With countless questions to choose from, Trump and his deputies would have plenty of cover to ignore the curveballs and home in on the softballs from partisan allies. And they could presumably take their time answering, making sure not to commit themselves to anything that could prove controversial.
About three hours after he published that tweet, Noto followed up with what he framed as a clarification. Conceding that Twitter is “not a substitute for a vibrant & free press,” Noto tweeted that he doesn’t actually support cancelling press briefings. “Sorry 4 confusion,” he added.
Twitter declined to comment further, referring me to Noto’s follow-up tweet.
The company has already taken some flak from Trump opponents for giving the president a platform that he has often used to spread misinformation, launch personal attacks on political rivals, and in some cases denigrate minority groups. As I reported in November, the company has not ruled out suspending Trump’s account if it determines that his tweets clearly violate its terms of service. That’s in contrast to Facebook, whose CEO Mark Zuckerberg has indicated that he considers Trump’s rhetoric to automatically fall within the bounds of acceptable political discourse by definition. Still, it seems clear that Twitter has no plans to take action against Trump, whose use of the platform has helped to underscore Twitter’s relevance at a time when it’s under heavy pressure from investors.
I think Twitter is right to give the president of the United States some leeway in what he’s allowed to say on the platform. The public has a compelling interest in hearing directly from Trump, even—or perhaps especially—when he’s saying things that are false, outrageous, offensive, or otherwise indefensible. And Twitter Q-and-A’s with the president or his spokespeople are not an inherently bad idea, as long as they don’t come at the expense of the professional media’s access.
The problem is the careless opportunism of Noto’s tweet. Twitter likes to think of itself as a public square, and it generally deserves praise for taking its role in political discourse seriously. The downside of the “mission-driven” culture at Twitter and other prominent Internet companies, however, is that it can lead people like Zuckerberg and Noto to conflate their own firms’ interests with those of society at large. The result is that, in many cases, they’re all too eager to disrupt things that would probably be better off undisrupted.
It’s nice that Noto followed up with a note of support for press briefings, although I don’t really buy that the reaction to his original tweet was based on “confusion.”
The White House press briefing is far from a perfect institution. But at a time when Trump is doing all he can to dismantle the checks on his power, the last thing we need are Silicon Valley titans sponsoring his assaults on democratic norms.
Everything You Need to Know About the “Digital” “Catapults” Donald Trump Thinks the Navy Doesn't Need
In an interview with Time excerpted online Thursday morning, president Donald Trump covered an array of topics. None of his statements has proved more baffling, however, than his claims about catapults aboard USS Ford-class aircraft carriers, the first of which should be in service this summer. Yes, catapults. His remarks on the topic are worth quoting in full:
You know the catapult is quite important. So I said what is this? Sir, this is our digital catapult system. He said well, we’re going to this because we wanted to keep up with modern [technology]. I said you don’t use steam anymore for catapult? No sir. I said, “Ah, how is it working?” “Sir, not good. Not good. Doesn’t have the power. You know the steam is just brutal. You see that sucker going and steam’s going all over the place, there’s planes thrown in the air.”
It sounded bad to me. Digital. They have digital. What is digital? And it’s very complicated, you have to be Albert Einstein to figure it out. And I said–and now they want to buy more aircraft carriers. I said what system are you going to be–“Sir, we’re staying with digital.” I said no you’re not. You going to goddamned steam, the digital costs hundreds of millions of dollars more money and it’s no good.
Why, you might reasonably ask, does an aircraft carrier need catapults? And what’s the difference between a steam catapult and a “digital” one? Glad you asked!
You first have to understand that Trump wasn’t talking about medieval siege engines, though you’d barely know that from reading his comments. Instead, the key is in his offhand claim that his interlocutor said something about “planes thrown in the air.” Despite their size, aircraft carriers have relatively short runways. Accordingly, they employ catapult systems to assist with takeoff.
For decades, the steam-powered launch system that Trump alludes to has been the norm. Despite their antiquated-sounding name, these catapults are complicated mechanisms, not some sort of Victorian holdout. Illumin offers a helpful gloss of the way it all works, but it goes something like this: When they’re preparing for launch, planes are strapped into the catapult, holding them in place, even as their pilots are throttling their engines. When the steam—drawn, as Defense Industry Daily explains, from a carrier’s nuclear reactor—accumulates, it activates pistons in the catapult, removing the restraints and sending the aircraft hurtling forward and into the sky. Fwoosh!
It’s an effective system, which is why it’s been employed for so long, but it’s not without its problems. As Defense Industry Daily notes, “The result is a large, heavy, maintenance-intensive system that operates without feedback control; and its sudden shocks shorten airframe lifespans for carrier-based aircraft.” In addition to increasing wear-and-tear, steam-based catapults may not be ideal for future generations of aircraft, some of which may be too heavy for the system to support.
Enter the Electromagnetic Aircraft Launch System, generally known as EMALS. (Yes, really.) This new system—which is presumably what Trump had in mind when he spoke of “the digital”—really is complicated, but the basic function is simple enough: In fact, it’s reportedly similar to the technology used on rollercoasters. EMALS works by activating a series of motors that pull the aircraft along a track, helping it reach its appropriate speed as it accelerates. The process puts considerably less stress on aircraft, meaning that they can remain operational for far longer. It’s also faster and allows for more precise calibrations, allowing carriers to quickly launch a variety of aircraft.
I called up defense expert Peter W. Singer of New America (which is a partner with Slate and Arizona State University on Future Tense), who affirmed the potential benefits of EMALS. “They offer you improved efficiency and are less maintenance intensive. It allows the aircraft carrier to operate more effectively, because the turn-around time is better,” he said. He also pointed out that China will likely incorporate EMALS-type technology into the generation of aircraft carriers after the one they’re currently developing.
“Trump doesn’t know what he’s talking about. That technology is a key selling point of the new aircraft carriers,” Singer said.
One of the most puzzling elements of Trump’s statement is his description of the catapults as “digital” rather than electromagnetic. It seems entirely possible, of course, that Trump—who, as we have long known, understands terrifyingly little about computers—simply flipped the two words. Indeed, his assertion that “you have to be Albert Einstein to figure it out” squares well with his previous claims about hacking and other problems with what he has called “the cyber.”
That said, it’s worth noting that the underlying digital complexity of EMALS is one of its selling points. According to a post on the site Global Security, “Another advantage of EMALS is that it would reduce manning requirements by inspecting and troubleshooting itself.” While it would demand that crews be taught new skills as they learn to interact with the new system, it presumably wouldn’t require whole teams of Einsteins, thanks in part to its self-diagnostic capabilities.
Why, then, would Trump want to abandon this promising new technology just before it goes into operation? If we take him at his word, it’s presumably because the system is pricier than the older alternative. There may be some truth to this claim: The Ford-class carrier program has been dogged by delays and cost overruns. But as the Atlantic notes, “[T]he problems with the Ford-class carrier program are more organizational than technological.” What’s more, Navy Times cites an estimate indicating that EMALS will “save the Navy $4 billion in maintenance costs over the course of the ship’s 50-year lifetime.”
Further, Foreign Policy’s Robbie Gramer points out that this proverbial ship has already sailed, even if the USS Ford hasn’t. “Experts say it’s virtually impossible to sort out how to replace the existing EMALS system with the old steam-powered system, and that could cost billions of dollars,” Gramer writes. In other words, Trump’s attempt to save money could cost the military dearly, even as it restricts its capacity for technological development in other ways.
Singer echoed many of these concerns in our conversation. “For people who know this topic of defense acquisitions one of the reasons you get escalating costs is when you change the requirements and designs midstream, and that’s exactly what [Trump’s] proposing to do here,” he told me. Moreover, he noted, “This is inappropriate, and an amazing level of micromanagement that would have Republican defense wonks apoplectic if Obama had done it.”
They don’t seem to be objecting yet.