The Cyber Maritime Environment: A Shared Critical Infrastructure and Trump’s Maritime Cyber Security Plan
Last month, the unclassified version of the Donald Trump administration’s Maritime Cybersecurity Plan was published to the White House website … and then summarily taken down, apparently relegated to the trash bin marked “last president’s stuff.”
The plan was roughly 36 pages of mostly overly broad declarations about the insecurity of the seas; the reliance on, and therefore vulnerability of the United States to, maritime hijinks; and a thinly veiled warning about Chinese competitors and port technology. The document is officially dead letter mail, but here is why Washington cannot afford to let the plan’s points of emphasis sink obscurely into the murky ponds of Mar-a-Lago. Whether in competition or in war, the United States is a maritime country. Land security fails without sea supply defense.
The Maritime Cybersecurity Plan provides a basis upon which the Biden administration can build a whole-of-nation defense in a digitalized environment. Yes, it has broad declarations that declare anew work that has long already been in motion for years like “develop risk modeling to inform maritime cybersecurity standards and best practices.” (Hint: It will look a great deal like the current National Institute of Standards and Technology Cybersecurity framework heavily informed by the excellent ongoing and rarely recognized work of the Coast Guard). The work is ongoing but, without the much needed urgency generated by public and policymaker pressure momentum will be lost. The gap between what engineers and maritime transportation experts know and what the policymaker and the public perceives as a cyber threat is a veritable ocean. The intent of the plan was to fire the starting gun for action in a field nearly entirely ignored by most non-maritime techies and policymakers.
The foot-stomp attention is much needed. The maritime environment is the world’s most complex, critical, and digitally vulnerable infrastructure. The seas are the world’s trade and supply backbone at an estimated 80 percent by volume and 70 percent by value. Information and communications technological change is diffuse, decentralized, and mostly regulated in hindsight. Oceans and waterways are no different.
The country has been slow to grasp the importance of the seas being—like the land—at risk of cyber events. Washington’s hyper focus on land attacks, if understandable, misses those in maritime settings with major economic and security implications. For example, the NotPetya cyber attack against Maersk shipping, one of the world’s most integrated and wide-reaching global maritime networks, cost the company between $250 and 300 million. The ongoing COVID-19 pandemic has laid bare the potential economic and security losses with slowed or halted shipping. Pandemic safety measures are costly and time-consuming for port operators. It is time policymakers recognized that the same effect is also achievable through cyber attacks on critical maritime operations.
The United States is reliant upon freedom of transport across the seas for more than a quarter of its gross domestic product. Deployment of any major military forces to any overseas contingency is primarily reliant upon sea lift. It is long overdue that the U.S. government start talking about cyber security threats to the maritime environment as thoroughly as it has for our domestic continental networks, infrastructure, and territory.
Why Cyber Maritime Security Should Be a Biden Priority
Cyberspace and the maritime environment are integrated and, therefore, share vulnerabilities. One vulnerability lies in the global cyber infrastructure that passes through underseas cables, which carry 99 percent of commercial internet traffic. The primary threats to them is from physical damage and local intelligence penetration, including undersea tapping from submerged platforms.
Another vulnerability is the shore-based infrastructure that links to those undersea cables. The landing points of the world’s internet were largely secured through obscurity, but it was only a matter of time before more critical eyes started to ask, why bother attacking undersea when the landing points are lightly secured? While mainland critical infrastructure strategies do not currently take this space into consideration, the new maritime plan does.
Finally, the systems that enable the maritime transportation system are also subject to cyber attacks. The machines and systems that ferry global trade are shot through with microchips, internet connections, and satellite communications. This maritime transport system operates on the knife’s edge of ever-increasing automated efficiency, which also means these systems—by definition—will be kludged together with varying security standards and requirements based on their country of origin. Similarly, as a target for terrorism, consider that the cruise industry is made up of literal floating cities of crazed connectivity that hacker Stephan Gerling refers to as a “swimming internet-of-things” moving unwitting tourists from port to port globally.
Whether the target is ships, humans, or logistics chains, the maritime environment continues to be vastly underappreciated for its cybersecurity risks and, ultimately, represents a major and underserved economic Achilles heel of the nation.
What Was in the Plan?
The National Maritime Cyber Security Plan has the same limits as any broad strategic vision. But, appropriately, the document focuses on three areas of needed actions: assessing risks and developing standards of protection, ensuring information and intelligence sharing between the public and private sectors, and creating a maritime cyber security workforce.
Assessing risk is partially an effort of down and in (domestic agency coordination) as well as up and out (private sector, and partners and allies). The plan tasks the National Security Council staff to “identify gaps in legal authorities and identify efficiencies to de-conflict roles and responsibilities for [maritime] cyber security standards.” Simultaneously, the plan tasks the Coast Guard to “analyze and clarify … cybersecurity reporting guidance for maritime stakeholders and collect maritime cyber incident reports to identify trends and attack vectors” to reduce risk.
Risks to maritime activities—both shore- and sea-based—are hard to mitigate. No single government agency (or even group of agencies) actually controls the 25,000 miles of coastal and inland waterways, 361 ports, 3,500 maritime facilities, and 20,000 bridges that appear integrated and have the grandiose title of the Maritime Transportation System. It is not a breakdown between federal, state, and local governance. Much of the Maritime Transportation System activity is non-governmental and motivated by commercial profit. It is a “system” only because the parts must connect to function at all. The government may have financed the initial industrial age infrastructure that allowed the maritime businesses to develop securely: lighthouses, aids to navigation, dredging municipal harbors, etc. But the federal government has not done the same in cyberspace. It does not hand out free, and securable or secured, software to ensure success to maritime business, although the U.S. Coast Guard does set requirements. It does not send out teams to ensure the commercial maritime cyber hygiene of all components of the Maritime Transportation System.
The plan’s second element, “ensuring information and intelligence sharing between public and private sectors,” is a herculean task all its own. Unlike domestic critical infrastructures that are usually integrated (albeit loosely) into state and local government systems, woe be unto those who seek to wrangle the maritime domain. The shared critical infrastructure of the ocean’s straits, private ports, multiplicities of ship registration, tracking, and ownership is dizzying, not to mention politically delicate. Most operations are commercial, but some commercial operations are also subsidiaries of foreign state-controlled companies such as China, which has an established history of economic espionage via cyber means. Information sharing will not simply be difficult; it will be a matter of diplomacy.
The third and culminating section of the plan is about workforce expansion. The plan directs the Department of Homeland Security through the Coast Guard to develop maritime cybersecurity “career paths, incentives, continuing education requirements, and retention incentives to build a competent maritime cyber workforce.” On-the-job training will not be enough. Maritime cyber security requires specific knowledge of, and familiarity with, port and vessel systems. A maritime cyber security workforce will need specialists who are knowledgeable of operational technology systems, as well as information technology and how they apply specifically to the maritime environment. The ideal member of the workforce would not so much be a hacker longshoremen (though we find the idea appealing) but a formally trained engineering professional who knows the workings of maritime technology and code development. The ideas emphasized in the plan would be critical to ensuring the building of such a cadre in sufficient numbers. As seems obvious, the Coast Guard and Navy are expected to play the strong roles in sponsoring the development of this civilian workforce, which would, hopefully, then leave federal service to populate the industry, much as Cyber Command and the Air Force have helped expand the employee pools of the commercial cyber and aviation industries, respectively.
The Biden administration should ensure effective action in all three areas. These seemingly standard recommendations for any terrestrial cyber security playbook are more critically needed for the maritime threats. Cyber effects in the maritime realm—particularly shore-based infrastructure—are usually not as immediately evident as they are on land. If part of the electrical power grid is shut down in Los Angeles, people instantly know it. If the offloading infrastructure of the Port of Los Angeles-Long Beach (the largest port in the United States) goes down, the public would hardly notice at first. The damage is diffuse and opaque, but the costs accrue regardless. Dedicated policy is needed to fix this “never in sight, out of mind” tendency and keep this nationally critical infrastructure at the top of mind.
Take Over the Rudder, But Keep the Ship Steady on Course
So, here is what the Biden administration should keep in mind.
First, the Maritime Cybersecurity Plan was a critical starting point. All new administrations want to strike their own path, but it is important that this incoming administration understand the importance and value of what has been accomplished here. The plan lays out the outline of what should be done, especially in terms of the existential need for better coordination with our allies and global firms. Obviously, the plan does not go far enough, but it could serve as the beginning of cleaning up the country’s vulnerabilities associated with a digitally interconnected, mutually interdependent, but increasingly technologically feral maritime environment.
The United States should demonstrate that is willing to set reasonable expectations for the kinds of fine-grained negotiation and cooperation necessary. Like it or not, the country should learn how to preserve the health and security of the domain in collaboration with uneasy, unfamiliar, and sometimes unwilling partners. At a minimum, Washington should kick start a process to get the right collaboration with industry, internal agencies, and allies before it all goes wrong and the digitizing maritime infrastructure is riddled with vulnerabilities.
Second, America’s adversaries already are using cyber capabilities, money, influence, and bullying to make the maritime environment increasingly dangerous for the United States and its allies. This document may seem to matter only to maritime thinkers, but the sea is a critical element in China’s global maritime Belt and Road campaign. As part of this initiative, China’s port investments have included gaining effective control over the shore service infrastructure supplying electrical power and communications to the visiting vessels. U.S. and allied interests are increasingly imperiled if the democracies do not actively seek to protect safe and cyber-secured ports in the developing world.
Third, the United States can set a positive example for the rest of the international community by addressing vulnerability the cyber-related vulnerabilities in its maritime supply chain.
The Maritime Cybersecurity Plan offered an imperfect but useful path forward for the United States to advance its interests in cyberspace. The Biden administration should avoid the classic mistake of ignoring the content because they dislike the messenger. This plan lays out a need for new thinking and new incentives in working with allies and the maritime private sector.
The White House should take on the priorities of this document and—whether it wants to recast them in their own words or not—start doing the hard work of realizing agency alignment, increased information sharing, and generating a workforce needed to keep us safe. Doing so will not be easy, but to the United States should view this as paying down on better national security for tomorrow rather than simply cleaning up the messes after the fact.
Nina A. Kollars is associate professor in the Cyber and Innovation Policy Institute. She is a senior adjunct scholar at Center for a New American Security and a Brute Krulak Center fellow at the Marine Corps University. She publishes on cybersecurity, hackers, and military innovation. She presented her own hacker project at DefCon27, “Confessions of a Nespresso Money Mule.” Kollars is currently completing her book, Trustworthy Deviants: White Hat Hackers and Security. Kollars is also a certified bourbon steward.
Sam J. Tangredi is the Leidos Chair of Future Warfare Studies. He has also served as the director of the Institute for Future Warfare Studies. He has published five books, over 150 journal articles and book chapters, and numerous reports for government and academic organizations. He is a retired Navy captain and surface warfare officer specializing in naval strategy. His co-edited volume AI at War: How Big Data, Artificial Intelligence and Machine Learning Are Changing Naval Warfare will be released by Naval Institute Press in April 2021.
Chris C. Demchak is the RDML Grace M. Hopper Chair of Cyber Security and Senior Cyber Scholar of the Cyber and Innovation Policy Institute, U.S. Naval War College. In her research on cyberspace as a globally shared insecure complex “substrate,” Demchak takes a systemic approach to comparative institutional evolution with emerging technologies, adversaries’ use of cyber campaigns, virtual worlds/gaming for strategic/operational organizational learning, and resilience against imposed surprise in complex systems.