Tag Archives: cyber

Capability Analysis, Strategy

Three Hard Questions for U.S. Maritime Strategy in a Digital Age

1 Comment

By Frank T. Goertner

From the White House to the Pentagon, the message is clear. The world of 21st Century great power competition has arrived, and it is distinctly different from the one today’s U.S. national security enterprise was designed to confront. Now is the time for every agency, department, and service in the executive branch to ask itself hard questions and consider decisive change.

Nowhere is the imperative for introspection more acute than in the U.S. Navy, Marine Corps, Coast Guard, and Merchant Marine. They are the sea services responsible for sustaining American sea power; their forces the guarantors of maritime superiority for a maritime nation. Moreover, their leaders are the custodians of the national assets most threatened by the rise of China and Russia as new global rivals in the maritime domain.

With this in mind, it is time to consider whether the emergent norms of this new era of great power competition also warrant a campaign to rethink the functions and missions of these sea services. Is now the time for a new maritime strategy for the United States?

The answer is yes. Three hard questions point to why.

What Will We Do if the Lights Go Out?

The sea services have always been on the nation’s first line of defense against threats to national interests and on the first line of response to disasters at home and abroad. Traditionally this has taken the form of sustaining and guarding physical sea lines of communication (SLOCs) that connect the United States to other maritime nations, while exercising readiness to project military power or render disaster response to physical crises around the globe. 

The current maritime strategy of the United States bins these roles into five enduring functions – deterrence, sea control, power projection, maritime security, all domain access – and promotes seven naval missions – defend the homeland, deter conflict, respond to crises, defeat aggression, protect the maritime commons, strengthen partnership, and provide humanitarian assistance/disaster response. Anyone capable of tracking their way through these lists as they read the document is then offered a tour of U.S. maritime capabilities as they relate to each of these functions and roles. En route, they will find sound justification for everything the sea services are doing today. What they will not find is precise direction on how they should change to confront the future of maritime competition. 

This is a problem. China and Russia are both developing capabilities that could fundamentally change the character of contests at and from the sea.  They are investing in unprecedented capacity for new means of physical and digital coercion. Russia brands it Information Confrontation. For China, it is Low Intensity Coercion and Intelligentized Warfare. Each involves developing sophisticated offensive cyber doctrine, investments in high-end electromagnetic pulse weaponry, and capabilities to disrupt critical communications architecture around and beneath the sea. In early phases of escalation or conflict, it is fully plausible either rival could disrupt civil communications, impair digital infrastructure, and impede electrical services across large swaths of the United States. 

The implications for the future sea services are profound. Each must prepare to defend against digital coercion by maritime rivals and to protect new digital SLOCs for future maritime operations. What are the means by which the sea services could align with other national instruments of power to deter such coercion in peace and in war, and what could each sea service offer the nation in the worst-case that deterrence fails? Could the Navy and Merchant Marine deliver power-generating capacity and internet services from the sea? Could the Coast Guard help reestablish communications between coastal U.S. hubs? Could the Marine Corps help rebuild and defend critical digital nodes and infrastructure? Who would repair the undersea cables and defend them against further attack? In sum, the sea services need a strategy that evolves beyond today’s functions and missions, and toward defining future means to protect America against 21st Century coercion and be ready to respond if the lights go out.  

What if the Oceans Turn Transparent?

One of the tenets of naval strategy has always been the vastness of the world’s oceans. There has traditionally been so much water, with so much activity occurring within and around it, that it was inconceivable any nation could capture and make sense of it all. Any ship at sea was not just the proverbial needle in a haystack. It was a moving needle among hay that was tossing, turning, and even inhabited.

The best navies in history have applied this tenet to their advantage. They developed navigational and communications techniques to maintain the edge over rivals in knowing where their ships were among others in the haystack, along with the fastest ships to traverse the open ocean swiftly or furtively. Maintaining that part has always been hard, demanding continual progress in command, control, and communications technology in platforms built to leverage every boundary of physics they could challenge. On the other hand, hiding has historically been easy. It has been a matter of either knowing where to hide in the ocean’s multi-layered domain or reducing physical signature enough to look like other needles or hay in the stack.   

For the first time in history, there is evidence that this may all be about to change. With the emergence of a globalized sensor-based economy, the world is on track to host more than 50 billion “smart” devices and one trillion digitally connected sensors by the early 2020s. Of course those won’t all be sensing the maritime domain, but many will be. 

They will be mass-manufactured in a host of sizes and configurations and employed on long-endurance drones on and above the ocean’s surface, in nano- and micro-satellites in space, or scattered along the coasts and sea-bed. They will be employed in abundance on military, commercial, and possibly even biological platforms; collecting, deciphering, and transmitting the data of the seas.

For the aggregators of this data, virtually everything in the haystack could be visible – critical portions of the oceans will be effectively transparent. Yet that is only half the problem. Development and operationalization of Artificial Intelligence (AI) and autonomous systems, alongside advances in quantum computing and radar, offer the promise of harnessing machine processors to discern patterns in the data such that nearly every needle can be found, or at least rendered probabilistically present, with greater accuracy than humans have ever achieved. 

The impact on the future sea services will be immense. Postures of passive defense will no longer be enough to protect their assets at sea. Is the United States ready for a fight in which the competition for sensor saturation and AI dominance is a core determinate of victory at and from the sea? Are the sea services prepared for an operating environment in which maneuver among rival maritime forces becomes an active game of confounding the predictive analytics of rivals and finding novel ways to hide in the clutter of the oceans’ dynamics? And perhaps of greatest concern, what if the transparency extends below the sea surface and the Navy’s undersea contribution to the U.S. nuclear triad is someday laid bare? Is it worth a strategic hedge such as diversifying employment of strategic weapons and high-yield tactical missiles onto surface combatants, carrier-launched aircraft, or in extremis even container vessels of the Merchant Marine? In sum, the sea services need a strategy that addresses holistically how to sustain American sea power if the oceans turn transparent.     

How can We Mobilize a Digital Maritime Nation?

Since the War of Independence, America’s leaders have recognized that they are responsible for a maritime nation. Yet how to convey that in policy has not always been self-evident. During the inter-war years of the 1930s, as now, the U.S. Government witnessed an escalation of competition among maritime rivals on a scale that had never been seen before, enabled by technology that was fundamentally changing the character of contests between them. National leaders at the time knew the United States had an edge in industrial production and innovation, but they did not know how to mobilize it for a global fight.

In response, the President and Congress passed the Merchant Marine Act of 1936, establishing a Maritime Commission. It was a federal body directed and authorized to chart the mobilization of an American maritime nation for the level of global competition and contest it saw on the horizon. By the 1940s, when those contests turned to war, the nation had at least thought through what was needed in the months and years ahead.      

America remains a maritime nation but is now a digitally interdependent maritime nation in a digital age. This is something new. Wall Street and the solvency of the Federal Reserve are nearly as reliant on foreign digital market transactions as they are on U.S. investments.  The nation’s most powerful and valuable firms are corporations with legal, digital, and human elements that span the world. And U.S. universities – the engine of digital and industrial ingenuity – are digitized global enterprises unto themselves.       

The significance for the sea services is dramatic. They need to think through how to secure America’s national innovation complex and defend its intellectual edge in a world of commoditized data and information. They merit collective contingencies to mobilize the industrial giants of the Fourth Industrial Revolution for sea power competition on behalf of America and our Allies. What will be the legal and financial terms under which the services of Amazon, Microsoft, Google, Apple, Space-X and others are commissioned should today’s contests turn to war? Is it time to reconsider standards and terms of selective service for the Digital Age? Do the sea services need new authorities to explore, resource, and test innovative concepts for burden sharing in the event of mobilization? In sum, there should be a strategy to articulate a national vision and lay the foundation for mobilizing a digitized America for the digitized contests on the horizon.

Time for Answers

These are the first of many questions the U.S. sea services should be asking, but the questions are just the start.  Collectively, the services need answers, and they need them fast in order to beat emergent maritime rivals to the future. Equally important, these answers must align across national maritime authorities – public and private, agencies and services, U.S. and Allied – to ensure they all get there together.

In short, they need a new U.S. maritime strategy for a digital age.

Frank Goertner is a Commander in the U.S. Navy. His most recent assignment was as a Strategic Planner for Future Fleet Design and Architecture in the Office of the Chief of Naval Operations, Future Strategy Branch. The views and opinions expressed are the author’s alone and do not represent the official position of the U.S. Navy, U.S. Department of Defense, or U.S. Government.

Featured Image: NATIONAL HARBOR, Md. (April 3, 2017) Vice Chief of Naval Operations (VCNO) Adm. William Moran, left, speaks at the 2017 Sea, Air and Space Exposition. Moran was joined by a panel including Assistant Commandant of the U.S. Marine Corps Gen. Glenn Walters, Vice Commandant of the U.S. Coast Guard Adm. Charles Michel, and Joel Szabat, executive director of Maritime Transportation, to discuss a “Sea Services Update” regarding today’s maritime environment. (U.S. Navy photo by Mass Communication Specialist 2nd Class Danian Douglas/Released)

Strategy

The Navy Needs to Do More Than Rebuild for the Future, It needs to Reinvent Itself

3 Comments

It is time for a Navy-wide campaign to rethink force strategy, design, and culture for competition in a digitized world.

By Frank T. Goertner

When paradigms change, the world itself changes with them.1

— Thomas Kuhn

Return to great power competition; revisionist powers; renewed capabilities; rebuild our military: such phrases feature prominently in recent U.S. national security guidance. They convey an imperative to look to the past as the nation prepares for a potentially volatile future. For American navalists in particular, they offer nostalgic optimism. Three times in the 20th Century, the Navy confronted rivals to U.S. sea power and prevailed. As the world returns to similar heights of geo-strategic rivalry, it is tempting for Navy leaders to approach the future via plans to rebuild past success. With concerted effort, the Service can revise known strategies, renew forgone capacity, and return to prior postures for the contests ahead. This approach would appear logical. It would also be a mistake. 

The world and its competitive landscape are changing in profound ways. The advance and proliferation of digital technologies among interdependent societies has established digitized information as a new global commodity of unprecedented strategic value. This development is upending competitive norms across and within human enterprises around the world and inspiring new paradigms that will reshape future contests between them. We see this in markets and geopolitics alike.    

For the Navy, one such enterprise, this implies that the approaches most pertinent to its future may not be behind it, but around it. This is not to say history is irrelevant. But alongside its lesson, Navy leaders should account for how commercial peers and maritime rivals are preparing their own enterprises for the contests ahead. As important, they should do so free of any assumptions that could self-constrain the Navy’s ambitions for its future within paradigms of its past.

A glance around at the Navy’s peers and rivals suggests that an approach to rebuild for the future is not enough.  Navy leaders should promote new competitive paradigms to fully leverage digitized information and harness its strategic value. They need a campaign to rethink force strategy, design, and culture for the contests ahead. In sum, the Navy needs to reinvent itself as a digitized enterprise for the digitized world.

The Market and Its New Norms

“Data [is] to this century what oil was to the last one. . . It changes the rules for markets and it demands new approaches.”2

-The Economist

Information has always been a source of competitive advantage in the market, but digitized information in a globalized and digitized economy is something new. It is a global commodity that can assume unprecedented levels of strategic value. In industries around the world, control of digitized information has become as – sometimes more – determinative of competitive outcomes than ownership of physical space or manipulation of material goods. 

It is a phenomenon that Chris Anderson of WIRED magazine terms 21st Century Free,3 and Andrew McAfee and Erik Brynjolfsson of MIT call the new economics of free, perfect, and instant.4 Digitized information, for decades one of many resources used by firms to enable operating efficiencies or assist in corporate planning, is emerging in the 21st Century as a driver of new competitive norms. It can be accessed and transmitted at unparalleled scale, scope, and speed. With near-zero marginal costs to produce, it can grant firms extraordinary levels of efficiency as they shift from material to digital infrastructure. It can assume considerable monetary value and hold that value across traditional industry and national boundaries. It can be harnessed for innovation and expansion into new, often unexpected, sectors. In short, a firm that can effectively amass, manipulate, and control digitized information can achieve unprecedented levels of command over what Michael Porter of Harvard refers to as a new competitive landscape of smart, connected products.5

To account for these new norms, firms in an array of industries are promoting new competitive paradigms. They are migrating from 20th Century corporate thinking based in competition for profits within material manufacturing or services toward new thinking that prioritizes competition for access, manipulation, and control of digitized information alongside – often in place of – traditional sources of profit. Some go so far as to completely invert previous paradigms. Firms that once saw digitized resources as means to achieve ends within a competition for physical resources now see physical resources as means to achieve ends within the competition for digitized information.6

Commercial Peers and Their Race to Reinvent

“If you won’t or can’t embrace powerful trends quickly… you’re probably fighting the future. Embrace them and you have a tailwind.”7

– Jeff Bezos

The challenge is that paradigms don’t change easily.  Moreover, if they don’t change fast enough, a firm risks obscuring its vision for the future within lenses ground in the past. Therefore, executives of the most successful firms are promoting their new paradigms with campaigns to rethink corporate strategy, design, and culture for the market’s new norms. In effect, they are reinventing their firms as digitized enterprises for a digitized world.8 What does this entail?

First, it takes executive commitment to reshape strategic perspectives to account for the new competitive norms of a digitized market.9 From the top down, executives and their strategic planners must embrace the fact that digitized information is no longer merely a means to enhance value of current service or production techniques. As a strategic commodity, it can often be the source of new value and innovation.10

Second, it takes a disciplined effort to redesign platforms and operations, not only within existing functions, but also into new frontier functions that command of digitized information can make accessible.11 One approach that has gained prominence is the digital platform approach; focusing design efforts on platforms that integrate digital and material resources, re-aligning current operations and investments to support those platforms, and posturing both to outperform competing platforms by beating competitors to market to learn early and learn fast from the environment.12 This is often complimented by a digital journey approach to iterative platform re-design; mapping theoretical customer journeys across each platform of a firm in order to identify both efficiencies to improve value and options to open new competitive fronts along the way.13

Third, it takes planning to evolve a digital culture or digital DNA14 of the workforce to ensure they build human-machine teams to engage in a digitized world. This includes experimenting with organizational balance between minds and machines15 as well as talent management models to develop leaders to translate digitized information into human action – leaders Robert Reich of Harvard calls symbolic analysts.16

For an idea of how this looks in practice, Marriott is a firm driving to reinvent. For five decades through the 1990s, Marriott was a leading owner of lodging and dining facilities. As of last year, it owned just 22 hotels worldwide; yet still claimed control of “more than 6,000 properties in 122 countries and territories.”17 In the two decades between, Marriott executives promoted a new competitive paradigm that prioritized digitized information as a global commodity and strategic priority on par with – sometimes superior to – material sources of value. As evidence of how comprehensive this paradigm shift has been, Marriott’s 2016 acquisition of Starwood Hotels was the biggest deal in hospitality history. Yet consider what aspect of the deal Marriott flagged to investors in its annual report: “With the acquisition, Marriott now has the most powerful frequent traveler programs in the lodging industry.”18 For Marriott, the deal’s value derived at least as much from the digitized information gained as in material resources. Since the deal, Marriott’s focus has been to harness the strategic value of that commodity. They use a platform approach to integrate material and digital resources across reservation, financial, and management systems. Executives are envisioning Marriott customers as digital immigrants, with planners evaluating each immigrant’s digital journey, “from searching for a hotel room . . . through and then after the stay.”19 And Marriott personnel are retooling practices to align human talents and machine tasks across the merged digitized enterprise.  

General Electric (GE) and Boeing offer additional examples somewhat closer to the Navy. GE is racing to preserve its claim as the last original American industrial firm in the DOW by reinventing itself around its digital platform – PREDIX. Boeing, for its part, now refers to “data as fuel,” and is proactively exploring how to design future systems, platforms, and workforces around its own digital platform – Analytx.20 Both, like Marriott, are racing to reinvent themselves as digitized enterprises for the digitized contests they see ahead.

The Maritime Operating Environment and Its New Norms

“A war of ideas can no more be won without books than a naval war can be won without ships. Books, like ships, have the toughest armor, the longest cruising range, and mount the most powerful guns.”21

-President Franklin D. Roosevelt

As in business, information has always been an integral part of military competition. The quote above from one of the 20th Century’s great navalists highlights this poignantly. Yet reread it substituting FDR’s books with today’s equivalent, digitized information, and the quote rises to a whole new meaning.

In the 21st Century, digitized information has emerged as a global commodity of unprecedented strategic value in the competition for sea power among maritime nations. With maritime communication, transportation, and national service networks reliant on digital infrastructure, the information they carry has immense geo-political value. Employment of digitized information in automated battle management systems, operational analytics, and cyber operations could drive down marginal costs and augment cumulative effects of military operations at exponential rates. Finally, networked digitized information offers the prospect of widely disbursed forces operating with nearly free, perfect and instant command, control, and communications (C3) with coherency and precision.

As a result, a fight for sea power in an operating environment where digitized information is a global commodity is not just a faster fight or more multi-faceted fight. It is a completely different kind of fight. The contest for Volume, Velocity, Veracity, and Value of Information becomes paramount – so much so that the strategic ends in future digitized conflicts may no longer be control or destruction of physical combat forces and facilities, but rather control of digital devices, connections, networks, and perceptions of those engaged in the contest.22 Marine Lt. Gen. Vincent Stewart, recent Director of the Defense Intelligence Agency, calls it 5th Generation Warfare and the Cognitive Battle.23 Dr. William Roper, recent Director of DoD’s Strategic Capabilities Office, envisions it as digital blitzkrieg in which “whoever collects the most data on Day One just might win the war before a single shot is fired.”24 

In sum, digitized information in the 21st Century maritime operating environment is more than an operational enabler; it is a strategic resource that can be as – perhaps more – decisive to victory as the physical control of territory or the kinetic lethality of material weapons. These are the new norms of the digitized maritime operating environment, and navies around the world are taking note.

Maritime Rivals and Their Race to Reinvent

“Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness. Thereby you can be the director of the opponent’s fate.”25

-Sun Tzu

It is hard to imagine a better resource than digitized information for a modern military in pursuit of Sun Tzu’s timeless ambitions. This is not lost on 21st Century rivals for U.S. sea power. Both Russian and Chinese military leaders are promoting new paradigms that effectively invert past thinking on military competition, migrating away from 20th Century doctrine focused on a digitally-enabled fight for control of the territory and infrastructure that have historically defined victory. Rather, they are strategizing for a materially-enabled fight to control the digitized information that could define victory in a future fight. In effect, like their commercial peers, each is racing to reinvent themselves as digitized enterprises for the digitized contests they see ahead. What does this entail?

First, Russian and Chinese leaders appear committed to reshape strategic perspectives to account for the new norms of a digitized operating environment. In both practice26 and in doctrine,27 Moscow has elevated manipulation and control of digitized information to an unprecedented level of prominence in their strategic planning. Information Confrontation is the Russian’s name for their new approach. Surpassing traditional information warfare, its ambition is to align missions and operations across digitized diplomatic, economic, military, political, cultural, and social enterprises such that national influence can be targeted with new levels of efficiency and precision, plus in new unprecedented ways.28 Similarly, China is advancing its sea power with a new approach the Department of Defense terms Low Intensity Coercion.29 Through precisely coordinated diplomatic, economic, and military ventures; they seek to integrate digitized and material resources under centralized command and control in what Admiral James Stavridis has called “a kind of hybrid war at sea.”30 Further, like Russia, their ambition is unconstrained by 20th Century concepts. In the words of Elsa Kania of the Center for New American Security, Beijing’s ultimate aim is to “fundamentally change the character of warfare” and thus seize “the ‘commanding heights’ of future military competition.”31

Second, both rivals are intent to redesign platforms and operations and evolve a digital culture to account for their new strategic perspectives and make best use of digitized information as a strategic resource. Russia’s hybrid social media tactics in Ukraine,32 emphasis on offensive cyber,33 development of deep-sea capabilities to hold sea-bed communications cables at risk,34 and alleged GPS-spoofing in the Black Sea35 offer a sense how they are retooling Russian forces, to include the Russian Navy, for the new norms of the digitized operating environment. Similarly, Beijing’s investments in unmanned air, surface, and undersea vehicles; advanced cooperative maritime surveillance and targeting systems; electromagnetic pulse weapons; and quantum technology offer an idea of how they too are retooling their military for digitized maritime contests.36 It also appears Russia and China have started to align toward a digital platform approach in designing for force-wide employment of Artificial Intelligence (AI). Russian President Vladimir Putin recently asserted that the nation and military that leads in AI will rule the world.37 The Chinese military sees it as their “trump card”  in leading progress from today’s ‘informatized’ ways of warfare to future ‘intelligentized’ warfare,” and Beijing has set a goal for China to be the premier global innovation center in AI by 2030.38 Both nations are aggressively investing in force-wide AI applications that range from surveillance and decision aids to fully automated lethal systems. Fully realized, a Russian or Chinese Navy redesigned around a force-wide AI digital platform could credibly overmatch rivals in employment of digitized information for unmanned systems; intelligence fusion, processing, and analysis; operational training, war-gaming and simulation; information warfare; and support to both strategic and tactical command and control. Perhaps of greatest concern, though, is that both appear intent on being first to learn early and learn fast in the operating environment.39 

The U.S. Navy’s Choice: Rebuild or Reinvent 

“The future cannot be predicted, but futures can be invented.”40

-Denis Gabor

With peers and rivals racing to define their futures, the U.S. Navy is presented with a choice for its own — rebuild or reinvent?

Some will read this as a retread of the classic force planning calculus of capacity versus capability, and they will claim it’s nothing new. Others will say that it is a false choice, with the decision already made to do both.  The Service has committed to grow its force structure, reconsider its force posture, and upgrade its systems and personnel. Either argument misses the point. Before the Navy strikes for new capacity, new capabilities, or both, Navy leaders must decide what kind of enterprise the Navy will be for the contests they see ahead. Even if the targets for capacity and capability are clear, what is not is the lens through which the Navy will sight them. And that lens matters immensely. It will shape the assumptions from which its leaders depart, the questions its planners ask in charting the course, and the criteria for prioritizing decisions along the way.

A choice to rebuild is a choice to retain current paradigms or adapt incrementally from those of the past. It is a choice to keep strategic focus on a fight for control of territory and infrastructure, knowing that rivals have shifted their focus to a fight prioritizing control of digitized information as much – or more – than the physical geography it passes through. It is a choice to grow the force within current fleet structure, expand concepts rooted in current functions and missions, innovate within current program and budgetary decision processes, and adjust current personnel models – all of which were designed for contests in a pre-digital world. Ultimately, it is a choice to return to the type of force that America knows how to build and how to fight.

How would a rebuilt Navy look? It would be a Navy of digitally augmented Carrier Strike Groups and Air Wings to sustain manned power projection missions, digitally enhanced submarines to sustain predominately nuclear deterrence missions, digitally assisted surface action groups to re-attain capacity for sustained geo-spatial sea control, and maritime security missions with more and better data but still processed through human constraints on how to use it. It would be a Fleet with new digital resources, but still postured to defend and secure maritime infrastructure, trade routes, and allies prioritized within a pre-digital terrain where maneuver and coercion played by different rules. Finally, it would be a workforce of Sailors and civilians enabled by digitized resources such as AI and robotics to execute today’s requirements, but not necessarily teamed with them to define and explore new frontiers – frontiers such as fully or semi-autonomous long-endurance strike groups, offensive sea-based cyber operations, or non-nuclear deterrence forces for digitized coercion. 

A rebuilt Navy is fine if the fight the Navy sees ahead is the fight it sees behind. The challenge is that the Navy’s peers and rivals, embracing new paradigms, are assuring that won’t be the case. The rebuilt Navy may be suited for the fight the U.S. wants to fight, but how well can it secure victory in a materially-enabled fight for digitized information? As important, how well does it deny rivals their access to this new strategic commodity?

In the end, a rebuilt Navy in contest with reinvented navies could be precisely the right Navy for precisely the wrong fight. If Russia and China are right, and victory in a digitized world rests as much – or more – on command of digitized information as it does material resources, then this approach cedes strategic aperture to rivals choosing to reinvent instead of rebuild. Even if hypothetical, this is a mistake the U.S. Navy cannot afford.                 

The Navy Should Aim to Reinvent – Here’s How

“For 240 years, the U.S. Navy has been a cornerstone of American security and prosperity.  To continue to meet this obligation, we must adapt to the emerging security environment.”41

-Admiral John Richardson, CNO

The U.S. Navy should set its sights beyond rebuilding and aim to reinvent itself as a digitized enterprise for a digitized world. Fortunately if it does, there are initiatives already underway that move in the right direction.

The quote above shows Navy leadership has a healthy appreciation for the need to not just grow, but to change along the way. They also acknowledge the imperative to leverage digitized information as it does. Over the past decade, the Navy has developed an Information Warfare Community, stood up Fleet Cyber Command, established a Digital Warfare Office, and founded a Center for Cyber Studies at the U.S. Naval Academy. It has established Navy Information Forces, created a Navy Information Warfighting Development Center, and issued a Strategy for Data and Analytics Optimization. Alongside these, the Service has promoted a series of strategic plans and roadmaps for science and technology as well as directives and initiatives to promote a data savvy workforce. Moreover, there is a growing voice that further efforts are warranted to ensure these efforts deliver faster – even “exponential” operational effects.42

However, the Service has yet to progress from individual calls to action and policy initiatives toward driving the type of holistic campaign it will need to truly reinvent itself. The Navy’s functions and missions remain defined by a maritime strategy rooted in paradigms and assumptions of the 20th Century. Its program management, budgetary decision processes, and doctrine development remain confined within an organizational construct of “N-codes” largely static for the past two decades. Finally, the majority of its people – both civilian and military – continue to be led, organized and trained with personnel models and mindsets built for pre-digital contests between pre-digital navies.  

To reinvent, the Navy must move beyond piecemeal programs and calls for change. The Service needs a campaign to holistically rethink force strategy, design, and culture for competition in a digitized world; a roadmap to guide every N-code, every program, and every fleet through a decisive and conclusive migration to a new paradigm. Judging from peers and rivals around it, three lines of effort would offer a solid start:    

(1) Reshape strategic perspectives with a new maritime strategy for the digitized world. 

Navy leadership should promote efforts to aggressively rethink 20th Century paradigms of sea power. This should start with a new maritime strategy focused on defining new national-level ends and means for maritime contests in which digitized information is a global and strategic commodity. A component of this should be an analysis of how sea power itself may be changing, addressing hard questions head-on about the evolving nature and character of the Navy’s traditional functions. What is the nature of deterrence in a digitized and automated multi-rival competition? How do definitions of power projection shift with new options for digitized escalation that precede the traditional material kill-chain? How does the Navy balance spatial, temporal, and cross-spectral dynamics of sea control in a digitized fight? What types of maritime security regimes should the United States promote in a digitized maritime domain populated with ever-growing numbers of both humans and machines? Should the Sea Services pursue a U.S. version of interagency Information Confrontation or Low-Intensity Coercion? Most importantly, the strategy should not evade a blunt assessment on which of today’s naval missions will endure, which could become superfluous, and what new potentially unprecedented missions our Navy and Sea Services will need in order to fight and win as a digitized enterprise in a digitized world.

(2) Redesign the Fleet around platforms and journeys of a digitized fight

Navy force strategists and planners should be encouraged to re-envision Fleet missions, structure, and posture as operational components of a digitized Fleet. This implies moving past benchmarking approaches toward digital solutions as either an enabler or alternative to existing programs. Instead, the Navy needs to think of the future Fleet as a system of digital platforms for the future and experiment with ways to fight that system in new missions and innovative ways. It should then align and prioritize its investments and analytic processes to optimize the digitized missions – or journeys – of its future forces and Sailors on those platforms. This should prompt Navy force planners to invert traditional planning inquiries and collaborate toward optimizing both digital and material solutions between, and not just within, their programs. For example, instead of asking, “how can the Navy employ AI to improve program ‘X’?”  They should ask, “how can the Fleet as a system of digital platforms leverage AI to counter the Russian undersea cable threat or Chinese drone swarming?” Then, in building architectures for these solutions, they should think through the journey of each applicable weapon or payload along the kill chain, each Sailor or system along the deployment cycle, and each ally or partner that could interphase for the mission. A key part of this should also be experimentation on precise levels of velocity and veracity of information that commanders will need to conduct future Fleet missions, whether they be at the strategic, operational, or tactical level of maritime contest. Existing Navy initiatives to build a Fleet Tactical Grid and define a Future Fleet Design and Architecture for 2045 are notable steps in the right direction. But they need to be linked to a broader effort for Service-wide reform of operational doctrine, programs, and structures for the digitized contests ahead. 

(3) Evolve a digital culture of human-machine teams, and equip them to lead the digitized Service. 

Navy personnel, both military and civilian, should be cultured to embrace the digitized force they will comprise – a force for which command and employment of digitized resources is more than just a means to win the fight at and from the sea; it might well be what the fight is all about. This means accepting that the optimal mix and dispersion of human and machine tasks within a digitized architecture may change dramatically from traditional models. How will the Navy recruit, train, distribute, evaluate, and ultimately co-evolve a workforce of human-machine teams? How will it tailor access and use of digital information for digitized operations? How will it grow and retain a cadre of symbolic analysts and innovators to drive it through the exponential change it seeks? And can they make use of digitized solutions to improve and accelerate learning and thinking along the way? In short, reinvention into a digitized force cannot give short shrift to the need to invest deliberately in tomorrow’s Navy Sailors, civilians, and the machines with which they will fight. 

For a Navy steeped in traditions, reinvention will not be easy. Even more challenging, it must beat two maritime rivals in a race to the future. It will therefore need to be deliberate, it will need to be fast, and it will need to be decisive. That calls for Navy leaders to launch a holistic campaign to guide the Service to the future it seeks to invent for itself and for its nation, without a moment to lose.    

Frank Goertner is a U.S. Navy Commander serving as a Strategic Planner in the Office of the Chief of Naval Operations, Future Strategy Branch. The views and opinions expressed are the author’s alone and do not represent the official position of the U.S. Navy, U.S. Department of Defense, or U.S. Government.

[1] Thomas Kuhn, The Structure of Scientific Revolutions: 50th Anniversary Edition (The University of Chicago Press, Chicago) 2012, 111.

[2] “Fuel of the Future:  Data is giving rise to a new economy,” The Economist, 6 May 2017

[3] Chris Anderson, Free: How Today’s Smartest Businesses Profit by Giving Something for Nothing (New York: Hachette Books, 2015), 12-13.

[4] Andre McAfee and Erik Brynjolfsson, Machine Platform Crowd: Harnessing Our Digital Future (W.W. Norton & Company, New York, 2017), 137.

[5] Michael E. Porter and James E. Heppelmann, “How Smart, Connected Products are Transforming Competition,” Harvard Business Review, November 2014

[6] Jacques Bughin, Laura LaBerge, and Anette Mellbye, “The Case for Digital Reinvention,” McKinsey Quarterly, February 2017.

[7] Jeff Bezos, “2016 Letter to Shareholders,” Amazon.com, 12 April 2017.

[8] Jacques Bughin, Laura LaBerge, and Anette Mellbye, “The Case for Digital Reinvention,” McKinsey Quarterly, February 2017.

[9] Thomas M. Siebel, “Why Digital Transformation is Now on the CEO’s Shoulders,” McKinsey Quarterly, December 2017.

[10] Jaques Bughin Nicholas Van Zeebroeck, “Six Digital Strategies, and Why Some Work Better than Others,” Harvard Business Review (online), July 31, 2017.

[11] Gerald C. Kane, Doug Palmer, Anh Nguyen Phillips, David Kiron, and Natasha Buckley, “Achieving Digital Maturity,” MIT Sloan Management Review, Summer 2017.

[12] McAfee and Brynjolfsson, Machine Platform Crowd, 166.

[13] Andrew Bollard, Elixabete Larrea, Alex Singla, and Rohit Sood, “The Next-generation Operating Model for the Digital World,” Digital McKinsey (online), March 2017.  

[14] “Building Your Digitial DNA: Lessons from Digitial Leaders” Deloitte MCS Limited, https://www2.deloitte.com/mk/en/pages/technology/articles/building-your-digital-dna.html.

[15] McAfee and Brynjolfsson, Machine Platform Crowd, 32-85.

[16] Robert Reich, The Work of Nations: Preparing Ourselves for 21st-Century Capitalism (Alfred A. Knopf, New York) 1991.

[17] “Marriott International, Inc. 2016 Annual Report,” Marriott International 2016.

[18] IBID

[19] Peter High, “Marriott’s Digital Chief On The Advantages Of The Digital Immigrants.”  Forbes (online) 15 May, 2017

[20] Ted Colbert and “Data as jet fuel: An interview with Boeing’s CIO” McKinsey Quarterly, January 2018.

[21] Franklin Roosevelt, “Letter to W. W. Norton, Chairman of the Council on Books In Wartime”, December 1942

[22] Linton Wells, “Prepared for the Battle but Not the War,” U.S. Naval Institute Proceedings Magazine. 143/11 Nov 2017.

[23] Kimberly Underwood, “Cognitive Warfare Will Be Deciding Factor in Battle.” The Cyber Edge (online), 15 August 2017

[24] Patrick Tucker, “The Next Big War Will Turn on AI, Says The Pentagon’s Secret-Weapons Czar.” DEFENSE ONE (online), 28 March 17.

[25] Sun Tzu, The Art of War, Translated by Thomas Cleary (Shambala, Boston, 2003), 108.

[26] Jim Rutenberg, “RT, Sputnik and Russia’s New Theory of War.

How the Kremlin built one of the most powerful information weapons of the 21st century — and why it may be impossible to stop.” The New York Times Magazine, Sep 13, 2017.

[27] “Russia Military Power: Building a Military to Support Great Power Aspirations.” Defense Intelligence Agency, 2017 www.dia.mil/Military-Power-Publications


[28] IBID

[29] “Annual Report to Congress: Military and Security Developments Involving the People’s Republic of China 2017.” Office of the Secretary of Defense, May 2017, 12.

[30] James Stavridis, “Growing Threats to the U.S. at Sea:  With Russia and China Expanding Their Naval Capabilities, What Can the U.S. Do to Prepare?” THE WALL STREET JOURNAL, June 2, 2017

[31] Elsa B. Kania, “Battlefield Singularity: Artificial Intelligence, Military Revolution, and China’s Future Military Power.” Center for New American Security, Nov 2017, 4-5

[32] Russia Military Power: Building a Military to Support Great Power Aspirations.” Defense Intelligence Agency, 2017

[33] IBID

[34] Rishi Sunak, “Undersea Cables: Indispensable, Insecure.” Policy Exchange, 2017.

[35] Elizabeth Wise, “Mysterious GPS glitch telling ships they’re parked at airport may be anti-drone measure.” USATODAY, Sept. 26, 2017

[36] Ronald O’Rourke, “China Naval Modernization: Implications for U.S. Navy Capabilities—Background and Issues for Congress.” Congressional Research Service, December 2017.

[37] “Putin: Leader in artificial intelligence will rule world.” AP News (online) 1 Sep 2017

[38] Kania “Battlefield Singularity: Artificial Intelligence, Military Revolution, and China’s Future Military Power,” 4-5

[39] Tom O’Connor, “U.S. Is Losing To Russia And China In War For Artificial Intelligence, Report Says,” NEWSWEEK (Online), 29 Nov, 2017.

[40] Dennis Gabor, Inventing the Future. (Alfred A Knopf, New York), 1963, 207.

[41] John Richardson, “Design for Maintaining Maritime Superiority,” U.S. Navy (online) , Jan 2016 www.navy.mil/cno/docs/cno_stg.pdf

[42] John Richardson, “The Future Navy,” Navy.mil (online), 17 May 2017.

Featured Image: United States Navy sailors monitoring radar and other instruments aboard the guided-missile cruiser Chancellorsville in the South China Sea. Bryan Denton for The New York Times)

Capability Analysis

Cyberphysical Forensics: Lessons from the USS John S. McCain Collision

3 Comments

By Zachary Staples and Maura Sullivan

The 2017 back-to-back collisions of two Navy destroyers led to much speculation about the role of cyberphysical interference in the disasters. As the senior officer representing the U.S. Navy engineering community during the USS McCain cyber assessment, it is clear that we do not yet have the basic tools to definitively answer the question, “were we hacked or did we break it?”

Cyberphysical systems are the backbone of the global infrastructure we rely on for transportation, power, and clean water, and are growing at an exponential rate. The deep integration of physical and software components is not without risks and most industries are technically and organizationally unprepared to conduct forensic examinations. The ability to trust cyberphysical systems is dependent on our ability to definitively identify and remedy cyber interference, which is dependent on our understanding of how data flows impact the physical world.

There are broad lessons from the USS McCain cyber assessment that highlight the type of forensics needed to build and sustain cyberphysical infrastructure around the globe. In order to prevent and respond to future cyberphysical events, whether malicious or accidental, the Navy and organizations dependent on cyberphysical systems must establish post-event procedures for cyber forensic investigations, develop trusted images, and integrate threat intelligence with engineering teams.

Post-event Procedures

Post-incident shipboard forensic examination is a unique activity that is separate and distinct from cybersecurity evaluations or responses to network intrusion or malware. Typically, when cybersecurity operations centers observe malicious communications or indications of compromise within their operating network, they have a clear map of the network and key pieces of information, such as an initiating IP address or malware signatures, from which to begin the forensic mission. They start by identifying and classifying malware on the offending endpoint and can take immediate actions to observe the adversary in their system and identify what is being targeted, while simultaneously acting to clean and quarantine the network.

In stark contrast, post-incident cyberphysical assessment requires an undirected baseline on a variety of media, including hard drives from voyage management systems, machinery control stations, and IT network endpoints. Greatly complicating post-incident response is the fact that many segments of the network will likely be shut off by design or physically destroyed by the casualty itself. The task of cyber forensic teams is essentially the equivalent of trying to determine why a building collapsed without blueprints, physical access to the structure, or any data on what happened immediately prior to the collapse.

The technical understanding and research required to define standard operating procedures for shipboard cyber forensic investigations do not currently exist. While the task of developing a comprehensive approach to shipboard cyber forensics is daunting, the military has experience developing specialty training paradigms, such as submarine navigation and tactical aviation. Hunting a cyber adversary in industrial control systems is a complex task requiring unique operational and tactical expertise. An achievable near-term milestone would be to create procedures for an attack surface assessment for a routine pre-planned mission, which could provide a test-bed for developing more comprehensive procedures, as well as a better understanding of capabilities and gaps.

Trusted Images

All ships operate three main networks: the voyage network that supports the safe navigation of the vessel, the engineering network that controls propulsion along with material handling and auxiliary systems, and the administrative network that supports business operations and crew welfare needs. U.S. Navy vessels also have a combat systems network. The interconnectedness of operational and information technology networks means that traditional information technology tools and perimeter-based security solutions are inadequate for cyberphysical systems. For example, the addition of even simple PKI security can overwhelm the processing power of installed cyberphysical processors and cause a system crash instead of preventing unauthorized access. Additionally, in order for systems like GPS to function, the system must allow access to all properly formatted traffic, rendering perimeter defense insufficient. Security for complex cyberphysical systems requires capturing data flows and developing contextually aware algorithms to understand the dynamics during shipboard operations.

To generate network situational awareness sophisticated enough to do cyber forensics, the team will need to search for electronic anomalies across a wide range of interconnected systems. A key component of anomaly detection is the availability of normal baseline operating data, or trusted images, that can be used for comparison. These critical datasets of trusted images do not currently exist. Trusted images must be generated to include a catalog of datasets of network traffic, disk images, embedded firmware, and in-memory processes.

1. Network Traffic: A common attack vector is to find a computer that has communications access over an unauthenticated network, which issues commands to another system connected to the network (i.e. malware in a water purification system issuing rudder commands). Cyberphysical forensics require network traffic analysis tools to accurately identify known hosts on the network and highlight anomalous traffic. If the trusted images repository contained traffic signatures for every authorized talker on the network, it would allow forensic teams to efficiently identify unauthorized hosts issuing malicious commands.

2. Disk Images: Every console on the ship has a disk that contains its operating system and key programs. These disks must be compared against trusted images to determine if the software loaded onto the hard drives contains malicious code that was not deployed with the original systems.

3. Embedded Firmware: Many local control units contain permanent software programmed into read-only memory that acts as the device’s complete software system, performing the full complement of control functions. These devices are typically part of larger mechanical systems and manufactured for specific real-time computing requirements with limited security controls. Firmware hacks give attackers control of systems that persist through updates. Forensic teams will need data about the firmware in the trusted image repository for comparison.

4. In-memory Processes: Finally, advanced malware can load itself into the memory of a computer and erase the artifacts of its existence from a drive. Identifying and isolating malware of this nature will require in-memory tools, training, and trusted images.

In addition to the known trusted images, future forensic analysis would benefit from representative datasets for malicious behavior. Similar to acoustic intelligence databases that allow the classification of adversary submarines, a database of malicious cyber patterns would allow categorization of anomalies that do not match the trusted images. This is a substantial task that will require constant updating as configurations change. However, there are near-term milestones, such as the development of shipboard network monitoring tools and the generation of reference datasets that would substantively improve shipboard cybersecurity.

Organizational Integration

As future shipboard assessment teams work to confirm or refute the presence of cyber interference, they will need the assistance of a cyber intel support team to validate assumptions about their findings aboard the vessel. The basic flow established in the USS McCain investigation was to look at the physical systems involved in causing the collision (i.e. propulsion, steering) and then begin looking for cyberattack vectors to those systems.

Ruling out cyber interference requires evidence of absence, which can be uniquely challenging. In order to refute a particular attack vector, coordination with a cyber intel support detachment is essential to understanding the range of possible cyberattack scenarios for a particular physical effect. For example, advanced cyber effects could be delivered over a radiofrequency pathway. Therefore, cyber investigators will need to understand the electromagnetic environment the ship is operating within, as recorded in national systems, and give access to analysts capable of identifying anomalies in the signal pathway.

Shipboard assessment and cyber intel support teams each have specific sets of expertise necessary to understand the full suite of cyberattack vectors and their potential impacts on shipboard systems. Cyberattack tactics are constantly changing and the highest levels of technical expertise and security clearance are required to keep abreast of the potential methods to penetrate networks and attack industrial control systems. Cyber intel teams will never have the engineering expertise to understand the full range of potential physical impacts on shipboard systems. As was demonstrated with Stuxnet and the attack on the Ukrainian power grid, the most successful cyberphysical attacks exploit the organizational gap between engineering and cyber teams.

Organizational constructs for cyberphysical systems will never be straightforward because cyber risk cuts horizontally across engineering systems and traditional intelligence activities. Organizational integration between the cyber and engineering communities must be practiced and continually refined in order to prevent and respond to cyberphysical interference. A near-term milestone would be to execute joint training exercises between the cyber intel and engineering communities in order to promote cross-disciplinary understanding and begin to build out the template for future organizational integration.

Conclusion

Network connectivity in industrial control systems has revolutionized the way humans interact with physical systems and ushered in a new era of capabilities from energy generation to manufacturing to warfighting. These advancements are not without risks, and to avoid cyberphysical catastrophe, the development of tools to ensure resilience, security, and safety must keep pace. Shipboard forensics provide a prime example of the current gaps in our ability to understand, monitor, and protect cyberphysical systems. The lessons learned from the forensic examination of the USS McCain can provide the foundation for the procedures, data, and organizational constructs required to create modern tools to monitor and protect cyberphysical systems.

Zac Staples had a 22-year career in the United States Navy as a surface warfare officer specializing in electronic warfare. His final tour was as the Director of the Center for Cyber Warfare at the Naval Postgraduate School, where he led inter-disciplinary research and development teams exploring cyber capability development. Zac holds a B.S. in engineering from the U.S. Naval Academy, a Masters in National Security Affairs from the Naval Postgraduate School, and is a distinguished graduate of the Naval War College.

Maura Sullivan specializes in systemic risks and data-driven emerging technologies. Maura was the Chief of Strategy and Innovation at the U.S. Department of the Navy, where she developed and implemented the strategic roadmap for emerging cyberphysical technologies. Previously, Maura led a start-up within the global catastrophe risk company, RMS, developing software and consulting solutions for managing systemic risks for financial and insurance markets. She was a White House Fellow, has a Ph.D. in epidemiology from Emory University and a B.S and M.S. in earth systems from Stanford University.

Zachary Staples (USN, Retired) and Maura Sullivan, PhD are the co-founders of Fathom5, a maritime cybersecurity company.

Featured Image: Operations Specialist 3rd Class Daniel Godwin, from Milton, Fla., stands watch in the Combat Information Center aboard the aircraft carrier USS Enterprise (CVN 65). (U.S. Navy photo)

Cyber War

Port Automation and Cyber Risk in the Shipping Industry

Leave a comment

CIMSEC is committed to keeping our content FREE FOREVER. Please consider donating to our annual campaign now so we can continue to provide free content.

By Philipp Martin Dingeldey 

Introduction

To stay ahead of competing ports and technological developments, automation has been heralded as inevitable. Major transshipment hubs and aspiring ports bet their future on automation, which raises the impact  cyber risks could have in the long-run.

Singapore’s Port Modernization

One example of port modernization is Singapore’s Tuas Port Project. To stay ahead of competing ports in Southeast Asia, PSA International and the city state have bet their future on the fully automated port on the western side of the island. The project is set to almost double the port’s current throughput capacity of twenty-foot equivalent units (TEUs) and consolidate all its container operations by 2040.

Singapore’s port is ranked second, behind Shanghai’s mega port, by total TEUs handled. Nevertheless, Singapore’s port is the world’s busiest transshipment hub, and therefore immensely important to global supply chains. The port’s volume growth of 6.4 percent for the first half of 2017 indicates that its investments in modernized berths and joint ventures with liners paid off.

While this is great news for the short term, container vessels on Asia-Europe trade routes will inevitably increase in size, requiring higher handling efficiency to achieve fast turn-around times. By the end of 2018, ultra large container vessels (ULCVs) are expected to gain a share of 61 percent of total capacity, pushing established hubs like Singapore to automate its terminals to stay relevant.

At the same time, next generation container vessels will not only be bigger, but also increasingly automated and even autonomous. As ports and the shipping industry are integral parts of global and regional supply chains, their automation and technological modernization raises the impact and potential of cyber risk.

How Good is Automation?

For Singapore’s port, automation is seen to not only strengthen its position as a transshipment hub well into the future, but also helps it keep up with technological developments and industry trends.

The shipping industry has generally been slow in adapting new technologies, due to its conservative nature and the large number of players involved. Currently, only a fraction of global container volume is handled by fully automated container terminals. In 2016, it was estimated that only 4-5 percent of container volume will be handled by fully automated terminals once ongoing projects were completed. Nonetheless, industry pressure and competition have heightened the need for ports to invest and automate, indicating that the number of automated terminals will increase.

Automated terminals allow ports to handle containers more efficiently by using operating systems to plan storage in accordance with collection and transshipment times. This reduces unnecessary box moves, shortens cycle times, and enables consistent and predictable throughput numbers.

Fully-automated terminals have the advantage of low operating costs and reliable operations, but require higher upfront costs, longer development, offer only low productivity increases at peak times, and have the general difficulty to fully automate a working terminal. On the other hand, semi-automated terminals offer the possibility for greater productivity increases at peak times, are generally understood to have the best overall productivity with less upfront costs, but require higher operating costs and are inconsistent when it comes to handling ULCVs.

While full automation gives large ports like Singapore’s the advantage of reliable, full-time operations at low operating costs, it requires long development times to fix bugs and offers only gradual productivity increases at peak times. On top of that, full automation also increases their vulnerability to cyber risks. This is due to the use of technologically advanced and networked systems.

The investment threshold to enter automation for ports is high, while not necessarily offering major increases in productivity. What automation does offer major port hubs is better predictability and consistency of container moves per hour. Additionally, automation reduces the room for human error, making operations safer. At the same time, automation reduces the environmental impact since terminals are mostly electrified, giving ports an additional competitive edge in an industry increasingly focused on sustainability.

Cyber Risks

The shipping industry and ports are seen by many insiders as underprepared for cyber threats. Even though major players in the shipping industry have recognized and acted on the risks posed by cyber threats, the majority have been slow to recognize potential business risks. Even though awareness has grown, the need for better information sharing persists. Automation further increases the exposure and impact of cyber threats for ports, highlighting the importance of data and system integrity.

The reality of cyber threats to automated terminals was demonstrated in the “NotPetya” cyber-attack in June 2017. The attack forced Maersk to interrupt operations at multiple terminals worldwide, causing logistical havoc for weeks after the attack. Overall, it cost Maersk roughly US$300 million, even though the attack was not specifically directed at the company. The “lucky hit” against one of the industry leaders showcases that even well-prepared firms can suffer financial losses due to cyber threats.

The difficulty with protecting automated terminals from cyber risks lies with their complexity. These terminals use industrial control systems that translate sensorial data and commands into mechanical actions. The network links between mechanical equipment and sensors are exposed to the same threats as data networks. The complexity is further increased by the months and years it can take to figure out and fix bugs and weaknesses in automated systems. In an automated system, different system components have to effectively work together as one, stretching the time needed to figure out and fix bugs. This involves mainly software issues that have to be fixed while also moving boxes of cargo at the terminal.

While ports have to secure themselves from a broad range of risks, cybercriminals can choose from a number of entry points. For example, external vendors, terminal operating systems, and unaware employees may be vulnerable to phishing attacks. Operational systems and data networks are not always up-to-date or properly secured, allowing criminals to gain comparatively easy access to information. To prevent the ports and shipping industry from most attacks, regular operating system updates, stronger passwords, secure satellite connections, resilience exercises, information sharing, and employee awareness campaigns should be practiced.

On top of that, modern ships bear the risk of spreading viruses onto port systems simply via Wi-Fi or other data networks. Industrial control systems are not designed with cyber risks or active network monitoring in mind. This is especially true for ships’ control systems, but can also affect the system components of ports.

Nevertheless, this is only addressing the technical side. The human factor still plays a major role in mitigating cyber risks. Personal details of ship crews can still be easily accessed, making them more vulnerable to social engineering via phishing or other techniques, unknowingly granting access to systems.

Human factors can take the form of criminals, terrorists, competitors, disgruntled employees, and more. Workers at mostly manual terminals, for example, generally do not like automation because it makes their jobs largely redundant. To reduce the chance for cyber threats stemming from or aided by disgruntled employees, ports can offer training and job guarantees to their workforce to make the transition to automation more incremental.

Port authorities, registries, and all major organizations in the shipping industry are increasingly aware of cyber threats and are responding through raising awareness or offering training courses. These are simple steps to better protect information and navigation systems on board ships. For example, BIMCO, the world’s largest international shipping association, made cyber security an important issue for the shipping industry three years ago via an awareness initiative. The association has further advocated the need for guidelines to evolve with the threats, launching the “Guidelines for Cyber Security Onboard Ships” in July 2017, which was endorsed and supported across the industry.

In addition, the Liberian ship registry started a computer-based two-hour cybersecurity training program in October 2017, offering a comprehensive overview of cybersecurity issues aboard ships. Nevertheless, it is unlikely that these courses and campaigns are enough to protect the industry. While it is a step in the right direction, more needs to be done through regulations.

Conclusion and Policy Recommendations

Since 2016, the International Maritime Organization (IMO) has put forward voluntary guidelines regarding cyber risks. Only after 2021 does the IMO plan to enforce a set of binding regulations on cybersecurity. This might be too late for many companies in the industry. Shipping companies should not wait until 2021, but should begin now to implement simple measures, like using firewalls and stronger passwords, to deter criminals from trying to exploit current weaknesses.

Further, even though the IMO adopted guidelines on maritime cyber risk management into the International Safety Management Code this year, ports and the shipping industry still need to establish a stronger culture on cybersecurity.

Major shipping hubs are part of large and less resilient supply chains, which are essential for regional and international trade. These supply chains depend on a small number of key ports, which are vulnerable to shocks from other ports. To make supply chains and port hubs more resilient to cyber risks, the shipping industry as a whole will have to adjust and prepare.

Companies will have to work together and share information on previous or ongoing attacks, so that experiences and best practices can be shared directly. Unfortunately, this has been difficult to achieve due to worries about how competitors may use the shared information. Singapore has set up the Port Authorities Focal Point Correspondence Network to further the exchange of information on past and current incidents. It remains to be seen if this network has worked to encourage the sharing of information.

Ports are logistical hubs where many companies compete for business, making information sharing naturally difficult. Currently, port security is based on the International Ship and Port Facility Security (ISPS) Code, which is heavily focused on the physical aspects of security. In order to make cyber risks a much more important issue for port security, the whole sector needs to step up and make it a priority.

Cyber risks are not just a technological matter, but require adequate awareness and planning to strengthen a port’s resilience. Training employees actively in security protocols and procedures with information systems is one way of achieving this. At the same time, ports need to engage in contingency and scenario planning to be better prepared should an attack occur. On top of all this, national bodies (e.g. institutes of standards) need to give better guidance on security testing and planning for ports, which should be supplemented by binding guidelines on reporting and information sharing mandated by global bodies like the IMO.

Philipp Martin Dingeldey is a Research Analyst with the Maritime Security Programme at the Institute of Defence and Strategic Studies (IDSS), S. Rajaratnam School of International Studies (RSIS), Nanyang Technological University (NTU), Singapore. For questions and follow-ups he can be reached at research.pmdingeldey@gmail.com.

Featured Image: Port of Singapore (XPacifica/Gettyimages)