Russian Black Sea Fleet Activity in the Eastern Mediterranean Sea: Implications for the Israeli Navy

By CDR (ret.) Dr. Eyal Pinko

In recent years, and significantly since the 2011 Syrian uprising, the Russian Navy’s presence in the Eastern Mediterranean and Syria has expanded dramatically. The growing Russian presence in Syria is part of Russia’s updated naval doctrine, first published in 2012 and revised in July 2016, known as the Revised Russian Naval Doctrine up to 2030.

As in the case of previous strategic doctrines, it defines the navy’s role as part of Russia’s security policy, its goals, its main directions for the buildup of naval forces, and the geographic areas of naval operations. The doctrine also includes and specifies an assessment of threats to Russian maritime security up to 2030. 

The doctrine states that the main threat in the maritime domain originates from U.S. and NATO forces, which endeavor to dominate the oceans and achieve absolute superiority at sea. It also states that the Russian Navy must be ready to deal with technologically advanced adversarial navies equipped with high-precision weaponry and missiles, and that Russia must aim to keep its navy in second place worldwide in warfare capability.

This aspiration expresses the Russian understanding that the U.S. Navy is the most advanced globally and that Russia does not intend to build a navy similar in size or quality. 

The new doctrine relates in a general way to the need for operational capability in all regions and ensuring the ability to maintain Russian naval forces’ long-term presence in strategically critical maritime arenas. It explicitly emphasizes the strategic importance, from the Russian government’s perspective, of naval presence in the Black Sea, the Mediterranean, and the Arctic.  

Russia’s strategy in the Mediterranean has gained importance because of the reduced U.S. naval presence in the arena over the last decade, a reduction that began under President Obama’s administration and intensified under President Trump’s.

The reduction of the U.S. naval presence in the region results from a strategic decision by both presidents to shift the bulk of U.S. naval forces toward Asia in view of the growing threat from China and North Korea.

The primary objective of Russia’s increased involvement in the region is to reposition itself as a world power. Through its focused and determined intervention in Syria, Russia demonstrated that it is a key player whose involvement is essential to resolving international issues. For more than four years the West had failed to resolve a steadily worsening problem in Syria; it was now forced to consider the Russian positions more carefully and involve Moscow in resolving the crisis.1

The second objective of Russia’s involvement was to leverage the Syrian issue to resolve problems in other areas vital to it, mainly Europe in general and Ukraine in particular. Russian involvement in Syria intended to pressure the West to remove the sanctions imposed by the United States and Europe following Russian operations in Ukraine.2

The Russian naval presence in Syria is one of the significant ways in which Russia implements its maritime strategy. In practice, the implementation of the Russian maritime strategy in the Mediterranean is manifested in the expansion and upgrade of the Russian naval port at Tartus, the deployment of strategic weapon systems along the Syrian coast, such as the advanced S-300 and PANTSIR (SA-22) air defense systems, the SS-N-26 Yakhont shore-to-sea anti-ship missile systems, SS-26 Iskander short-range ballistic missile, long-range detection systems, and advanced electronic warfare systems.

The reinforced presence of Russian military forces in the Mediterranean, and particularly in Cyprus and Syria, also includes the deployment of corvettes, submarines (equipped with Kalibr cruise missiles), fighter aircraft squadrons, and helicopters.

The Russian aircraft squadrons, deployed at the Khmeimim air base near Latakia on the Syrian coast, are intended to provide an air ‘umbrella’ to the Russian Navy operating in the Mediterranean.

In January 2017, Russia signed an agreement with the Syrian regime to lease a naval base within the Tartus port and the Khmeimim airfield for 49 years, with automatic renewal for another 25 years. Russia began expanding the port to station 10 to 20 ships there and to provide maintenance capability. Under the agreement, defense of the base against sea and air attack is Russia’s responsibility, while its physical protection on land is Syria’s commitment.

The Russian maritime strategy’s implementation can be seen in the prolonged campaign in Syria, during which the Russian Black Sea Fleet demonstrated an intensive presence in the arena. The Black Sea Fleet performed patrols and was also responsible for supplying weapons systems and munitions from Russia to Syria using supply and auxiliary ships, which brought cargo from its base in the Black Sea to Tartus. 

Furthermore, during 2016-17 the Russian Navy carried out several attacks on high-quality ground targets in Syria using submarines and surface vessels firing cruise missiles from the Mediterranean, the Black Sea, and the Caspian Sea. 

In this context, it is worth mentioning the demonstration of power by the Russian aircraft carrier Admiral Kuznetsov in the Mediterranean and notably opposite the Syrian coast from November 2016 until late January 2017. The aircraft carrier, which was accompanied by a large task force (and perhaps even a submarine), was the platform from which attack aircraft took off for missions in Syria. 

Even though two aircraft that took off from its deck crashed and its exit from the Mediterranean was accompanied by black smoke seen coming out of the ship’s funnels, the Kuznetsov’s presence in the Mediterranean and primarily off the Syrian coast had significance from the perspective of Russia’s ability to project power and its desire to be an influential and dominant player in the Mediterranean arena. 

The Russian Navy’s presence in Syria enables Russian strategic and critical capabilities such as power projection with an air-defense umbrella, logistics basing for operations in the region, and securing oil transportation from Iraq or Syria to Russia.

Impacts of Russian Mediterranean Activity on the Israeli Navy

For many years, the Israeli Navy operated secretly and discreetly in the Mediterranean as one of the area’s strongest navies, and executed its missions in peacetime and in war almost freely. The Russian Navy’s presence and operations in the arena now affect it on several operational levels.

First, Russian intelligence gathering on Israeli naval activity affects the freedom of executing routine secret operations and will also affect the ability to perform them in crisis times. The intelligence gathered enables the Russians to build a maritime picture and evaluate the Israeli Navy’s routine operational activity (from this, it can also identify any non-routine activity it carries out).

The first of four new Saar 6 ships, left, is docked in Haifa, Israel, on Dec. 2, 2020. (Photo via Heidi Levine/AP)

It can be assessed with high probability that intelligence gathered by the Russian Navy is also conveyed to Syrian and Iranian troops and indirectly even to the Hezbollah terror organization. 

Second, the presence of Russian vessels not only threatens the secrecy of Israeli Navy operations in the arena but also exposes its ships to Russian forces (including Russian naval firepower). As a result, the Israeli Navy cannot maneuver freely where Russian vessels are present without prior coordination (deconfliction).

The threat to the secrecy of Israeli naval operations will make it difficult to carry out intelligence missions and special operations both in peace and in war. In addition, it is reasonable to assume that in the case of war or conflict, the Israeli Navy will be highly challenged in attacking its adversaries’ vessels and coastal targets (both in Lebanon and in Syria) by the presence of Russian Navy vessels and aircraft. 

The Russian Navy’s presence and maritime control in the Mediterranean region threaten Israel’s vessels and aircraft operations, essentially constituting access denial operations carried out by the Russian Navy in the Mediterranean arena towards the Israeli Navy. 

Eyal Pinko served in the Israeli Navy for 23 years in operational, technological, and intelligence duties. He served for almost five more years as the head of the division at the prime minister’s office. He holds Israel’s Security Award, Prime Minister’s Decoration of Excellence, DDR&D Decoration of Excellence, and IDF Commander in Chief Decoration of Excellence. Eyal was a senior consultant at the Israeli National Cyber Directorate. He holds a bachelor’s degree with honor in Electronics Engineering and master’s degrees with honor in International Relationships, Management, and Organizational Development. Eyal holds a Ph.D. degree from Bar-Ilan University (Defense and Security Studies).

Endnotes

1. Yadlin Amos, “Russia in Syria and the Implications for Israel,” Strategic Assessment, Volume 19 No. 2 (7/2016): 9. 

2. Ibid.

Featured Image: Russian Navy Captain Alexander Shvarts stands near the main gun system on the Russian missile cruiser Moskva as it patrols in the Mediterranean Sea, off the coast of Syria, on December 17, 2015. (Max Delany/AFP)

Tackling Maritime Cyber Threats: A Call for Cross-Stakeholder Cooperation

Maritime Cybersecurity Topic Week

By Henrik Schilling

“Cyber War does not take place in the present, and […] it is unlikely that Cyber War will occur in the future,”1 stated German political scientist Thomas Rid several years ago, arguing that no cyberattack can be viewed as an act of war on its own. It does indeed seem difficult to imagine a war waged solely by way of cyberattacks, although the rapid development of new technologies makes predicting the possibilities of future cyberattacks increasingly difficult. What is already noticeable, however, is the sharp increase in cyber incidents worldwide, with the maritime sector particularly affected. By the end of July 2020, cyberattacks targeting the maritime sector had already risen by 400 percent since the outbreak of the coronavirus. The number of attacks in 2021 is likely to be much higher.

The maritime sector is especially vulnerable to cyberattacks because of its dependence on well-functioning technology for navigation, its communication requirements, and the logistics involved. The problem with cyberattacks is the multitude of challenges they present at different levels, requiring a multidimensional approach. It is insufficient to see cyberspace as a standalone domain. Even though NATO declared cyberspace a fourth operational domain, stating that NATO “must defend itself [in cyberspace] as effectively as it does in the air, on land, and at sea,”2 this domain has the crucial feature of not only heavily affecting other domains but being directly linked to them. As the digitization and automation of systems progresses, this linking of cyberspace and all other classical operational domains will deepen even further. Moving from the technical to a more geographical and political perspective, cyber threats present even more problems that call for multidimensional analysis.

What Makes Cyberattacks so Harmful?

The irrelevance of geographical borders in cyberspace is connected to the dissolution of the linkage between attacks and a defined territory. Cyberattacks are not limited to defined geographical or political borders, and no physical presence is needed to execute an attack. At the same time, an increasingly wide range of actors are capable of performing cyberattacks, and cyber skillsets and capabilities are proliferating. While more sophisticated attacks require large financial and organizational resources and especially time, which makes them exclusive to state actors or their proxies, other types of attacks are becoming easier to perform for a range of actors. These factors mean that attacks can originate even from supposedly safe and stable regions. Military strategists know that attacking the source of strength or the center of gravity is a viable approach, but even so, they might find it difficult to obtain political top cover for retaliation once they properly attribute cyber aggression.

The lack of a clearly identifiable actor in some cyberattacks presents states and private stakeholders with several problems. One of the most urgent is determining the consequences of such an attack. Without knowledge of the origin of the attack, possible responses, such as sanctions or counterattacks, are very difficult if not entirely impossible to implement. There is a lack of international treaties that define what kind of cyberattack actually constitutes an act of war. A declaration of the need for immediate national defense would be meaningless without knowing the source of the attack.

Attribution is crucial because the consequences of an attack vary depending on the attacker and their aim. While criminal groups may launch cyberattacks mainly for financial benefit, state actors could try to gain access to closely held military-technological secrets, and competing firms could launch attacks for commercial espionage. Knowing the origin of an attack establishes the options for responding to it.

The attribution and retaliation problem varies in its actionability for the private maritime sector. While state actors, especially national navies, should remain capable of answering an attack, private actors are often unable to answer a cyberattack appropriately, except for improving internal defenses. They usually cannot conduct offensive cyberattacks in retribution without fear of prosecution.

The indirect and often surprising nature of cyberattacks makes any defense other than preemptive defense rather difficult. Even if an attack is detected, questions remain over when and how to respond to it. Should defenders try to deny access to a specific portion of a system, or should the whole system be taken offline? What should be done if an attack is only noticed when a system is already down? These are only some of the dilemmas that have to be taken into consideration, and they are especially crucial for systems operating at sea that cannot be easily shut down without major consequences.

The Vulnerability of the Maritime Domain to Cyberattacks

The key issue of maritime cybersecurity is the systemic need for reliable cyber technology while vessels’ onboard systems are aging as technology advances. While a cargo vessel is deeply dependent on communication systems while operating, it is challenging to reliably ensure a vessels’ cybersecurity during its whole lifespan. This is especially true when the average service life of a cargo vessel lies between 25 and 30 years, during which technology could have advanced greatly without the vessel’s own technological assets being updated to keep pace.  

The maritime domain consists of multiple additional gateways for cyber threats, especially related to critical infrastructure, such as facilities for energy, resource extraction and transportation, undersea cables and communications, as well as harbor and port infrastructure. Cyber threats are also becoming increasingly crucial for military purposes in the maritime domain, which cannot necessarily be neatly separated from the civil context of commercial maritime infrastructure. This is particularly evident when assessing the possibilities of blocking a critical geographic chokepoint, such as a canal, by manipulating the systems of a vessel in such a way that it physically blocks the channel, or manipulating the controls for the canal itself.

Another method would be the direct manipulation of a vessel’s propulsion system, either by deactivating the propulsion or, for example, by activating the bow thruster to turn the vessel crosswise and block a waterway. Another possibility, especially in canals or harbors that rely on locks, would be to manipulate the locks directly or to cause a vessel to damage or obstruct them, making these facilities even more prone to disruption. While the risk of attack against such structures is not new and the consequences are severe, as the blockages of the Suez Canal between 1967 and 1975 demonstrate, the key difference with cyberattacks is that the perpetrator need not be physically present.

The implication that such attacks would have for both civilian and military actors can also be illustrated by the Kiel Canal in Northern Germany. By ship numbers it is the busiest artificial waterway of the world. The canal connects the North Sea with the Baltic Sea, and reduces the distance for vessels travelling from one region to the other by up to 250 nautical miles. Up to 140 million people live in the area. The importance of the canal for commercial shipping is evident, but a cyber-related closure of the canal could have major consequences strategically. It would make it more difficult for allied navies to enter the Baltic Sea in case of a crisis or conflict, thereby threatening timely access for potentially upholding alliance guarantees.

Proposals for a Multidimensional and Multi-Stakeholder Approach to Maritime Cyber Threats

These linkages between a broad set of actors that come together in the maritime domain, all depending on reliable cyber infrastructure, make it indispensable to create a multidimensional, cross-stakeholder approach to cyber threats. Multidimensional in this case means combining different defensive elements against cyberattacks, political, strategic, and legal, while keeping in mind the ability of cyber threats to compromise all other domains as well. This makes it essential to cooperate with non-maritime stakeholders too. Such an approach will require considerable effort and will confront difficulties regarding ever-changing technical conditions and the ambiguity over responsibilities in the defensive and offensive aspects of cyberspace.

International law should be developed to define rules regarding the offensive and defensive use of cyber operations. The Tallinn Manual 2.0, a broadly recognized publication on the relationship between international law and cyber operations, could inform the incorporation of cyber operations into international maritime law.

Apart from the law itself, implementing cyber operations into international law would create a certain degree of consent between international actors regarding the handling and use of cyber operations. These measures will not solve illegal cyberattacks, but they might provide actors a common ground of action in terms of defending against such attacks or initiating consequences or counterattacks.

Efforts should be made to clarify responsibilities for cybersecurity both within state and non-state levels. Cooperation between maritime stakeholders regarding cybersecurity is a major challenge, not because there is an unwillingness to cooperate, but because the structures and responsibilities for cybersecurity are often too complex, not clarified enough, or widely different, for example due to varying laws in different countries. A major reason for complexity is the outsourcing of cybersecurity, which is not as problematic in itself, but complicates the process of coordinating cybersecurity between stakeholders. Subsequently, the role that the state must play in ensuring cybersecurity for important maritime players should be examined critically.

This is of major importance for the naval forces of a state, which should have enough capability to defend themselves against cyberattacks and to conduct cyberattacks themselves. The role of the state is also important for private operators of harbors, critical infrastructure, or energy supplies, where service outages or interruptions would have a direct effect on national security. Reliable cybersecurity for key stakeholders of the maritime industry, infrastructure, and naval forces is therefore of high importance for the state itself, which should consider implementing methods of control or minimum standards to ensure its own national security.

One possibility of effectively connecting private and state, as well as multinational-actors, would be to conduct joint exercises or simulations. These would firstly encourage all stakeholders to ensure a comparable level of cybersecurity and secondly ensure a more efficient way of cooperative defense in case of an actual maritime cyberattack.

Joint exercises are already a key component for naval forces and ensure a level of professionalism and readiness. Some of the best examples are the numerous exercises that the Standing NATO Maritime Groups conduct year-round. Naval forces can become the prime target of cyberattacks in case of a conflict, which makes it essential to include cyber defense measures in exercise programs. Such exercises would not need entirely new structures, since NATO has already created the basis for them by establishing its Centers of Excellence (COEs). Alongside the three COEs focused on the maritime domain, there is a Cooperative Cyber Defence COE. Joint exercises between the two domains could therefore be coordinated through these centers.

There are several ways a cyberattack can be aimed against naval forces. While some of them only affect a vessel in a non-physical way, like stealing intelligence-data, many cyberattacks will at some point affect the physical factors of a vessel. By manipulating a vessel’s systems directly, the propulsion, navigation, or weapons systems could be affected. A third-party vessel could also be attacked to cause harm to a target military vessel. This option is especially dangerous in frequently used waterways, canals, or even for vessels operating in civilian convoys or naval task groups. In a cyberattack conducted against a multinational aircraft carrier strike group, the vessel with the weakest cyber defenses could be attacked, such as a logistics vessel, even if the actual target would be the carrier. Gaining access to a target network through the weakest link could enable attacks against its strongest link.

While training against a solely non-physical attack may be of great difficulty, especially for smaller crewed vessels, it is possible to train for a cyberattack that culminates in a physical action. Since many cyberattacks can be classified as support operations to a physical attack, like manipulating a propulsion system to compromise navigation and safety, preparing for such attacks would be more feasible. At the same time, these exercises are becoming more and more urgent. More than a decade ago a computer virus was already able to ground French Navy fighters by simply compromising flight data downloads.

While the U.S. Navy is again training its sailors in celestial navigation, which can indeed be very helpful in case of a cyber-related failure of digital navigation, the solution is not to return to pre-cyber era systems. Serious proficiency in offensive and defensive cyber capabilities will become fundamental. Especially in the maritime domain, with its vast interdependencies, cyber threats must be faced cooperatively to ensure a resilient and reliable cyberspace, which has become indispensable for the functioning of the global maritime commons.

Henrik Schilling is a research assistant at the Center for Maritime Strategy and Security (CMSS) at the Institute for Security Policy at Kiel University (ISPK), Germany. He is currently earning his Masters in International Politics and International Law and has recently published the German Navy Fleet Tracker Report for 2020 together with Dr. Sebastian Bruns.

References

1. Thomas Rid, “Cyber War Will Not Take Place,” The Journal of Strategic Studies, Vol. 35, No. 1 (February 2012): 5-32.

2. NATO Warsaw Summit Art. 70: https://www.nato.int/cps/en/natohq/official_texts_133169.htm

Featured Image: Locks at Brunsbüttel connecting the Kiel canal to the River Elbe estuary, and thence to the North Sea (Wikimedia Commons)

Perils of A New Dimension: Socially Engineered Attacks in Maritime Cybersecurity

Maritime Cybersecurity Topic Week

By Leonid Vashchenko

Maritime digital transformation is in its most rapid and turbulent era. Such a transformation offers substantial advantages and benefits, but with commensurate risks in the cyber domain.

On June 16, 2017, the International Maritime Organization (IMO) adopted Resolution MSC.428(98) that “encourages administrations to ensure that cyber risks are appropriately addressed in existing safety management systems (as defined in the ISM Code) no later than the first annual verification of the company’s Document of Compliance (DOC) after 1 January 2021.” The same year the IMO developed related guidelines (MSC-FAL.1/Circ.3). While the resolution is a formal acknowledgement of the importance of cybersecurity by the UN agency, the guidelines highlighted that effective cyber risk management should start at the senior management level.

But even smart and elaborate risk management will not be effective until appropriate cyber awareness arises among all those engaged in the maritime world. The human element is the most valuable but also the most vulnerable in maritime cybersecurity. While modern technology affords a measure of protection against direct hacking, social engineering has become the most prevalent vector for cybercrime.

There is a popular opinion that the direct targeting of senior leaders (known as whaling attacks, or CEO fraud), is the most probable scenario for a lucrative cyberattack. In cases of success, offenders can get access to sensitive data or even entire networks and affect many processes within the system. In some cases, attackers could even get options to direct groups of ships. On the other hand, such a “whaling attack” is a complicated process with disputable chances of success. The obligation senior executives have toward cyber risk management is fast becoming a standard assumption. These leaders are becoming more and more aware of these hazards and are better maintaining prudent behavior to reduce cyber risks to themselves personally. Much simpler is the method of attempting to socially engineer other types of maritime workers, who at first sight appear less significant than executives, but who also enjoy broad access to maritime systems and networks.

Two main groups can be distinguished as desirable targets. The first includes crewmembers onboard commercial vessels and naval ships, especially those with direct access to the ship’s control systems or to important shipboard systems such as communications, engines, or cargo handling equipment and storage areas. The second includes shore-based personnel: technicians, advisors, and third-party contractors, especially those with remote access to shipboard networks and contacts.

Three critical areas are attractive to attackers: navigational systems and sensors, cargo handling and storage, and propulsion and power. In most cases the latter two require direct physical access to compromise. Navigational systems, in contrast, are among the most networked and digitally accessible systems onboard.

If cyber intruders gained access to ECDIS (the Electronic Chart Display and Information System), they could attempt offensive options such as jamming or corrupting the signals received from external sensors (GPS, AIS, Radar/ARPA, Navtex), gathering critical hydrographic information, and tampering directly with the Electronic Navigational Chart (ENC). While official ENCs are well-protected data, unauthorized use of the ENC’s manual correction function can be disruptive. Attackers could also go for the simpler option of disabling the operating system of the ECDIS workstations, which in most cases is a commonplace Windows installation, and not necessarily the latest version. With the highly integrated bridge navigation systems of modern chemical tankers and passenger ships, attackers could even target the ship’s auto-steering algorithm.

Unauthorized access to such an important navigational system can be obtained with malware accepted by equipment operators via their email client and personal social media profiles. Today, with the internet widely available onboard modern commercial vessels, shipboard personnel can freely use their personal mobile devices or laptops for web access and private communications. At the same time, cybersecurity hygiene and best practices are often neglected, and the same personal devices can be used for operational data storage and transfer, including transferring data to and from ECDIS workstations.
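The sensor-input point above is worth making concrete. AIS and GPS feeds reach the ECDIS as plain NMEA 0183 sentences with no authentication, so a compromised bridge workstation, a rogue device on the NMEA network, or a radio spoofer can inject reports at will. Two cheap checks still help: the NMEA checksum catches accidental corruption and careless tampering, and a plausibility test on the speed implied by consecutive reports from the same MMSI catches fixes that jump farther than any hull could travel. The following is an added example written for this article, not code from the author or from any ECDIS vendor. It assumes the AIVDM framing and the 168-bit layout of AIS message type 1 (6-bit ASCII payload); the MMSI, the sample track, and the 50-knot ceiling are constructed assumptions.

```python
"""AIS input integrity checks for an ECDIS NMEA feed (added example, not from the article).
Assumes AIVDM framing and the 168-bit AIS type-1 layout; the MMSI, track and 50 kn
ceiling below are constructed assumptions for illustration."""
import math

MAX_PLAUSIBLE_KNOTS = 50.0  # assumed ceiling for a merchant hull; tune per vessel type


def nmea_checksum(body: str) -> str:
    """XOR of every character between the leading '!' (or '$') and the '*'."""
    total = 0
    for ch in body:
        total ^= ord(ch)
    return f"{total:02X}"


def _bits(value: int, width: int) -> str:
    """Fixed-width two's-complement bit string (negative values wrap)."""
    return format(value & ((1 << width) - 1), f"0{width}b")


def _int(bits: str, signed: bool = False) -> int:
    value = int(bits, 2)
    if signed and bits[0] == "1":
        value -= 1 << len(bits)
    return value


def encode_position(mmsi: int, lat: float, lon: float, sog_kn: float, cog_deg: float) -> str:
    """Type-1 payload: lat/lon in 1/10000 min, SOG in 0.1 kn, COG in 0.1 deg; unused fields zero."""
    bits = (_bits(1, 6) + _bits(0, 2) + _bits(mmsi, 30) + _bits(0, 4) + _bits(0, 8)
            + _bits(round(sog_kn * 10), 10) + _bits(0, 1)
            + _bits(round(lon * 600000), 28) + _bits(round(lat * 600000), 27)
            + _bits(round(cog_deg * 10), 12) + _bits(511, 9)  # heading 511 = not available
            + _bits(0, 31))                                  # timestamp .. radio status
    assert len(bits) == 168
    return "".join(chr(v + 48 if v < 40 else v + 56)
                   for v in (int(bits[i:i + 6], 2) for i in range(0, 168, 6)))


def wrap_sentence(payload: str) -> str:
    body = f"AIVDM,1,1,,A,{payload},0"
    return f"!{body}*{nmea_checksum(body)}"


def decode_position(payload: str) -> dict:
    bits = ""
    for ch in payload:
        o = ord(ch)
        if not (48 <= o <= 87 or 96 <= o <= 119):   # the two valid 6-bit ASCII ranges
            raise ValueError(f"invalid payload character {ch!r}")
        bits += _bits(o - 48 if o <= 87 else o - 56, 6)
    if _int(bits[0:6]) not in (1, 2, 3):
        raise ValueError("not a class A position report")
    return {"mmsi": _int(bits[8:38]), "sog": _int(bits[50:60]) / 10.0,
            "lon": _int(bits[61:89], signed=True) / 600000.0,
            "lat": _int(bits[89:116], signed=True) / 600000.0,
            "cog": _int(bits[116:128]) / 10.0}


def parse_sentence(sentence: str) -> dict:
    """Check framing and checksum, then decode a single-fragment AIVDM sentence."""
    if not sentence.startswith("!") or "*" not in sentence:
        raise ValueError("not an NMEA sentence")
    body, given = sentence[1:].rsplit("*", 1)
    if nmea_checksum(body) != given.strip().upper():
        raise ValueError("checksum mismatch")  # corrupted on the wire or tampered
    fields = body.split(",")
    if fields[:3] != ["AIVDM", "1", "1"]:
        raise ValueError("only single-fragment AIVDM is handled here")
    return decode_position(fields[5])


def distance_nm(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 3440.065 * math.asin(math.sqrt(a))


class TrackMonitor:
    """Keeps the last accepted fix per MMSI and rejects jumps no hull could make."""

    def __init__(self, max_knots: float = MAX_PLAUSIBLE_KNOTS):
        self.max_knots = max_knots
        self.last = {}

    def observe(self, sentence: str, received_at: float):
        """received_at is the receiver's own clock in seconds; the AIS timestamp
        field only carries seconds-of-minute and is attacker-controlled anyway."""
        report = parse_sentence(sentence)
        prev = self.last.get(report["mmsi"])
        if prev is not None and received_at > prev["t"]:
            hours = (received_at - prev["t"]) / 3600.0
            implied = distance_nm(prev["lat"], prev["lon"], report["lat"], report["lon"]) / hours
            if implied > self.max_knots:
                return report, (f"MMSI {report['mmsi']}: implied {implied:.0f} kn "
                                f"(reported {report['sog']:.1f} kn); fix rejected")
        self.last[report["mmsi"]] = {"lat": report["lat"], "lon": report["lon"], "t": received_at}
        return report, None


# Constructed sample track in the Kiel Canal approaches; the MMSI is fictitious.
SAMPLE_TRACK = [
    (0, wrap_sentence(encode_position(211000001, 54.37, 10.14, 8.0, 90.0))),
    (300, wrap_sentence(encode_position(211000001, 54.37, 10.16, 8.0, 90.0))),
    (900, wrap_sentence(encode_position(211000001, 54.87, 10.14, 8.0, 90.0))),  # 30 nm in 10 min
]


def run_sample() -> list:
    """One warning (or None) per sentence in SAMPLE_TRACK."""
    monitor = TrackMonitor()
    return [monitor.observe(sentence, t)[1] for t, sentence in SAMPLE_TRACK]


if __name__ == "__main__":
    for warning in run_sample():
        print(warning or "ok")
```

The third report places the vessel 30 nautical miles north of its last accepted position ten minutes later, an implied speed of roughly 180 knots, so the monitor rejects it and keeps the earlier fix as the reference. A rejected fix is a signal to the watch officer, not proof of attack: a receiver glitch produces the same symptom, which is why the check is a prompt to cross-check against radar and visual bearings rather than an automatic alarm.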

Imagine a scenario where a chemical tanker was chosen as a target by a hacking group. Information regarding the vessel’s static and dynamic (course/speed/position) data, crew composition, type and quantity of cargo, destination, captain’s name, and other items of interest could be collected from the web. Attackers could then search and exploit the social media profiles of crewmembers, preferably a member of the targeted vessel’s bridge team. The task is made easier by social media networks and websites focused on professional groups and employment.

During the second stage, evaluation, the chosen profile is carefully examined by the offenders for weak points. Nowadays, the majority of social media users are registered across several platforms, covering personal and professional connections as well as entertainment preferences. Adversaries can therefore gain information not only about the mariner’s place of service but also about their family, hobbies, places visited, and other details that could be relevant to designing a socially engineered attack.

The objective is to obtain unauthorized access to the vessel’s systems. The targeted person can either be blackmailed or contacted by a fake profile impersonating a trusted contact, with the aim of delivering malware through the victim’s access. An untrained and unaware navigational officer could install the malicious software on the navigational computer under the guise of a ‘colleague’s friendly tip.’

A socially engineered attack can be made to seem more credible when shore personnel, such as technicians or support desk members, are targeted. With almost the same measures in searching, evaluating, targeting, and hacking, perpetrators can infiltrate and attack even larger groups of ships due to how shore professionals often have access and jurisdiction over many vessels.

More nefarious intentions could include causing a chemical spill, setting a ship on a collision course with a naval ship or a passenger vessel, or damaging critical shore-based infrastructure. Given these scenarios, maritime cyber threats should be considered a matter for the International Ship and Port Facility Security Code (ISPS), and not only the International Safety Management Code (ISM). The ISPS code consolidates various requirements intended to ensure the security of ships and ports.

There are some important requirements under the ISPS. The security-related information exchanges among the appropriate contracting agencies, both government and private, include collecting and assessing the obtained information and further distributing it. Correspondingly, definitions are included for the relevant communication protocols for vessels and port facilities for uncomplicated exchanges of information. Another important element is attempting to prevent any unauthorized access on a vessel, port facility, or other important restricted areas. Even if unsanctioned entry is not a threat, it is always regarded as a potential danger.

The ISPS also provides for different options for raising an alarm when a security-related incident is encountered or a potential danger is identified. It seems logical enough to apply similar requirements to maritime cybersecurity. There are several main tasks to consider: cybersecurity information collection, evaluation, and exchange between concerned parties; prevention of unauthorized access and of malware and spyware installation or transfer; and appropriate training of personnel.

Finally, regulation should be introduced regarding the human element. Specifically, training and exercises should be introduced for vessels’ crews and port facilities’ staff to ensure their familiarity with the security plan and that there will be no delay in executing procedures in case of a real threat. Advanced cybersecurity training and education should be encouraged, especially for critical staff like watchkeeping officers or engineers. The purpose of such education would be to gain knowledge and develop skills in cybersecurity in order to anticipate threats at an early stage. Trained personnel should also be ready to prevent unauthorized access to critical equipment and systems and be vigilant for particular malfunctions that could be caused by illicit infiltration. In cases of potential penetration, staff should be skilled enough to isolate affected parts of the system without losing control of the vessel. Their proficiencies should include the ability to manage a transition to emergency manual control and to use classic techniques in seamanship and communication.

Maritime security, through cybersecurity, will become a much more complex endeavor. It will require a considered combination of the human element, technical innovation, management procedures, security protocols, and classical maritime know-how. Considering the lack of cyber-awareness among some mariners, a transfer of malware from a personal device to a ship’s navigational system is just a matter of time. The international maritime community should accelerate and strengthen efforts to develop adequate measures to withstand future challenges in the maritime cyber domain.

Leonid Vashchenko is a professional mariner, currently serving as a chief officer on board ocean-going commercial vessels. He holds a Master’s Degree in Marine Navigation from the National University “Odessa Maritime Academy,” Ukraine, and is an active member of the Nautical Institute, London. His views are his own and do not necessarily represent the official views or policies of the organizations or companies he is employed with.

Featured Image: Hamburg port (Wikimedia Commons)

Sea Blind: Pacing Cybersecurity’s Evolving Impact on Maritime Operations

Maritime Cybersecurity Topic Week

By Mark McIntyre and Joe DiPietro

Technology Disruption

Just as the sextant enabled celestial navigation of ships far from shore, and signal flags and lights allowed ships to communicate with one another more effectively, the adoption of digital technology has allowed sailors to shoot, move, and communicate even more rapidly. While this technology allows seafarers to navigate more precisely and communicate and coordinate with others more easily, it introduces new vulnerabilities to modern warships. Just as these systems assist personnel onboard ships, they potentially offer nefarious actors an attack vector to introduce malicious code into these systems.

Cyber is the ultimate domain for threat actors, providing strategic and regional adversaries alike with an effective way to target otherwise formidable platforms. We should expect to see more activity in the coming years from regional actors who aspire to project power, elevate their geopolitical stature – and perhaps make some money while they are at it – without incurring the major expenses of maintaining or surging military forces and materiel.

Advanced threat actors have proven their ability to take advantage of domestic and international supply chain complexities and dependencies, exploiting governments’ troubling dependencies on legacy information technology infrastructure and bureaucratic inefficiencies. In short, attackers will remain quicker and more adaptable than defenders for the foreseeable future. While we have traditionally envisioned naval engagements with ships, planes, and missiles interacting with one another, we need to expand our aperture to anticipate adversary efforts to attack our shipboard systems through cyber operations.

Data Explosion and the Future of IoT

A core mission of most western navies is to protect shipping lanes for energy and commerce. Given global commerce’s increasing reliance on digital technology, navies will surely see their mission set expand to include protecting—or exploiting—global digital transmissions and understanding what all that data means. Further, with information and operational technologies converging rapidly, the United States and its allies must rethink traditional mindsets that separate investments in physical infrastructure and fleets from the underlying technologies that will increasingly power and manage them, and the associated mission systems on board. With the need to forward-deploy computing power and infrastructure around the world, often on short notice, vessels may in the future be better characterized as floating datacenters that happen to hold traditional weapons systems. As maritime operations evolve around technology futures that increasingly rely on computing systems and data, and as long as data remains attractive to adversaries, the need for cybersecurity defenders will only grow.

Data, as we hear, is the ‘new oil.’ Over 90 percent of the world’s data has been created in the last five years. We are using terms like ‘zettabytes’ now, and organizations are creating ‘chief data officer’ roles and data-specific enterprise strategies. Depending on the specific study, the growth rate for Internet of Things (IoT) devices far exceeds that of traditional laptops, cell phones, and tablets. Over 30 billion devices are projected to be deployed by the end of 2021. IoT devices are used for specific applications that span many industry segments. As we look at public sector applications, the vast majority fall in the “Industrial IoT” device segment shown below. There are many reasons for this growth, but the cloud increases application-specific value at a tremendous rate. There are other terms like Digitalization, Industry 4.0, and the Fourth Industrial Revolution, but they all embody the following characteristics that digitalization is creating:

  • more complex systems to support the growing efficiencies needed to protect critical infrastructure through automation
  • the ability to respond much quicker, and with greater accuracy, to operational threats

We are already seeing the introduction of autonomous drones, body-worn devices such as HoloLens augmented reality headsets, predictive maintenance sensors on engines or manufacturing devices, physical security and life control devices, and even connected installations. It is not science fiction to envision an operating environment where everything is connected and where all data contains hidden meaning that, left uncollected, constitutes an intelligence or mission failure. It is already happening.

Internet of Things (IoT) connected devices installed base worldwide from 2015 to 2025, in billions (Graphic via Statista)

The Cyber Workforce

Success or failure in leveraging data and devices will depend upon humans, especially our information technology and cybersecurity defender teams. Because humans maintain and interact with these systems, we will long remain the primary target of adversaries. It is imperative that future technology adoption begins with recognizing the foundational importance of workforce readiness.

Commercial enterprises and governments alike are struggling to properly prepare their cyber defender workforce to adapt to new threats and take advantage of new security technologies. Many cyber defense teams grew up in an exclusively on-premises environment and are only now developing the beginnings of a cloud-native skillset. In addition, and of greater concern, we are not positioned to close the talent shortage in cybersecurity, which some analysts estimate at between two and three million unfilled positions. Technology providers are making impressive advances in creating cyber tools and solutions, but in doing so we have created what Gartner calls a “digital dexterity gap,” where we are innovating at a much faster rate than customers—especially governments and warfighters—can absorb.

There is also an inverse relationship in play, according to one global CISO (Chief Information Security Officer) survey, where humans account for 95 percent of data loss incidents, while only around 1.5 percent of CIO (Chief Information Officer) budgets are allocated to workforce cybersecurity readiness. We simply are not investing enough in teaching the workforce—from leadership to the newest recruit—how to operate safely online. Role-based readiness is critical to help users fully understand the risks of phishing and other attacker activities.

We are also dealing with the troubling signs of analyst fatigue where cyber defenders are simply burning out. If we see the future of maritime operations and cybersecurity as built around cloud-powered big-data systems and ubiquitous computing, then we must do better at providing the right proactive learning and onboarding experiences to give our people, especially cyber defenders, a fighting chance.

The future of maritime operations, much like other public sector and commercial endeavors, is where information technology, data, and devices converge. We should expect continued cyber-attacks against national infrastructure and military platforms. This will be happening amidst continual technological innovation designed to capture and make use of massive amounts of data, which will be protected by outnumbered and beleaguered security practitioners who will often not be properly trained to employ emerging technologies to counter threats.

Gamified Learning

Due to a variety of factors, including perceptions of slow technology adoption and the spartan demands of military service, defense ecosystems are particularly vulnerable to the cyber workforce talent shortage and readiness challenge. Building tomorrow’s cyber workforce is a fundamental societal challenge that requires governments, industry, academia, and communities to work together to attract and prepare individuals for cybersecurity careers.

One potential solution to this challenge lies in taking advantage of cloud-hosted cyber ranges. Providers in this sector are currently ahead of the market, but they are on to something that will be increasingly critical for military cyber defenders: force-on-force training in a gamified learning environment.

A cloud-based cyber range provides an immersive, scenario-driven training environment that mimics real-life threats and responses, and has proven applicability to Red and Blue team training, security awareness training, certification-path training, and proficiency examination. This learn-by-doing approach offers students a realistic experience of thinking like attackers while competing against one another in a gamified cyberspace environment. Simulated breach environments, sandboxed from operational enclaves but modeled to resemble real environments, help prepare an enterprise’s workforce for the stress, panic, and communication barriers they will face during a real cyberattack.

This sort of gamified learning introduces interactive, video game-like experiences that naturally attract younger talent and competitive personalities, and this approach has already been shown to improve student retention compared to traditional classroom learning. Intuitively, this is obvious: we must make learning fun and competitive. Independent studies reveal that students retain only around 10 percent of what they learn in a traditional classroom. After one month, by contrast, gamified learning flips that number, with retention at around 80-90 percent.

For defense organizations that may struggle to attract and retain talent, these cyber ranges demonstrate a commitment to investing in employee education and career advancement and to meeting younger people where they live—online, using devices. Since future force development will require some level of IT acumen, this is an excellent chance to address hiring profiles and optimize recruitment pipelines. Cloud-based cyber range platforms are also highly scalable and will allow defense organizations to reach many more personnel globally than can be done with traditional learning programs and exercises.

Workforce Readiness for Tomorrow’s Defenders

Modern cyber-range platforms are designed to support a broad range of scenarios that may range in user experience from a walkthrough, ‘choose your own adventure’ scenario to ‘open world’ exploration. Naval organizations can create and map skills development themes to operational and IT focus areas to nurture employee interest, gauge readiness, and advance career paths in areas with critical skillset shortages such as:

  • Threat hunting
  • Capture-the-flag
  • Incident investigation
  • ‘Live’ incident response and containment
  • Failure analysis and cloud troubleshooting
  • Malware and memory forensics
  • Red-teaming and penetration testing

In addition to practical cybersecurity learning, cloud-based gamified learning can also address more specific naval warfighting and maritime use-cases:

  • Wargaming and engagement simulation: run through many different variables and scenarios at much quicker speeds and with more predictive capabilities based on data inputs
  • Combat Information Center drills: improve analysis of incoming datapoints and communications
  • Systems deployment and maintenance: allowing technicians and other personnel to learn and practice tasks with equipment before actual installation and servicing
  • Virtual technology evaluation: accelerating product security evaluations and efficacy for IT and operational teams.

Gamified learning can just as easily be tailored to general IT users and leadership teams, for example with phishing, online safety, and command and control exercises. Everyone can find a role to play. Some cyber range companies are developing very promising avatar or concierge features where advances in ML (Machine Learning) and AI (Artificial Intelligence) provide new employees and seasoned veterans alike with a virtual assistant to help personnel make the right decisions.

Cloud computing offers significant cost and performance advantages for gamified learning. Currently, most training environments are on-premises, requiring significant up-front capital investments in infrastructure and servicing, sometimes over $500k/month for an exercise, and they do not easily scale. Moving range infrastructure to the cloud will allow range providers to focus less on maintaining IT systems and more on providing the actual cyber learning, flipping training budgets from capital investments toward operational investments. Range providers need to get out of managing training infrastructure and environments and focus on providing high-quality, dynamic simulations.

Cloud-based cyber range technology platforms bring scenario-based immersive training and skills development experiences. Developer and IT teams will be able to focus on creating actual learning scenarios that are specific to attacker activities or user-defined use-cases and advance employees’ professional development.

Tomorrow’s Security Operations

The Department of Defense has spent the better part of the last year endorsing and directing components to start adopting Zero Trust architectures as part of a larger fundamental redesign of its networks to better handle modern collaboration demands, such as SaaS applications. This welcome development implicitly acknowledges a pragmatic ‘assume compromise’ posture: managing the use of technology is inherently a risk management exercise. Zero Trust architecture allows an organization to implement proactive and centralized controls over users, devices, applications, infrastructure, and networks, all with the goal of protecting the most critical asset—data.

When incidents occur, Zero Trust helps minimize the ‘blast radius’ by containing attackers before they can compromise more of the environment. This topology is like a naval vessel, where specific operations are housed in certain compartments and access to them is limited by role. Likewise, one can limit the spread of damage to other parts of the ship by sealing access to compartments during emergencies.

Due to the central role that IT will continue to play in a modern warfighting or workplace environment, staying offline is not tenable. In fact, the trends are clearly moving in the opposite direction: more devices, more data, more flexibility, particularly for younger individuals for whom constant access to technology is an expectation and therefore a recruitment and retention issue. This is particularly relevant when some analysts suggest that 99 percent of usable intelligence collection will be OSINT, coming from commercial providers.

Cloud-First Platforms

The U.S. Navy’s rapid move toward adopting Zero Trust architecture is encouraging, particularly as it may serve as a sort of reference architecture for maritime partners and allies. It is even more opportune when we factor in the convergence of IT and operational technologies. Most net-new devices that will be deployed in the coming years will not be personal or organizational cellphones or other hand-held devices: they will be operational devices, part of the larger internet of things ecosystem, which will expand into billions of connected devices, all constituting points of intelligence and vulnerability.

From a cybersecurity perspective these devices must be protected, and we must control how we interact with these devices and how they interact with each other. These devices are already forcing a modernization of traditional security information and event management (SIEM) and security orchestration, automation, and response (SOAR) platforms. Traditional on-premises SIEM/SOAR systems will not be fast or flexible enough to process and analyze incoming data given the exponential increase in data that is already occurring, and which will only accelerate. Technology providers are already moving security appliances to the cloud, and companies like ours—Microsoft—are rapidly deploying cloud-first SIEM/SOAR capabilities. The sooner a user adopts these, the better able they will be to get ahead of the curve on securing and monitoring their data estate. The ML/AI-backed automation built into these platforms will be a huge force multiplier for cyber defenders, taking more mundane tasks off their hands and allowing analysts to focus on the alerts and events that really matter.

Supply Chain Futures and Vulnerabilities

The Solorigate incident is a reminder that we as an ecosystem are collectively vulnerable to supply chain compromises. Defense organizations are at particular risk due to the vast networks of suppliers and subcontractors, and because of the long development and operational lifecycles of weapons and other systems, including fleet assets. While we are seeing promising investments in this area, for example around rapid development lifecycles such as ‘comply to connect’ and steady adoption of Platform-as-a-Service software-defined weapons system development, addressing and remediating supply chain dependencies will take years, and will require more flexible attitudes from procurement and contracting.

From a cybersecurity perspective, CISOs are increasingly focused on reducing complexity within their environments, for example by making specific commitments to corporate boards or management committees to standardize more of their security budgets around a core set of (cloud-native) technologies. Complexity is inimical to cybersecurity, meaning legacy and one-off cybersecurity providers will better serve their customers by aligning to large cloud providers’ multibillion-dollar investment strategies. Standardizing around these platforms and deprecating older and more customized tools will also ease the burden on cyber defenders.

Conclusions

Technology and data are agnostic: we use technology to advance mission objectives and we find meaning in ones and zeroes to advance our missions. We are already experiencing fundamental change in how we interact with data and devices, with existential implications for global security and international commerce. We in industry must and will continue to ‘shift left’ and build more cloud-powered and automated cybersecurity capabilities into our larger platforms and ensure that they are interoperable so that allied forces can properly communicate globally. These technologies must also be intuitive and usable so that they enable security operations and not add to the workload.

At the same time, we must work harder and more creatively to attract tomorrow’s cybersecurity talent, whom we will ultimately rely on to protect the confidentiality, integrity, and availability of national security systems and data. Fortunately, we can harness the same technologies that we will rely on to advance our missions to create the more experiential learning that we will need to prepare tomorrow’s cyber workforce.

Mark McIntyre is a Chief Security Advisor in Microsoft’s Security Solutions Area, where he advises US government CISO teams on moving securely to the Cloud and cybersecurity modernization, focusing on areas like Zero Trust, modern identity, and modern security operations. Mark helps CISOs understand Microsoft’s perspectives on the evolving cyber threat landscape and how Microsoft defends its enterprise, employees, and users around the world.

Joe DiPietro has more than 25 years of leadership and hands-on experience with enterprise security leaders including Microsoft, CyberX, IBM, Guardium, and Check Point Software. Within Microsoft, he leads the Global Black Belt team for IoT Security. At CyberX, he was the VP of Customer Success, with both presales and post-sales responsibilities.

The opinions in this paper are entirely those of the authors and should not be construed as official Microsoft positions, assessments, or recommendations. Customers are wholly responsible for ensuring their own compliance with all applicable laws and regulations. Information provided in this post does not constitute legal advice, and customers should consult their legal advisors for any questions regarding regulatory compliance.

Featured Image: Sailors stand watch in the Fleet Operations Center at the headquarters of U.S. Fleet Cyber Command/U.S. 10th Fleet at Maryland’s Fort Meade. (Photo by Mass Communication Specialist 1st Class Samuel Souvannason/U.S. Navy photo)