Sea Control 222 – TOPGUN’s Leadership Lessons with Guy Snodgrass & Graham Scarbro

By Jimmy Drennan

Retired Navy pilot and author Guy Snodgrass joins CIMSEC President Jimmy Drennan and TOPGUN grad Graham Scarbro to discuss his latest book, TOPGUN’s Top 10: Leadership Lessons from the Cockpit.

Links

1. TOPGUN’S TOP 10: Leadership Lessons from the Cockpit, by Guy Snodgrass, Sep 15, 2020.
2. “Take a Seat at the Campfire: TOPGUN’s Top Leadership Lessons from the Cockpit,” by Graham Scarbro, CIMSEC, January 10, 2021. 

Jimmy Drennan is President of CIMSEC. Contact him at [email protected]. Contact the Sea Control podcast team at [email protected].

Take a Seat at the Campfire: TOPGUN’s Top Leadership Lessons from the Cockpit

Commander Guy M. Snodgrass, TOPGUN’s TOP 10: Leadership Lessons from the Cockpit, Center Street, 2020, $17.99/hardcover.

By Graham Scarbro

The image is an iconic one in American culture: after a long day on the range, a group of cowboys settles in for the night at the campfire. Under a starry sky and over chow, they regale each other with stories of gunfights, lost loves, strange sights and sounds, cantankerous horses, and lessons learned from a life on the plains.

In naval aviation, pilots and flight officers have a similar tradition. Around a wardroom table or in the squadron ready room, aviators gather around one or a group of storytellers and discuss the same topics as their Wild West forebears. Gunfights are replaced with dogfights, and horses with fighter jets, but “cowboy time” is a revered institution in the Navy’s fighter squadrons. Cowboy time can sometimes yield nothing more than an embarrassing story or two, but more frequently it involves valuable lessons and mentorship, true confessions of lessons learned through trial and error (mostly error), and occasional (quixotic) attempts to fix the Navy’s myriad problems.

Out of these discussions may come life lessons, new policies, and even war-winning tactical innovations like the World War II “Thach Weave,” but most often cowboy time is a way to connect with each other and share experiences with colleagues and friends.

Enter Commander Guy “Bus” Snodgrass, retired, an FA-18 pilot who upended the Beltway apple cart last year with his memoir Holding the Line: Inside Trump’s Pentagon With Secretary Mattis. Bus’s first book (I will address him by his callsign, the mark of respect between aviators for whom first names are reserved for their mothers and friends from high school days) was a solemn pondering of the highest levels of military bureaucracy, a look at the uncertainty surrounding the relationship between Secretary Mattis and the President. When I read the book, I picked up on the subtext of Bus’s writings: the Pentagon was a long way, physically and spiritually, from the cockpit of a fighter jet. Bus alluded to his time in the jet several times in Holding the Line, mostly to contrast it with the Pentagon, and there was the sense that he was straining to make sense of the byzantine world of the “Five Sided Circus” through the lens of decades in the cockpit.

A year later, and the lessons seem to have crystalized for Bus in his newest book, part leadership lesson and part cowboy time. TOPGUN’s Top 10: Leadership Lessons from the Cockpit (“TOPGUN” written as it should be: one word, all caps) represents a return to Bus’s roots in the jet, perhaps a natural consequence of a tumultuous year of self-reflection, following the publication of Holding the Line after an equally unpredictable stint at the Pentagon.

Bus illustrates his top ten leadership lessons with a series of anecdotes that recall nothing more than an evening in the ready room with shipmates. Stories of screwups big and small that, repeated and examined over the years, shape the course of a career and yield the life lessons learned in the fast-paced community that is naval aviation.

The book is a quick read, and Bus’s facility with speechwriting comes through as each leadership lesson only needs a few pages to make the point. This is typical of strike-fighter culture, in which flight briefers have limited time to communicate essential data before taking to the skies to execute the mission. Another aviation staple, the flight debrief, informs Bus’s use of bold-faced, succinct lessons to punctuate each chapter. After a long flight in which a thousand variables yield incalculable discrete results, identifying and examining key takeaways is a prime skill in aviation, used to good effect in the book. Bus follows his own advice to “Put the bottom line up front,” and despite it being the reviewer’s least favorite military aphorism, he uses the technique to good effect, explaining the intended lesson succinctly, illustrating each with a story, and wrapping up the chapter with a quick revisiting of the main point.

True to his title, Bus draws lessons from the everyday world of strike-fighter aviation and avoids an over-reliance on his days as a squadron commanding officer as a source for lofty words of inspiration. A common trope in leadership tomes is to pick stories designed to underscore the writer’s credibility as a commanding officer: the maneuvering of a billion-dollar warship, the ordering of a thousand troops into danger, the left hook into the Iraqi desert, and so on.

Instead of this approach, Bus chooses stories primarily from times when he was not in command, underscoring that leadership is a function of how one acts, and not necessarily the job one holds. This approach was thoroughly refreshing and a marked difference from many military leadership lessons that begin and end with “Well, when I was in command…,” even though Bus was by all accounts a successful commanding officer. Bus’s connection of leadership with the daily grind of life in the cockpit as a junior or mid-level officer makes the stories more relatable. A reader can picture him or herself in so many similar situations, whether confronted with small decisions to do the right thing, the need to prioritize the important over the interesting, or being in need of a wingman.

From the personal: “Don’t Wait to Make a Friend Until You Need One,” to the professional: “Don’t Confuse Activity with Progress,” Bus’s advice applies beyond the cockpit to the boardroom, the office, and, ideally, to the Pentagon. Bus eschews complex acronyms and jargon for the sake of explaining in plain voice what he means. The result is understandable prose that remains accessible to all readers.

Readers with aviation backgrounds will recognize the book as a published version of cowboy time in the ready room, although Bus chooses stories that are more chaste and makes the lessons learned more obvious than in a typical aviator’s sea story. TOPGUN’s Top 10 gives readers a glimpse at why the Navy’s TOPGUN culture sets the standard for honest critique, self-reflection, and progress in the face of challenges both external and internal, large and small.

Commander Graham Scarbro is a Naval Flight Officer on active duty. The views expressed here do not represent those of his chain of command, the U.S. Navy, or the Department of Defense.

Featured Image: ATLANTIC OCEAN (Aug. 1, 2020) An F/A-18F Super Hornet attached to the “Gladiators” of Strike Fighter Squadron (VFA) 106 prepares to launch from the flight deck of the aircraft carrier USS Gerald R. Ford (CVN 78) during flight operations, Aug 1, 2020. (U.S. Navy photo by Mass Communication Specialist Seaman Aimee Ford)

The IMO’s 2021 Cyber Guidelines and the Work that Remains to Secure Ports

By CDR Michael C. Petta

Introduction

The coming of a new year often holds promise for the future. With the coronavirus pandemic dominating center-stage last year, many have their eyes keenly focused on new beginnings with the start of 2021. For some in the maritime industry, especially owners and operators of commercial vessels involved in international trade, 2021 brings a new set of guidelines for protecting vessels—the International Maritime Organization’s (IMO) guidelines on maritime cyber risk management.

These new guidelines, a milestone for maritime safety and security, are the product of collaboration and hard work among shipping industry leaders and IMO Member States. Some in the shipping industry consider this development to be game changing. Whether game changing or not, implementation of this new model is a vital step toward forging a uniform approach for combating cyber threats against vessels.

Notably, however, the 2021 guidelines leave an equally vital, and maybe just as vulnerable, part of the shipping industry—port facilities—without a similar set of principles. Now that the IMO’s vessel guidelines are in the implementation phase, Member States and maritime industry leaders should again prioritize cybersecurity and collaborate at the IMO to develop uniform cybersecurity standards for port facilities.

The IMO and International Maritime Regulation

Before exploring the need for port facility cybersecurity standards, it may be useful to review the IMO’s role in developing international regulations. In 1948, the Member States of the United Nations created the IMCO, which changed its name to IMO in 1982, to facilitate global cooperation with regulation and practices of shipping engaged in international trade. The IMO’s goal is to ensure safe, secure, and sustainable shipping, facilitating trade and friendly relations among all states. Because shipping is historically and inherently an international endeavor, the IMO depends on and promotes cooperation among its 174 Member States to build uniform regulations that support this essential goal. The IMO construct has remained durable and inclusive since its inception.

Few maritime regulatory regimes exemplify the IMO’s impactful work across the globe more than the International Convention for the Safety of Life at Sea (SOLAS). SOLAS is a treaty from the early 1900s drafted in response to, among other things, the infamous sinking of the RMS Titanic. After its initial adoption in 1914, SOLAS further evolved via multiple conventions over many years with the last convention adopted in 1974. Consequently, the treaty is commonly referred to as SOLAS 1974.

In general terms, SOLAS establishes minimum safety standards related to ship construction, equipment, and operation. Countries party to the treaty ensure vessels under their flags comply with SOLAS’s terms by way of nationally administered certification programs. At the time of this writing, 166 countries, representing about 99 percent of the world’s shipping tonnage, were contracting parties to SOLAS 1974.

Although the last SOLAS convention was adopted in 1974, the treaty has been amended various times since then via the IMO’s “tacit acceptance” procedures. And like SOLAS itself, these amendments often followed tragedy, such as when the International Safety Management (ISM) Code was added as a chapter of SOLAS after a 1987 ferry accident in Belgium killed nearly 200 people. Because casualty investigators found the company’s poor safety culture contributed to the accident, IMO Member States developed the ISM Code, a global safety management standard, to combat what one investigator called the “disease of sloppiness” on ships and ashore. Entering into force in 1998, the ISM Code has made “shipping safer and cleaner” for more than two decades.

The IMO’s 2021 Cyber Guidelines

The ISM Code serves as the foundation upon which IMO Member States have built the 2021 guidelines for cyber risk management. The guidelines were consigned in 2017 via three key declarations. First, in Resolution MSC.429(98), Maritime Cyber Risk Management in Safety Management Systems, the IMO affirmed a view that the ISM Code already requires mitigation of cyber risks. Per this view, cyber risk management is already encompassed in the code’s existing general requirement that companies establish safeguards against all risks to ships, personnel, and the environment.

Resolution MSC.429(98) also contains a second important declaration. In it, the IMO encouraged countries to “appropriately address” this preexisting requirement no later than January 1, 2021. Put in more practical terms, now that the anticipated deadline for IMO’s cyber guidelines has arrived with the start of this new year, the IMO encourages Flag States not to issue compliance documents to vessels if cyber risks are not appropriately addressed in the respective safety management system.

The third important IMO declaration is in a July 2017 circular, in which the IMO announced that its Maritime Safety Committee (MSC) and its Facilitation Committee jointly approved specific cyber risk management guidelines. Member States developed these non-mandatory guidelines in partnership with shipping industry leaders to promote compliance with the aforementioned preexisting ISM Code requirement to mitigate cyber risks. In the July 2017 circular, the IMO recommends vessels and Flag States utilize the guidelines during compliance checks to assess whether cyber risks have been appropriately addressed.

As a risk management regime, the ISM Code is expected to adapt well to the management and mitigation of cyber risks. Government officials and maritime industry leaders, experienced from roughly 18 years of ISM Code practice, are expected to rise to the challenge of applying the code in the emerging cyber arena. Moreover, by identifying in the ISM Code a preexisting, albeit seemingly dormant, cyber requirement and then complementing that requirement with non-binding industry guidelines, Member States avoided the lengthy process of amending SOLAS 1974 and the ISM Code.

This is all to say, harnessing the ISM Code’s risk management framework to mitigate cyber threats was an efficient approach. In 2021, Flag States will begin to utilize this approach and work toward global uniformity.

The Work that Remains to Secure Ports

SOLAS 1974 has been amended numerous times, often to implement subsidiary regulations such as the ISM Code. Another subsidiary regulation within SOLAS is the International Ship and Port Facility Security (ISPS) Code, the IMO’s comprehensive mandatory security regime developed after a different tragedy—the 9/11 attacks. Interestingly, as the IMO’s new model for addressing cyber threats was being considered, the MSC reported, via MSC 97/22, that some Member States felt ISPS might be more suitable for addressing cyber threats. Nonetheless, seemingly moved by the United States’ 2017 assertion that the ISM Code’s “application is sufficiently wide to include emerging risks associated with cyber-enabled systems,” the IMO chose to harness the ISM Code, not ISPS, to promote global maritime cyber standardization.

While tapping into the ISM Code’s wide framework was efficient, such resourcefulness also came with a major limitation. Unlike the ISPS Code that covers certain ships and the port facilities that serve them, the ISM Code, even with its broad risk management concepts, applies only to vessels. This limitation means owners and operators of port facilities around the world will not reap the protective benefits realized with 2021’s implementation of IMO’s new cyber guidelines.

Port facilities play a vital role in global trade and rely heavily on technology to operate. As the May 2020 incident at Iran’s Shahid Rajaee port terminal demonstrates, a cyberattack at a port facility can be crippling. Since 2017, each of the four biggest maritime shipping companies in the world has been the victim of a cyberattack, with a recent attack taking place only a few months ago in September 2020. Considering these events, one should have no doubt that port facilities across the globe are presently vulnerable to cyber threats and that the potential for these vulnerabilities to be exploited is undeniably real.

With the reality of cyber threats in mind, Member States and maritime industry leaders should collaborate at IMO to develop uniform cybersecurity standards for port facilities, just as they did to protect vessels. Coincidentally, in 2016 the Islamic Republic of Iran offered this exact proposal to the MSC. In MSC 97/4, Iran stressed the critical need for cyber risk management guidelines specific to ports. This proposal, somewhat prophetically considering the 2020 events at the Port of Shahid Rajaee, underscored the serious consequences a cyberattack could have on a port and on critical infrastructure.

While the MSC did not act on Iran’s proposal, in December 2016 the MSC expressly thanked Iran for its recommendation and “invited interested Member States to submit a proposal” for consideration at a future MSC session. No record has been found that any Member State has submitted such a proposal. Now is the time for Member States to accept the invitation.

Conclusion

The IMO’s guidelines for managing cyber risks on vessels are a key development for the shipping industry. Flag States and shipping companies worldwide now have an industry-sponsored framework from which to recurringly assess cyber safeguards on ships. There is more work to be done, however, to appropriately protect the rest of the maritime transportation system. Like Flag States and their vessels, Port States and their ports require guidelines to ensure cyber risks are uniformly addressed at maritime facilities. With 2021 finally ushering in cyber standards for vessels, now is the time for Member States, in partnership with the maritime industry, to assemble at the IMO and develop similar standards to secure ports across the globe.

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

Featured Image: CMA CGM’s Benjamin Franklin at the Port of Los Angeles, December 26, 2015. (Photo via Wikimedia Commons)

Project Trident Call for Articles: The Future of Maritime Cybersecurity

By Jimmy Drennan

Submissions Due: Extended to February 22, 2021
Week Dates: March 1-5, 2021
Article Length: 1000-3000 words
Submit to: [email protected]

CIMSEC is partnering with Cyber Nation Central to launch the latest Project Trident call for articles, this time on the impact of cybersecurity on future international maritime security. Cyber Nation Central “focuses on industry and government leadership in cyberspace defense, and its mission is to create cyber-secure renditions of physical nations for the U.S. and its global partners.” Cyber Nation Central seeks to spur cybersecurity innovation and bring practical transformation, think tank expertise, and strategic advice to corporations and governments to solve the most pressing problems in national cybersecurity infrastructure, specifically the autonomous and connected systems in transportation, defense, and healthcare sectors.

The December 2020 reveal of a major cyberattack on U.S. federal networks reaffirmed the ever-growing importance of cybersecurity. The need to defend computer networks against attack now influences almost every aspect of the global political and economic landscape, and the maritime sector is no exception.

Maritime networks are inherently distributed and vulnerable to attack. One cybersecurity firm noted after a year of investigation that “shipping is so insecure we could have driven off in an oil rig.” Criminals, terrorists, and nation-states are taking note. In the last three years, cyberattacks on maritime infrastructure and shipping have increased 900 percent. Norwegian Cruise Line and Carnival Corporation each suffered network breaches in 2020; the cruise industry is a particularly desirable target due to the amount of personal and financial data they carry. Shipping companies have already incurred hundreds of millions of dollars in losses resulting from computer virus infections, and some speculate that the financial impact of coordinated attacks on certain ports could rise into the billions.

Cybersecurity has rapidly become an essential element of naval warfare as well. Not only must navies be able to defend their own networks, but they must also maintain offensive and maneuver capabilities in the cyber domain. Given the dependence of modern warships on electronic data and networks, achieving maritime superiority in conflict may soon be impossible without first achieving cyber superiority.

Authors are invited to write on any topic related to maritime cybersecurity, particularly the following:

1. What investments, infrastructure, and technological innovation should governments and private entities pursue to achieve maritime cybersecurity?

2. How could cybersecurity shape future naval conflict and naval force development?

3. Given the global rise in cyber whaling,[1] what measures should be taken to “cybersecure” maritime senior leaders and executives from threats specifically targeting them as the holders of the most sensitive “digital crown jewels” (data, access, etc.)? What domino effect could this method of cyber warfare cause in maritime security?

4. Is cyber “security” even possible in the burgeoning cyber “arms race”?

5. With cyber-hacking becoming less and less prevalent as a technical problem and, instead, 97 percent of hacking crimes done via social engineering, what behavioral training should maritime entities undergo to foster a culture of cybersecurity?

6. What maritime cybersecurity policy areas should lawmakers rethink or consider introducing, and to what end?

7. What improvements could be made in cybersecurity technology distribution speed and effectiveness? How can the cyber supply chain be improved?

8. What cybersecurity recruitment and talent management strategies should maritime entities pursue?

Authors are invited to answer these questions and more as we consider the future of maritime cybersecurity. Send all submissions to [email protected].

Jimmy Drennan is the President of CIMSEC. Contact him at [email protected]

Endnotes

1. Phishing that targets the most senior stakeholders of organizations through their (1) professional networks/devices, (2) personal networks/devices containing professional information, and (3) families’ home networks/devices, allowing hackers to exploit the information to breach the broader organizational network.