
Unexpected Victory

By Ryan Hilger

            Excerpted from the forthcoming Unexpected Victory: The U.S. Navy in the Sino-American War, 2034-2036 by Fred Goures, to be published by Random House in December 2039.

            …Several Chinese admirals agreed to speak on the condition of anonymity on the following question, among others: “What surprised you most about the war?” Their answers were remarkably similar: the Yukon-class corvettes. Named after American rivers, the Navy built and deployed more than 60 Yukons in three years from 2033-2036. One Chinese admiral’s remarks are typical:

Admiral [redacted]: The Yukons caught me and the PLA leadership completely by surprise. When we started the war in October 2034, we thought we would have the American Navy sunk in a few weeks. We knew the submarine threat would take time, but we did not consider their surface forces much of a threat.

Goures: Why was that?

Admiral [redacted]: It was clear from decades of industrial espionage and intelligence collection that the American Navy had not managed to introduce much in the way of new technologies in decades, despite the focus on innovation. Thus, the introduction of the Yukons did not draw much attention from us.

Goures: Why not?

Admiral [redacted]: They were much smaller and seemed simpler than the American mainstay, the Arleigh Burke-class. We did not see how they could have posed much of a threat to us. We were very wrong on this.

Goures: How so? What made the Yukons different?

Admiral [redacted]: In retrospect, their simplicity was pure elegance. The Americans seemed to be able to upgrade and repair them so rapidly, even while at sea. We never seemed to fight the same ship twice. It may have been the same hull, but each encounter demonstrated new capabilities that we did not anticipate, usually without the ship ever pulling into a port. We could not keep up…

______________________________________

                       Admiral Peter Malone, the Program Executive Officer (PEO) for Ships in 2031, recalled sitting in a meeting with senior Navy leadership when the idea of what would become the Yukon class was born:

Things were not going well at all. The Large Surface Combatant program had not panned out in the 2020s like we thought. Apparently, we did not learn the lessons of the Zumwalt or Littoral Combat Ship programs sufficiently, because we repeated many of the same mistakes. After the fourth year of Congressional cuts to the program and reductions in planned numbers of hulls, the Secretary of the Navy called for a meeting to discuss options.

I had only been in the PEO Ships job for a few months, but I did not see how we could recover. My mind drifted from the conversation to the problems the Navy overcame to deliver both a ballistic missile submarine and a submarine-launched ballistic missile in less than five years in the 1950s – and with an immense amount of new technology to boot. I wondered how we had managed to drift so far from such incredible origins.

I snapped back from my daydream and saw the Chief of Naval Operations glaring at me. “Do you have any ideas, Pete?” I nodded and thought for a moment, but I already knew what I needed to say.

“Kill the program.” There were a lot of shocked expressions.

“Clearly what we have done in the past has not been working. Let’s throw out the playbook and try something completely new. I’ve got some ideas on ship construction, digital engineering, and how to develop products differently. Give me six months and I will come back to you with a proposal for a new ship class and how we will deliver them to the fleet.”

After a few moments of incredulous silence, he looked at Admiral Higgs, the Commander of U.S. Pacific Fleet, “Dan, what do you think?”

“Well, I don’t see anything to lose from this. Most of my requested capabilities were dropped in last year’s budget cuts anyway. This at least may get me more ships sooner, which is really what I need to balance against China.”

The CNO let the tension hang in the air before replying. “We have everything to lose if we fail this time. Let’s get it right.” Off we went.

_______________________________________

                     The Yukon-class had a very interesting beginning. It was the first government-designed and built ship in decades. Many questioned the government’s sanity in taking on the challenge of designing a ship after contractors had done it for so many years, but the government was left with little choice. Captain Lucius Walker, the Program Manager of the LSC program, recalls the day their hand was forced. On May 25, 2031, Captain Walker and his team held an Industry Day to discuss the radical new ideas they had.

We thought we had a really awesome set of ideas for industry. My team had spent a lot of time doing futuring exercises, talking with operators, looking at the case studies of Fitzgerald and John McCain from a damage control perspective, reviewing the failures of the Littoral Combat Ship program, and culling the new technologies to see what could meet the mission needs in the threat environment of the 2030s and beyond. The environment was very missile-centric, which amounted to a huge departure from traditional gun damage-tolerant designs. Those had not changed much since World War II.

The shock came right away. Both Lockheed Martin and General Dynamics said that we could not do what our Industry Day proposal requested. Too much of it relied on proprietary information and lead integrator efforts and products. We had a heated discussion in the Gooding Center on the [Washington Navy] Yard, but they weren’t going to budge. I could understand their position. They had spent decades cultivating an integrated set of systems; you simply could not break them apart the way we were talking about. It was then that I knew we had to bring the design in-house.

_______________________________________

            After the collapse of the Industry Day in May 2031, Captain Walker’s Ship Design Manager, Austin Corleone, spoke with Captain Walker outside the Gooding Center:

I decided to go for it. “Do you have a few minutes, Captain?”

“Sure, why not? I don’t really want to go back in there at the moment.”

“Ever since we finalized the Industry Day proposal, I’ve been thinking about different ways to bring the ideas into a ship.”

“Shoot.”

“I think we can design a simple ship in-house.”

“Come again?”

“Bear with me. It doesn’t have to be complex. We can design the hull and space allocations for all the major systems: radars, combat systems, weapons, etc. We work with other program offices to deliver those subsystems to the strict interfaces that we provide. Remember in 2002 when Amazon forced their internal programs to communicate only through certain interfaces or be fired? We don’t need to design the entire ship, just require programs to provide models to fit into the spaces and interfaces we give them. We make the mechanical and electrical systems very simple and easy to replace—no more rats’ nests of cables everywhere. In that way, we can use the digital models to see how all the parts fit together into a coherent whole. Software standards in industry have moved to the extreme in terms of modularity with service mesh architectures, and I see no reason why we can’t do the same with ship designs.”

“You’re serious, aren’t you?”

“Absolutely. I’ve got a few friends who think along the same lines in other program offices that think it would be feasible. What do you think?”

“Can you get your friends together at our office tomorrow to map out what this might look like? I’m curious.”

“I’ll get it set up.”

            The Yukon program office exploited the fast, inexpensive, restrained, and elegant criteria to the letter in designing the ships. The use of model-based engineering techniques stemming from the Digital Engineering Strategy combined with a confederation of program offices allowed the Yukon program to design a ship in record time. Their approach allowed individual program offices to be the experts in their area, freeing the Yukon team to design an overmatch of hull, mechanical, and electrical services for the programs to use. The result was a simple, elegant ship that was easy to build, upgrade, repair, and operate.

_______________________________________

            The Yukon program embraced its new role as a lead systems integrator. Once the hull design and its associated services had been finalized, they contracted to start hull construction, without any of the major subsystems ready. Captain Walker made the key decision to revert to a historical norm: outfitting at the pier. The Navy had gotten away from it as ship designs increased in complexity, but it briefly resurfaced with the Zumwalt-class, though more by accident than planning. Designing the ship for ease of access allowed the pier-side outfitting to be conducted rapidly by both sailors and contractor teams. Ships were commissioned at an unheard of rate with the latest gear that the confederation of program offices could deliver.

            As the ships deployed, the various program offices continued to support the ships by providing for over-the-air delivery of software to give the ships the maximum capability possible against the adversaries. The independence of hardware and software allowed designers to consider sensors in fundamentally new ways, and the surface fleet saw radically new capabilities from the same hardware as a result. The independent, digitally-engineered design allowed for rapid upgrades to the ships while deployed, in some cases with new hardware even being delivered via small drones in the South China Sea. The seamless integration that digital engineering and DevSecOps created allowed the programs supporting Yukons to achieve update and repair speeds that were orders of magnitude faster than the Navy had ever thought possible. As a result of these design decisions, the ships performed remarkably well in combat, earning rave reviews from the sailors operating them to the adversaries fighting against them.

Lieutenant Commander Ryan Hilger is a Navy Engineering Duty Officer stationed in Washington D.C. He has served onboard USS Maine (SSBN 741), as Chief Engineer of USS Springfield (SSN 761), and ashore at the CNO Strategic Studies Group XXXIII and OPNAV N97. He holds a Masters Degree in Mechanical Engineering from the Naval Postgraduate School. His views are his own and do not represent the official views or policies of the Department of Defense or the Department of the Navy.

Featured Image: “Dreadnought 2050” by Rob McPherson (via Artstation)

Revamping Wargaming Education for the U.S. Department of Defense

By Jeff Appleget, Jeff Kline, and Rob Burks

Introduction

The U.S. Department of Defense has failed to educate generations of military officers on the skills of wargaming. Wargaming creates the environment in which uniformed leaders practice decision-making against an active, thinking adversary. Wargaming is also required by the Department of Defense’s planning process to create sound and executable plans, is inherent to designing new doctrine and operational concepts, and is a vital element in the cycle of research.1

For these reasons, military leaders must have the ability to create and conduct wargames. However, the current military education process does not impart this critical knowledge.

Background

Ed McGrady, distinguished Center for Naval Analyses wargamer, opened a recent commentary on wargaming by saying, “There is a widespread misunderstanding of what wargaming is…” and we agree wholeheartedly. Too many in the Department of Defense believe wargames are computer-based combat simulations used to produce quantitative analyses, but they are not. Wargaming is about human decision-making. Joint Publication 5-0 Joint Operation Planning’s wargaming definition makes this clear: “Wargames are representations of conflict or competition in a synthetic environment, in which people make decisions and respond to the consequences of those decisions” (emphasis added).

Most defense wargaming practitioners recognize three purposes for wargames: educational, experiential, and analytic. Educational and experiential wargames are focused on the player. The primary output of these types of wargames is a better educated or experienced player. For example, success might lead to an officer who now knows how a new weapon system is employed or has experienced fighting against a threat in a different region of the world. There are usually no other ‘results’ to demonstrate the wargame’s value.

On the other hand, analytic wargames focus on producing findings and recommendations in response to a sponsor’s tasking. Therefore the product of these wargames is not player-focused but sponsor-focused. Planning wargames, as outlined in Joint Publication 5-0 (Step 4: Course of Action analysis and wargaming), are specific analytic wargames with the task of analyzing courses of action, which then inform the development of a plan. Other analytic wargaming activities include developing new concepts of operations, doctrine, Tactics, Techniques, and Procedures (TTP) for emerging and future technologies, and front-end wargaming for experimentation and exercises to ensure that these expensive endeavors are properly focused and can achieve a high return on investment. We can learn much about new technologies and concepts through wargaming without burning a penny’s worth of fuel.

Current Status

Department of Defense wargaming is at a crossroads. It seems self-evident that the Department of Defense should own the responsibility to improve its wargaming. While Federally Funded Research and Development Centers (FFRDCs), educational institutions, and defense contractors may have roles to play in wargame improvement, only the Department of Defense can choose to lead and embrace a comprehensive end-to-end cycle of research construct. This construct includes wargaming, computer-based combat simulations, and other quantitative and qualitative analytic techniques that, when properly leveraged, provide quality decision support to the department’s leadership. It must begin by addressing the shortcomings in wargaming education.

The 2015 call to reinvigorate wargaming has inspired the reintroduction of wargaming into some service school classrooms. Hence, a portion of uniformed field grade officers have an appreciation for, and may have actually played, wargames. However, the inability of the Department of Defense’s uniformed members to design and conduct their own wargames still has not been addressed in professional military education. Today, the Department of Defense relies on FFRDCs, educational institutions, and defense contractors to design and conduct wargames on their behalf. While these organizations produce useful wargames, the sheer number of wargames that should be executed across the department cannot all be performed by these organizations—they simply do not have the capacity, nor does the department have the budget.

However, there is a far more fundamental problem with the department’s reliance on these organizations. This reliance is, in effect, outsourcing the intellectual underpinnings of the nation’s defense strategy, officer professional development, and the department’s acquisition process.

Wargaming should become an integral part of the military officer corps’ professional education. The skills required to design and conduct wargames go hand-in-hand with the skills required to plan and execute military operations. 

The lack of wargaming skills and experience in our field grade and senior officers should be a warning to the department’s leadership. Wargaming was once the primary venue for the exchange of ideas, debates on tactics and doctrine, the sharing of lessons learned from previous operations and experiences, and the operational and doctrinal education of junior officers.2 Now it has largely disappeared from officers’ professional development. The 38th Commandant of the Marine Corps’ Commandant’s Planning Guidance states this concern very succinctly:

“In the context of training, wargaming needs to be used more broadly to fill what is arguably our greatest deficiency in the training and education of leaders: practice in decision-making against a thinking enemy. Again, this requirement is inherent in the nature of war. In modern military organizations, it is, along with the fear of violent death, precisely the element of real war that is hardest to replicate under peacetime conditions. Wargaming historically was invented to fill this gap, and we need to make far more aggressive use of it at all levels of training and education to give leaders the necessary ‘reps and sets’ in realistic combat decision-making.”

Phil Pournelle, Senior Operations Analyst and Game Designer at Group W, points out a 2018 National Defense Strategy Commission finding that the military struggles to “link objectives to operational concepts to capabilities to programs.” Linking of objectives to operational concepts to capabilities is basic military planning. Yet our combatant commands and joint task forces struggle to conduct the planning wargames that Joint Publication 5-0 requires.

According to Joint Publication 5-0, each course of action should be wargamed against the enemy’s most likely and most dangerous course of action for a given plan. Assuming a modest number of three friendly courses of action to analyze, that is a requirement for six wargames per plan. And every plan that has sat on a digital shelf for more than a year needs to be dusted off and wargamed again, as the facts and assumptions that underpinned the plan’s development 12-plus months ago have undoubtedly changed, often significantly.

Unfortunately, due to time, staff capability, and capacity constraints, at best there may be one wargame conducted per combatant commander’s plan: the commander’s favorite Course of Action against the enemy’s most likely Course of Action. Insufficient time is allotted to conduct the wargame, resulting in poor design, less thorough execution, and results that fail to illuminate the plan’s operational risks or propose contingencies. This lack of time inspires the quick application of seminar games that devolve into BOGGSATS – a Bunch of Guys and Gals Sitting Around a Table.

As recent commentary from Peter Perla, author of the seminal book The Art of Wargaming, and Phil Pournelle3 has pointed out, wargaming should also be an integral part of analysis, experimentation, exercises, and the broader cycle of research. Far too often this is not the case. Instead, the department relies on analysis methods such as cost-benefit analysis, capabilities-based assessments, and analysis of alternatives that provide technical rationales for procurement decisions. However, in the Department of Defense, these analyses must be tempered with a thinking adversary in mind. Our potential adversaries in the future are concurrently developing new doctrine and concepts, fielding new technologies and force structures, and procuring new systems that increase our risk or limit our military options. Wargaming is necessary to gain an appreciation for our competitors’ capabilities, options, and objectives.

Wargaming has always been an integral part of the Army’s analysis to support their department’s acquisition of new technology and weapons systems. Army analytic organizations, such as the Center for Army Analysis and the Training and Doctrine Command’s Analysis Center, integrated wargaming with their computer-based combat simulations to provide comprehensive qualitative and quantitative analysis to support key acquisition programs several decades ago. Both tools are still used together, productively, today.

This approach’s benefit is two-fold. First, the warfighters brought into the wargame’s concepts of operations (CONOPS) that employ units equipped with new technologies provide input into the analysis process and gain a better appreciation for the quantitative analysis products that the combat simulations could provide. Second, the analysts gain a better understanding of how a new force would fight differently and use that knowledge to inform the instantiation of the schemes of maneuver required by their combat simulations, which in turn improves their quantitative analysis products. To do this properly, operations research analysts must create the wargaming environment, conduct the wargames, and determine how to best integrate the wargame’s qualitative output into the computer-based combat simulations so that the study produces both qualitative and quantitative analysis.

Unfortunately, some of the department’s more senior analysts that cut their analytical teeth using computer-based combat simulations believe that wargames provide little or no analytic value. This view completely misses the fact that counterinsurgency, hybrid warfare, the gray zone of conflict, and competition short of war are not well addressed by the millions of dollars the department invests in the maintenance, staffing, and running of kinetic-focused combat simulations and the organizations that support them.

In a recent Naval War College Review article, Capt. Robert Rubel (ret.), professor emeritus of the U.S. Naval War College and former chair of its Wargaming Department, stated, “Two-sided gaming should be a widespread and essential part of the professional education process from pre-commissioning through senior service colleges and even flag level courses.” He went on to describe several virtues of wargaming:

  • “A routine diet of two-sided gaming can generate and hone the ability to reason competitively.”
  • “Making two-sided gaming the default PME vehicle will help to re-create a sandbox in which innovative reflexes can be developed.”
  • “Repeated struggling in competitive situations is more likely to produce new ideas and insights, especially if such experience is widespread in the officer corps.”

Rubel also goes on to caution: “Two-sided gaming is not easy. The design of such games must take care to channel competitive instincts properly.”

In summary, the Department of Defense’s need for increased capacity to conduct quality wargaming starts by educating its officer corps on how to design, conduct, and assess analytical, educational, and experiential wargames.

The Way Ahead

We propose jumpstarting wargaming education in the Department of Defense with a two-pronged approach. First, the Department of Defense needs wargame designers at an apprentice level. Any officer who is a candidate to serve on a general or flag staff (most field grade line officers) should complete a basic analytic wargaming course to enable them to bring value to a wargaming design team. We do not advocate for a specialty track for wargamers. Instead, all military leaders should be wargamers (such as the Navy’s flag ranks at the onset of WWII). The Army and Marine Corps do a decent job of introducing their young officers to some of the building blocks of wargaming. While sand table discussions, table-top exercises, and rehearsal of concept drills incorporate several of the elements of wargaming, they are typically missing the conflict or competition that a thinking adversary produces. These events provide a wargaming-like basis from which to build. A logical place for such a course is in the command and general staff college level of Joint Professional Military Education. 

Second, there needs to be an executive-level wargaming course for senior leaders. Senior officers who supervise and consume the results of wargaming today, such as primary staff officers on Combatant Command or other flag officer commanded staffs, need to understand what wargames are, how they are different from computer-based combat simulations, what to expect from well-designed wargames, and the level of resource investment required from them and their staff to obtain quality wargaming results. They also need to realize that their younger charges must couple their wargaming education with playing and designing wargames to become proficient wargamers. They must give their subordinates enough time to game. Moreover, senior leaders should lead by example, participating in and encouraging wargaming activities in their commands.

Over time, the wargaming apprentices, through playing, designing, and conducting wargames, will mature in their wargaming skills and take on wargaming leadership roles. Note that the goal is not to identify a pipeline to create wargaming masters. Such masters are rare individuals, and some may emerge from the ranks of military wargamers produced. But, just as most officers will never achieve flag rank, most uniformed wargamers will never become wargaming masters. The FFRDCs, educational institutions, and Department of Defense contractors have wargaming masters, and their expertise will still be needed to support the department. However, many good wargames can be designed without requiring the supervision of a wargaming master.

Since 2009, the Naval Postgraduate School’s Operations Research Department has offered an 11-week Wargaming Applications course to its resident students that focuses on the design, conduct, and analysis of wargames for Department of Defense, allied, and partner sponsors.4 The faculty designed the course recognizing that the Naval Postgraduate School’s Operations Research graduates – our military’s newest Operations Research analysts – needed to be able to design, conduct, and analyze a wargame. Acquiring these skills enables them to participate in, lead, and eventually supervise the end-to-end campaign analysis that incorporates wargaming, computer simulations, and other qualitative and quantitative analytic tools as future analytic assignments will require. The course organizers did not fully recognize the added benefit of this education until some of the Operations Research graduates started serving at Combatant Commands. These graduates, now staff officers, reached back to the Naval Postgraduate School to report how useful their wargaming design skills were in helping the Combatant Command staffs design and conduct useful planning wargames. They asked if the Wargaming Applications instructors could come to their location and teach a cadre of the Combatant Command personnel the same basic wargaming design skills they had internalized at the Naval Postgraduate School.

In response, NPS developed the week-long Mobile Education Team Basic Analytic Wargaming Course around the same philosophy as our resident wargaming course: learn by doing. The objectives for this course were two-fold.

First, it builds a cadre of personnel who can initiate, design, develop, conduct, and analyze a wargame. Unified Combatant Commands have leveraged this opportunity by having personnel from their operational planning teams and staff sections attend the course and work in teams to learn how to design, develop, and execute a wargame.

Second, since the sponsoring organization chooses the wargaming topic used in the course’s practical exercises, the organization can have the core foundation of a wargame created and demonstrated that can then be further built out and used by the organization to meet other organizational wargaming requirements. NPS has conducted over 20 week-long Mobile Education Team Basic Analytic Wargaming Courses around the world, including five at Combatant Commands. Today, NPS conducts 6-8 Mobile Education Team events annually, and demand remains high.

The philosophy in teaching wargaming is that it requires a hands-on, learn-by-doing approach. Both the resident and Mobile Education Team courses are over 70 percent practical exercises, where the students are applying the techniques that we illustrate in the lectures. In both courses, a Department of Defense, ally, or partner sponsor provides the wargaming topic that serves as the impetus behind the practical exercises. Student groups design, conduct, and then analyze wargames for their sponsors as the course’s graduation exercise. Since 2009, the Naval Postgraduate School resident student wargaming teams have conducted over 70 wargames for 35 Army, Navy, Marine Corps, Joint, International, and Industry sponsors. NPS views the wargaming course graduates as wargaming apprentices. They have enough knowledge and experience to make useful, often significant, contributions to any wargaming effort required in the department. Several recent graduates have actually led wargaming design initiatives at their respective organizations soon after graduation.

Conclusion

If the Department of Defense is serious about improving its wargaming capability, it needs to invest in its people through wargaming education. That education needs to be practical and applied at the company and field grade level, preferably as part of their Joint Professional Military Education or graduate school opportunities. If it is a priority to emphasize wargaming’s role in Department of Defense decision-making, simply “doing more wargames” is insufficient. Preparing warfighters to employ wargaming to the full extent of their purposes must be a necessary element.

Colonel (Retired) Jeff Appleget, Ph.D., spent 20 of his 30 years in the U.S. Army as an Operations Research/Systems analyst where he participated in and supervised acquisition and analysis studies using wargaming and computer-based combat simulations. Since 2009, Jeff has been a Senior Lecturer in the Operations Research Department at the Naval Postgraduate School where he teaches wargaming and combat modeling courses. Jeff has mentored over 70 wargames that have been created, conducted, and analyzed by NPS resident Operations Research and Defense Analysis student teams for DoD, Defense partner and allied nation sponsors, and the defense industry. He has led 20 NPS Mobile Education Teams to teach his week-long Basic Analytic Wargaming course in DoD and around the world, to include STRATCOM, CENTCOM, AFRICOM, MARFORPAC, Marine Corps Warfighting Laboratory (two courses), NATO Special Operations Forces, the Australian Defence Force (four courses), the Canadian Air Force, the Indonesian Navy, the Taiwan Armed Forces, and a Tri-lateral course for the Swedish, Norwegian, and Finnish Defence Research Agencies. He holds a Ph.D. in Operations Research from the Naval Postgraduate School, an M.S. in Operations Research and Statistics from Rensselaer Polytechnic Institute, and a B.S. from the United States Military Academy. His major awards include the 2016 Richard W. Hamming Faculty Award for Interdisciplinary Achievement, the 2011 Army Modeling and Simulation Team Award (Analysis), 2003 Dr. Wilbur B. Payne Memorial Award for Excellence in Analysis, 2003 Simulation and Modeling for Acquisition, Requirements, and Training (SMART) Award, 2001 SMART Award, 1993 Instructor of the Year (At Large), Department of Mathematical Sciences, U.S. Air Force Academy, 1991 Dr. Wilbur B. Payne Memorial Award for Excellence in Analysis, and 1990 Concepts Analysis Agency Director’s Award for Excellence. Along with Dr. Rob Burks, Jeff directs the activities of the NPS Naval Warfare Studies Institute Wargaming Center.

Colonel (Retired) Robert E. Burks, Jr., Ph.D., is an Associate Professor in the Department of Defense Analysis of the Naval Postgraduate School (NPS) and with Jeff Appleget, directs the activities of the NPS Naval Warfare Studies Institute Wargaming Center. He holds a Ph.D. in Operations Research from the Air Force Institute of Technology, an M.S. in Operations Research from the Florida Institute of Technology. Rob is a retired Army Colonel with more than thirty years of military experience in leadership, advanced analytics, decision modeling, and logistics operations. He spent 17 years in the U.S. Army as an Operations Research/Systems analyst and has led multiple analytical study teams responsible for Army Transformation and organizational restructuring and design efforts using wargaming and computer-based combat simulations. Since 2015, Rob has taught multiple educational, historical, and analytical wargaming courses at NPS. He has taught the NPS week-long Basic Analytic Wargaming Course 14 times to the Department of Defense and other organizations around the world, to include CENTCOM, AFRICOM, MARFORPAC, Marine Corps Warfighting Lab (two courses), NATO Special Operations Forces, the Australian Defence Force (four courses), and the Taiwan Armed Forces.

Captain Jeffrey E. Kline (ret.) served 26 years as a naval officer, including two sea commands. Jeff is currently a Professor of Practice in the Naval Postgraduate School Operations Research department. He directs the NPS Naval Warfare Studies Institute. He teaches campaign analysis, systems analysis, and executive programs in strategic planning and risk assessment. Jeff supports applied analytical research in maritime operations and security, tactical analysis, and future force composition studies. He has served on the U.S. Chief of Naval Operations’ Fleet Design Advisory Board and several Naval Study Board Committees of the National Academies. His faculty awards include the Superior Civilian Service Medal, 2019 J. Steinhardt Award for Lifetime Achievement in Military Operations Research, 2011 Institute for Operations Research and Management Science (INFORMS) Award for Teaching of OR Practice, 2009 American Institute of Aeronautics and Astronautics Homeland Security Award, 2007 Hamming Award for interdisciplinary research, 2007 Wayne E. Meyers Award for Excellence in Systems Engineering Research, and the 2005 Northrop Grumman Award for Excellence in Systems Engineering. He is a member of the Military Operations Research Society and the Institute for Operations Research and Management Science. He earned a Bachelor of Science in Industrial Engineering from the University of Missouri, a Master of Science in Operations Research from the Naval Postgraduate School, and a Master of Science in National Security Studies from the National Defense University’s National War College.

Featured Image: EIELSON AIR FORCE BASE, Alaska (Oct. 22, 2020) – A U.S. Army M142 High Mobility Artillery Rocket Systems (HIMARS) launches ordnance during RED FLAG-Alaska 21-1 at Fort Greely, Alaska, Oct. 22, 2020 (U.S. Air Force photo by Senior Airman Beaux Hebert)

Cybersecurity at Port Facilities: Making Rules Requires Rulemaking

By CDR Michael C. Petta, USCG

Following the September 11, 2001 attacks, the U.S. Coast Guard led the way on maritime security by shaping new international rules, national laws, and domestic regulations to protect maritime shipping and infrastructure. These changes set the standard in the global fight against threats to port facilities and served as the template for new regimes negotiated at the International Maritime Organization (IMO).

Yet in recent years, U.S. domestic regulations have not kept pace with the ever-expanding risks posed by emerging threats at sea—especially with cyber risks. As a result, American maritime infrastructure has become more vulnerable to disruptive and destructive threats in the cyber domain.

In February 2020, the U.S. Coast Guard published guidelines for port facilities to address these threats. The new guidelines were needed, but they are not enough. The U.S. Coast Guard should, to carry out its legal duty to safeguard the maritime transportation system, energize the domestic rulemaking process to adopt uniform and enforceable cybersecurity rules for maritime facilities.

The Port Facility Cyber Problem

Before turning to the need for U.S. Coast Guard rulemaking, it is important to underscore the problem at hand—cyber threats to port facilities are both significant and real. Unfortunately, the maritime industry remains unprepared. Scholars, industry leaders, and government officials have long sounded the alarm and repeatedly warned of threats, vulnerabilities, and adverse consequences associated with cyberattacks. These long-recognized risks persist, and they are likely to grow in the future as malicious cyber capabilities become more available as a low-cost tool to subvert commercial and governmental systems.

In 2011, the European Union (EU) studied the rising menace of cyber threats and the general lack of cybersecurity awareness in the maritime sector. Pointing to the disastrous consequences a significant cyber disruption would have on international trade, the study recognized an increasing need to secure maritime infrastructure. The EU study was validated in a 2017 IMO resolution, which expressly recognizes an “urgent need to raise awareness on cyber threats and vulnerabilities to support safe and secure shipping.”

For years, leaders in the United States have also warned of the growing cyber threat. Most prominently, former President Barack Obama cautioned in a 2013 Executive Order that “[r]epeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.” President Obama continued on to say that, “[t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” Four years later, Chairman of the U.S. House Committee on Homeland Security, Michael McCaul (R-Texas), explained during a field hearing that port facilities “find themselves in the crosshairs of international hackers and rogue nation-states,” and he declared that the United States “must do more to strengthen cybersecurity and these essential maritime hubs.”

Maritime agency officials have been similarly cautious. For example, the 2015 U.S. Coast Guard Cyber Strategy warns of “real and growing” cyber threats in the maritime community. Like the 2011 EU study, the U.S. Coast Guard Cyber Strategy explains that cyber disruptions in maritime trade could have serious consequences for local, regional, national, and global economies. To protect maritime transportation and reduce cybersecurity vulnerabilities, the Cyber Strategy avows to “incorporate cybersecurity into existing enforcement and compliance programs.”

Despite years of discourse, preeminent maritime officials continue to believe port facilities remain vulnerable to and unprepared for cyber threats. For example, in a March 2020 Federal Register Notice, the Commandant of the U.S. Coast Guard, Admiral Karl L. Schultz, offered warnings similar to those in the agency’s five-year-old Cyber Strategy. Admiral Schultz describes cybersecurity as “one of the most serious economic and national security challenges for the maritime industry.” More recently, during a September 2020 webinar on maritime security, Rear Admiral Mark H. Buzby, U.S. Navy (ret.), the Administrator of the U.S. Maritime Administration, acknowledged the longstanding struggle to resolve cybersecurity risks, explaining, “What has become quite apparent over the last several years is that [maritime cybersecurity] truly needs an operational focus… truly needs a strategic approach to a very vexing and growing problem.” Rear Admiral Buzby further explained that solving the problem of maritime cybersecurity “is absolutely vital not only to our economic security but really to our national security.”

The Physical Security Focus of U.S. Regulations

Even more enduring than the maritime cybersecurity problem is the U.S. Coast Guard’s resolve to protect the maritime transportation system, particularly following the tragic events of 9/11. After the terrorist attacks, the U.S. Coast Guard established new global maritime security requirements. Internationally, the requirements were expressed in the IMO’s International Ship and Port Facility Security (ISPS) Code. Domestically, the requirements were codified in the Maritime Transportation Security Act (MTSA) of 2002, which the U.S. Coast Guard implemented through regulations found in Title 33 of the Code of Federal Regulations (CFR). Developing and enacting such a comprehensive governance regime took herculean efforts and affirmed the U.S. Coast Guard’s leading role in safeguarding maritime facilities.

The 9/11 attacks generated the energy needed to establish comprehensive security laws and regulations. However, because of the kinetic nature of the attacks, the focus of these laws and regulations was largely limited to physical security measures designed to control access to facilities and to protect personnel and property from physical damage and harm. As one scholar wrote in 2013, the United States’ requirements could “loosely be summed up as guns, gates, guards, and identification cards.” In other words, when the ISPS Code, the MTSA of 2002, and the U.S. Coast Guard’s domestic regulations were authored, they did not address today’s cybersecurity challenges. Because cyber risks operate in a relatively new, non-physical domain, mitigating cyber risks calls for renewed energy and strategy.

Although the ISPS Code and MTSA regime do not openly contemplate cybersecurity, the U.S. Coast Guard has not been powerless to produce cyber standards. To the contrary, with the MTSA of 2002 and the Maritime Security Improvement Act (MSIA) of 2018, the agency’s power to regulate cybersecurity at port facilities is clear. Such authority could be used to modernize U.S. Coast Guard regulations and incorporate cybersecurity-centric rules into its enforcement and compliance programs. Rather than taking that authoritative step, the agency made a more subtle move in February 2020 by offering a modern cyber-centric interpretation of the agency’s 17-year-old regulations. Perhaps more should be done.

The Dormant Cyber Rule

The United States’ maritime facility security regulations, as implemented under the MTSA of 2002, reside in Part 105 of Title 33 of the CFR. As alluded to earlier, the word “cyber” is absent from these regulations. To some, this absence might indicate that U.S. Coast Guard regulations omitted cybersecurity. In its February 2020 Navigation and Vessel Inspection Circular (NVIC), “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, NVIC 01-20,” the U.S. Coast Guard announced a new interpretation of Part 105 in which it ostensibly takes the position that cybersecurity requirements were not omitted from Part 105—they were dormant.

A brief description of Part 105, entitled “Maritime Security: Facilities,” helps bring context to the seemingly latent cyber rules. The U.S. Coast Guard enacted Part 105 in October 2003 to harmonize domestic regulations with security measures adopted by the IMO (i.e., ISPS Code). Combining international requirements and existing domestic policy, Part 105 is extensive. It consists of five separate subparts, 54 individual sections, and just over 100 pages of regulatory text. Put plainly, Part 105 is the U.S. Coast Guard’s rulebook for security at U.S. maritime facilities.

A critical mandate in Part 105 is a requirement that port facilities periodically conduct a Facility Security Assessment (FSA). Generally, the FSA evaluates a facility’s threats, vulnerabilities, and protective measures in order to inform the development of a facility’s Facility Security Plan (FSP). The Facility Security Officer (FSO) is responsible for developing and implementing the FSP. When preparing the FSP, the FSO must analyze certain factors enumerated in Part 105. While Part 105 does not expressly require the FSO to consider cybersecurity vulnerabilities, among the listed factors the FSO is required to consider are “[m]easures to protect radio and telecommunications equipment, to include computer systems and networks.” This provision is the source of Part 105’s seemingly dormant cyber rules. In short, NVIC 01-20 interprets the provision on “radio and telecommunications equipment” to encompass cybersecurity because it uses the phrase “computer systems and networks.” Under this interpretation, Part 105 has required FSOs to assess and address cybersecurity vulnerabilities since it was enacted in 2003.

The Path Forward: Holistic and Affirmative Cyber Requirements

Recognizing this tacit cybersecurity provision is a meaningful step, but the dormant cyber provision recognized by NVIC 01-20 is too ambiguous and inoperative to embody the degree of governance sufficient to mitigate known cyber risks. The U.S. Coast Guard should explore whether it could do more to integrate cybersecurity into its maritime security regime. If the Service aims to better incorporate cybersecurity into existing enforcement and compliance programs, it could leverage domestic rulemaking to implement enforceable and uniform standards.

An FSO must consider measures to protect radio and telecommunications equipment, including computer systems and networks, when developing an FSP. Although this requirement seems clear at first, closer examination reveals an ambiguity that may confuse those trying to understand its scope and application. Considering how vital Part 105’s assessment requirement is to mitigate potentially catastrophic cyber threats, any amount of confusion is undesirable. Fortunately, ameliorating this confusion may be relatively easy.

As the U.S. Coast Guard recognizes in NVIC 01-20, the maritime industry presently uses cyber systems for various critical functions (e.g., administration, operations, engineering, safety, security, and navigation). IMO Guidelines on Maritime Cyber Risk Management also recognize that modern cyber systems are used for an array of Information Technology (IT) and Operational Technology (OT) purposes. The IMO considers this variety of cyber functions “essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment.” Of note, IMO’s 2017 guidelines identify “communication systems” as only one of the many types of cyber systems. Despite the variety of integral cybertechnologies, Part 105, on its face, implicates computer systems and networks used for just one purpose—radio and telecommunications. This is all to say, based on a plain reading of Part 105’s text, one may reasonably conclude that the FSO is only required to consider vulnerabilities with cyber systems used for communication, not cyber systems used to perform the variety of other critical IT and OT functions at maritime facilities.

Highlighting this ambiguity in Part 105 is more than an academic, textual critique. Doing so underlines a fundamental regulatory problem—a lack of clear standards—that undermines effective enforcement and compliance. This ambiguity is significant enough that Canada brought it to the attention of the IMO over five years ago and recommended an update to the ISPS Code.

The U.S. Coast Guard already has the authority to remedy enforcement and compliance problems brought on by the ambiguity in Part 105’s dormant cyber language. Through the domestic rulemaking process, the agency can amend Part 105 to create a distinct cybersecurity requirement that encompasses a variety of cyber systems. Coincidentally, in the MSIA of 2018, U.S. Congress provides a sample of a modern-day cyber requirement. Specifically, the MSIA, codified at 46 U.S.C. § 70103(c)(3), expressly requires FSPs to “include provisions for detecting, responding to, and recovering from cybersecurity risks…” and violating this rule subjects the facility to a civil penalty. This 2018 mandate in the law is clear and enforceable. Its express use of the common, up-to-date term “cybersecurity” without limiting itself to any one cyber system avoids any confusion caused by innovative interpretations. U.S. Coast Guard regulations could be amended to achieve a degree of clarity equal to that in the law.

Ambiguity aside, the dormant requirement recognized by the NVIC is also largely inoperative. As NVIC 01-20 states, although FSOs must assess and address cybersecurity vulnerabilities, the facility has discretion to decide how it identifies, assesses, and addresses those vulnerabilities. In light of this discretion, there is essentially no regulatory framework on which to base uniform enforcement and compliance decisions. The United States’ current port facility cybersecurity model is akin to a safe speed law that allows drivers discretion to set and clock their own speeds. This approach may be suitable for certain regulatory areas, but it is an insufficient approach for guarding against such a serious threat to the global economy and national security. Contrasting the quantity of effort expended governing physical security at ports with the meager scope of governance now envisioned for cybersecurity illustrates the point.

The kinetic attacks on 9/11 led to comprehensive rules, both domestically and internationally, on maritime physical security. Pioneering those rules took colossal effort by the U.S. Coast Guard. Today the agency has a similar opportunity with cybersecurity. Twenty years ago, Part 105 could have been distilled into a single line—FSOs must assess and address physical security vulnerabilities when developing FSPs. Obviously, the U.S. Coast Guard opted for a more comprehensive approach, choosing a holistic, affirmative governance model. This approach might be applied today to cybersecurity. There are too many contrasting examples of physical security requirements to list here, but a summary of Part 105’s Subpart B is useful.

Subpart B consists of 25 regulatory sections collectively entitled “Facility Security Requirements.” These sections contain, among other things, requirements on staff responsibilities; personnel knowledge and training; recordkeeping; physical searches; drills and exercises; controlling access; hiring employees; screening individuals; arming guards; designating restricted areas; policing grounds; equipment maintenance and testing; handling cargo; delivering stores; and receiving passengers, dangerous cargo, and barges. Importantly, across these requirements, Subpart B includes about 175 provisions unique to physical security.

As for cybersecurity, even with NVIC 01-20 on the books, existing regulations seemingly establish no explicit requirements. There are no unique cyber requirements related to staff responsibilities (e.g., security responsibilities of IT or OT personnel). Likewise, there are no distinct cyber training or knowledge requirements (e.g., requiring the FSO to be familiar with IT and OT terminology or requiring employees to take a basic computer hygiene course). There are no affirmative rules related to cyber drills, cyber exercises, or cyber recordkeeping. Unlike with systems used for physical security, there currently are no maintenance or testing requirements unique to IT or OT systems. Most importantly, in contrast with the unequivocal governance over elements fundamental to physical security (e.g., access controls, restricted areas, personnel screening), Part 105 is silent about any element associated with and tailored for effective cybersecurity programs.

Conclusion

Returning to the metaphor of the safe speed law, some might contend the current cyber model not only empowers drivers to set and clock their own speeds, but also affords them that discretion without requiring them to possess any driving experience, complete driver education classes, maintain or test vehicle systems, consult traffic reports, or obtain driver’s licenses.

Effective cybersecurity, in this age of pervasive and expanding cyber threats, benefits from holistic and explicit governance. Just as it did with physical security after the 9/11 attacks, the U.S. Coast Guard could again leverage the domestic rulemaking process to implement a clear, uniform, and more rigorous cybersecurity regime. In so doing, the U.S. Coast Guard would again be the standard-bearer, leading the way in the global fight to protect port facilities. 

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the views of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

Featured Image: Evergreen container ships in the port of Los Angeles (Wikimedia Commons)

Bilge Pumps Episode 23: Lessons of Maritime Rome

By Alex Clarke

Bilge Pumps, Episode 23. The Bilge Pumps Crew is joined by Dr. Simon Elliot (@SimonElliott20) the expert on all things Roman navy history and archeology, plus Julius Caesar. Visit his book list here.

With such a wide area of history to draw from where could Bilge Pumps go? Well, we start off with the Classis Britannica and work out from there, through the designs of the ships and the wars Rome fought as a Republic and an Empire. We also of course consider the defense of islands and coastlines with forts, the infrastructure and realities of economics and logistics, and the importance of a good public relations effort.

#Bilgepumps is still a newish series and new avenue, which may no longer boast the new car smell, in fact decidedly more of pineapple/irn bru smell with a hint of jaffa cake and the faintest whiff of cork, but we’re getting the impression it’s liked, so we’d very much like any comments, topic suggestions or ideas for artwork to be tweeted to us, the #Bilgepump crew (with #Bilgepumps), at Alex (@AC_NavalHistory), Drach (@Drachinifel), and Jamie (@Armouredcarrier). Or you can comment on our Youtube channels (listed down below).

Links

1. Dr. Alex Clarke’s Youtube Channel
2. Drachinifel’s Youtube Channel
3. Jamie Seidel’s Youtube Channel

Alex Clarke is the producer of The Bilge Pumps podcast.