Paralyzed at the Pier: Schrödinger’s Fleet and Systemic Naval Cyber Compromise

By Tyson Meadors

In the spring of 2019, then-Navy Secretary Richard Spencer publicly released the “Navy Cybersecurity Readiness Review.”1 Conducted in the tradition of earlier reviews commissioned by Navy Secretaries, such as the Chambers Board and the General Board Studies of 1929-1933, the review was led by Ronald Moultrie, now the Under Secretary of Defense for Intelligence and Security, and concluded that the Navy’s cybersecurity shortfalls were “an existential threat.”

Following its release, Secretary Spencer summarized the review’s findings during Congressional testimony: “…[O]ne of our battles is going to be just getting off the pier because [of] cyber…” After nearly two years in the position, the civilian leader of the Navy and Marine Corps had become convinced that the cyber-related reforms and force structure changes outlined in the Review were required for the United States to remain a viable naval power.

Due to his untimely dismissal in November of that same year, however, Secretary Spencer was never afforded the opportunity to see his proposed cyber reforms through. In his wake, the “existential” cyber matters described in the report have been largely left unaddressed. Three years later, Congress started to demand significant reforms to Navy cyber force structure in the 2023 National Defense Authorization Act (NDAA). These NDAA mandates suggest that Congressional defense committee leadership has concurred with Spencer’s conclusions—so much so, in fact, that they are willing to force the matter on Navy leadership.

While the 2019 report, prompted by over a decade of cyber incidents resulting in the “loss of significant amounts of Department of the Navy data,” makes it clear that the Navy is “losing the current global, counter-force, counter-value cyber war,” it never describes the strategic or operational naval implications of losing this “war.” The report notes that “[cyber] war is manifested in ways few appreciate, fewer understand, and even fewer know what to do about it.” But it leaves translating such proclamations into tangible guidance to the imagination of the (presumably “few”) readers capable of doing so. High-profile cyber warfare events over the last five years, however, have made understanding the strategic implications of the Navy’s cybersecurity readiness shortfalls far more apparent. The “how” and “why” of Spencer’s “battle to get off the pier”—and what it means for the Navy’s strategic reality—demands the attention of more than just Congress.

Introducing Schrödinger’s Fleet

The strategic reality described by the 2019 Cybersecurity Readiness Review is best analogized by Erwin Schrödinger’s “cat” thought experiment, in which a cat whose fate is tied to a quantum superposition cannot be known to be alive or dead until someone opens the box and observes it. Prior to that observation, the cat is effectively both alive and dead.

In the case of Schrödinger’s Fleet, the uncertainty is the unclear combat readiness of a naval fleet whose supply chains have suffered a thorough and prolonged period of cyber exploitation by sophisticated adversary actors. Given an indefinite period of access to the key portions of the defense industrial base responsible for the provisioning of all U.S. Navy platform and weapon systems, these actors are afforded countless opportunities to insert malicious code into software and firmware that eventually is built into one or myriad platforms, systems, and networks. The added code then lies effectively dormant until such a time or condition that it is activated to disrupt the availability of a weapon system, network, and/or platform. From a readiness perspective, the naval fleet appears operationally ready in peacetime, but the adversary knows that at the intended moment of action, the imperiled fleet will struggle to “just get off the pier.”

Had the 2019 Review been written some two years later, it would have benefitted from the ready example of the SolarWinds breach, which made the term “software supply chain compromise” common parlance. The SolarWinds2 event came to light when the cybersecurity firm FireEye discovered malicious activity on its own network in December 2020.3 Subsequent analysis showed that Russian actors had gained access to SolarWinds’ software build environment in 2019 and, beginning in the spring of 2020, shipped a backdoor inside the company’s Orion network-management product. By riding SolarWinds’ otherwise legitimate, digitally signed update process, the ‘poisoned’ updates reached approximately 18,000 customer networks, from which the actors then hand-selected a far smaller set for follow-on intrusion. Among the victims were the Departments of Defense, Homeland Security, Energy, and State, as well as defense-linked Fortune 500 companies such as Microsoft, Cisco, Deloitte, and Intel.4

SolarWinds was nowhere near the first supply-chain compromise used by adversary cyber actors. The NotPetya attack, conducted by Russian military intelligence (GRU) cyber units in 2017, used a similar tactic: the actors compromised the update mechanism of M.E.Doc, a Ukrainian tax-accounting package, to pre-position the malware across Ukraine before triggering it on the eve of Ukrainian Constitution Day. Once activated, the code propagated on its own, using stolen credentials and the leaked EternalBlue exploit, and destroyed data wherever it landed. Its spread beyond Ukraine was an automatic consequence of that design rather than a targeting decision, and it caused at least $10 billion in damage, making it the most financially destructive cyberattack on record.5,6

China is also a prolific software supply chain compromiser. In 2017, Chinese cyber actors compromised the build environment of Piriform, the company responsible for the CCleaner utility, and inserted malicious code into a signed release of that product, which was downloaded to roughly 2.3 million computers worldwide.7 The intrusion lasted about six months, yet subsequent analysis showed that the second-stage payload was delivered to only about 40 machines at a handful of targeted high-technology and telecommunications companies. The mass compromise was the delivery vehicle; the real targets were selected afterward from among the victims.

Taken in totality, SolarWinds, NotPetya, and CCleaner represent the wavetops of what has now become a go-to tactic for nation-state and criminal actors alike—subvert the software supply chain to get to higher value targets with latent, malicious code. Then, at a time and place of the adversary’s choosing, activate the malicious code.

Adversary actors need two things to leverage such capabilities. First, they need ready access to a target’s supporting supply chains, the type of prolonged access to the Navy’s supporting vendors that prompted the commissioning of the 2019 Cyber Readiness Review. Second, the adversary needs some advance idea of what outcomes it wishes to achieve with such operations. Adversaries with focused strategic or operational objectives (an invasion of a nearby island, for example) for which they control the notional timing and tempo can engage in prolonged supply chain subversion campaigns to ensure that opposing forces are disadvantaged at the outset of a conflict. In the opening hours of Russia’s invasion of Ukraine, for example, a cyberattack later attributed by the United States, the United Kingdom and the European Union to Russia knocked tens of thousands of modems on Viasat’s KA-SAT satellite network offline, a network on which Ukrainian forces were operationally reliant.8 That attack was delivered through a compromised management network rather than a vendor’s update channel, and it was not decisive given Russia’s conventional military failings, but it demonstrates the broader point: peer competitors will use pre-planned cyber effects as part of a combined arms assault, timed to the opening of conventional hostilities.

The 2019 Cybersecurity Readiness Review suggests, without stating outright, that at least some of the Navy’s myriad acquisition programs may already have been victims of this class of long-term compromise. The risk to an unknown number of Navy platforms and weapon systems remains critical. As recently as this year, “nearly nine out of ten US defense contractors fail to meet basic cybersecurity minimums” as defined by the Defense Federal Acquisition Regulation Supplement (DFARS).9 Even generously assuming perfect contractor cyber defense from the day the updated DFARS cybersecurity requirements are finally enforced (via the oft-delayed Cybersecurity Maturity Model Certification, or CMMC), two things will not go away: whatever latent compromises Spencer alluded to in his Congressional testimony, and the product of at least four additional years of near-peer cyber activity against Navy supply chains in the meantime. The U.S. Navy will therefore be left operating Schrödinger’s Fleet through the duration of the so-called Davidson Window and beyond.10

Cousin Cats: “Schrödinger’s Infrastructure” and “Schrödinger’s ICS”

The Navy is not the only entity faced with strategic cyber uncertainty. In a recent speech at NATCON 3, Joshua M. Steinman, the Trump administration’s senior cybersecurity official on the National Security Council staff, described what he called “Schrödinger’s Infrastructure”: “…[A]n industrial base that is simultaneously compromised and not compromised… We find out which it is once the [People’s Liberation Army (PLA)] departs for Taipei.”11

Steinman’s description is significant to the U.S. Navy for two reasons. First, it identifies that the threat of latent Chinese cyber capabilities embedded in U.S. industrial infrastructure may only be fully realized when it is leveraged in support of a major PLA operation such as invading Taiwan. Perhaps less obvious—but just as significant—is that Steinman identifies an issue with a class of technologies that are just as critical to naval operations as they are to U.S. critical infrastructure. Namely, Steinman’s comments specifically addressed the cybersecurity vulnerability of “Operational Technologies” (OT), which describes the class of computers, controllers, networks, and embedded systems associated with the control of physical things such as power grids, factories, ship propulsion plants, and weapon systems.

Just as relevant to understanding contemporary U.S. Navy cyber risk is a description of what Robert M. Lee, the founder of the OT cybersecurity company Dragos, calls “Schrödinger’s Industrial Control System (ICS).” In a 2019 blog post discussing the circumstances of a rumored cyberattack that had caused a fire at the Abadan Oil Refinery in Iran, Lee explains that “Schrödinger’s ICS” is a situation that exists when operators of operational technology are unable to do “root cause analysis of the event to include a cyber component.”12 Otherwise stated, another aspect of the cyber-Schrödinger condition is that any OT-controlled machinery or weaponry casualty may be a cyberattack unless an entity has the cyber forensic capabilities to “observe” otherwise.

Responding to a question in 2017 about the possibility of a cyberattack causing a ship collision involving the USS McCain, the then Deputy Chief of Naval Operations for Information Warfare, VADM Jan Tighe, stated that “…what if we detect a cyber intrusion into one of those machinery systems, et cetera? We need to have expertise that can respond to that… and can look for any signs of cyber intrusion or cyber malicious – malware… we will… learn from the results of the McCain investigation and just make [cyber forensics] part of the normal process of how we do mishap investigations moving forward.”13 As other observers noted,14 however, in 2017 the Navy did not have the capabilities required to do a proper forensic investigation of the McCain’s OT. VADM Tighe’s remarks suggested, at least, that a Fleet cyber forensic capability was an identified naval requirement and was soon to come online.

A recent letter from Congress to CNO Gilday sent in the fall of 2022,15 however, expressed concern that “the Navy’s cyber resiliency budget [for fiscal year 2023] equated to less than 0.1 percent of service-requested funds,” and pointedly asked, “What unit(s) will respond to cyberattacks against shipboard systems and are those units sufficient to meet wartime need?” It appears that Congress is skeptical as to whether the Navy has sufficiently developed the expertise that VADM Tighe said was necessary two years prior to the 2019 Cybersecurity Readiness Review: the expertise required to resolve whether the Fleet is “cyber alive” or “cyber dead.”

Schrödinger Fleet Strategy

From a naval strategy perspective, Schrödinger’s Fleet is effectively the inverse of the classic “fleet in being,” the concept (coined by Admiral Torrington in 1690 and later analyzed by Mahan and Corbett) in which a fleet that remains in port still constrains an adversary’s maneuvers because it might sortie at any moment. A Schrödinger’s Fleet is physically able to sortie, yet it no longer has to be respected in an adversary’s calculations. At the initiation of conflict, the antagonist can assume that the fleet will be rendered moot by cyber effects and maneuver its forces accordingly.

That said, because the actual efficacy of latent malicious cyber capabilities cannot be known for certain until the time of activation, an adversary advantaged by such capabilities will not necessarily conduct its antebellum activity noticeably differently than it would without them. It is worth considering, however, that possessing such capabilities may incline adversarial leadership to perceive a decisive strategic advantage, further easing its path toward initiating hostilities.

This risk—that cyber effects at the outset of conflict used to undermine the military capabilities of the opposite side will ultimately be destabilizing and make conflict more likely—is described by another former Navy Secretary, Dr. Richard Danzig, as “mutually unassured destruction” (“MUD”). In a 2014 essay, Danzig specifically points out that should nuclear command, control, and warning be degraded by cyberattack, this could lead to a situation where the strategic deterrence inherent to mutually assured destruction deteriorates, leading to strategic instability.16 Danzig’s point might be extended, however, to consider the advantages conveyed if only the conventional defense capabilities of an adversary are disrupted.

Danzig’s explanation of cyber-induced MUD suggests that there may be a fundamental strategic difference in degrading conventional rather than nuclear forces. Namely, whereas there may be destabilizing risks in placing nuclear forces into Schrödinger Fleet conditions, this does not necessarily hold true for conventional forces. Consider two adversaries who have both compromised the software supply chains of the conventional forces of the opposing side. Each is faced with uncertainty regarding what forces will and will not be impacted at the point of initial aggression and therefore face an incalculable risk toward their respective chances of success. This condition—when Schrödinger Fleet-conditions call into question the viability of conventional military success—can prove deterring and thus potentially stabilizing. And this form of cyber deterrence need not be symmetrical or mutual. Should one side be able to demonstrate that they have created Schrödinger Fleet conditions inside of the aggressing force, the aggressor may hesitate to act, especially if the aggressor’s theory of victory requires a full complement of combat-available forces.

Spencer’s Congressional statements suggest that he believed the Navy may be at such a conventional disadvantage—potentially deterring U.S. strategic or operational action at a future moment of crisis or conflict. A Navy composed of a Schrödinger’s Fleet is not merely a force in an “existential” crisis. It is a critical national security liability.

Resiliency and MUD: A Quantum of Solace

Assuming that the strategic implications of the U.S. Navy operating a Schrödinger Fleet are anywhere near as dire as what Spencer’s Review and further analysis suggest, what is to be done?

Commercial OT cybersecurity suggests two partial remedies. First, after the SolarWinds event, public and private sector cybersecurity leadership began calling for the use of “software bills of materials,” or SBOMs. An SBOM is a machine-readable inventory, typically in the SPDX or CycloneDX format, of the components that went into an application or system, their versions, and how they depend on one another, delivered alongside the product. An SBOM is not a defensive capability in itself, and it records what the supplier intended to ship, not whether the pipeline that built it was trustworthy; a SolarWinds-style implant inserted at build time is invisible to it. What an SBOM does do is let an operator answer, in hours rather than weeks, the question every breach disclosure raises: which of our systems contain the subverted component, and through which delivered products did it get there?

In 2021, the Biden administration tasked the Department of Commerce to develop government-wide guidance mandating SBOMs for all IT and OT used by the federal government.17 The Senate’s version of the 2023 National Defense Authorization Act also contained an SBOM mandate for the Department of Defense, but this language did not make it into the bill’s final form.18 It remains prudent, however, for the Navy to require SBOMs from all its IT and OT suppliers.
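What an operator actually does with an SBOM once a supplier discloses a compromised build, as an added Python example that is not code from the article or from any Navy program: it parses a CycloneDX-style document, finds the components whose versions fall in the disclosed range, walks the dependency graph to show which delivered product carried them aboard, and checks an installed artifact’s hash against the one the SBOM recorded. The document shape follows CycloneDX 1.4, but every product name, version, dependency, hash and the disclosure itself is constructed for the example and refers to no real vendor or incident.

```python
"""Added example (not from the article): triage a CycloneDX-style SBOM
against a supplier's breach disclosure.

All names, versions and hashes below are constructed for illustration;
none refers to a real product, vendor or incident.
"""
import hashlib
import json

# Constructed release artifacts: the installer the vendor shipped and a
# tampered copy found on a platform.
GOOD_BUILD = b"fleet-nms 2020.2.1 release installer (constructed bytes)"
TAMPERED_BUILD = GOOD_BUILD + b"\x90\x90 implant"

# Constructed SBOM in the CycloneDX 1.4 JSON shape (subset of fields):
# a "components" inventory plus a "dependencies" graph keyed by bom-ref.
SBOM_TEMPLATE = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "ship:combat-mgmt",
                             "name": "combat-mgmt-suite", "version": "7.2"}},
  "components": [
    {"bom-ref": "pkg:nms", "name": "fleet-nms", "version": "2020.2.1",
     "hashes": [{"alg": "SHA-256", "content": "__NMS_SHA256__"}]},
    {"bom-ref": "pkg:agent", "name": "acme-agent", "version": "3.2.1"},
    {"bom-ref": "pkg:hmi", "name": "plant-hmi", "version": "5.0.0"},
    {"bom-ref": "pkg:agent-old", "name": "acme-agent", "version": "2.9.9"}
  ],
  "dependencies": [
    {"ref": "ship:combat-mgmt", "dependsOn": ["pkg:nms", "pkg:hmi"]},
    {"ref": "pkg:nms", "dependsOn": ["pkg:agent"]},
    {"ref": "pkg:hmi", "dependsOn": ["pkg:agent-old"]}
  ]
}
"""
SBOM_JSON = SBOM_TEMPLATE.replace("__NMS_SHA256__",
                                  hashlib.sha256(GOOD_BUILD).hexdigest())

# Constructed disclosure: the (hypothetical) vendor of "acme-agent" reports
# that builds 3.0.0 through 3.2.4 inclusive came from a compromised pipeline.
DISCLOSURE = {"name": "acme-agent", "first_bad": "3.0.0", "last_bad": "3.2.4"}


def parse_version(text):
    """Turn a dotted numeric version such as '3.2.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


def load_sbom(text):
    """Parse the SBOM and refuse anything that is not CycloneDX."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    return sbom


def affected_components(sbom, disclosure):
    """Return bom-refs whose name matches and whose version lies inside the
    disclosed bad range (inclusive at both ends)."""
    low = parse_version(disclosure["first_bad"])
    high = parse_version(disclosure["last_bad"])
    return [c["bom-ref"] for c in sbom["components"]
            if c["name"] == disclosure["name"]
            and low <= parse_version(c["version"]) <= high]


def impact_paths(sbom, target_ref):
    """Walk the dependency graph from the top-level product and return every
    path that reaches target_ref: which delivered product carried it aboard."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths = []

    def walk(node, trail):
        trail = trail + [node]
        if node == target_ref:
            paths.append(trail)
            return
        for child in graph.get(node, []):
            if child not in trail:  # guard against cyclic dependency data
                walk(child, trail)

    walk(root, [])
    return paths


def verify_artifact(sbom, bom_ref, data):
    """Compare bytes actually present on a platform with the SHA-256 the SBOM
    recorded for that component. The SBOM says what the supplier meant to
    ship; only this comparison says whether that is what is installed."""
    for comp in sbom["components"]:
        if comp["bom-ref"] == bom_ref:
            recorded = {h["content"] for h in comp.get("hashes", [])
                        if h["alg"] == "SHA-256"}
            return hashlib.sha256(data).hexdigest() in recorded
    raise KeyError(bom_ref)


if __name__ == "__main__":
    sbom = load_sbom(SBOM_JSON)
    for ref in affected_components(sbom, DISCLOSURE):
        for path in impact_paths(sbom, ref):
            print("affected:", " -> ".join(path))
    print("installed fleet-nms matches SBOM:",
          verify_artifact(sbom, "pkg:nms", TAMPERED_BUILD))
```

The dependency walk is what turns a component-level disclosure into a platform-level answer: here the bad acme-agent build is reached only through fleet-nms, while the older agent bundled with the HMI is outside the disclosed range. The hash check is the part the SBOM alone cannot provide, and in practice the recorded hashes must come from a source the operator trusts more than the installer itself (a signed SBOM or a build attestation); a supplier compromise that produced the SBOM and the binary together would otherwise defeat the comparison.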

Second, as both Robert M. Lee and VADM Tighe indicated is required, the Navy needs an expert forensic capability that it can rapidly deploy to its ships and platforms to determine whether the root cause of a system failure or casualty is cyber-related. As VADM Tighe noted in her 2017 comments about the USS McCain investigation, one of the most urgent second-order questions the Navy would have faced, had the McCain collision been found to have a precipitating cyber cause, was whether other ships, including the USS Fitzgerald after its earlier collision, were exposed to the same effect.

Some of this forensic capability can be provided by additional cybersecurity sensors integrated into platforms. In Congress’ 2022 letter to Admiral Gilday, for example, Congress notes the existence of two Navy programs that address some of this risk. Some of this enhanced forensics capability will also require the types of teams that Congress inquired about in the same letter. As the Navy considers how to implement the reforms mandated in the 2023 NDAA, manning and equipping these sorts of teams should be top of mind.

A notional Navy cyber response team. (Artwork created via Midjourney AI)

While SBOMs and operational forensic capabilities reduce the uncertainties associated with Schrödinger’s Fleet, they do not meaningfully address the waxing strategic risk of systemic platform and weapon system casualties caused by latent malicious code. For this, two further compensatory mechanisms are necessary.

First, the Navy must have the capacity to recover compromised systems to secure baselines in operationally relevant timeframes. Assuming that advance detection of latent malicious code is nigh impossible given the volume and complexity of the systems-of-systems in a naval platform and of each system’s respective supply chain, quickly recovering from the unpredictable impacts of such code becomes a critical “fight through” enabler. Recovery is only as good as the baseline, however: it presumes a known-good image held under the Navy’s own control rather than pulled from the vendor’s update channel, and a means (measured boot, firmware attestation, hash verification against a signed manifest) of confirming that the restored system actually matches it. Without that, recovery simply reinstalls the implant.

Finally, the Navy should pursue and maintain the ability to hold potential adversaries’ conventional naval capabilities at equivalent cyber risk. Expanding Secretary Danzig’s “MUD,” we should consider how much can be gained from developing an ability to call into doubt the wartime availability and reliability of an adversary’s conventional naval forces. This would create a credible, likely stabilizing deterrent that is not dependent on ensuring the cyber survivability of our own navy. This is a necessary approach when addressing the need to maintain strategic balance—if not outright advantage—over great naval powers.

LCDR Tyson B. Meadors is a Navy Cyber Warfare Engineer. He previously served both afloat and ashore as a Surface Warfare Officer and Naval Intelligence Officer. From 2017-2018, he was a Director of Cyber Policy on the National Security Council Staff, where he advised the President, Vice President, and multiple National Security Advisors on cyber operations policy, technology, and threats and helped draft multiple national-level strategies and policies. Prior to commissioning from the U.S. Naval Academy, he worked as a journalist and taught English in the People’s Republic of China. He is the only U.S. naval officer to ever defeat a guided missile destroyer in a real-world engagement and is also the founder and CEO of Ex Mare Cyber, a cybersecurity consultancy. The views expressed are those of the author and do not reflect the official policy or position of the U.S. Navy, Department of Defense, or other parts of the U.S. government.


1. No longer accessible via official Navy portals, but it remains accessible via the Wall Street Journal here:

2. While this event is commonly referred to as “SolarWinds” because the compromise of SolarWinds’ Orion network-management platform allowed the malicious actors to reach such a large number of government and commercial entities, the same actors also exploited a VMware vulnerability and abused Microsoft cloud identity mechanisms (including forged authentication tokens) to extend their access inside victim networks.

10. A period defined by ADM Phil Davidson as the years between 2021 and 2027, which he identified as the period when China is most likely to attempt to take military control of Taiwan; see

15. See Golden, et al., Congressional letter addressed to Admiral Gilday, which begins, “We write to express our significant concerns regarding the cybersecurity of combat systems utilized by the U.S. Navy on its surface ships and submarines…” dated 3 October 2022.

Featured Image: Artwork created via Midjourney AI.

In Cyberspace, No One Can Hear You Bluff

By Captain Tuan N. Pham, U.S. Navy

General Paul Nakasone – Commander, U.S. Cyber Command (USCC) and Director, National Security Agency (NSA) – asserts that “traditional military deterrence is binary in regard to conflict and a deterrence model…does not comport to cyberspace where much of the nefarious cyber activity plays out non-stop in an ambiguous strategic gray zone.” While this article is in agreement with the “futility of totally deterring adversaries from operating in cyberspace and instead actively disrupting those activities before they can inflict damage,” it takes the position of respectfully disagreeing that traditional deterrence is binary and the rules of traditional deterrence do not hold in cyberspace.

Deterrence centered around domain denial is neither desirable nor sustainable. Hindering access to cyberspace is not consistent with the enduring American values of individual liberty, free expression, and free markets. This encumbered access also runs counter to the U.S. national interest of protecting and promoting internet freedom to support the free flow of information that enhances international trade and commerce, fosters innovation, and strengthens both national and international security; and the universal right (global norm) of unfettered free access to and peaceful use of cyberspace for all. Restricting access to cyberspace is also not practical considering the cost to operate in cyberspace is modest, the barriers to entry low, and the ease of operating negligible. 

Deterrence, the “prevention of action by either the existence of a credible threat of unacceptable counteraction and/or belief that the costs of action outweigh the perceived benefits,” is more complicated and nuanced than a simple binary response of yes or no. Deterrence can create a delay or pause for transitory maneuvering space to mitigate the effects of the threat action, or better yet, take preemptive or preventive measures to disrupt (neutralize) the threat action. Deterrence, like warfighting (war), involves universal and immutable “human nature” that does not change over time or across nationality, demographic, culture, geography, and domain. Rational actors choose to act or not to act based on fundamental “fear, honor, and interest (Thucydides)” and are deterred to act or not to act by real or perceived “capability, intent, and credibility (deterrent triad).” Additionally, as Henry Kissinger once noted, “deterrence is a product of capability, intent, and credibility and not a sum…if any one of them is zero, deterrence fails.” Washington accordingly must do more and do better to ensure each factor succeeds as an aggregate deterrent triad for increased integrated deterrence, decreased strategic risk, greater strategic alignment, and lesser likelihood of conflict across all the interconnected and contested domains.

Deterrence works best when it is clear, coherent, uniform, and complementary across the fluid competition continuum (steady state to crisis to conflict); expansive instruments of national power (diplomatic, information, military, economic, financial, intelligence, and law enforcement – DIMEFIL); and interconnected and contested domains (physical and nonphysical) for strategic consistency, operational agility, and tactical flexibility. Last year in an article titled “In Space, No One Can Hear You Bluff,” this author made the policy case for a more active space deterrence to better manage the growing threats to the vulnerable U.S. high-value space assets. This article makes the same policy case now for a more active cyber deterrence to better address the exigent factors of time, space, and force in cyberspace. An attack in cyberspace can come from anyone, occur anywhere, and happen anytime with no warning to react and no opportunity to respond – an increasingly real risk as the ongoing Russian invasion of Ukraine persists and President Putin becomes more impatient and desperate for victory while becoming at risk of dangerously perceiving a shift in U.S. policy from conflict containment (vertical and horizontal) to conflict escalation, or worse, regime change.

More Active Cyber Deterrence

Despite a considerable arsenal of sophisticated offensive and defensive cyber capabilities, American political and military systems still struggle at times with inconsistent strategic communications and a dogged credibility gap. The new deterrent framework in cyberspace must therefore focus more on communicating clear intent and building enduring credibility through redlines, deterrent language, and cross-domain options to impose further costs, deny added benefits, encourage greater restraints, and control more the narratives.


Declaratory redlines make clear the unwanted risks, costs, and consequences of specific actions. They are an important way to influence an adversary’s risk perception and rational calculus, lower the likelihood of misunderstanding, and encourage restraint. They also outline the conditions of and willingness to inflict unacceptable retaliatory damage or destruction. U.S. policymakers should therefore “privately” reinforce to strategic competitors (and potential adversaries) the deterrent public statements contained in the 2018 National Cyber Strategy (NCS), 2021 Interim National Security Strategic Guidance (INSSG), 2022 National Defense Strategy (NDS), and (anticipated) forthcoming National Security Strategy (NSS). U.S. law enforcement officials should likewise continue to “publicly” warn cyber criminals of egregious illicit cyber acts. In doing so, they should make it clear to both state and non-state threat actors that any cyber attack or cyber act that threatens U.S. national security interests, U.S. economic prosperity, and U.S. political stability is unacceptable and will be met with severe and disproportionate consequences for them. If they attack or act, they should not expect a proportionate response. They should expect prompt and devastating force that will cause retaliatory damages much greater than what they intended to inflict. This clear warning should have the effect of causing malicious cyber actors to think twice before acting and consider that the real costs may be much greater than any intended benefits.

For cyber powers like China and Russia, it should be made unequivocally clear that any cyber attack on critical military space systems – missile warning, command and control of nuclear forces, and positioning, navigation, and timing – is an act of war and will be dealt with accordingly. Doing so interlocks the 2020 National Space Policy with the 2018 NCS, both of which acknowledge the imperative of and calls for improvements to space cybersecurity. Like any other increasingly digitized and networked critical infrastructure, space-based and ground-based space systems and their communication links are vulnerable to cyber attacks. A future space conflict will undoubtedly involve cyber attacks, and conversely, a future cyber conflict may also involve space attacks.

Policymakers should also declare a more assertive and explicit redline [for cyberspace] consistent with the extant public redline in the interconnected and contested space domain. The 2018 National Space Strategy and 2020 National Space Policy unambiguously declared that “any harmful interference with or attack upon critical components of our space [cyberspace] architecture that directly affects this vital interest will be met with a deliberate response at a time, place, manner, and domain of our choosing.” The 2020 Defense Space Strategy forcefully reasserted the White House redline, stating that “the United States will deter aggression and attacks in space [cyberspace] and, if deterrence fails, be capable of winning wars that extend into space [cyberspace].”

Some may contend that redlines only work against rational state actors. Non-state actors are not always rational, confidently hiding behind their anonymities like some state actors hiding behind their notions of sovereignty, and consequently are not easily deterred by redlines. However, this article puts forth the argument that both actors are rational thinkers governed by rational thinking driven by varying nuances of elemental “fear, honor, and interest.” State actors are more impelled by power (statecraft), while non-state actors are more motivated by money (business). Both have pressure points (critical vulnerabilities) related to fear and interest that are predisposed to deterrent actions.

Others might argue that Chinese and Russian nefarious cyber activities below the threshold justifying a traditional military response persist unabated despite the best deterrent efforts by the United States and international community. So why and how would redlines deter these continued gray zone operations in cyberspace? The short answer is that redlines are not necessarily only intended to deter threat actors from operating in the gray zone but to also deter them from escalating beyond the gray zone. For now, Beijing and Moscow appear disinclined to escalate beyond the gray zone since they have perceived advantage in cyberspace and may not want to invite the increased strategic risk. Redlines help maintain the unsatisfying status quo.

Still others, like Secretary of Defense Lloyd Austin, argue that it is “never a good idea to publish destabilizing redlines because they inflame tensions, inadvertently provoke reactions, and back policymakers into corners.” While this article agrees that redlines should not be made if one is not able and willing to carry them out, it respectfully disagrees that they are inherently destabilizing. Instead, this author contends that “credible” redlines demonstrate stabilizing political will if the deterrent language is consistently followed up with deterrent action when called to do so as evidenced by contemporary history.

In 2012, the Obama Administration warned Syria that the use of chemical weapons would draw U.S. retaliation. A year later, Washington did not follow through when Damascus disregarded that warning and launched chemical attacks on Syrian civilians. Although the reasons for President Obama’s policy change are complex, the net result was a perception that the administration backed down, and in deterrence, perception is reality. The Syrian regime did not believe the U.S. red line credible, despite the United States having more than enough DIMEFIL capabilities to threaten and undermine Syria’s national interests. When Syria again conducted chemical attacks on its citizens in 2017, Damascus encountered a much different U.S. response from the Trump administration: the United States promptly launched punitive cruise missile strikes against the Syrian air base from which the attack had been flown (and, joined by Britain and France, struck again after a further chemical attack in 2018), while expanding U.S. military presence and activities in Syria. By the end of 2017, President Trump released a new NSS, announcing that the United States would place U.S. national interests first and would not hesitate to protect and advance them. Washington followed up the bold words with bold actions through the maximum pressure campaigns against Pyongyang and Tehran, a trade war with Beijing, sanctions against Moscow, and the killing of Iranian General Soleimani. All in all, the say-do mismatch should be eschewed in favor of consistent words and actions, both of which matter in deterrence.

Deterrent Language

In cyberspace, just as in space, offensive dominance scales up, which means “a power that strikes aggressively should be, in theory, able to get the upper hand, or at least get the greatest possible use of whatever offensive space [cyber] capabilities it has invested in.” There is therefore deterrent value in explicitly stating a willingness to use tactical cyber preemption and active cyber defense, keeping all deterrent options on the table against all state and non-state actors that threaten U.S. national interests in cyberspace. Tactical cyber preemption employs cyber power to deny a specific outcome by attacking potential or imminent cyber threats before they can be employed, or by disrupting possible or looming illicit cyber acts before they can be initiated. Active cyber defense is the interception and disruption of an imminent cyber attack before it reaches its intended target, or of a looming cyber act before it materializes. When combined with proven offensive and defensive cyber capabilities and credible redlines, the threat of tactical cyber preemption and active cyber defense can give additional pause to a state actor contemplating a first cyber strike or a cyber criminal considering an illicit cyber act.

China, a strategic competitor (national security imperative) and major cyber threat to U.S. national interests, serves as a deterrent exemplar. The People’s Liberation Army’s (PLA) warfighting doctrine favors surprise and deception when conditions warrant. Hence, the United States should take active steps to introduce elements of doubt and uncertainty into the Chinese Communist Party’s (CCP) decision-making and discourage the PLA from acting on real or perceived advantageous political-military conditions. The CCP and PLA should be reminded of Sun Tzu’s famous dictum: “If not in the interests of the state, do not act…If you cannot succeed, do not use force.” In essence, this means not risking initiating a cyber conflict that one cannot win or that may result in a pyrrhic victory.

Some contend that cyber criminals are not easily deterred by deterrent language. Cyber criminals remain anonymous and nondescript in cyberspace, confident that they can overcome any cybersecurity measures while staying below the radar of state actors and avoiding state action. The United States should instead take away that confidence by strengthening cybersecurity and operating more often and more deeply in “white (neutral)” cyberspace (persistent engagement) to increase the likelihood of attribution, disruption, and, if needed, retaliation. This also requires encouraging and supporting the private sector to do the same, for example by promoting corporate cyber activities like those of Microsoft, which seizes domain servers used by hackers in China and leads industry-wide efforts to disrupt Russian cyber attacks.

Cross-Domain Options

Responses need not be limited to the same domain as the provocation. They can occur in another domain or across multiple ones. The dilemma for the United States is where, when, and how best to deter, and if deterrence fails, where, when, and how best to respond. U.S. policymakers and defense planners should prepare a broad set of flexible and dynamic cross-domain responses to the threat of cyber attack or the cyber attack itself in accordance with the 2018 NCS, 2021 INSSG, 2022 NDS, and (anticipated) forthcoming NSS.

Some might contend that cross-domain actions are destabilizing and will escalate a crisis. This argument diminishes as Washington fully commits and prepares to respond in kind or over-respond to make a deterrent point. Future conflicts will be transnational, multi-functional, and multi-domain. Cross-domain deterrence is therefore the best policy option for the interconnected and contested battlespaces now and into the future.

Others still argue that cross-domain actions risk pushing state actors (and cyber powers) like China and Russia over an invisible red line drawn by “fear, honor, and interest.” To mitigate this strategic risk, the United States must retain escalation dominance, freedom of movement, and strategic initiative to impose its will on Beijing and Moscow. As Sun Tzu said, “the clever combatant imposes his will on the enemy but does not allow the enemy’s will to be imposed on him.” Washington should therefore holistically impose costs, deny benefits, encourage restraint, and control the narrative so that the only acceptable strategic calculus for Beijing and Moscow is to not initiate or escalate conflict in cyberspace.

Selective Disclosure

Selectively disclosing cyber capabilities and intent amplifies the deterrent effects of redlines, deterrent language, and cross-domain options. Decisions about what, when, how, and for how long to reveal or conceal play an important role in active cyber deterrence. In certain circumstances, cyber capabilities should be disclosed to targeted audiences to sow doubt and uncertainty, encourage restraint, and reassure allies and partners. In other circumstances, strategic ambiguity may be more advantageous with regards to the exact nature, scope, and extent of intended cyber actions. An adversary does not need to know what, how, when, and where the United States would act, only that it can and would do so. Nevertheless, the question of how Washington can gain the deterrent benefits of selective disclosure while maintaining operational and information security is a crucial one moving forward. Similarly, it is also worth thinking about how to selectively reveal or conceal cyber capabilities to induce favorable threat responses, such as the expenditure of resources on U.S. defensive efforts or countermeasures in cyberspace.

Strategic Deterrent Alignment

Like space deterrence, the character of cyber deterrence may change over time, but the nature of cyber deterrence remains constant. The United States should therefore strengthen the deterrent triad of capability, intent, and credibility by defining redlines, declaring a willingness to fight in cyberspace preemptively or preventively, and threatening to respond (or responding) proportionately or disproportionately not just in cyberspace but in any or all domains for strategic deterrent alignment across the fluid competition continuum, expansive instruments of national power, and interconnected and contested domains.

Captain Pham served at NSA and USCC (plank owner), and completed a fellowship at JHU/APL working on cyber and space issues. The views expressed here are personal and do not reflect the positions of the U.S. Government or U.S. Navy.

Featured image by DKosig/Getty Images

Port Cybersecurity: Incorporating the IAPH’s New Guidelines into the ISPS Code

By CDR Michael C. Petta


Port industry leaders recently submitted cybersecurity guidelines to the International Maritime Organization (IMO) for consideration. The IMO Member States should seize this opportunity and amend the International Ship and Port Facility Security (ISPS) Code to enact cybersecurity standards for ports and port facilities. Specifically, IMO Member States should amend the code, using the new industry guidelines as a model, to require port facilities to conduct regular cybersecurity assessments and develop distinct cybersecurity plans.

The IAPH’s Cybersecurity Guidelines for Ports and Port Facilities

Earlier this month the International Association of Ports and Harbors (IAPH), a trade association representing ports across the globe, announced the publication of cyber guidelines for ports and port facilities. With help from the World Bank, the IAPH developed these cybersecurity guidelines to mitigate, according to the publication’s executive summary, “the top risk for port authorities and the wider port community.” A review of the extensive list of cyber incidents occurring over the past year, as compiled by the Center for Strategic and International Studies, reinforces the IAPH’s view that cyberattacks are a preeminent global threat. Recently in a speech at the United Nations, President Biden recognized the immediacy of that risk, emphasizing the importance of “hardening our critical infrastructure against cyberattacks” and establishing “clear rules…for all nations as it relates to cyberspace.” Needless to say, the IAPH guidelines are a welcome move toward a nearly decade-old aspiration to improve cybersecurity resilience in the maritime sector.

The IAPH’s recent work toward cyber resiliency is not the only 2021 cyber milestone in the maritime transportation sector. At the start of the year, the IMO’s guidelines for maritime cyber risk management, although adopted almost four years earlier, came into effect for parts of the Maritime Transportation System (MTS). It is no coincidence that these two sets of guidelines emerged in the same year. Indeed, the IAPH guidelines are a necessary consequence of the IMO’s, because the IMO’s set does not, in fact, cover port facilities. Port leaders had no choice but to fill the gap, and they did so quickly.

The IAPH did more than jump into the breach. It also coordinated its effort with the IMO. This substantive coordination is evident in two 2021 submissions to the IMO’s Maritime Safety Committee (MSC). In MSC 103/92 of March, the IAPH, recognizing the port facility gap, stressed that “ports and port facilities would benefit” from a framework akin to that applied to vessels earlier in the year. The IAPH was motivated by cyber risks it considers to be “the most significant threats for ports today,” citing a “fourfold increase in cyberattacks in the maritime industry” over a four-month period last year. Equally motivating was an expected intensification of cyber threats from accelerated port digitalization, an ongoing modernization effort triggered by, inter alia, the coronavirus pandemic.

Driven by these long-standing and mushrooming risks, the IAPH declared to the MSC its intention to develop “a single comprehensive set of guidelines customized for Ports and Port Facilities.” Impressively, just four months later, via MSC 104/7/1, the IAPH reported completion of its work—the IAPH Cybersecurity Guidelines for Ports and Port Facilities.

The 73-page guide contains many valuable cybersecurity measures and instructs facility operators on many topics fundamental to security in the cyber domain. These include management buy-in, personnel training, risk assessment, proper staffing, threat detection, and incident response. While this article does not intend to explore each provision in depth, highlighting a few features is useful for illustrating the guidelines’ utility. For example, the guide expressly endorses port facilities conducting unique cybersecurity training, drills, and exercises. Also, it encourages facility operators to share cyber information with government regulators and industry partners. The guidelines further acknowledge the importance of planned cybersecurity incident response and reporting. Finally, and perhaps most importantly, the IAPH’s new guidelines favor port facilities conducting regular cybersecurity assessments and developing distinct cybersecurity plans.

To incorporate such measures into an international government framework, the IAPH asked the IMO to consider the new guidelines and measures at the next MSC session, which is scheduled to take place in the first week of October, next week.

Amending the International Ship and Port Facility Security Code

The IMO’s previous cyber guidelines, those adopted in 2017 and put into effect in 2021, were considered game changing. Certainly, they were a vital step toward a uniform approach for combating cyber threats in the shipping industry. Notably, IMO Member States relied on the International Safety Management (ISM) Code as the legal foundation for those guidelines. The ISM Code is a safety management system adopted in 1987 to help shipping industry leaders manage safety risks. Regardless of whether a safety management system is the best instrument for generally mitigating security threats, it is not the right tool for promoting cybersecurity at port facilities. This is because the ISM Code, fundamentally, applies only to ships, not port facilities.

Fortunately, there is an international instrument designed specifically to protect port facilities from attacks—the International Ship and Port Facility Security (ISPS) Code. Twenty years ago this month, subversive actors exploited vulnerabilities in the global transportation system and attacked civilian locations across the United States. The ISPS Code was developed in direct response to those attacks and has become the IMO’s “comprehensive mandatory security regime.” One of the code’s express objectives is to assess and detect “security threats to… port facilities… [and] to implement preventive security measures against such threats.” Ultimately, if IMO Member States intend to comprehensively secure port facilities against attacks from within the cyber domain, they must turn to the ISPS Code.

Even though the ISPS Code is the right tool to pull from the international toolbox, the instrument first needs calibrating. The code’s existing, albeit implicit, cybersecurity provisions are soft law: non-binding instructive guidance that is unenforceable. Such soft cyber law makes port facilities soft cyber targets. Within the past few weeks, subversive actors backed by a foreign nation, according to the testimony of the Director of the U.S. Cybersecurity and Infrastructure Security Agency, breached servers and planted malicious code at a port facility in Houston, Texas. When discussing this recent breach, one cybersecurity expert predicted that such incidents would bring about a “much more regulatory” framework instead of the current “aspirational” model.

The ISPS Code has two parts: a mandatory Part A and a recommendatory Part B. Of note, there are no cybersecurity provisions, explicit or implicit, in Part A. Meanwhile, Part B hints at cybersecurity as it encourages port facilities to consider “radio and telecommunications equipment, including computer systems and networks” when they assess physical security vulnerabilities. Encouraging facilities to consider certain threats is a notable aspiration, but it is not a clear, enforceable cybersecurity rule. This is all to say, the ISPS Code, enacted for the specific purpose of preventing attacks on the MTS, is the right tool for the job, but to be an effective instrument against threats in the cyber domain, it must be amended.

Certainly, amending the ISPS Code will take careful consideration. One adjustment IMO Member States might consider is amending Part B Section 18 to encompass training, drills, and exercises specific to cybersecurity. Such cyber-specific requirements do not presently exist. Section 9 of the IAPH guidelines provides useful examples. Also, Member States might consider amending Section 15 of Part A and Part B to expressly require a cybersecurity assessment based on the factors in the IAPH’s model. The cybersecurity assessment would be separate from and a complement to the facility security assessment already required by Section 15 of the code.

Another adjustment to the ISPS Code worth earnest consideration is a change to Section 16 of Part A and Part B to require port facilities to prepare and governments to approve distinct cybersecurity plans. The IAPH provides a model as a baseline. Like the cybersecurity assessment, the cybersecurity plan would be an independent document, a supplement to the already required facility security plan. These are just a few examples of potential ISPS Code adjustments that can be used to effectively incorporate the work of the IAPH into international law.

In a 2020 Port Community Cybersecurity Note, the IAPH seems to recognize a need to amend the code. In chapter five of the note, the IAPH insightfully concludes “that the role of the [Port Facility Security Officer] must evolve to encompass cyber security… rather than being focused purely on physical threats.” Arguably, because the Port Facility Security Officer’s role is controlled by the ISPS Code, it follows that to evolve this role IMO Member States must evolve the code. Moreover, the IAPH seems to recognize that any adjustments should be comprehensive. As it asserts in the 2020 note, due to the “unpredictability and everchanging [sic] nature of cyber threats… a limited or partial approach probably will not suffice.”


The IMO’s MSC meets the first week of October. The IAPH provided the MSC with fully developed port facility cybersecurity guidelines and asked the MSC to consider them. This invitation should be dutifully accepted and used as a springboard to enact IMO standards internationally. The cyber threats and vulnerabilities are well known and expected to multiply with ongoing digitalization across the MTS. The time is ripe for IMO Member States to act. When they meet next week, they should build on the IAPH’s momentum and start the process to amend the ISPS Code, with strongest consideration given to mandating regular cybersecurity assessments and distinct cybersecurity plans.

Commander Michael C. Petta, USCG, is the Deputy Chair, the Director for Maritime Operations, and a professor of international law at the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the U.S. Department of Homeland Security, the U.S. Navy, the Naval War College, or the U.S. Department of Defense.

Featured Image: Container ship Houston Express in Hamburg, Germany. (Credit: Prosertek)

The IMO’s 2021 Cyber Guidelines and the Work that Remains to Secure Ports

By CDR Michael C. Petta


The coming of a new year often holds promise for the future. With the coronavirus pandemic dominating center-stage last year, many have their eyes keenly focused on new beginnings with the start of 2021. For some in the maritime industry, especially owners and operators of commercial vessels involved in international trade, 2021 brings a new set of guidelines for protecting vessels—the International Maritime Organization’s (IMO) guidelines on maritime cyber risk management.

These new guidelines, a milestone for maritime safety and security, are the product of collaboration and hard work among shipping industry leaders and IMO Member States. Some in the shipping industry consider this development to be game changing. Whether game changing or not, implementation of this new model is a vital step toward forging a uniform approach for combating cyber threats against vessels.

Notably, however, the 2021 guidelines leave an equally vital, and maybe just as vulnerable, part of the shipping industry—port facilities—without a similar set of principles. Now that the IMO’s vessel guidelines are in the implementation phase, Member States and maritime industry leaders should again prioritize cybersecurity and collaborate at the IMO to develop uniform cybersecurity standards for port facilities.

The IMO and International Maritime Regulation

Before exploring the need for port facility cybersecurity standards, it may be useful to review the IMO’s role in developing international regulations. In 1948, the Member States of the United Nations created the Inter-Governmental Maritime Consultative Organization (IMCO), renamed the IMO in 1982, to facilitate global cooperation on the regulation and practices of shipping engaged in international trade. The IMO’s goal is to ensure safe, secure, and sustainable shipping, facilitating trade and friendly relations among all states. Because shipping is historically and inherently an international endeavor, the IMO depends on and promotes cooperation among its 174 Member States to build uniform regulations that support this essential goal. The IMO construct has remained durable and inclusive since its inception.

Few maritime regulatory regimes exemplify the IMO’s impactful work across the globe more than the International Convention for the Safety of Life at Sea (SOLAS). SOLAS is a treaty from the early 1900s drafted in response to, among other things, the infamous sinking of the RMS Titanic. After its initial adoption in 1914, SOLAS further evolved via multiple conventions over many years with the last convention adopted in 1974. Consequently, the treaty is commonly referred to as SOLAS 1974.

In general terms, SOLAS establishes minimum safety standards related to ship construction, equipment, and operation. Countries party to the treaty ensure vessels under their flags comply with SOLAS’s terms by way of nationally administered certification programs. At the time of this writing, 166 countries, representing about 99 percent of the world’s shipping tonnage, were contracting parties to SOLAS 1974.

Although the last SOLAS convention was adopted in 1974, the treaty has been amended various times since then via the IMO’s “tacit acceptance” procedures. And like SOLAS itself, these amendments often followed tragedy, such as when the International Safety Management (ISM) Code was added as a chapter of SOLAS after a 1987 ferry accident in Belgium killed nearly 200 people. Because casualty investigators found the company’s poor safety culture contributed to the accident, IMO Member States developed the ISM Code, a global safety management standard, to combat what one investigator called the “disease of sloppiness” on ships and ashore. Entering into force in 1998, the ISM Code has made “shipping safer and cleaner” for more than two decades.

The IMO’s 2021 Cyber Guidelines

The ISM Code serves as the foundation upon which IMO Member States have built the 2021 guidelines for cyber risk management. The guidelines were set out in 2017 via three key declarations. First, in Resolution MSC.429(98), Maritime Cyber Risk Management in Safety Management Systems, the IMO affirmed the view that the ISM Code already requires mitigation of cyber risks. Under this view, cyber risk management is already encompassed in the code’s existing general requirement that companies establish safeguards against all risks to ships, personnel, and the environment.

Resolution MSC.429(98) also contains a second important declaration. In it, the IMO encouraged countries to “appropriately address” this preexisting requirement no later than January 1, 2021. Put in more practical terms, now that the anticipated deadline for IMO’s cyber guidelines has arrived with the start of this new year, the IMO encourages Flag States not to issue compliance documents to vessels if cyber risks are not appropriately addressed in the respective safety management system.

The third important IMO declaration is in a July 2017 circular, in which the IMO announced that its Maritime Safety Committee (MSC) and its Facilitation Committee jointly approved specific cyber risk management guidelines. Member States developed these non-mandatory guidelines in partnership with shipping industry leaders to promote compliance with the aforementioned preexisting ISM Code requirement to mitigate cyber risks. In the July 2017 circular, the IMO recommends vessels and Flag States utilize the guidelines during compliance checks to assess whether cyber risks have been appropriately addressed.

As a risk management regime, the ISM Code is expected to adapt well to the management and mitigation of cyber risks. Government officials and maritime industry leaders, with roughly 18 years of ISM Code practice behind them, are expected to rise to the challenge of applying the code in the emerging cyber arena. Moreover, by identifying in the ISM Code a preexisting, albeit seemingly dormant, cyber requirement and then complementing that requirement with non-binding industry guidelines, Member States avoided the lengthy process of amending SOLAS 1974 and the ISM Code.

This is all to say, harnessing the ISM Code’s risk management framework to mitigate cyber threats was an efficient approach. In 2021, Flag States will begin to utilize this approach and work toward global uniformity.

The Work that Remains to Secure Ports

SOLAS 1974 has been amended numerous times, often to implement subsidiary regulations such as the ISM Code. Another subsidiary regulation within SOLAS is the International Ship and Port Facility Security (ISPS) Code, the IMO’s comprehensive mandatory security regime developed after a different tragedy—the 9/11 attacks. Interestingly, as the IMO’s new model for addressing cyber threats was being considered, the MSC reported, via MSC 97/22, that some Member States felt ISPS might be more suitable for addressing cyber threats. Nonetheless, seemingly moved by the United States’ 2017 assertion that the ISM Code’s “application is sufficiently wide to include emerging risks associated with cyber-enabled systems,” the IMO chose to harness the ISM Code, not ISPS, to promote global maritime cyber standardization.

While tapping into the ISM Code’s wide framework was efficient, such resourcefulness also came with a major limitation. Unlike the ISPS Code that covers certain ships and the port facilities that serve them, the ISM Code, even with its broad risk management concepts, applies only to vessels. This limitation means owners and operators of port facilities around the world will not reap the protective benefits realized with 2021’s implementation of IMO’s new cyber guidelines.

Port facilities play a vital role in global trade and rely heavily on technology to operate. As the May 2020 incident at Iran’s Shahid Rajaee port terminal demonstrates, a cyberattack at a port facility can be crippling. Since 2017, each of the four biggest maritime shipping companies in the world has been the victim of a cyberattack, with a recent attack taking place only a few months ago in September 2020. Considering these events, one should have no doubt that port facilities across the globe are presently vulnerable to cyber threats, and the potential that these vulnerabilities will be exploited is undeniably real.

With the reality of cyber threats in mind, Member States and maritime industry leaders should collaborate at IMO to develop uniform cybersecurity standards for port facilities, just as they did to protect vessels. Coincidentally, in 2016 the Islamic Republic of Iran offered this exact proposal to the MSC. In MSC 97/4, Iran stressed the critical need for cyber risk management guidelines specific to ports. This proposal, somewhat prophetically considering the 2020 events at the Port of Shahid Rajaee, underscored the serious consequences a cyberattack could have on a port and on critical infrastructure.

While the MSC did not act on Iran’s proposal, in December 2016 the MSC expressly thanked Iran for its recommendation and “invited interested Member States to submit a proposal” for consideration at a future MSC session. No record has been found that any Member State has submitted such a proposal. Now is the time for Member States to accept the invitation.


The IMO’s guidelines for managing cyber risks on vessels are a key development for the shipping industry. Flag States and shipping companies worldwide now have an industry-sponsored framework from which to recurringly assess cyber safeguards on ships. There is more work to be done, however, to appropriately protect the rest of the maritime transportation system. Like Flag States and their vessels, Port States and their ports require guidelines to ensure cyber risks are uniformly addressed at maritime facilities. With 2021 finally ushering in cyber standards for vessels, now is the time for Member States, in partnership with the maritime industry, to assemble at the IMO and develop similar standards to secure ports across the globe.

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

Featured Image: CMA CGM’s Benjamin Franklin at the Port of Los Angeles, December 26, 2015. (Photo via Wikimedia Commons)