Category Archives: Cyber

In Cyberspace, No One Can Hear You Bluff

By Captain Tuan N. Pham, U.S. Navy

General Paul Nakasone – Commander, U.S. Cyber Command (USCC) and Director, National Security Agency (NSA) – asserts that “traditional military deterrence is binary in regard to conflict and a deterrence model…does not comport to cyberspace where much of the nefarious cyber activity plays out non-stop in an ambiguous strategic gray zone.” While this article agrees with the “futility of totally deterring adversaries from operating in cyberspace and instead actively disrupting those activities before they can inflict damage,” it respectfully disagrees that traditional deterrence is binary and that the rules of traditional deterrence do not hold in cyberspace.

Deterrence centered around domain denial is neither desirable nor sustainable. Hindering access to cyberspace is not consistent with the enduring American values of individual liberty, free expression, and free markets. This encumbered access also runs counter to the U.S. national interest of protecting and promoting internet freedom to support the free flow of information that enhances international trade and commerce, fosters innovation, and strengthens both national and international security; and the universal right (global norm) of unfettered free access to and peaceful use of cyberspace for all. Restricting access to cyberspace is also not practical considering the cost to operate in cyberspace is modest, the barriers to entry low, and the ease of operating negligible. 

Deterrence, the “prevention of action by either the existence of a credible threat of unacceptable counteraction and/or belief that the costs of action outweigh the perceived benefits,” is more complicated and nuanced than a simple binary response of yes or no. Deterrence can create a delay or pause for transitory maneuvering space to mitigate the effects of the threat action, or better yet, take preemptive or preventive measures to disrupt (neutralize) the threat action. Deterrence, like warfighting (war), involves universal and immutable “human nature” that does not change over time or across nationality, demographic, culture, geography, and domain. Rational actors choose to act or not to act based on fundamental “fear, honor, and interest (Thucydides)” and are deterred to act or not to act by real or perceived “capability, intent, and credibility (deterrent triad).” Additionally, as Henry Kissinger once noted, “deterrence is a product of capability, intent, and credibility and not a sum…if any one of them is zero, deterrence fails.” Washington accordingly must do more and do better to ensure each factor succeeds as an aggregate deterrent triad for increased integrated deterrence, decreased strategic risk, greater strategic alignment, and lesser likelihood of conflict across all the interconnected and contested domains.

Deterrence works best when it is clear, coherent, uniform, and complementary across the fluid competition continuum (steady state to crisis to conflict); expansive instruments of national power (diplomatic, information, military, economic, financial, intelligence, and law enforcement – DIMEFIL); and interconnected and contested domains (physical and nonphysical) for strategic consistency, operational agility, and tactical flexibility. Last year in an article titled “In Space, No One Can Hear You Bluff,” this author made the policy case for a more active space deterrence to better manage the growing threats to the vulnerable U.S. high-value space assets. This article makes the same policy case now for a more active cyber deterrence to better address the exigent factors of time, space, and force in cyberspace. An attack in cyberspace can come from anyone, occur anywhere, and happen anytime with no warning to react and no opportunity to respond – an increasingly real risk as the ongoing Russian invasion of Ukraine persists and President Putin becomes more impatient and desperate for victory while becoming at risk of dangerously perceiving a shift in U.S. policy from conflict containment (vertical and horizontal) to conflict escalation, or worse, regime change.

More Active Cyber Deterrence

Despite a considerable arsenal of sophisticated offensive and defensive cyber capabilities, American political and military systems still struggle at times with inconsistent strategic communications and a dogged credibility gap. The new deterrent framework in cyberspace must therefore focus more on communicating clear intent and building enduring credibility through redlines, deterrent language, and cross-domain options to impose further costs, deny added benefits, encourage greater restraints, and better control the narratives.


Declaratory redlines make clear the unwanted risks, costs, and consequences of specific actions. They are an important way to influence an adversary’s risk perception and rational calculus, lower the likelihood of misunderstanding, and encourage restraint. They also outline the conditions of and willingness to inflict unacceptable retaliatory damage or destruction. U.S. policymakers should therefore “privately” reinforce to strategic competitors (and potential adversaries) the deterrent public statements contained in the 2018 National Cyber Strategy (NCS), 2021 Interim National Security Strategic Guidance (INSSG), 2022 National Defense Strategy (NDS), and (anticipated) forthcoming National Security Strategy (NSS). U.S. law enforcement officials should likewise continue to “publicly” warn cyber criminals of egregious illicit cyber acts. In doing so, they should make it clear to both state and non-state threat actors that any cyber attack or cyber act that threatens U.S. national security interests, U.S. economic prosperity, and U.S. political stability is unacceptable and will be met with severe and disproportionate consequences for them. If they attack or act, they should not expect a proportionate response. They should expect prompt and devastating force that will cause retaliatory damages much greater than what they intended to inflict. This clear warning should have the effect of causing malicious cyber actors to think twice before acting and consider that the real costs may be much greater than any intended benefits.

For cyber powers like China and Russia, it should be made unequivocally clear that any cyber attack on critical military space systems – missile warning, command and control of nuclear forces, and positioning, navigation, and timing – is an act of war and will be dealt with accordingly. Doing so interlocks the 2020 National Space Policy with the 2018 NCS, both of which acknowledge the imperative of, and call for, improvements to space cybersecurity. Like any other increasingly digitized and networked critical infrastructure, space-based and ground-based space systems and their communication links are vulnerable to cyber attacks. A future space conflict will undoubtedly involve cyber attacks, and conversely, a future cyber conflict may also involve space attacks.

Policymakers should also declare a more assertive and explicit redline [for cyberspace] consistent with the extant public redline in the interconnected and contested space domain. The 2018 National Space Strategy and 2020 National Space Policy unambiguously declared that “any harmful interference with or attack upon critical components of our space [cyberspace] architecture that directly affects this vital interest will be met with a deliberate response at a time, place, manner, and domain of our choosing.” The 2020 Defense Space Strategy forcefully reasserted the White House redline, stating that “the United States will deter aggression and attacks in space [cyberspace] and, if deterrence fails, be capable of winning wars that extend into space [cyberspace].”

Some may contend that redlines only work against rational state actors. Non-state actors are not always rational, confidently hiding behind their anonymities like some state actors hiding behind their notions of sovereignty, and consequently are not easily deterred by redlines. However, this article puts forth the argument that both actors are rational thinkers governed by rational thinking driven by varying nuances of elemental “fear, honor, and interest.” State actors are more impelled by power (statecraft), while non-state actors are more motivated by money (business). Both have pressure points (critical vulnerabilities) related to fear and interest that are predisposed to deterrent actions.

Others might argue that Chinese and Russian nefarious cyber activities below the threshold justifying a traditional military response persist unabated despite the best deterrent efforts by the United States and international community. So why and how would redlines deter these continued gray zone operations in cyberspace? The short answer is that redlines are not necessarily only intended to deter threat actors from operating in the gray zone but to also deter them from escalating beyond the gray zone. For now, Beijing and Moscow appear disinclined to escalate beyond the gray zone since they have a perceived advantage in cyberspace and may not want to invite the increased strategic risk. Redlines help maintain the unsatisfying status quo.

Still others, like Secretary of Defense Lloyd Austin, argue that it is “never a good idea to publish destabilizing redlines because they inflame tensions, inadvertently provoke reactions, and back policymakers into corners.” While this article agrees that redlines should not be made if one is not able and willing to carry them out, it respectfully disagrees that they are inherently destabilizing. Instead, this author contends that “credible” redlines demonstrate stabilizing political will if the deterrent language is consistently followed up with deterrent action when called to do so as evidenced by contemporary history.

In 2012, the Obama Administration warned Syria that the use of chemical weapons would draw U.S. retaliation. A year later, Washington did not follow through when Damascus disregarded that warning and launched chemical attacks on Syrian civilians. Although the reasons for President Obama’s policy change are complex, the net result was a perception that the administration backed down, and in deterrence, perception is reality. The Syrian regime did not believe the U.S. red line credible, despite the United States having more than enough DIMEFIL capabilities to threaten and undermine Syria’s national interests. When Syria again conducted chemical attacks on its citizens in 2017, Damascus encountered a much different U.S. response from the Trump administration. A U.S.-led coalition promptly launched punitive missile strikes against Syrian military targets and expanded U.S. military presence and activities in Syria. By the end of that year, President Trump released a new NSS, announcing that the United States would place U.S. national interests first and would not hesitate to protect and advance them. Washington followed up the bold words with bold actions through the maximum pressure campaigns against Pyongyang and Tehran, a trade war with Beijing, sanctions against Moscow, and the killing of Iranian General Soleimani. All in all, the say-do mismatch should be eschewed in favor of consistent words and actions, both of which matter in deterrence.

Deterrent Language

In cyberspace just like in space, offensive dominance scales up, which means “a power that strikes aggressively should be, in theory, able to get the upper hand, or at least get the greatest possible use of whatever offensive space [cyber] capabilities it has invested in.” There is therefore deterrent value to explicitly stating the willingness to use tactical cyber preemption and active cyber defense to keep all deterrent options on the table against all state and non-state actors that threaten U.S. national interests in cyberspace. Tactical cyber preemption employs cyber power to deny a specific outcome, by attacking potential or imminent cyber threats before they can be employed or disrupting possible or looming illicit cyber acts before they can be initiated. Active cyber defense is the interception and disruption of an imminent cyber attack before it reaches its intended target or a looming cyber act before it actualizes. When combined with proven offensive and defensive cyber capabilities and credible redlines, the threat of tactical cyber preemption and active cyber defense can give additional pause to a state actor contemplating a first cyber strike or a cyber criminal considering an illicit cyber act.

China, a strategic competitor (national security imperative) and major cyber threat to U.S. national interests, serves as a deterrent exemplar. The People’s Liberation Army’s (PLA) warfighting doctrine favors surprise and deception when conditions warrant. Hence, the United States should take active steps to introduce elements of doubt and uncertainty into the Chinese Communist Party’s (CCP) decision-making and discourage the PLA from acting on real or perceived advantageous political-military conditions. The CCP and PLA should be reminded of Sun Tzu’s famous dictum: “If not in the interests of the state, do not act…If you cannot succeed, do not use force.” In essence, this means not risking initiating a cyber conflict that one cannot win or that may result in a pyrrhic victory.

Some contend that cyber criminals are not easily deterred by deterrent language. Cyber criminals stay anonymous and nondescript in cyberspace, assured that they can overcome any cybersecurity measures while staying below the radar of state actors and avoiding state actions. Instead, the U.S. should take away their assurance by strengthening cybersecurity and operating more and deeper in “white (neutral)” cyberspace (persistent engagement) to increase the likelihood of attribution, disruption, and if needed, retaliation. This also necessitates encouraging and supporting the private sector to do the same by promoting, for example, more corporate cyber activities from the likes of Microsoft. Microsoft seizes domain servers used by hackers in China and leads industry-wide efforts to disrupt Russian cyber attacks. 

Cross-Domain Options

Responses need not be limited to the same domain as the provocation. They can occur in another domain or across multiple ones. The dilemma for the United States is where, when, and how best to deter, and if deterrence fails, where, when, and how best to respond. U.S. policymakers and defense planners should prepare a broad set of flexible and dynamic cross-domain responses to the threat of cyber attack or the cyber attack itself in accordance with the 2018 NCS, 2021 INSSG, 2022 NDS, and (anticipated) forthcoming NSS.

Some might contend that cross-domain actions are destabilizing and will escalate a crisis. This argument diminishes as Washington fully commits and prepares to respond in kind or over-respond to make a deterrent point. Future conflicts will be transnational, multi-functional, and multi-domain. Cross-domain deterrence is therefore the best policy option for the interconnected and contested battlespaces now and into the future.

Others still argue that cross-domain actions risk pushing state actors (and cyber powers) like China and Russia over an invisible red line drawn by “fear, honor, and interest.” To mitigate this strategic risk, the United States must retain escalation dominance, freedom of movement, and strategic initiative to impose its will on Beijing and Moscow. As Sun Tzu said, “the clever combatant imposes his will on the enemy but does not allow the enemy’s will to be imposed on him.” Washington should therefore holistically impose costs, deny benefits, encourage restraints, and control the narrative so that the only acceptable strategic calculus for Beijing and Moscow is to not initiate or escalate conflict in cyberspace.

Selective Disclosure

Selectively disclosing cyber capabilities and intent amplifies the deterrent effects of redlines, deterrent language, and cross-domain options. Decisions about what, when, how, and for how long to reveal or conceal play an important role in active cyber deterrence. In certain circumstances, cyber capabilities should be disclosed to targeted audiences to sow doubt and uncertainty, encourage restraint, and reassure allies and partners. In other circumstances, strategic ambiguity may be more advantageous with regards to the exact nature, scope, and extent of intended cyber actions. An adversary does not need to know what, how, when, and where the United States would act, only that it can and would do so. Nevertheless, the question of how Washington can gain the deterrent benefits of selective disclosure while maintaining operational and information security is a crucial one moving forward. Similarly, it is also worth thinking about how to selectively reveal or conceal cyber capabilities to induce favorable threat responses, such as the expenditure of resources on U.S. defensive efforts or countermeasures in cyberspace.

Strategic Deterrent Alignment

Like space deterrence, the character of cyber deterrence may change over time, but the nature of cyber deterrence remains constant. The United States should therefore strengthen the deterrent triad of capability, intent, and credibility by defining redlines, declaring a willingness to fight in cyberspace preemptively or preventively, and threatening to respond (or responding) proportionately or disproportionately not just in cyberspace but in any or all domains for strategic deterrent alignment across the fluid competition continuum, expansive instruments of national power, and interconnected and contested domains.

Captain Pham served at NSA and USCC (plank owner), and completed a fellowship at JHU/APL working on cyber and space issues. The views expressed here are personal and do not reflect the positions of the U.S. Government or U.S. Navy.

Featured image by DKosig/Getty Images

Port Cybersecurity: Incorporating the IAPH’s New Guidelines into the ISPS Code

By CDR Michael C. Petta


Port industry leaders recently submitted cybersecurity guidelines to the International Maritime Organization (IMO) for consideration. The IMO Member States should seize this opportunity and amend the International Ship and Port Facility Security (ISPS) Code to enact cybersecurity standards for ports and port facilities. Specifically, IMO Member States should amend the code, using the new industry guidelines as a model, to require port facilities to conduct regular cybersecurity assessments and develop distinct cybersecurity plans.

The IAPH’s Cybersecurity Guidelines for Ports and Port Facilities

Earlier this month the International Association of Ports and Harbors (IAPH), a trade association representing ports across the globe, announced the publication of cyber guidelines for ports and port facilities. With help from the World Bank, the IAPH developed these cybersecurity guidelines to mitigate, according to the publication’s executive summary, “the top risk for port authorities and the wider port community.” A review of the extensive list of cyber incidents occurring over the past year, as compiled by the Center for Strategic and International Studies, reinforces the IAPH’s view that cyberattacks are a preeminent global threat. Recently in a speech at the United Nations, President Biden recognized the immediacy of that risk, emphasizing the importance of “hardening our critical infrastructure against cyberattacks” and establishing “clear rules…for all nations as it relates to cyberspace.” Needless to say, the IAPH guidelines are a welcome move toward a nearly decade-old aspiration to improve cybersecurity resilience in the maritime sector.

The IAPH’s recent work toward cyber resiliency is not the only 2021 cyber milestone in the maritime transportation sector. Rather, at the start of the year the IMO’s guidelines for maritime cyber risk management, although adopted almost four years earlier, came into effect for parts of the Maritime Transportation System (MTS). It is no coincidence these two sets of guidelines emerged the same year. Indeed, the IAPH’s guidelines are a necessary consequence of the IMO’s because the earlier set, in fact, does not cover port facilities. Port leaders had no choice but to fill the gap, and they did so quickly.

The IAPH did more than jump into the breach. It also coordinated its effort with the IMO. This substantive coordination is evident in two 2021 submissions to the IMO’s Maritime Safety Committee (MSC). In MSC 103/92 of March, the IAPH, recognizing the port facility gap, stressed that “ports and port facilities would benefit” from a framework akin to that applied to vessels earlier in the year. The IAPH was motivated by cyber risks it considers to be “the most significant threats for ports today,” citing a “fourfold increase in cyberattacks in the maritime industry” over a four-month period last year. Equally motivating was an expected intensification of cyber threats from accelerated port digitalization, an ongoing modernization effort triggered by, inter alia, the coronavirus pandemic.

Driven by these long-standing and mushrooming risks, the IAPH declared to the MSC its intention to develop “a single comprehensive set of guidelines customized for Ports and Port Facilities.” Impressively, just four months later, via MSC 104/7/1, the IAPH reported completion of its work—the IAPH Cybersecurity Guidelines for Ports and Port Facilities.

The 73-page guide contains many valuable cybersecurity measures and instructs facility operators on many topics fundamental to security in the cyber domain. These include management buy-in, personnel training, risk assessment, proper staffing, threat detection, and incident response. While this article does not intend to explore each provision in depth, highlighting a few features is useful for illustrating the guidelines’ utility. For example, the guide expressly endorses port facilities conducting unique cybersecurity training, drills, and exercises. Also, it encourages facility operators to share cyber information with government regulators and industry partners. The guidelines further acknowledge the importance of planned cybersecurity incident response and reporting. Finally, and perhaps most importantly, the IAPH’s new guidelines favor port facilities conducting regular cybersecurity assessments and developing distinct cybersecurity plans.

To incorporate such measures into an international government framework, the IAPH asked the IMO to consider the new guidelines and measures at the next MSC session, which is scheduled to take place in the first week of October, next week.

Amending the International Ship and Port Facility Security Code

The IMO’s previous cyber guidelines, those adopted in 2017 and put into effect in 2021, were considered game changing. Certainly, they were a vital step toward a uniform approach for combating cyber threats in the shipping industry. Notably, IMO Member States relied on the International Safety Management (ISM) Code as the legal foundation for those guidelines. The ISM Code is a safety management system adopted in 1987 to help shipping industry leaders manage safety risks. Regardless of whether a safety management system is the best instrument for generally mitigating security threats, it is not the right tool for promoting cybersecurity at port facilities. This is because the ISM Code, fundamentally, applies only to ships, not port facilities.

Fortunately, there is an international instrument designed specifically to protect port facilities from attacks—the International Ship and Port Facility Security (ISPS) Code. Twenty years ago this month, subversive actors exploited vulnerabilities in the global transportation system and attacked civilian locations across the United States. The ISPS Code was developed in direct response to those attacks and has become the IMO’s “comprehensive mandatory security regime.” One of the code’s express objectives is to assess and detect “security threats to… port facilities… [and] to implement preventive security measures against such threats.” Ultimately, if IMO Member States intend to comprehensively secure port facilities against attacks from within the cyber domain, they must turn to the ISPS Code.

Even though the ISPS Code is the right tool to pull from the international toolbox, the instrument first needs calibrating. Indeed, the code’s existing, albeit implicit, cybersecurity provisions are soft law, non-binding instructive guidance that is unenforceable. Such soft cyber law makes port facilities soft cyber targets. Within the past few weeks, subversive actors backed by a foreign nation, according to the testimony of the Director of the U.S. Cybersecurity and Infrastructure Agency, breached servers and planted malicious code at a port facility in Houston, Texas. When discussing this recent breach, one cybersecurity expert predicted that such incidents would bring about a “much more regulatory” framework instead of the current “aspirational” model.

The ISPS Code has two parts: a mandatory Part A and a recommendatory Part B. Of note, there are no cybersecurity provisions, explicit or implicit, in Part A. Meanwhile, Part B hints at cybersecurity as it encourages port facilities to consider “radio and telecommunications equipment, including computer systems and networks” when they assess physical security vulnerabilities. Encouraging facilities to consider certain threats is a notable aspiration, but it is not a clear, enforceable cybersecurity rule. This is all to say, the ISPS Code, enacted for the specific purpose of preventing attacks on the MTS, is the right tool for the job, but to be an effective instrument against threats in the cyber domain, it must be amended.

Certainly, amending the ISPS Code will take careful consideration. One adjustment IMO Member States might consider is amending Part B Section 18 to encompass training, drills, and exercises specific to cybersecurity. Such cyber-specific requirements do not presently exist. Section 9 of the IAPH guidelines provides useful examples. Also, Member States might consider amending Section 15 of Part A and Part B to expressly require a cybersecurity assessment based on the factors in the IAPH’s model. The cybersecurity assessment would be separate from and a complement to the facility security assessment already required by Section 15 of the code.

Another adjustment to the ISPS Code worth earnest consideration is a change to Section 16 of Part A and Part B to require port facilities to prepare and governments to approve distinct cybersecurity plans. The IAPH provides a model as a baseline. Like the cybersecurity assessment, the cybersecurity plan would be an independent document, a supplement to the already required facility security plan. These are just a few examples of potential ISPS Code adjustments that can be used to effectively incorporate the work of the IAPH into international law.

In a 2020 Port Community Cybersecurity Note, the IAPH seems to recognize a need to amend the code. In chapter five of the note, the IAPH insightfully concludes “that the role of the [Port Facility Security Officer] must evolve to encompass cyber security… rather than being focused purely on physical threats.” Arguably, because the Port Facility Security Officer’s role is controlled by the ISPS Code, it follows that to evolve this role IMO Member States must evolve the code. Moreover, the IAPH seems to recognize that any adjustments should be comprehensive. As it asserts in the 2020 note, due to the “unpredictability and everchanging [sic] nature of cyber threats… a limited or partial approach probably will not suffice.”


The IMO’s MSC meets the first week of October. The IAPH provided the MSC with fully developed port facility cybersecurity guidelines and asked the MSC to consider them. This invitation should be dutifully accepted and used as a springboard to enact IMO standards internationally. The cyber threats and vulnerabilities are well known and expected to multiply with ongoing digitalization across the MTS. The time is ripe for IMO Member States to act. When they meet next week, they should build on the IAPH’s momentum and start the process to amend the ISPS Code, with strongest consideration given to mandating regular cybersecurity assessments and distinct cybersecurity plans.

Commander Michael C. Petta, USCG, is the Deputy Chair, the Director for Maritime Operations, and a professor of international law at the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the U.S. Department of Homeland Security, the U.S. Navy, the Naval War College, or the U.S. Department of Defense.

Featured Image: Container ship Houston Express in Hamburg, Germany. (Credit: Prosertek)

The IMO’s 2021 Cyber Guidelines and the Work that Remains to Secure Ports

By CDR Michael C. Petta


The coming of a new year often holds promise for the future. With the coronavirus pandemic dominating center-stage last year, many have their eyes keenly focused on new beginnings with the start of 2021. For some in the maritime industry, especially owners and operators of commercial vessels involved in international trade, 2021 brings a new set of guidelines for protecting vessels—the International Maritime Organization’s (IMO) guidelines on maritime cyber risk management.

These new guidelines, a milestone for maritime safety and security, are the product of collaboration and hard work among shipping industry leaders and IMO Member States. Some in the shipping industry consider this development to be game changing. Whether game changing or not, implementation of this new model is a vital step toward forging a uniform approach for combating cyber threats against vessels.

Notably, however, the 2021 guidelines leave an equally vital, and maybe just as vulnerable, part of the shipping industry—port facilities—without a similar set of principles. Now that the IMO’s vessel guidelines are in the implementation phase, Member States and maritime industry leaders should again prioritize cybersecurity and collaborate at the IMO to develop uniform cybersecurity standards for port facilities.

The IMO and International Maritime Regulation

Before exploring the need for port facility cybersecurity standards, it may be useful to review the IMO’s role in developing international regulations. In 1948, the Member States of the United Nations created the IMCO, which changed its name to IMO in 1982, to facilitate global cooperation with regulation and practices of shipping engaged in international trade. The IMO’s goal is to ensure safe, secure, and sustainable shipping, facilitating trade and friendly relations among all states. Because shipping is historically and inherently an international endeavor, the IMO depends on and promotes cooperation among its 174 Member States to build uniform regulations that support this essential goal. The IMO construct has remained durable and inclusive since its inception.

Few maritime regulatory regimes exemplify the IMO’s impactful work across the globe more than the International Convention for the Safety of Life at Sea (SOLAS). SOLAS is a treaty from the early 1900s drafted in response to, among other things, the infamous sinking of the RMS Titanic. After its initial adoption in 1914, SOLAS further evolved via multiple conventions over many years with the last convention adopted in 1974. Consequently, the treaty is commonly referred to as SOLAS 1974.

In general terms, SOLAS establishes minimum safety standards related to ship construction, equipment, and operation. Countries party to the treaty ensure vessels under their flags comply with SOLAS’s terms by way of nationally administered certification programs. At the time of this writing, 166 countries, representing about 99 percent of the world’s shipping tonnage, were contracting parties to SOLAS 1974.

Although the last SOLAS convention was adopted in 1974, the treaty has been amended various times since then via the IMO’s “tacit acceptance” procedures. And like SOLAS itself, these amendments often followed tragedy, such as when the International Safety Management (ISM) Code was added as a chapter of SOLAS after a 1987 ferry accident in Belgium killed nearly 200 people. Because casualty investigators found the company’s poor safety culture contributed to the accident, IMO Member States developed the ISM Code, a global safety management standard, to combat what one investigator called the “disease of sloppiness” on ships and ashore. Entering into force in 1998, the ISM Code has made “shipping safer and cleaner” for more than two decades.

The IMO’s 2021 Cyber Guidelines

The ISM Code serves as the foundation upon which IMO Member States have built the 2021 guidelines for cyber risk management. The guidelines were consigned in 2017 via three key declarations. First, in Resolution MSC.429(98), Maritime Cyber Risk Management in Safety Management Systems, the IMO affirmed a view that the ISM Code already requires mitigation of cyber risks. Per this view, cyber risk management is already encompassed in the code’s existing general requirement that companies establish safeguards against all risks to ships, personnel, and the environment.

Resolution MSC.429(98) also contains a second important declaration. In it, the IMO encouraged countries to “appropriately address” this preexisting requirement no later than January 1, 2021. Put in more practical terms, now that the anticipated deadline for IMO’s cyber guidelines has arrived with the start of this new year, the IMO encourages Flag States not to issue compliance documents to vessels if cyber risks are not appropriately addressed in the respective safety management system.

The third important IMO declaration is in a July 2017 circular, in which the IMO announced that its Maritime Safety Committee (MSC) and its Facilitation Committee jointly approved specific cyber risk management guidelines. Member States developed these non-mandatory guidelines in partnership with shipping industry leaders to promote compliance with the aforementioned preexisting ISM Code requirement to mitigate cyber risks. In the July 2017 circular, the IMO recommends vessels and Flag States utilize the guidelines during compliance checks to assess whether cyber risks have been appropriately addressed.

As a risk management regime, the ISM Code is expected to adapt well to the management and mitigation of cyber risks. Government officials and maritime industry leaders, experienced from roughly 18 years of ISM Code practice, are expected to rise to the challenge of applying the code in the emerging cyber arena. Moreover, by identifying in the ISM Code a preexisting, albeit seemingly dormant, cyber requirement and then complementing that requirement with non-binding industry guidelines, Member States avoided the lengthy process of amending SOLAS 1974 and the ISM Code.

This is all to say, harnessing the ISM Code’s risk management framework to mitigate cyber threats was an efficient approach. In 2021, Flag States will begin to utilize this approach and work toward global uniformity.

The Work that Remains to Secure Ports

SOLAS 1974 has been amended numerous times, often to implement subsidiary regulations such as the ISM Code. Another subsidiary regulation within SOLAS is the International Ship and Port Facility Security (ISPS) Code, the IMO’s comprehensive mandatory security regime developed after a different tragedy—the 9/11 attacks. Interestingly, as the IMO’s new model for addressing cyber threats was being considered, the MSC reported, via MSC 97/22, that some Member States felt ISPS might be more suitable for addressing cyber threats. Nonetheless, seemingly moved by the United States’ 2017 assertion that the ISM Code’s “application is sufficiently wide to include emerging risks associated with cyber-enabled systems,” the IMO chose to harness the ISM Code, not ISPS, to promote global maritime cyber standardization.

While tapping into the ISM Code’s wide framework was efficient, such resourcefulness also came with a major limitation. Unlike the ISPS Code that covers certain ships and the port facilities that serve them, the ISM Code, even with its broad risk management concepts, applies only to vessels. This limitation means owners and operators of port facilities around the world will not reap the protective benefits realized with 2021’s implementation of IMO’s new cyber guidelines.

Port facilities play a vital role in global trade and rely heavily on technology to operate. As the May 2020 incident at Iran’s Shahid Rajaee port terminal demonstrates, a cyberattack at a port facility can be crippling. Since 2017, each of the four biggest maritime shipping companies in the world has been the victim of a cyberattack, with a recent attack taking place only a few months ago in September 2020. Considering these events, one should have no doubt that port facilities across the globe are presently vulnerable to cyber threats and the potential that these vulnerabilities will be exploited is undeniably real.

With the reality of cyber threats in mind, Member States and maritime industry leaders should collaborate at IMO to develop uniform cybersecurity standards for port facilities, just as they did to protect vessels. Coincidentally, in 2016 the Islamic Republic of Iran offered this exact proposal to the MSC. In MSC 97/4, Iran stressed the critical need for cyber risk management guidelines specific to ports. This proposal, somewhat prophetically considering the 2020 events at the Port of Shahid Rajaee, underscored the serious consequences a cyberattack could have on a port and on critical infrastructure.

While the MSC did not act on Iran’s proposal, in December 2016 the MSC expressly thanked Iran for its recommendation and “invited interested Member States to submit a proposal” for consideration at a future MSC session. No record has been found that any Member State has submitted such a proposal. Now is the time for Member States to accept the invitation.


The IMO’s guidelines for managing cyber risks on vessels are a key development for the shipping industry. Flag States and shipping companies worldwide now have an industry-sponsored framework from which to recurringly assess cyber safeguards on ships. There is more work to be done, however, to appropriately protect the rest of the maritime transportation system. Like Flag States and their vessels, Port States and their ports require guidelines to ensure cyber risks are uniformly addressed at maritime facilities. With 2021 finally ushering in cyber standards for vessels, now is the time for Member States, in partnership with the maritime industry, to assemble at the IMO and develop similar standards to secure ports across the globe.

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

Featured Image: CMA CGM’s Benjamin Franklin at the Port of Los Angeles, December 26, 2015. (Photo via Wikimedia Commons)

Cybersecurity at Port Facilities: Making Rules Requires Rulemaking

By CDR Michael C. Petta, USCG

Following the September 11, 2001 attacks, the U.S. Coast Guard led the way on maritime security by shaping new international rules, national laws, and domestic regulations to protect maritime shipping and infrastructure. These changes set the standard in the global fight against threats to port facilities and served as the template for new regimes negotiated at the International Maritime Organization (IMO).

Yet in recent years, U.S. domestic regulations have not kept pace with the ever-expanding risks posed by emerging threats at sea—especially with cyber risks. As a result, American maritime infrastructure has become more vulnerable to disruptive and destructive threats in the cyber domain.

In February 2020, the U.S. Coast Guard published guidelines for port facilities to address these threats. The new guidelines were needed, but they are not enough. The U.S. Coast Guard should, to carry out its legal duty to safeguard the maritime transportation system, energize the domestic rulemaking process to adopt uniform and enforceable cybersecurity rules for maritime facilities.

The Port Facility Cyber Problem

Before turning to the need for U.S. Coast Guard rulemaking, it is important to underscore the problem at hand—cyber threats to port facilities are both significant and real. Unfortunately, the maritime industry remains unprepared. Scholars, industry leaders, and government officials have long sounded the alarm and repeatedly warned of threats, vulnerabilities, and adverse consequences associated with cyberattacks. These long-recognized risks persist, and they are likely to grow in the future as malicious cyber capabilities become more available as a low-cost tool to subvert commercial and governmental systems.

In 2011, the European Union (EU) studied the rising menace of cyber threats and the general lack of cybersecurity awareness in the maritime sector. Pointing to the disastrous consequences a significant cyber disruption would have on international trade, the study recognized an increasing need to secure maritime infrastructure. The EU study was validated in a 2017 IMO resolution, which expressly recognizes an “urgent need to raise awareness on cyber threats and vulnerabilities to support safe and secure shipping.”

For years, leaders in the United States have also warned of the growing cyber threat. Most prominently, former President Barack Obama cautioned in a 2013 Executive Order that “[r]epeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.” President Obama continued on to say that, “[t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” Four years later, Chairman of the U.S. House Committee on Homeland Security, Michael McCaul (R-Texas), explained during a field hearing that port facilities “find themselves in the crosshairs of international hackers and rogue nation-states,” and he declared that the United States “must do more to strengthen cybersecurity and these essential maritime hubs.”

Maritime agency officials have been similarly cautious. For example, the 2015 U.S. Coast Guard Cyber Strategy warns of “real and growing” cyber threats in the maritime community. Like the 2011 EU study, the U.S. Coast Guard Cyber Strategy explains that cyber disruptions in maritime trade could have serious consequences for local, regional, national, and global economies. To protect maritime transportation and reduce cybersecurity vulnerabilities, the Cyber Strategy avows to “incorporate cybersecurity into existing enforcement and compliance programs.”

Despite years of discourse, preeminent maritime officials continue to believe port facilities remain vulnerable to and unprepared for cyber threats. For example, in a March 2020 Federal Register Notice, the Commandant of the U.S. Coast Guard, Admiral Karl L. Schultz, offered warnings similar to those in the agency’s five-year-old Cyber Strategy. Admiral Schultz describes cybersecurity as “one of the most serious economic and national security challenges for the maritime industry.” More recently, during a September 2020 webinar on maritime security, Rear Admiral Mark H. Buzby, U.S. Navy (ret.), the Administrator of the U.S. Maritime Administration, acknowledged the longstanding struggle to resolve cybersecurity risks, explaining, “What has become quite apparent over the last several years is that [maritime cybersecurity] truly needs an operational focus… truly needs a strategic approach to a very vexing and growing problem.” Rear Admiral Buzby further explained that solving the problem of maritime cybersecurity “is absolutely vital not only to our economic security but really to our national security.”

The Physical Security Focus of U.S. Regulations

Even more enduring than the maritime cybersecurity problem is the U.S. Coast Guard’s resolve to protect the maritime transportation system, particularly following the tragic events of 9/11. After the terrorist attacks, the U.S. Coast Guard established new global maritime security requirements. Internationally, the requirements were expressed in the IMO’s International Ship and Port Facility Security (ISPS) Code. Domestically, the requirements were codified in the Maritime Transportation Security Act (MTSA) of 2002, which the U.S. Coast Guard implemented through regulations found in Title 33 of the Code of Federal Regulations (CFR). Developing and enacting such a comprehensive governance regime took herculean efforts and affirmed the U.S. Coast Guard’s leading role in safeguarding maritime facilities.

The 9/11 attacks generated the energy needed to establish comprehensive security laws and regulations. However, because of the kinetic nature of the attacks, the focus of these laws and regulations was largely limited to physical security measures designed to control access to facilities and to protect personnel and property from physical damage and harm. As one scholar wrote in 2013, the United States’ requirements could “loosely be summed up as guns, gates, guards, and identification cards.” In other words, when the ISPS Code, the MTSA of 2002, and the U.S. Coast Guard’s domestic regulations were authored, they did not address today’s cybersecurity challenges. Because cyber risks operate in a relatively new, non-physical domain, mitigating cyber risks calls for renewed energy and strategy.

Although the ISPS Code and MTSA regime do not openly contemplate cybersecurity, the U.S. Coast Guard has not been powerless to produce cyber standards. To the contrary, with the MTSA of 2002 and the Maritime Security Improvement Act (MSIA) of 2018, the agency’s power to regulate cybersecurity at port facilities is clear. Such authority could be used to modernize U.S. Coast Guard regulations and incorporate cybersecurity-centric rules into its enforcement and compliance programs. Rather than taking that authoritative step, the agency made a more subtle move in February 2020 by offering a modern cyber-centric interpretation of the agency’s 17-year-old regulations. Perhaps more should be done.

The Dormant Cyber Rule

The United States’ maritime facility security regulations, as implemented under the MTSA of 2002, reside in Part 105 of Title 33 of the CFR. As alluded to earlier, the word “cyber” is absent from these regulations. To some, this absence might indicate that U.S. Coast Guard regulations omitted cybersecurity. In its February 2020 Navigation and Vessel Inspection Circular (NVIC), “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, NVIC 01-20,” the U.S. Coast Guard announced a new interpretation of Part 105 in which it ostensibly takes the position that cybersecurity requirements were not omitted from Part 105—they were dormant.

A brief description of Part 105, entitled “Maritime Security: Facilities,” helps bring context to the seemingly latent cyber rules. The U.S. Coast Guard enacted Part 105 in October 2003 to harmonize domestic regulations with security measures adopted by the IMO (i.e., ISPS Code). Combining international requirements and existing domestic policy, Part 105 is extensive. It consists of five separate subparts, 54 individual sections, and just over 100 pages of regulatory text. Put plainly, Part 105 is the U.S. Coast Guard’s rulebook for security at U.S. maritime facilities.

A critical mandate in Part 105 is a requirement that port facilities periodically conduct a Facility Security Assessment (FSA). Generally, the FSA evaluates a facility’s threats, vulnerabilities, and protective measures in order to inform the development of a facility’s Facility Security Plan (FSP). The Facility Security Officer (FSO) is responsible for developing and implementing the FSP. When preparing the FSP, the FSO must analyze certain factors enumerated in Part 105. While Part 105 does not expressly require the FSO to consider cybersecurity vulnerabilities, among the listed factors the FSO is required to consider are “[m]easures to protect radio and telecommunications equipment, to include computer systems and networks.” This provision is the source of Part 105’s seemingly dormant cyber rules. In short, NVIC 01-20 interprets the provision on “radio and telecommunications equipment” to encompass cybersecurity because it uses the phrase “computer systems and networks.” Under this interpretation, Part 105 has required FSOs to assess and address cybersecurity vulnerabilities since it was enacted in 2003.

The Path Forward: Holistic and Affirmative Cyber Requirements

Recognizing this tacit cybersecurity provision is a meaningful step, but the dormant cyber provision recognized by NVIC 01-20 is too ambiguous and inoperative to embody the degree of governance sufficient to mitigate known cyber risks. The U.S. Coast Guard should explore whether it could do more to integrate cybersecurity into its maritime security regime. If the Service aims to better incorporate cybersecurity into existing enforcement and compliance programs, it could leverage domestic rulemaking to implement enforceable and uniform standards.

An FSO must consider measures to protect radio and telecommunications equipment, including computer systems and networks, when developing an FSP. Although this requirement seems clear at first, closer examination reveals an ambiguity that may confuse those trying to understand its scope and application. Considering how vital Part 105’s assessment requirement is to mitigate potentially catastrophic cyber threats, any amount of confusion is undesirable. Fortunately, ameliorating this confusion may be relatively easy.

As the U.S. Coast Guard recognizes in NVIC 01-20, the maritime industry presently uses cyber systems for various critical functions (e.g., administration, operations, engineering, safety, security, and navigation). IMO Guidelines on Maritime Cyber Risk Management also recognize that modern cyber systems are used for an array of Information Technology (IT) and Operational Technology (OT) purposes. The IMO considers this variety of cyber functions “essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment.” Of note, IMO’s 2017 guidelines identify “communication systems” as only one of the many types of cyber systems. Despite the variety of integral cybertechnologies, Part 105, on its face, implicates computer systems and networks used for just one purpose—radio and telecommunications. This is all to say, based on a plain reading of Part 105’s text, one may reasonably conclude that the FSO is only required to consider vulnerabilities with cyber systems used for communication, not cyber systems used to perform the variety of other critical IT and OT functions at maritime facilities.

Highlighting this ambiguity in Part 105 is more than an academic, textual critique. Doing so underlines a fundamental regulatory problem—a lack of clear standards—that undermines effective enforcement and compliance. This ambiguity is significant enough that Canada brought it to the attention of the IMO over five years ago and recommended an update to the ISPS Code.

The U.S. Coast Guard already has the authority to remedy enforcement and compliance problems brought on by the ambiguity in Part 105’s dormant cyber language. Through the domestic rulemaking process, the agency can amend Part 105 to create a distinct cybersecurity requirement that encompasses a variety of cyber systems. Coincidentally, in the MSIA of 2018, U.S. Congress provides a sample of a modern-day cyber requirement. Specifically, the MSIA, codified at 46 U.S.C. § 70103(c)(3), expressly requires FSPs to “include provisions for detecting, responding to, and recovering from cybersecurity risks…” and violating this rule subjects the facility to a civil penalty. This 2018 mandate in the law is clear and enforceable. Its express use of the common, up-to-date term “cybersecurity” without limiting itself to any one cyber system avoids any confusion caused by innovative interpretations. U.S. Coast Guard regulations could be amended to achieve a degree of clarity equal to that in the law.

Ambiguity aside, the dormant requirement recognized by the NVIC is also largely inoperative. As NVIC 01-20 states, although FSOs must assess and address cybersecurity vulnerabilities, the facility has discretion to decide how it identifies, assesses, and addresses those vulnerabilities. In light of this discretion, there is essentially no regulatory framework on which to base uniform enforcement and compliance decisions. The United States’ current port facility cybersecurity model is akin to a safe speed law that allows drivers discretion to set and clock their own speeds. This approach may be suitable for certain regulatory areas, but it is an insufficient approach for guarding against such a serious threat to the global economy and national security. Contrasting the quantity of effort expended governing physical security at ports with the meager scope of governance now envisioned for cybersecurity illustrates the point.

The kinetic attacks on 9/11 led to comprehensive rules, both domestically and internationally, on maritime physical security. Pioneering those rules took colossal effort by the U.S. Coast Guard. Today the agency has a similar opportunity with cybersecurity. Twenty years ago, Part 105 could have been distilled into a single line—FSOs must assess and address physical security vulnerabilities when developing FSPs. Obviously, the U.S. Coast Guard opted for a more comprehensive approach, choosing a holistic, affirmative governance model. This approach might be applied today to cybersecurity. There are too many contrasting examples of physical security requirements to list here, but a summary of Part 105’s Subpart B is useful.

Subpart B consists of 25 regulatory sections collectively entitled “Facility Security Requirements.” These sections contain, among other things, requirements on staff responsibilities; personnel knowledge and training; recordkeeping; physical searches; drills and exercises; controlling access; hiring employees; screening individuals; arming guards; designating restricted areas; policing grounds; equipment maintenance and testing; handling cargo; delivering stores; and receiving passengers, dangerous cargo, and barges. Importantly, across these requirements, Subpart B includes about 175 provisions unique to physical security.

As for cybersecurity, even with NVIC 01-20 on the books, existing regulations seemingly establish no explicit requirements. There are no unique cyber requirements related to staff responsibilities (e.g., security responsibilities of IT or OT personnel). Likewise, there are no distinct cyber training or knowledge requirements (e.g., requiring the FSO to be familiar with IT and OT terminology or requiring employees to take a basic computer hygiene course). There are no affirmative rules related to cyber drills, cyber exercises, or cyber recordkeeping. Unlike with systems used for physical security, there currently are no maintenance or testing requirements unique to IT or OT systems. Most importantly, in contrast with the unequivocal governance over elements fundamental to physical security (e.g., access controls, restricted areas, personnel screening), Part 105 is silent about any element associated with and tailored for effective cybersecurity programs.


Returning to the metaphor of the safe speed law, some might contend the current cyber model is not only akin to empowering drivers to set and clock their own speeds; it also affords them that discretion without requiring them to possess any driving experience, complete driver education classes, maintain or test vehicle systems, consult traffic reports, or obtain driver’s licenses.

Effective cybersecurity, in this age of pervasive and expanding cyber threats, benefits from holistic and explicit governance. Just as it did with physical security after the 9/11 attacks, the U.S. Coast Guard could again leverage the domestic rulemaking process to implement a clear, uniform, and more rigorous cybersecurity regime. In so doing, the U.S. Coast Guard would again be the standard-bearer, leading the way in the global fight to protect port facilities. 

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the views of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

Featured Image: Evergreen container ships in the port of Los Angeles (Wikimedia Commons)