The Unwitting Fleet

By Eva Prokofiev

Thousands of commercial and private vessels transit the world’s oceans daily, broadcasting their positions, passing voice and data traffic over satellite links that are frequently unencrypted and exploitable, and connecting to shoreside networks with minimal security. Adversaries do not need to build dedicated collection strategies when the commercial fleet already functions as a distributed sensor network, accessible to anyone with the technical capability and the intent.

The concept is not new. During the Cold War, the Soviet Union equipped commercial fishing trawlers with SIGINT and ELINT equipment, stationing them off U.S. naval bases to photograph and report the arrival and departure of warships.[1] These vessels – unremarkable in appearance and operating under legitimate commercial cover – functioned as auxiliary intelligence platforms. Today, the same logic applies at scale, except the commercial fleet no longer requires modification. The collection infrastructure is already installed.

In March 2025, a coordinated cyberattack disabled satellite communications across 116 vessels belonging to Iran’s state-owned shipping fleet.[2] Ship-to-shore links failed. Automatic Identification System (AIS) tracking went dark. Voice communications were compromised. The attackers – a group known as Lab Dookhtegan – had not targeted vessels individually. Instead, they compromised Fanava Group, an Iranian satellite and IT provider, gaining root-level access to the Linux systems running VSAT terminals across the National Iranian Tanker Company (NITC) and Islamic Republic of Iran Shipping Lines (IRISL) fleets simultaneously.[3] One provider, 116 vessels targeted, communications severed.

But before those communications were severed, the attackers had access to everything flowing through those systems – voice calls, data traffic, and real-time vessel positions around Bandar Abbas.[4] The attack was destructive, but the access that preceded it was an intelligence windfall. The incident demonstrated not merely that maritime communications are vulnerable, but that adversaries have recognized their intelligence value and are acting accordingly.

A Distributed Collection Network

The maritime sector’s digital transformation has created something unprecedented: a globe-spanning network of platforms that continuously radiate exploitable data while transiting areas of strategic significance. Modern vessels integrate VSAT terminals, Global Navigation Satellite Systems (GNSS), Automatic Identification Systems (AIS), Electronic Chart Display and Information Systems (ECDIS), closed-circuit television, access control systems, and multiple wireless networks. Many feature remote monitoring allowing shoreside engineers to access propulsion and machinery controls. Entertainment and administrative systems frequently share network infrastructure with systems necessary to safely operate a ship.

International Maritime Organization (IMO) Resolution MSC.428(98), adopted in 2017, requires cyber risk management within Safety Management Systems for vessels subject to the International Safety Management (ISM) Code.[5] Yet implementation remains uneven, enforcement mechanisms weak, and significant portions of the maritime domain fall outside mandatory frameworks entirely.

The Guidelines on Cyber Security Onboard Ships, produced by BIMCO and major industry associations, identify structural vulnerabilities persisting across the sector: “involvement of multiple stakeholders potentially resulting in lack of accountability for IT and OT system infrastructure,” “use of legacy systems that are no longer supported,” and “a cyber risk management culture that still has potential for improvement.”[6]

Technical management fragments among owners, management companies, and rotating crews. Classification society oversight focuses primarily on safety rather than cybersecurity. Port state control inspections rarely assess digital vulnerabilities. The result: a global fleet where vessels carry sophisticated communications equipment with considerably weaker protections than naval auxiliaries operating in the same waters.

The barrier to access is remarkably low. A security researcher used a publicly available search engine to locate a commercial vessel’s satellite communications system and access it using default credentials (admin/1234). No exploit, no malware, no supply chain compromise – only a web browser.[7]

From an adversary perspective, this represents not a problem but an opportunity. The collection infrastructure exists. Someone else maintains it. And access requires only the ability to exploit known vulnerabilities, or to bypass existing controls by less conventional means, whether on-site or entirely remotely.

Intelligence Streams Without Deployment

Traditional signals intelligence requires expensive platforms, trained personnel, and operational risk. The unwitting fleet offers an alternative: passive collection from commercial systems that operators voluntarily connect to exploitable networks.

Communications interception represents the most direct stream. VSAT systems transmitting unencrypted or poorly secured traffic expose telephone calls, emails, and data transfers. Passengers and crew accustomed to connectivity discuss sensitive matters assuming shipboard communications are private. The BIMCO guidelines acknowledge that VSAT signals are “vulnerable to exploitation using low-cost, off-the-shelf products.”[6] Encryption implementation remains inconsistent across the sector. The Lab Dookhtegan attack demonstrated that compromising a satellite provider’s infrastructure via a supply chain attack grants access not just to data traffic but to Voice over IP (VoIP) services – enabling interception or disruption of voice communications between vessels and shore.

Location and pattern-of-life data flows continuously without requiring any compromise at all. AIS transponders broadcast position, course, and speed by design. Voyage histories stored in navigation systems reveal movement patterns. Booking and cargo management platforms maintain detailed records accessible through compromised supply chains. For vessels carrying high-value individuals, government officials, or defense-connected personnel, this information enables precise tracking across jurisdictions. The Fanava breach confirmed attackers accessed real-time vessel positions around Bandar Abbas, demonstrating how a single intrusion escalates from communications disruption to full operational visibility.[4] This dynamic is not limited to commercial vessels. Just this month, March 2026, the French aircraft carrier Charles de Gaulle and its carrier group were tracked in near real-time through Strava fitness data from a sailor’s smartwatch — a textbook example of how commercially available consumer technology becomes unintentional intelligence infrastructure.
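To make concrete what “broadcast by design” means, the following is an added example (not code from the article or from any vendor): a minimal encoder and decoder for the AIS class A position report (ITU-R M.1371 message types 1 to 3) as it travels in an !AIVDM NMEA sentence. The MMSI and the anchorage coordinates are constructed for illustration. Two points the article makes fall out of the code directly: the fields are transmitted in the clear, so any $30 receiver that hears the sentence can recover identity, position, course and speed; and nothing in the format authenticates the sender, so the same encoder that a legitimate transponder uses can emit a fabricated track.

```python
"""AIS class A position report codec (ITU-R M.1371 types 1-3).

Added example, not code from the article. MMSI and coordinates in
demo() are constructed; the bit layout is the published one.
"""
from dataclasses import dataclass


@dataclass
class PositionReport:
    mmsi: int            # Maritime Mobile Service Identity, 30 bits
    lat: float           # degrees, north positive
    lon: float           # degrees, east positive
    sog: float           # speed over ground, knots
    cog: float           # course over ground, degrees true
    heading: int         # true heading, 511 = not available
    nav_status: int = 0  # 0 = under way using engine, 1 = at anchor


def _nmea_checksum(body: str) -> str:
    """XOR of every byte between '!' and '*', as two upper-case hex digits."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return f"{c:02X}"


def _armor(bits: str) -> str:
    """Pack a bit string into the 6-bit ASCII used by AIVDM payloads."""
    out = []
    for i in range(0, len(bits), 6):
        v = int(bits[i:i + 6].ljust(6, "0"), 2)
        out.append(chr(v + 48 if v < 40 else v + 56))
    return "".join(out)


def _unarmor(payload: str) -> str:
    bits = []
    for ch in payload:
        v = ord(ch) - 48
        if v > 40:
            v -= 8
        bits.append(f"{v:06b}")
    return "".join(bits)


def _field(value: int, width: int) -> str:
    """Two's-complement field of the given width."""
    return format(value & ((1 << width) - 1), f"0{width}b")


def _signed(bits: str) -> int:
    v = int(bits, 2)
    return v - (1 << len(bits)) if bits[0] == "1" else v


def encode_position_report(r: PositionReport) -> str:
    """Build a one-fragment !AIVDM sentence carrying a type 1 report.

    No signature or authentication exists in this format: whatever is
    placed in these fields is what every receiver in range will trust.
    """
    bits = (
        _field(1, 6) + _field(0, 2) + _field(r.mmsi, 30) + _field(r.nav_status, 4)
        + _field(-128, 8)                    # rate of turn: -128 = not available
        + _field(round(r.sog * 10), 10)      # 1/10 knot
        + _field(0, 1)                       # position accuracy flag
        + _field(round(r.lon * 600000), 28)  # 1/10000 minute, signed
        + _field(round(r.lat * 600000), 27)
        + _field(round(r.cog * 10), 12)      # 1/10 degree
        + _field(r.heading, 9)
        + _field(60, 6)                      # UTC second: 60 = not available
        + _field(0, 2) + _field(0, 3) + _field(0, 1) + _field(0, 19)  # manoeuvre, spare, RAIM, radio
    )                                        # 168 bits = 28 armored chars, no fill bits
    body = f"AIVDM,1,1,,A,{_armor(bits)},0"
    return f"!{body}*{_nmea_checksum(body)}"


def decode_position_report(sentence: str) -> PositionReport:
    """Parse a single-fragment !AIVDM sentence holding message type 1, 2 or 3."""
    if not sentence.startswith("!AIVDM,"):
        raise ValueError("not an AIVDM sentence")
    body, _, cksum = sentence[1:].partition("*")
    if _nmea_checksum(body) != cksum.strip().upper():
        raise ValueError("bad NMEA checksum")
    fields = body.split(",")
    if fields[1] != "1":                     # multi-fragment messages need reassembly
        raise ValueError("multi-fragment message not supported")
    bits = _unarmor(fields[5])
    msg_type = int(bits[0:6], 2)
    if msg_type not in (1, 2, 3):
        raise ValueError(f"message type {msg_type} is not a class A position report")
    return PositionReport(
        mmsi=int(bits[8:38], 2),
        nav_status=int(bits[38:42], 2),
        sog=int(bits[50:60], 2) / 10,
        lon=_signed(bits[61:89]) / 600000,
        lat=_signed(bits[89:116]) / 600000,
        cog=int(bits[116:128], 2) / 10,
        heading=int(bits[128:137], 2),
    )


def demo() -> tuple:
    """Constructed case: a bulk carrier at anchor in Hampton Roads (fictitious MMSI)."""
    ship = PositionReport(mmsi=366123456, lat=36.95, lon=-76.33,
                          sog=0.1, cog=123.4, heading=125, nav_status=1)
    sentence = encode_position_report(ship)
    return sentence, decode_position_report(sentence)
```

The only integrity mechanism in the sentence is the NMEA XOR checksum, which catches a corrupted character but says nothing about who sent it; a receiver that wants to distinguish a real transponder from a spoofed one has to correlate the report with something AIS itself does not provide, such as radar or signal direction-finding.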

Crew and passenger data constitutes targeting intelligence. Vessels routinely collect identification documents, travel histories, and contact details. Crew employment records, uploaded to recruitment agencies with minimal security, contain personal data exploitable for social engineering or direct approach. Cyber awareness training in the commercial maritime sector remains minimal. Exposure assessments have found crew credentials in breach databases, traced to documents uploaded years earlier to maritime employment platforms.

Physical proximity may be the least appreciated dimension. Commercial vessels routinely anchor near naval facilities, transit chokepoints, and call at ports hosting military ships. A vessel with compromised onboard systems positioned in these areas becomes a passive collection platform – whether operators recognize the condition or not.

The vulnerability of vessel navigation systems has been demonstrated directly. In 2013, University of Texas researchers used a $2,000 GPS spoofing device to covertly take control of an $80 million superyacht’s navigation system in the Mediterranean, diverting it from course without triggering any alarm.[8] If a research team can redirect a vessel using off-the-shelf equipment, an adversary can position a compromised vessel precisely where collection value is highest.

Consider a scenario: A commercial bulk carrier with compromised VSAT systems anchors in Hampton Roads awaiting berth assignment – within line of sight of Naval Station Norfolk. Its onboard Wi-Fi access point passively logs every wireless device in range, including phones carried by personnel on nearby piers. Its AIS receiver captures the movements of every naval vessel entering or departing. Its compromised satellite terminal provides an adversary with real-time access to the vessel’s communications and surrounding RF emissions. The crew is unaware. The operator is unaware. The adversary did not need to deploy a dedicated collection platform – the commercial fleet provided one.

This is not purely hypothetical. China has formalized this approach through its maritime militia. A 2025 Naval War College report documented that China embeds intelligence specialists – “information personnel” – aboard fishing and merchant vessels to collect data on foreign military vessels, transmitting intelligence directly to the PLA.[9] The Chinese government has installed BeiDou satellite systems with messaging capabilities on thousands of fishing boats for maritime surveillance.[10]

The critical difference between state-run programs and the unwitting fleet is intent. China’s maritime militia requires coordination, trained personnel, and exposure risk. The unwitting fleet requires none – the collection infrastructure is already deployed, maintained, and paid for by commercial operators.

Opportunities for collection extend beyond the vessel itself. Management companies, brokers, terminals, chandlers, and service providers all interface with vessel systems. The BIMCO guidelines warn that “lack of physical and/or cyber security at a supplier, vendor or service provider may result in a breach of corporate IT systems and/or corruption of ship OT/IT systems.”[6] A compromised vessel becomes an entry point into broader maritime and commercial networks.

The cumulative picture: adversaries can collect communications, track movements, harvest personal data, achieve physical proximity to sensitive facilities, and pivot into shoreside networks – all without deploying dedicated intelligence platforms.

Adversary Recognition of the Opportunity

Evidence suggests state and criminal actors recognize the maritime sector’s intelligence value – and are exploiting it with increasing frequency.

The Lab Dookhtegan attack used destructive commands to wipe storage partitions and disable the Falcon software central to Iran’s maritime satellite communications. The damage required physical replacement of hardware aboard affected vessels. Internal documents, network diagrams, and operational checklists were leaked.[3]

The Chinese state-sponsored group Mustang Panda has targeted cargo shipping companies in Norway, Greece, and the Netherlands, with malware discovered directly on cargo ship systems via USB-based infection.[12] The South Asian group SideWinder APT has targeted maritime facilities across Egypt, Djibouti, the UAE, Bangladesh, Cambodia, and Vietnam. At least a dozen advanced persistent threat groups targeted the maritime industry in the past year alone.[12]

Other incidents confirm the sector’s exposure. In 2023, Lürssen – a major European shipbuilder – suspended operations following a ransomware attack.[13] The same year, Brunswick Corporation reported losses of $85 million and nine days of disrupted operations from a cyber incident.[14] MarineMax, the world’s largest luxury yacht retailer, later disclosed that attackers in a March 2024 intrusion exfiltrated data on over 123,000 customers and employees – including financial information on high-net-worth individuals.[15]

The BIMCO guidelines explicitly identify the threat actor landscape: “states, state-sponsored organisations, and terrorists” motivated by “political/ideological gain, espionage, financial gain, commercial espionage, and industrial espionage.”[6]

Russia’s intelligence-collection vessel Yantar – operated by the Main Directorate of Deep-Sea Research (GUGI) – has been tracked surveilling undersea cables along Europe’s Atlantic coastline and operating near the U.S. submarine base at Kings Bay, Georgia.[16][17] While the Yantar is a purpose-built intelligence platform, its operations demonstrate the collection value of physical proximity to maritime infrastructure – the same proximity that thousands of commercial vessels achieve daily without attracting attention.

Monitoring of sanctioned vessels and those linked to specific state actors has shown how AIS data, satellite imagery, and port records synthesize into comprehensive surveillance. The same techniques available to journalists and compliance analysts are available to intelligence services. The defensive or proactive awareness within much of the maritime sector lags far behind the exposure.

Strategic Geography

The unwitting fleet operates precisely where intelligence collection carries greatest value.

The Mediterranean hosts dense vessel traffic intersecting NATO operations, Russian operations, and critical energy transit routes. Cyprus, Malta, and Gibraltar – significant flag states and frequent ports of call – sit at the intersection of multiple intelligence interests.

The Arabian Gulf and Red Sea see commercial traffic alongside critical energy infrastructure and ongoing naval operations. Vessels transiting these waters pass within range of state actors possessing demonstrated cyber capabilities and clear strategic motivations. The Iranian fleet targeted in March 2025 operated extensively in these waters – and the attackers’ access to AIS tracking data around Bandar Abbas underscores the intelligence value of maritime positioning in contested regions.

The Indo-Pacific presents expanding concerns as maritime activity increases alongside great power competition. The South China Sea, Malacca Strait, and waters surrounding Taiwan see commercial vessels operating in proximity to military activities – with minimal cybersecurity oversight. Chinese intelligence-collection vessels have been observed near Australia’s Naval Communication Station Harold E. Holt, a joint U.S.-Australian facility providing VLF communications vital for submarine operations.[18]

Unlike military vessels with communications security protocols, commercial craft frequently operate with default configurations, outdated software, and crews unfamiliar with threat indicators. They anchor in remote locations, utilize facilities with limited security infrastructure, and interface with vendors without proper verification of cybersecurity practices. The unwitting fleet transits sensitive waters daily – radiating data, accepting connections, and enabling collection.

Implications for Naval and Intelligence Communities

Recognizing commercial vessels as existing intelligence infrastructure – rather than merely vulnerable assets – suggests several considerations for naval, coast guard, and intelligence communities.

A natural limitation of the unwitting fleet as a collection platform is that commercial vessels move according to commercial schedules, not adversary requirements. An adversary cannot direct a container ship to remain anchored near a naval facility indefinitely. However, the density of commercial traffic in strategic waters means exploitable vessels are nearly always present in areas of intelligence value – and supply chain compromise of a single VSAT provider can deliver simultaneous access to hundreds of vessels, as the Fanava breach demonstrated.

Awareness and monitoring: Commercial and private vessels operating near defense installations or during significant events represent potential collection platforms, whether through deliberate compromise or passive exploitation of security gaps. Analytical frameworks should account for the intelligence value these vessels offer adversaries by default.

Industry engagement: Classification societies and flag states could strengthen cybersecurity certification and extend requirements across vessel categories. Organizations like BIMCO have established guidelines; what remains absent is meaningful incentive for adoption. U.S. Navy and Coast Guard engagement with maritime industry associations might encourage improved practices while building information-sharing relationships.

Supply chain assessment: The Lab Dookhtegan attack demonstrated that VSAT providers, navigation system manufacturers, and vessel management software companies constitute single points of failure. Compromise of one provider delivered access to 116 vessels simultaneously. Understanding the security posture of these suppliers – and the potential for similar attacks against providers serving allied commercial fleets – supports broader maritime domain awareness.

Information sharing: Much of the maritime sector operates outside established security frameworks. Integrating commercial vessel incident data into threat assessment would improve understanding of adversary capabilities and intentions in the maritime domain.

Exercise integration: Naval and coast guard exercises could incorporate scenarios involving compromised commercial vessel communications or adversary exploitation of maritime satellite infrastructure. The Iranian fleet incident provides a real-world template.

Conclusion

The maritime sector’s cybersecurity gaps are typically framed as a defensive problem – vessels at risk of attack, operations vulnerable to disruption. This framing, while accurate, is incomplete.

The unwitting fleet is not merely vulnerable. It is already functioning as adversary intelligence infrastructure. Thousands of vessels transit strategic waters broadcasting position, transmitting communications through exploitable links, and maintaining connections to shoreside networks – all without security adequate to the operating environment.

The commercial fleet provides positioning, sensors, and connectivity. Operators maintain the infrastructure and pay the bills. Collection requires only the will and skill to access what is already exposed.

A vessel does not need to be gray-hulled to present intelligence value – or strategic risk. Naval and intelligence communities attentive to military communications security should extend that awareness to the unwitting fleet operating every day on the world’s oceans.

Eva Prokofiev, former Israeli Military Intelligence Officer from a Special Operations Division with 15+ years in cyber and intelligence. Her work has been cited by the U.S. Army War College and various defense publications. She is the founder and CEO of EPCYBER and RedRadar Technologies, focused on intelligence and cyber for government, defense, and maritime sectors.

References

[1] “Spy ship,” Wikipedia. Soviet fishing trawlers were equipped with SIGINT and ELINT equipment and stationed off U.S. naval bases to monitor warship movements. https://en.wikipedia.org/wiki/Spy_ship

[2] Iran International, “Cyber group says it disrupted Iranian shipping communications,” March 18, 2025. https://www.iranintl.com/en/202503182119

[3] Cydome, “Lab Dookhtegan Cyberattack – Second Wave Findings (Aug 2025).” Lab Dookhtegan published leaked internal documents, network diagrams, and operational data from Fanava Group following the attack. https://cydome.io/lab-dookhtegan-cyberattack-second-wave-findings-aug-2025/

[4] Cydome, “Lab Dookhtegan cyber attack on Iranian oil tankers disrupts operations,” March 2025. Maps with real-time vessel positions around Bandar Abbas confirmed access to AIS tracking data, and control over ship-to-shore VOIP services enabled interception of voice communications. https://cydome.io/lab-dookhtegan-cyber-attack-on-iranian-oil-tankers-disrupts-operations/

[5] International Maritime Organization, Resolution MSC.428(98), “Maritime Cyber Risk Management in Safety Management Systems,” June 2017. https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf

[6] BIMCO et al., The Guidelines on Cyber Security Onboard Ships, Version 4, 2021. https://www.bimco.org

[7] Cyber Defense Magazine, “Cyber Attacks at Sea: Blinding Warships,” July 2020. https://www.cyberdefensemagazine.com/cyber-attacks-at-sea-blinding-warships/

[8] Todd Humphreys et al., University of Texas at Austin, “Researchers Successfully Spoof an $80 Million Yacht at Sea,” July 2013. https://news.utexas.edu/2013/07/29/ut-austin-researchers-successfully-spoof-an-80-million-yacht-at-sea/

[9] Conor M. Kennedy, “China’s Fishermen Spies: Intelligence Specialists in the Maritime Militia,” China Maritime Report No. 46, Naval War College, April 2025. https://digital-commons.usnwc.edu/cmsi-maritime-reports/46/

[10] Benar News, “China Turning South China Sea Supply Ships into Mobile Surveillance Bases,” April 2021. https://www.benarnews.org/english/news/philippine/surveillance-ships-04092021173155.html

[11] “Chinese Spy Ships Stalk U.S., Philippine and French Warships in South China Sea,” USNI News, April 2024. https://news.usni.org/2024/04/29/chinese-spy-ship-live-stalks-u-s-philippine-and-french-warships-in-south-china-sea-interrupts-live-fire-drill

[12] Cyble, “Cyber Threats Surge Against Maritime Industry in 2025,” July 2025. https://cyble.com/blog/cyberattacks-targets-maritime-industry/

[13] The Record, “German builder of yachts and military vessels hit by ransomware attack,” April 2023. Lürssen shipyard operations brought to a standstill by ransomware attack over Easter holiday. https://therecord.media/german-builder-of-superyachts-and-military-boats

[14] The Record, “Marine industry giant Brunswick Corporation lost $85 million in cyberattack, CEO confirms,” August 2023. Nine days of disrupted operations; major impact on Navico marine electronics subsidiary. https://therecord.media/marine-industry-giant-brunswick-lost-millions

[15] BleepingComputer, “Yacht giant MarineMax data breach impacts over 123,000 people,” July 2024. Rhysida ransomware group exfiltrated 225GB of data including financial documents, driver’s licenses, and passports. https://www.bleepingcomputer.com/news/security/yacht-giant-marinemax-data-breach-impacts-over-123-000-people/

[16] Financial Times, “The Russian Spy Ship Stalking Europe’s Subsea Cables,” Helen Warrell, Chris Cook, and Daria Mosolova, September 26, 2025. https://www.ft.com/content/0b351091-3f82-4f2f-bef2-a52a35f009f2

[17] “Russian research vessel Yantar,” Wikipedia. https://en.wikipedia.org/wiki/Russian_research_vessel_Yantar

[18] “Chinese Spy Ship Makes First Appearance Near Australian Submarine Communications Base,” The War Zone, May 2022. https://www.twz.com/chinese-spy-ship-makes-first-appearance-near-australian-submarine-communications-base

Paralyzed at the Pier: Schrödinger’s Fleet and Systemic Naval Cyber Compromise

By Tyson Meadors

In the spring of 2019, then-Navy Secretary Richard Spencer publicly released the “Navy Cybersecurity Readiness Review.”1 Conducted in the tradition of earlier reviews commissioned by Navy Secretaries such as the Chambers Board and the General Board Studies of 1929-1933, this report, led by Ronald Moultrie (now Under Secretary of Defense for Intelligence and Security), concluded that the Navy’s cybersecurity shortfalls were “an existential threat.”

Following its release, Secretary Spencer summarized the review’s findings during Congressional testimony: “…[O]ne of our battles is going to be just getting off the pier because [of] cyber…” After over two years in the position, the civilian leader of the Navy and Marine Corps had become convinced that the cyber-related reforms and force structure changes outlined in the Review were required to remain a viable naval power.

Due to his untimely dismissal in November of that same year, however, Secretary Spencer was never afforded the opportunity to see his proposed cyber reforms through. In his wake, the “existential” cyber matters described in the report have been largely left unaddressed. Three years later, Congress started to demand significant reforms to Navy cyber force structure in the 2023 National Defense Authorization Act (NDAA). These NDAA mandates suggest that Congressional defense committee leadership has concurred with Spencer’s conclusions—so much so, in fact, that they are willing to force the matter on Navy leadership.

While the 2019 report, prompted by over a decade of cyber incidents resulting in the “loss of significant amounts of Department of the Navy data,” makes it clear that the Navy is “losing the current global, counter-force, counter-value cyber war,” it never describes the strategic or operational naval implications of losing this “war.” The report notes that “[cyber] war is manifested in ways few appreciate, fewer understand, and even fewer know what to do about it.” But it leaves translating such proclamations into tangible guidance to the imagination of the (presumably “few”) readers capable of doing so. High-profile cyber warfare events over the last five years, however, have made understanding the strategic implications of the Navy’s cybersecurity readiness shortfalls far more apparent. The “how” and “why” of Spencer’s “battle to get off the pier”—and what it means for the Navy’s strategic reality—demands the attention of more than just Congress.

Introducing Schrödinger’s Fleet

The strategic reality described by the 2019 Cybersecurity Readiness Review is best analogized by Erwin Schrödinger’s “cat” thought experiment, which describes a situation in which it is impossible to know whether a cat—its fate tied to a quantum system in superposition—is alive or dead until someone observes the state of the cat. Prior to direct observation, the cat is effectively both alive and dead.

In the case of Schrödinger’s Fleet, the uncertainty is the unclear combat readiness of a naval fleet whose supply chains have suffered a thorough and prolonged period of cyber exploitation by sophisticated adversary actors. Given an indefinite period of access to the key portions of the defense industrial base responsible for the provisioning of all U.S. Navy platform and weapon systems, these actors are afforded countless opportunities to insert malicious code into software and firmware that eventually is built into one or myriad platforms, systems, and networks. The added code then lies effectively dormant until such a time or condition that it is activated to disrupt the availability of a weapon system, network, and/or platform. From a readiness perspective, the naval fleet appears operationally ready in peacetime, but the adversary knows that at the intended moment of action, the imperiled fleet will struggle to “just get off the pier.”

Had the 2019 Review been written 18 months later, it would have benefitted from the ready example of the SolarWinds cyber breach that made the term “software supply chain compromise” common parlance. The SolarWinds2 event was revealed by the cybersecurity firm FireEye, which discovered malicious cyber activity on its own network in December 2020.3 Further analysis revealed that this Russian cyber campaign had first compromised the software build environment of a prominent vendor of IT management tools, SolarWinds, and from the spring of 2020 had modified code in its Orion products to allow the attackers access to SolarWinds’ customers, leveraging otherwise legitimate software update processes to spread ‘poisoned’ updates across the networks of approximately 18,000 entities. Amongst the victims were the Departments of Defense, Homeland Security, Energy, and State, as well as defense-linked Fortune 500 companies such as Microsoft, Cisco, Deloitte, and Intel.4

SolarWinds was nowhere near the first supply-chain compromise used by adversary cyber actors. The NotPetya cyberattack by Russian military cyber units in 2017, for example, used a similar supply-chain infiltration tactic, trojanizing updates of the Ukrainian accounting software M.E.Doc to pre-position the malware across Ukraine before activating its worming and data destruction capabilities on the eve of Ukrainian Constitution Day. Once activated, its global spread and effects were the result of automatic spreading and attack routines in the pre-positioned malicious code, causing at least $10 billion of damage—the most financially destructive cyberattack ever.5,6

China is also a prolific software supply chain compromiser. In 2017, Chinese cyber actors compromised the development environment of the company responsible for the CCleaner software utility, subsequently inserting malicious code into software updates for that product that reached roughly 2.3 million computers worldwide.7 This campaign lasted about six months, and subsequent analysis revealed that the actors ultimately leveraged that access to deliver a second-stage payload to only about 40 machines inside a short list of technology companies, in pursuit of further targeted activity aligned with Chinese intelligence priorities.

Taken in totality, SolarWinds, NotPetya, and CCleaner represent the wavetops of what has now become a go-to tactic for nation-state and criminal actors alike—subvert the software supply chain to get to higher value targets with latent, malicious code. Then, at a time and place of the adversary’s choosing, activate the malicious code.

Adversary actors need two things to leverage such capabilities: First, they need ready access to a target’s supporting supply chains—the type of prolonged access to the Navy’s supporting vendors that prompted the commissioning of the 2019 Cyber Readiness Review. Second, the adversary needs to have some advanced idea of what type of outcomes it wishes to achieve with such operations. Adversaries with focused strategic or operational objectives—an invasion of a nearby island, for example—for which they control the notional timing and tempo, can engage in prolonged supply chain subversion campaigns to ensure that opposing forces are disadvantaged at the outset of a conflict. In the opening hours of Russia’s invasion of Ukraine, for example, (presumably Russian) hackers brought down satellite communications run by Viasat, upon which the Ukrainians were operationally reliant.8 While not decisive due to Russia’s conventional military failings, this type of cyberattack demonstrates that peer competitors can use pre-positioned cyber capabilities as part of a combined arms assault.

The 2019 Cybersecurity Readiness Review suggests—but does not state outright—that at least some of the Navy’s myriad acquisition programs may have been victim to this class of long-term compromise. The risk to an unknown number of Navy platforms and weapon systems remains critical. As recently as this year, “nearly nine out of ten US defense contractors fail to meet basic cybersecurity minimums,” as defined by the Defense Federal Acquisition Regulation Supplement (DFARS).9 Even generously assuming perfect contractor cyber defense once the updated DFARS cybersecurity requirements are finally enforced (via the oft-delayed implementation of the Cybersecurity Maturity Model Certification [CMMC]), whatever latent compromises Spencer alluded to in his Congressional testimony will remain, along with the products of at least four additional years of continued near-peer cyber activity against Navy supply chains. And the U.S. Navy will be left operating Schrödinger’s Fleet through the duration of the so-called Davidson Window and beyond.10

Cousin Cats: “Schrödinger’s Infrastructure” and “Schrödinger’s ICS”

The Navy is not the only entity faced with strategic cyber uncertainty. In a recent speech at NATCON 3, Joshua M. Steinman, the senior-most cybersecurity official in the Trump administration, described what he called “Schrödinger’s Infrastructure”: “…[A]n industrial base that is simultaneously compromised and not compromised… We find out which it is once the [People’s Liberation Army (PLA)] departs for Taipei.”11

Steinman’s description is significant to the U.S. Navy for two reasons. First, it recognizes that the threat of latent Chinese cyber capabilities embedded in U.S. industrial infrastructure may only be fully realized when it is leveraged in support of a major PLA operation such as invading Taiwan. Perhaps less obvious, but just as significant, is that Steinman identifies an issue with a class of technologies that are just as critical to naval operations as they are to U.S. critical infrastructure. Namely, Steinman’s comments specifically addressed the cybersecurity vulnerability of “Operational Technology” (OT), the class of computers, controllers, networks, and embedded systems associated with the control of physical things such as power grids, factories, ship propulsion plants, and weapon systems.

Just as relevant to understanding contemporary U.S. Navy cyber risk is a description of what Robert M. Lee, the founder of the OT cybersecurity company Dragos, calls “Schrödinger’s Industrial Control System (ICS).” In a 2019 blog post discussing the circumstances of a rumored cyberattack that had caused a fire at the Abadan Oil Refinery in Iran, Lee explains that “Schrödinger’s ICS” is a situation that exists when operators of operational technology are unable to do “root cause analysis of the event to include a cyber component.”12 Otherwise stated, another aspect of the cyber-Schrödinger condition is that any OT-controlled machinery or weaponry casualty may be a cyberattack unless an entity has the cyber forensic capabilities to “observe” otherwise.

Responding to a question in 2017 about the possibility of a cyberattack causing a ship collision involving the USS McCain, the then-Deputy Chief of Naval Operations for Information Warfare, VADM Jan Tighe, stated that “…what if we detect a cyber intrusion into one of those machinery systems, et cetera? We need to have expertise that can respond to that… and can look for any signs of cyber intrusion or cyber malicious – malware… we will… learn from the results of the McCain investigation and just make [cyber forensics] part of the normal process of how we do mishap investigations moving forward.”13 As other observers noted,14 however, in 2017 the Navy did not have the capabilities required to do a proper forensics investigation on the McCain’s OT. VADM Tighe’s remarks suggested, at least, that a Fleet cyber forensic capability was an identified naval requirement and was soon to come online.

A recent letter from Congress to CNO Gilday sent in the fall of 2022,15 however, expressed concern that “the Navy’s cyber resiliency budget [for fiscal year 2023] equated to less than 0.1 percent of service-requested funds,” and pointedly asked, “What unit(s) will respond to cyberattacks against shipboard systems and are those units sufficient to meet wartime need?” It appears that Congress is skeptical as to whether the Navy has sufficiently developed the expertise that VADM Tighe stated was necessary two years prior to the 2019 Cybersecurity Readiness Review, the type of expertise required to resolve whether the Fleet is “cyber alive” or “cyber dead.”

Schrödinger Fleet Strategy

From a naval strategy perspective, Schrödinger’s Fleet is effectively the opposite of the classic “fleet in being.” Rather than an immobile fleet constraining an adversary’s maneuvers because of the risk that it might sortie, an otherwise mobile Schrödinger’s Fleet no longer has to be respected in an adversary’s calculations. At the initiation of conflict, the antagonist can assume that an otherwise mobile fleet will be rendered moot via cyber effects, and can maneuver its forces accordingly.

That said, because the actual efficacy of latent malicious cyber capabilities cannot be known for certain until the time of activation, an adversary advantaged by such capabilities cannot be expected to conduct its antebellum activity noticeably differently than it would without them. It is worth considering, however, that possessing such cyber capabilities may incline adversarial leadership to perceive a decisive strategic advantage, further easing their path toward initiating hostilities.

This risk—that cyber effects at the outset of conflict used to undermine the military capabilities of the opposite side will ultimately be destabilizing and make conflict more likely—is described by another former Navy Secretary, Dr. Richard Danzig, as “mutually unassured destruction” (“MUD”). In a 2014 essay, Danzig specifically points out that should nuclear command, control, and warning be degraded by cyberattack, this could lead to a situation where the strategic deterrence inherent to mutually assured destruction deteriorates, leading to strategic instability.16 Danzig’s point might be extended, however, to consider the advantages conveyed if only the conventional defense capabilities of an adversary are disrupted.

Danzig’s explanation of cyber-induced MUD suggests that there may be a fundamental strategic difference between degrading conventional and nuclear forces. Namely, whereas there may be destabilizing risks in placing nuclear forces into Schrödinger Fleet conditions, this does not necessarily hold true for conventional forces. Consider two adversaries who have both compromised the software supply chains of the conventional forces of the opposing side. Each is faced with uncertainty regarding which forces will and will not be impacted at the point of initial aggression and therefore faces incalculable risk to its chances of success. This condition, in which Schrödinger Fleet conditions call into question the viability of conventional military success, can prove deterring and thus potentially stabilizing. And this form of cyber deterrence need not be symmetrical or mutual. Should one side be able to demonstrate that it has created Schrödinger Fleet conditions inside the aggressing force, the aggressor may hesitate to act, especially if the aggressor’s theory of victory requires a full complement of combat-available forces.

Spencer’s Congressional statements suggest that he believed the Navy may be at such a conventional disadvantage—potentially deterring U.S. strategic or operational action at a future moment of crisis or conflict. A Navy composed of a Schrödinger’s Fleet is not merely a force in an “existential” crisis. It is a critical national security liability.

Resiliency and MUD: A Quantum of Solace

Assuming that the strategic implications of the U.S. Navy operating a Schrödinger Fleet are anywhere near as dire as what Spencer’s Review and further analysis suggest, what is to be done?

Commercial OT cybersecurity suggests two partial remedies. First, after the SolarWinds event, public and private sector cybersecurity leadership began calling for the use of “software bills of materials” or “SBOMs.” These are lists of the software components used to create an application or system, provided upon delivery of a product or service. While not a defensive cyber capability per se, they allow an entity to understand the degree of risk it has incurred when a subverted IT or OT component is revealed via a breach disclosure or other reporting. For that to work in practice, the SBOM must be machine-readable (SPDX and CycloneDX are the common formats), must list transitive dependencies rather than only top-level packages, and must be regenerated with every software change; a stale or top-level-only SBOM cannot answer the question “which of our platforms contain the component that was just reported compromised?”

In 2021, the Biden administration tasked the Department of Commerce to develop government-wide guidance mandating SBOMs for all IT and OT used by the federal government.17 The Senate’s version of the 2023 National Defense Authorization Act also contained an SBOM mandate for the Department of Defense, but this language did not make it into the bill’s final form.18 It remains prudent, however, for the Navy to require SBOMs from all its IT and OT suppliers.
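As an added example of the kind of query an SBOM enables (illustrative code written for this page, not part of the original article and not any Navy or vendor tool), the Python below loads three constructed CycloneDX-style SBOMs for notional shipboard systems and then answers the question the text poses: given a report that a component (here the invented “acme-netlib”, versions 2.3.0 up to but not including 2.5.0) was subverted, which systems contain it, at what version, and through which dependency path. Every system name, component name, version and bom-ref is an assumption made up for the example.

```python
"""Query SBOMs for a component reported as subverted (added, illustrative example)."""
import json
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOMs for three notional shipboard systems.
# Every name, version and bom-ref here is invented for this example.
SBOMS: Dict[str, str] = {
    "propulsion-hmi": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "metadata": {"component": {"bom-ref": "app:propulsion-hmi", "name": "propulsion-hmi", "version": "7.1"}},
      "components": [
        {"bom-ref": "pkg:widgetkit@4.2.0",   "name": "widgetkit",   "version": "4.2.0"},
        {"bom-ref": "pkg:logutil@1.0.0",     "name": "logutil",     "version": "1.0.0"},
        {"bom-ref": "pkg:acme-netlib@2.3.1", "name": "acme-netlib", "version": "2.3.1"}
      ],
      "dependencies": [
        {"ref": "app:propulsion-hmi", "dependsOn": ["pkg:widgetkit@4.2.0", "pkg:logutil@1.0.0"]},
        {"ref": "pkg:widgetkit@4.2.0", "dependsOn": ["pkg:acme-netlib@2.3.1"]}
      ]
    }""",
    "nav-display": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "metadata": {"component": {"bom-ref": "app:nav-display", "name": "nav-display", "version": "3.0"}},
      "components": [{"bom-ref": "pkg:acme-netlib@2.1.0", "name": "acme-netlib", "version": "2.1.0"}],
      "dependencies": [{"ref": "app:nav-display", "dependsOn": ["pkg:acme-netlib@2.1.0"]}]
    }""",
    "engine-monitor": """{
      "bomFormat": "CycloneDX", "specVersion": "1.4",
      "metadata": {"component": {"bom-ref": "app:engine-monitor", "name": "engine-monitor", "version": "1.4"}},
      "components": [{"bom-ref": "pkg:acme-netlib@2.4.0", "name": "acme-netlib", "version": "2.4.0"}],
      "dependencies": [{"ref": "app:engine-monitor", "dependsOn": ["pkg:acme-netlib@2.4.0"]}]
    }""",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0): compare numerically, so 2.10 sorts after 2.9."""
    return tuple(int(part) for part in version.split("."))


def load_sbom(text: str):
    """Return (root bom-ref, {bom-ref: component}, {bom-ref: [dependsOn bom-refs]})."""
    doc = json.loads(text)
    root = doc["metadata"]["component"]
    components = {root["bom-ref"]: root}
    for comp in doc.get("components", []):
        components[comp["bom-ref"]] = comp
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in doc.get("dependencies", [])}
    return root["bom-ref"], components, deps


def dependency_path(deps: Dict[str, List[str]], start: str, target: str) -> Optional[List[str]]:
    """Depth-first search for a chain of bom-refs from start to target; None if unreachable."""
    stack = [[start]]
    seen = set()
    while stack:
        path = stack.pop()
        node = path[-1]
        if node == target:
            return path
        if node in seen:
            continue
        seen.add(node)
        for child in deps.get(node, []):
            stack.append(path + [child])
    return None


def affected_systems(sboms: Dict[str, str], name: str, first_bad: str, first_fixed: str):
    """Systems whose SBOM lists `name` at a version in [first_bad, first_fixed), with the
    version found and the dependency path from the system's root component."""
    lo, hi = parse_version(first_bad), parse_version(first_fixed)
    hits: Dict[str, List[Tuple[str, Optional[List[str]]]]] = {}
    for system, text in sboms.items():
        root, components, deps = load_sbom(text)
        for ref, comp in components.items():
            if comp["name"] == name and lo <= parse_version(comp["version"]) < hi:
                # A component listed in the BOM but absent from the dependency graph is
                # still reported (path None): presence, not reachability, is the risk.
                hits.setdefault(system, []).append((comp["version"], dependency_path(deps, root, ref)))
    return hits


if __name__ == "__main__":
    # Hypothetical advisory: acme-netlib builds 2.3.0 <= v < 2.5.0 were subverted.
    for system, findings in affected_systems(SBOMS, "acme-netlib", "2.3.0", "2.5.0").items():
        for version, path in findings:
            print(f"{system}: acme-netlib {version} via {' -> '.join(path) if path else 'unknown'}")
```

Two details matter in practice: the dependency graph is walked so that a subverted library pulled in transitively (here through widgetkit) is still found, and versions are compared as numeric tuples so that 2.10.0 sorts after 2.9.9. Real SBOMs should be loaded with a validating library rather than this minimal parser.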

Second, as both Lee and VADM Tighe suggested is required, the Navy needs a rapidly deployable expert forensics capability that it can send to its ships and platforms to quickly determine whether or not the root cause of a system failure or casualty is cyber-related. As VADM Tighe noted in her 2017 comments about the USS McCain cyber investigation, had the McCain collision been found to have a precipitating cyber cause, one of the most urgent second-order questions the Navy would have had to answer was whether other ships, including the USS Fitzgerald, which collided earlier that year, were liable to a similar notional cyber effect.

Some of this forensic capability can be provided by additional cybersecurity sensors integrated into platforms. In Congress’ 2022 letter to Admiral Gilday, for example, Congress notes the existence of two Navy programs that address some of this risk. Some of this enhanced forensics capability will also require the types of teams that Congress inquired about in the same letter. As the Navy considers how to implement the reforms mandated in the 2023 NDAA, manning and equipping these sorts of teams should be top of mind.

A notional Navy cyber response team. (Artwork created via Midjourney AI)

While SBOMs and operational forensic capabilities reduce the uncertainties associated with Schrödinger’s Fleet, they do not meaningfully address the waxing strategic risk of systemic platform and weapon system casualties caused by latent malicious code. For this, two further compensatory mechanisms are necessary.

First, the Navy must have the capacity to recover compromised systems to secure baselines in operationally relevant timeframes. Assuming that the advance detection of latent malicious code is nigh impossible given the volume and complexity of the systems-of-systems in a naval platform and each of those systems’ respective supply chains, quickly recovering from the unpredictable impacts of such malicious code becomes a critical “fight through” enabler. Such recovery presupposes that a known-good baseline (a golden image and a signed manifest of what it contains) is built and stored independently of the systems it will be used to restore, and that the tooling used to verify and reimage a platform is itself trusted; otherwise a restore simply reinstalls the implant.
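The first step of any recovery to baseline is knowing what on the platform has drifted from the golden image. As an added example (written for this page, not from the article and not Navy tooling), the Python below builds a SHA-256 manifest of a constructed directory tree standing in for a controller’s filesystem, then, after a simulated compromise (one binary replaced, one file deleted, one library planted), reports each path as unchanged, modified, missing or unexpected. The directory layout, file names and contents are invented for the example.

```python
"""Detect drift from a golden baseline by hash manifest (added, illustrative example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_against_manifest(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify paths: unchanged, modified (hash differs), missing (in manifest but not on
    disk) and unexpected (on disk but not in manifest, e.g. a planted library)."""
    actual = build_manifest(root)
    report: Dict[str, List[str]] = {"unchanged": [], "modified": [], "missing": [], "unexpected": []}
    for rel_path, expected in manifest.items():
        if rel_path not in actual:
            report["missing"].append(rel_path)
        elif actual[rel_path] != expected:
            report["modified"].append(rel_path)
        else:
            report["unchanged"].append(rel_path)
    report["unexpected"] = sorted(set(actual) - set(manifest))
    return report


def demo() -> Dict[str, List[str]]:
    """Build a golden baseline of a constructed tree, simulate drift, and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed stand-ins for a controller binary and its configuration.
        (root / "bin" / "ctl").write_bytes(b"\x7fELF constructed stand-in for a controller binary\n")
        (root / "etc" / "plant.conf").write_text("setpoint=42\n")
        (root / "etc" / "motd").write_text("authorized use only\n")
        golden = build_manifest(root)          # would be produced at build time and kept off-box

        # Simulated compromise: binary replaced, a file removed, a library planted.
        (root / "bin" / "ctl").write_bytes(b"\x7fELF same path, different bytes\n")
        (root / "etc" / "motd").unlink()
        (root / "bin" / "helper.so").write_bytes(b"planted\n")
        return verify_against_manifest(root, golden)


if __name__ == "__main__":
    for verdict, paths in demo().items():
        print(f"{verdict:10s} {paths}")
```

The verdicts are only as trustworthy as the manifest and the machine running the check: the manifest must be produced at build time and kept, ideally signed, off the platform, and the comparison should run from trusted boot media rather than from the possibly compromised operating system, since a capable implant can lie to a hash tool run on top of it. What the report gives the recovery team is the list of paths to reimage first.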

Finally, the Navy should pursue and maintain the ability to hold potential adversaries’ conventional naval capabilities at equivalent cyber risk. Expanding Secretary Danzig’s “MUD,” we should consider how much can be gained from developing an ability to call into doubt the wartime availability and reliability of an adversary’s conventional naval forces. This would create a credible, likely stabilizing deterrent that is not dependent on ensuring the cyber survivability of our own navy. This is a necessary approach when addressing the need to maintain strategic balance—if not outright advantage—over great naval powers.

LCDR Tyson B. Meadors is a Navy Cyber Warfare Engineer. He previously served both afloat and ashore as a Surface Warfare Officer and Naval Intelligence Officer. From 2017-2018, he was a Director of Cyber Policy on the National Security Council Staff, where he advised the President, Vice President, and multiple National Security Advisors on cyber operations policy, technology, and threats and helped draft multiple national-level strategies and policies. Prior to commissioning from the U.S. Naval Academy, he worked as a journalist and taught English in the People’s Republic of China. He is the only U.S. naval officer to ever defeat a guided missile destroyer in a real-world engagement and is also the founder and CEO of Ex Mare Cyber, a cybersecurity consultancy. The views expressed are those of the author and do not reflect the official policy or position of the U.S. Navy, Department of Defense, or other parts of the U.S. government.

References

1. No longer accessible via official Navy portals, but it remains accessible via the Wall Street Journal: https://www.wsj.com/public/resources/documents/CyberSecurityReview_03-2019.pdf?mod=article_inline

2. While this event is commonly referred to as “SolarWinds” because the compromise of SolarWinds’ network administration suite allowed the malicious actors to compromise such a large number of government and commercial entities, product lines from both VMware and Microsoft were also compromised during this event.

3. https://www.mandiant.com/resources/blog/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor

4. https://www.bruceb.com/2021/02/the-great-russia-hack-4-how-did-they-get-caught/

5. https://www.brookings.edu/techstream/how-the-notpetya-attack-is-reshaping-cyber-insurance/

6. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

7. https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/

8. https://www.economist.com/science-and-technology/2022/11/30/lessons-from-russias-cyber-war-in-ukraine

9. https://www.scmagazine.com/analysis/third-party-risk/most-us-defense-contractors-fail-basic-cybersecurity-requirements

10. A period defined by ADM Phil Davidson as the period between 2021 and 2027, which he identified as the period when China is most likely to attempt to take military control of Taiwan; see https://news.usni.org/2021/03/09/davidson-china-could-try-to-take-control-of-taiwan-in-next-six-years.

11. https://steinman.substack.com/p/Schrödingers-infrastructure#details

12. https://www.dragos.com/blog/industry-news/claims-of-a-cyber-attack-on-irans-abadan-oil-refinery-and-the-need-for-root-cause-analysis/

13. https://www.csis.org/analysis/cyber-warfare-maritime-domain

14. https://cimsec.org/cyberphysical-forensics-lessons-from-the-uss-john-s-mccain-collision/

15. See Golden, et al., Congressional letter addressed to Admiral Gilday, which begins, “We write to express our significant concerns regarding the cybersecurity of combat systems utilized by the U.S. Navy on its surface ships and submarines…” dated 3 October 2022.

16. https://s3.us-east-1.amazonaws.com/files.cnas.org/documents/CNAS_PoisonedFruit_Danzig.pdf?mtime=20161010215746&focal=none

17. https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/

18. See “Joint Explanatory Statement to Accompany the James M. Inhofe National Defense Authorization Act for Fiscal Year 2023,” p. 353. https://rules.house.gov/sites/democrats.rules.house.gov/files/BILLS-117HR7776EAS-RCP117-70-JES.pdf

Featured Image: Artwork created via Midjourney AI.

In Cyberspace, No One Can Hear You Bluff

By Captain Tuan N. Pham, U.S. Navy

General Paul Nakasone, Commander, U.S. Cyber Command (USCC) and Director, National Security Agency (NSA), asserts that “traditional military deterrence is binary in regard to conflict and a deterrence model…does not comport to cyberspace where much of the nefarious cyber activity plays out non-stop in an ambiguous strategic gray zone.” While this article agrees with the “futility of totally deterring adversaries from operating in cyberspace and instead actively disrupting those activities before they can inflict damage,” it respectfully disagrees that traditional deterrence is binary and that its rules do not hold in cyberspace.

Deterrence centered on domain denial is neither desirable nor sustainable. Hindering access to cyberspace is not consistent with the enduring American values of individual liberty, free expression, and free markets. Such encumbered access also runs counter to the U.S. national interest of protecting and promoting internet freedom to support the free flow of information, which enhances international trade and commerce, fosters innovation, and strengthens both national and international security; and to the universal right (global norm) of unfettered free access to and peaceful use of cyberspace for all. Restricting access to cyberspace is also not practical considering that the cost to operate in cyberspace is modest, the barriers to entry low, and the difficulty of operating negligible.

Deterrence, the “prevention of action by either the existence of a credible threat of unacceptable counteraction and/or belief that the costs of action outweigh the perceived benefits,” is more complicated and nuanced than a simple binary response of yes or no. Deterrence can create a delay or pause for transitory maneuvering space to mitigate the effects of the threat action, or better yet, to take preemptive or preventive measures to disrupt (neutralize) the threat action. Deterrence, like warfighting (war), involves universal and immutable “human nature” that does not change over time or across nationality, demographic, culture, geography, and domain. Rational actors choose to act or not to act based on fundamental “fear, honor, and interest (Thucydides)” and are deterred by real or perceived “capability, intent, and credibility” (the deterrent triad). Additionally, as Henry Kissinger once noted, “deterrence is a product of capability, intent, and credibility and not a sum…if any one of them is zero, deterrence fails.” Washington accordingly must do more and do better to ensure each factor succeeds as an aggregate deterrent triad for increased integrated deterrence, decreased strategic risk, greater strategic alignment, and lesser likelihood of conflict across all the interconnected and contested domains.

Deterrence works best when it is clear, coherent, uniform, and complementary across the fluid competition continuum (steady state to crisis to conflict); the expansive instruments of national power (diplomatic, information, military, economic, financial, intelligence, and law enforcement – DIMEFIL); and the interconnected and contested domains (physical and nonphysical), for strategic consistency, operational agility, and tactical flexibility. Last year, in an article titled “In Space, No One Can Hear You Bluff,” this author made the policy case for a more active space deterrence to better manage the growing threats to vulnerable U.S. high-value space assets. This article makes the same policy case now for a more active cyber deterrence to better address the exigent factors of time, space, and force in cyberspace. An attack in cyberspace can come from anyone, occur anywhere, and happen anytime with no warning to react and no opportunity to respond – an increasingly real risk as the ongoing Russian invasion of Ukraine persists and President Putin becomes more impatient and desperate for victory while risking a dangerous perception that U.S. policy has shifted from conflict containment (vertical and horizontal) to conflict escalation, or worse, regime change.

More Active Cyber Deterrence

Despite a considerable arsenal of sophisticated offensive and defensive cyber capabilities, American political and military systems still struggle at times with inconsistent strategic communications and a dogged credibility gap. The new deterrent framework in cyberspace must therefore focus more on communicating clear intent and building enduring credibility through redlines, deterrent language, and cross-domain options to impose further costs, deny added benefits, encourage greater restraint, and exert more control over the narrative.

Redlines

Declaratory redlines make clear the unwanted risks, costs, and consequences of specific actions. They are an important way to influence an adversary’s risk perception and rational calculus, lower the likelihood of misunderstanding, and encourage restraint. They also outline the conditions of, and willingness to inflict, unacceptable retaliatory damage or destruction. U.S. policymakers should therefore “privately” reinforce to strategic competitors (and potential adversaries) the deterrent public statements contained in the 2018 National Cyber Strategy (NCS), 2021 Interim National Security Strategic Guidance (INSSG), 2022 National Defense Strategy (NDS), and (anticipated) forthcoming National Security Strategy (NSS). U.S. law enforcement officials should likewise continue to “publicly” warn cyber criminals of egregious illicit cyber acts. In doing so, they should make it clear to both state and non-state threat actors that any cyber attack or cyber act that threatens U.S. national security interests, U.S. economic prosperity, and U.S. political stability is unacceptable and will be met with severe and disproportionate consequences. If they attack or act, they should not expect a proportionate response. They should expect prompt and devastating force that will cause retaliatory damage much greater than what they intended to inflict. This clear warning should have the effect of causing malicious cyber actors to think twice before acting and to consider that the real costs may be much greater than any intended benefits.

For cyber powers like China and Russia, it should be made unequivocally clear that any cyber attack on critical military space systems – missile warning, command and control of nuclear forces, and positioning, navigation, and timing – is an act of war and will be dealt with accordingly. Doing so interlocks the 2020 National Space Policy with the 2018 NCS, both of which acknowledge the imperative of space cybersecurity and call for improvements to it. Like any other increasingly digitized and networked critical infrastructure, space-based and ground-based space systems and their communication links are vulnerable to cyber attacks. A future space conflict will undoubtedly involve cyber attacks, and conversely, a future cyber conflict may also involve space attacks.

Policymakers should also declare a more assertive and explicit redline [for cyberspace] consistent with the extant public redline in the interconnected and contested space domain. The 2018 National Space Strategy and 2020 National Space Policy unambiguously declared that “any harmful interference with or attack upon critical components of our space [cyberspace] architecture that directly affects this vital interest will be met with a deliberate response at a time, place, manner, and domain of our choosing.” The 2020 Defense Space Strategy forcefully reasserted the White House redline, stating that “the United States will deter aggression and attacks in space [cyberspace] and, if deterrence fails, be capable of winning wars that extend into space [cyberspace].”

Some may contend that redlines only work against rational state actors. Non-state actors are not always rational, confidently hiding behind their anonymity much as some state actors hide behind notions of sovereignty, and consequently are not easily deterred by redlines. However, this article puts forth the argument that both kinds of actors are rational thinkers governed by rational thinking driven by varying nuances of elemental “fear, honor, and interest.” State actors are more impelled by power (statecraft), while non-state actors are more motivated by money (business). Both have pressure points (critical vulnerabilities) related to fear and interest that are susceptible to deterrent actions.

Others might argue that Chinese and Russian nefarious cyber activities below the threshold justifying a traditional military response persist unabated despite the best deterrent efforts by the United States and international community. So why and how would redlines deter these continued gray zone operations in cyberspace? The short answer is that redlines are not necessarily only intended to deter threat actors from operating in the gray zone but to also deter them from escalating beyond the gray zone. For now, Beijing and Moscow appear disinclined to escalate beyond the gray zone since they have perceived advantage in cyberspace and may not want to invite the increased strategic risk. Redlines help maintain the unsatisfying status quo.

Still others, like Secretary of Defense Lloyd Austin, argue that it is “never a good idea to publish destabilizing redlines because they inflame tensions, inadvertently provoke reactions, and back policymakers into corners.” While this article agrees that redlines should not be made if one is not able and willing to carry them out, it respectfully disagrees that they are inherently destabilizing. Instead, this author contends that “credible” redlines demonstrate stabilizing political will if the deterrent language is consistently followed up with deterrent action when called to do so as evidenced by contemporary history.

In 2012, the Obama Administration warned Syria that the use of chemical weapons would draw U.S. retaliation. A year later, Washington did not follow through when Damascus disregarded that warning and launched chemical attacks on Syrian civilians. Although the reasons for President Obama’s policy change are complex, the net result was a perception that the administration backed down, and in deterrence, perception is reality. The Syrian regime did not believe the U.S. redline credible, despite the United States having more than enough DIMEFIL capabilities to threaten and undermine Syria’s national interests. When Syria again used chemical weapons against its citizens in 2017, Damascus encountered a much different U.S. response from the Trump administration. The United States promptly launched punitive cruise missile strikes against a Syrian military airbase and expanded U.S. military presence and activities in Syria. By the end of that year, President Trump released a new NSS, announcing that the United States would place U.S. national interests first and would not hesitate to protect and advance them. Washington followed up the bold words with bold actions through the maximum pressure campaigns against Pyongyang and Tehran, a trade war with Beijing, sanctions against Moscow, and the killing of Iranian General Soleimani. All in all, the say-do mismatch should be eschewed in favor of consistent words and actions, both of which matter in deterrence.

Deterrent Language

In cyberspace just like in space, offensive dominance scales up, which means “a power that strikes aggressively should be, in theory, able to get the upper hand, or at least get the greatest possible use of whatever offensive space [cyber] capabilities it has invested in.” There is therefore deterrent value to explicitly stating the willingness to use tactical cyber preemption and active cyber defense to keep all deterrent options on the table against all state and non-state actors that threaten U.S. national interests in cyberspace. Tactical cyber preemption employs cyber power to deny a specific outcome, by attacking potential or imminent cyber threats before they can be employed or disrupting possible or looming illicit cyber acts before they can be initiated. Active cyber defense is the interception and disruption of an imminent cyber attack before it reaches its intended target or a looming cyber act before it actualizes. When combined with proven offensive and defensive cyber capabilities and credible redlines, the threat of tactical cyber preemption and active cyber defense can give additional pause to a state actor contemplating a first cyber strike or a cyber criminal considering an illicit cyber act.

China, a strategic competitor (national security imperative) and major cyber threat to U.S. national interests, serves as a deterrent exemplar. The People’s Liberation Army’s (PLA) warfighting doctrine favors surprise and deception when conditions warrant. Hence, the United States should take active steps to introduce elements of doubt and uncertainty into the Chinese Communist Party’s (CCP) decision-making and discourage the PLA from acting on real or perceived advantageous political-military conditions. The CCP and PLA should be reminded of Sun Tzu’s famous dictum: “If not in the interests of the state, do not act…If you cannot succeed, do not use force.” In essence, this means not risking initiating a cyber conflict that one cannot win or that may result in a pyrrhic victory.

Some contend that cyber criminals are not easily deterred by deterrent language. Cyber criminals stay anonymous and nondescript in cyberspace, assured that they can overcome any cybersecurity measures while staying below the radar of state actors and avoiding state action. The U.S. should take away that assurance by strengthening cybersecurity and operating more, and deeper, in “white (neutral)” cyberspace (persistent engagement) to increase the likelihood of attribution, disruption, and, if needed, retaliation. This also necessitates encouraging and supporting the private sector to do the same, for example by promoting more corporate cyber activity of the kind Microsoft has undertaken in seizing domains used by China-based hackers and in leading industry-wide efforts to disrupt Russian cyber attacks.

Cross-Domain Options

Responses need not be limited to the same domain as the provocation. They can occur in another domain or across multiple ones. The dilemma for the United States is where, when, and how best to deter, and if deterrence fails, where, when, and how best to respond. U.S. policymakers and defense planners should prepare a broad set of flexible and dynamic cross-domain responses to the threat of cyber attack or the cyber attack itself in accordance with the 2018 NCS, 2021 INSSG, 2022 NDS, and (anticipated) forthcoming NSS.

Some might contend that cross-domain actions are destabilizing and will escalate a crisis. This argument diminishes as Washington fully commits and prepares to respond in kind or over-respond to make a deterrent point. Future conflicts will be transnational, multi-functional, and multi-domain. Cross-domain deterrence is therefore the best policy option for the interconnected and contested battlespaces now and into the future.

Still others argue that cross-domain actions risk pushing state actors (and cyber powers) like China and Russia over an invisible redline drawn by “fear, honor, and interest.” To mitigate this strategic risk, the United States must retain escalation dominance, freedom of movement, and strategic initiative to impose its will on Beijing and Moscow. As Sun Tzu said, “the clever combatant imposes his will on the enemy but does not allow the enemy’s will to be imposed on him.” Washington should therefore holistically impose costs, deny benefits, encourage restraint, and control the narrative so that the only acceptable strategic calculus for Beijing and Moscow is to not initiate or escalate conflict in cyberspace.

Selective Disclosure

Selectively disclosing cyber capabilities and intent amplifies the deterrent effects of redlines, deterrent language, and cross-domain options. Decisions about what, when, how, and for how long to reveal or conceal play an important role in active cyber deterrence. In certain circumstances, cyber capabilities should be disclosed to targeted audiences to sow doubt and uncertainty, encourage restraint, and reassure allies and partners. In other circumstances, strategic ambiguity may be more advantageous with regards to the exact nature, scope, and extent of intended cyber actions. An adversary does not need to know what, how, when, and where the United States would act, only that it can and would do so. Nevertheless, the question of how Washington can gain the deterrent benefits of selective disclosure while maintaining operational and information security is a crucial one moving forward. Similarly, it is also worth thinking about how to selectively reveal or conceal cyber capabilities to induce favorable threat responses, such as the expenditure of resources on U.S. defensive efforts or countermeasures in cyberspace.

Strategic Deterrent Alignment

Like space deterrence, the character of cyber deterrence may change over time, but the nature of cyber deterrence remains constant. The United States should therefore strengthen the deterrent triad of capability, intent, and credibility by defining redlines, declaring a willingness to fight in cyberspace preemptively or preventively, and threatening to respond (or responding) proportionately or disproportionately not just in cyberspace but in any or all domains for strategic deterrent alignment across the fluid competition continuum, expansive instruments of national power, and interconnected and contested domains.

Captain Pham served at NSA and USCC (plank owner), and completed a fellowship at JHU/APL working on cyber and space issues. The views expressed here are personal and do not reflect the positions of the U.S. Government or U.S. Navy.

Featured image by DKosig/Getty Images

Port Cybersecurity: Incorporating the IAPH’s New Guidelines into the ISPS Code

By CDR Michael C. Petta

Introduction

Port industry leaders recently submitted cybersecurity guidelines to the International Maritime Organization (IMO) for consideration. The IMO Member States should seize this opportunity and amend the International Ship and Port Facility Security (ISPS) Code to enact cybersecurity standards for ports and port facilities. Specifically, IMO Member States should amend the code, using the new industry guidelines as a model, to require port facilities to conduct regular cybersecurity assessments and develop distinct cybersecurity plans.

The IAPH’s Cybersecurity Guidelines for Ports and Port Facilities

Earlier this month the International Association of Ports and Harbors (IAPH), a trade association representing ports across the globe, announced the publication of cyber guidelines for ports and port facilities. With help from the World Bank, the IAPH developed these cybersecurity guidelines to mitigate, according to the publication’s executive summary, “the top risk for port authorities and the wider port community.” A review of the extensive list of cyber incidents occurring over the past year, as compiled by the Center for Strategic and International Studies, reinforces the IAPH’s view that cyberattacks are a preeminent global threat. Recently in a speech at the United Nations, President Biden recognized the immediacy of that risk, emphasizing the importance of “hardening our critical infrastructure against cyberattacks” and establishing “clear rules…for all nations as it relates to cyberspace.” Needless to say, the IAPH guidelines are a welcome move toward a nearly decade-old aspiration to improve cybersecurity resilience in the maritime sector.

The IAPH’s recent work toward cyber resiliency is not the only 2021 cyber milestone in the maritime transportation sector. Rather, at the start of the year the IMO’s guidelines for maritime cyber risk management, although adopted almost four years earlier, came into effect for parts of the Maritime Transportation System (MTS). It is no coincidence these two sets of guidelines emerged the same year. Indeed, the latter guidelines are a necessary consequence of the former because the earlier set, in fact, does not cover port facilities. Port leaders had no choice but to fill the gap, and they did so quickly.

The IAPH did more than jump into the breach. It also coordinated its effort with the IMO. This substantive coordination is evident in two 2021 submissions to the IMO’s Maritime Safety Committee (MSC). In MSC 103/92 of March, the IAPH, recognizing the port facility gap, stressed that “ports and port facilities would benefit” from a framework akin to that applied to vessels earlier in the year. The IAPH was motivated by cyber risks it considers to be “the most significant threats for ports today,” citing a “fourfold increase in cyberattacks in the maritime industry” over a four-month period last year. Equally motivating was an expected intensification of cyber threats from accelerated port digitalization, an ongoing modernization effort triggered by, inter alia, the coronavirus pandemic.

Driven by these long-standing and mushrooming risks, the IAPH declared to the MSC its intention to develop “a single comprehensive set of guidelines customized for Ports and Port Facilities.” Impressively, just four months later, via MSC 104/7/1, the IAPH reported completion of its work—the IAPH Cybersecurity Guidelines for Ports and Port Facilities.

The 73-page guide contains many valuable cybersecurity measures and instructs facility operators on many topics fundamental to security in the cyber domain. These include management buy-in, personnel training, risk assessment, proper staffing, threat detection, and incident response. While this article does not intend to explore each provision in depth, highlighting a few features is useful for illustrating the guidelines’ utility. For example, the guide expressly endorses port facilities conducting unique cybersecurity training, drills, and exercises. Also, it encourages facility operators to share cyber information with government regulators and industry partners. The guidelines further acknowledge the importance of planned cybersecurity incident response and reporting. Finally, and perhaps most importantly, the IAPH’s new guidelines favor port facilities conducting regular cybersecurity assessments and developing distinct cybersecurity plans.

To incorporate such measures into an international government framework, the IAPH asked the IMO to consider the new guidelines and measures at the next MSC session, which is scheduled to take place in the first week of October, next week.

Amending the International Ship and Port Facility Security Code

The IMO’s previous cyber guidelines, those adopted in 2017 and put into effect in 2021, were considered game changing. Certainly, they were a vital step toward a uniform approach for combating cyber threats in the shipping industry. Notably, IMO Member States relied on the International Safety Management (ISM) Code as the legal foundation for those guidelines. The ISM Code is a safety management system adopted in 1987 to help shipping industry leaders manage safety risks. Regardless of whether a safety management system is the best instrument for generally mitigating security threats, it is not the right tool for promoting cybersecurity at port facilities. This is because the ISM Code, fundamentally, applies only to ships, not port facilities.

Fortunately, there is an international instrument designed specifically to protect port facilities from attacks—the International Ship and Port Facility Security (ISPS) Code. Twenty years ago this month, subversive actors exploited vulnerabilities in the global transportation system and attacked civilian locations across the United States. The ISPS Code was developed in direct response to those attacks and has become the IMO’s “comprehensive mandatory security regime.” One of the code’s express objectives is to assess and detect “security threats to… port facilities… [and] to implement preventive security measures against such threats.” Ultimately, if IMO Member States intend to comprehensively secure port facilities against attacks from within the cyber domain, they must turn to the ISPS Code.

Even though the ISPS Code is the right tool to pull from the international toolbox, the instrument first needs calibrating. Indeed, the code’s existing, albeit implicit, cybersecurity provisions are soft law: non-binding instructive guidance that is unenforceable. Such soft cyber law makes port facilities soft cyber targets. Within the past few weeks, subversive actors backed by a foreign nation, according to the testimony of the Director of the U.S. Cybersecurity and Infrastructure Security Agency, breached servers and planted malicious code at a port facility in Houston, Texas. When discussing this recent breach, one cybersecurity expert predicted that such incidents would bring about a “much more regulatory” framework instead of the current “aspirational” model.

The ISPS Code has two parts: a mandatory Part A and a recommendatory Part B. Of note, there are no cybersecurity provisions, explicit or implicit, in Part A. Meanwhile, Part B hints at cybersecurity as it encourages port facilities to consider “radio and telecommunications equipment, including computer systems and networks” when they assess physical security vulnerabilities. Encouraging facilities to consider certain threats is a notable aspiration, but it is not a clear, enforceable cybersecurity rule. This is all to say, the ISPS Code, enacted for the specific purpose of preventing attacks on the MTS, is the right tool for the job, but to be an effective instrument against threats in the cyber domain, it must be amended.

Certainly, amending the ISPS Code will take careful consideration. One adjustment IMO Member States might consider is amending Part B Section 18 to encompass training, drills, and exercises specific to cybersecurity. Such cyber-specific requirements do not presently exist. Section 9 of the IAPH guidelines provides useful examples. Also, Member States might consider amending Section 15 of Part A and Part B to expressly require a cybersecurity assessment based on the factors in the IAPH’s model. The cybersecurity assessment would be separate from and a complement to the facility security assessment already required by Section 15 of the code.

Another adjustment to the ISPS Code worth earnest consideration is a change to Section 16 of Part A and Part B to require port facilities to prepare and governments to approve distinct cybersecurity plans. The IAPH provides a model as a baseline. Like the cybersecurity assessment, the cybersecurity plan would be an independent document, a supplement to the already required facility security plan. These are just a few examples of potential ISPS Code adjustments that can be used to effectively incorporate the work of the IAPH into international law.

In a 2020 Port Community Cybersecurity Note, the IAPH seems to recognize a need to amend the code. In chapter five of the note, the IAPH insightfully concludes “that the role of the [Port Facility Security Officer] must evolve to encompass cyber security… rather than being focused purely on physical threats.” Arguably, because the Port Facility Security Officer’s role is controlled by the ISPS Code, it follows that to evolve this role IMO Member States must evolve the code. Moreover, the IAPH seems to recognize that any adjustments should be comprehensive. As it asserts in the 2020 note, due to the “unpredictability and everchanging [sic] nature of cyber threats… a limited or partial approach probably will not suffice.”

Conclusion

The IMO’s MSC meets the first week of October. The IAPH provided the MSC with fully developed port facility cybersecurity guidelines and asked the MSC to consider them. This invitation should be dutifully accepted and used as a springboard to enact IMO standards internationally. The cyber threats and vulnerabilities are well known and expected to multiply with ongoing digitalization across the MTS. The time is ripe for IMO Member States to act. When they meet next week, they should build on the IAPH’s momentum and start the process to amend the ISPS Code, with strongest consideration given to mandating regular cybersecurity assessments and distinct cybersecurity plans.

Commander Michael C. Petta, USCG, is the Deputy Chair, the Director for Maritime Operations, and a professor of international law at the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the U.S. Department of Homeland Security, the U.S. Navy, the Naval War College, or the U.S. Department of Defense.

Featured Image: Container ship Houston Express in Hamburg, Germany. (Credit: Prosertek)