Sea Control 281 – Here There Be Dragons with Tim Choi and Adam Lajeunesse

By Jared Samuelson

Friend of the pod Tim Choi and Adam Lajeunesse join the program to discuss their article, “Here There Be Dragons? Chinese Submarine Operations in the Arctic,” and the feasibility of Chinese under-ice operations.


Links

1. “Here there be dragons? Chinese submarine options in the Arctic,” by Adam Lajeunesse and Tim Choi, Journal of Strategic Studies, June 23, 2021.

Jared Samuelson is Co-Host and Executive Producer of the Sea Control podcast. Contact him at [email protected].

This episode was edited and produced by Dr. Ed Salo. 

Sea Control 280 – To Boldly Go with Doctrine Man and Jon Klug

By Jon Frerichs

Jon Klug and Steve Leonard, aka Doctrine Man, join the program to discuss their new work, To Boldly Go: Leadership, Strategy and Conflict in the 21st century and Beyond.


Links

1. To Boldly Go: Leadership, Strategy and Conflict in the 21st Century and Beyond, by Jonathan Klug and Steve Leonard (editors), Casemate, Sep 30, 2021.

Jon Frerichs is Co-Host of the Sea Control podcast. Contact the podcast team at [email protected].

This episode was edited and produced by Keagan Ingersoll.

Port Cybersecurity: Incorporating the IAPH’s New Guidelines into the ISPS Code

By CDR Michael C. Petta

Introduction

Port industry leaders recently submitted cybersecurity guidelines to the International Maritime Organization (IMO) for consideration. The IMO Member States should seize this opportunity and amend the International Ship and Port Facility Security (ISPS) Code to enact cybersecurity standards for ports and port facilities. Specifically, IMO Member States should amend the code, using the new industry guidelines as a model, to require port facilities to conduct regular cybersecurity assessments and develop distinct cybersecurity plans.

The IAPH’s Cybersecurity Guidelines for Ports and Port Facilities

Earlier this month the International Association of Ports and Harbors (IAPH), a trade association representing ports across the globe, announced the publication of cyber guidelines for ports and port facilities. With help from the World Bank, the IAPH developed these cybersecurity guidelines to mitigate, according to the publication’s executive summary, “the top risk for port authorities and the wider port community.” A review of the extensive list of cyber incidents occurring over the past year, as compiled by the Center for Strategic and International Studies, reinforces the IAPH’s view that cyberattacks are a preeminent global threat. Recently in a speech at the United Nations, President Biden recognized the immediacy of that risk, emphasizing the importance of “hardening our critical infrastructure against cyberattacks” and establishing “clear rules…for all nations as it relates to cyberspace.” Needless to say, the IAPH guidelines are a welcome move toward a nearly decade-old aspiration to improve cybersecurity resilience in the maritime sector.

The IAPH’s recent work toward cyber resiliency is not the only 2021 cyber milestone in the maritime transportation sector. Rather, at the start of the year the IMO’s guidelines for maritime cyber risk management, although adopted almost four years earlier, came into effect for parts of the Maritime Transportation System (MTS). It is no coincidence these two sets of guidelines emerged the same year. Indeed, the latter guidelines are a necessary consequence of the former because the earlier set, in fact, does not cover port facilities. Port leaders had no choice but to fill the gap, and they did so quickly.

The IAPH did more than jump into the breach. It also coordinated its effort with the IMO. This substantive coordination is evident in two 2021 submissions to the IMO’s Maritime Safety Committee (MSC). In MSC 103/92 of March, the IAPH, recognizing the port facility gap, stressed that “ports and port facilities would benefit” from a framework akin to that applied to vessels earlier in the year. The IAPH was motivated by cyber risks it considers to be “the most significant threats for ports today,” citing a “fourfold increase in cyberattacks in the maritime industry” over a four-month period last year. Equally motivating was an expected intensification of cyber threats from accelerated port digitalization, an ongoing modernization effort triggered by, inter alia, the coronavirus pandemic.

Driven by these long-standing and mushrooming risks, the IAPH declared to the MSC its intention to develop “a single comprehensive set of guidelines customized for Ports and Port Facilities.” Impressively, just four months later, via MSC 104/7/1, the IAPH reported completion of its work—the IAPH Cybersecurity Guidelines for Ports and Port Facilities.

The 73-page guide contains many valuable cybersecurity measures and instructs facility operators on many topics fundamental to security in the cyber domain. These include management buy-in, personnel training, risk assessment, proper staffing, threat detection, and incident response. While this article does not intend to explore each provision in depth, highlighting a few features is useful for illustrating the guidelines’ utility. For example, the guide expressly endorses port facilities conducting unique cybersecurity training, drills, and exercises. Also, it encourages facility operators to share cyber information with government regulators and industry partners. The guidelines further acknowledge the importance of planned cybersecurity incident response and reporting. Finally, and perhaps most importantly, the IAPH’s new guidelines favor port facilities conducting regular cybersecurity assessments and developing distinct cybersecurity plans.

To incorporate such measures into an international government framework, the IAPH asked the IMO to consider the new guidelines and measures at the next MSC session, which is scheduled to take place in the first week of October, next week.

Amending the International Ship and Port Facility Security Code

The IMO’s previous cyber guidelines, those adopted in 2017 and put into effect in 2021, were considered game changing. Certainly, they were a vital step toward a uniform approach for combating cyber threats in the shipping industry. Notably, IMO Member States relied on the International Safety Management (ISM) Code as the legal foundation for those guidelines. The ISM Code is a safety management system adopted in 1987 to help shipping industry leaders manage safety risks. Regardless of whether a safety management system is the best instrument for generally mitigating security threats, it is not the right tool for promoting cybersecurity at port facilities. This is because the ISM Code, fundamentally, applies only to ships, not port facilities.

Fortunately, there is an international instrument designed specifically to protect port facilities from attacks—the International Ship and Port Facility Security (ISPS) Code. Twenty years ago this month, subversive actors exploited vulnerabilities in the global transportation system and attacked civilian locations across the United States. The ISPS Code was developed in direct response to those attacks and has become the IMO’s “comprehensive mandatory security regime.” One of the code’s express objectives is to assess and detect “security threats to… port facilities… [and] to implement preventive security measures against such threats.” Ultimately, if IMO Member States intend to comprehensively secure port facilities against attacks from within the cyber domain, they must turn to the ISPS Code.

Even though the ISPS Code is the right tool to pull from the international toolbox, the instrument first needs calibrating. Indeed, the code’s existing, albeit implicit, cybersecurity provisions are soft law, non-binding instructive guidance that is unenforceable. Such soft cyber law makes port facilities soft cyber targets. Within the past few weeks, subversive actors backed by a foreign nation, according to the testimony of the Director of the U.S. Cybersecurity and Infrastructure Agency, breached servers and planted malicious code at a port facility in Houston, Texas. When discussing this recent breach, one cybersecurity expert predicted that such incidents would bring about a “much more regulatory” framework instead of the current “aspirational” model.

The ISPS Code has two parts: a mandatory Part A and a recommendatory Part B. Of note, there are no cybersecurity provisions, explicit or implicit, in Part A. Meanwhile, Part B hints at cybersecurity as it encourages port facilities to consider “radio and telecommunications equipment, including computer systems and networks” when they assess physical security vulnerabilities. Encouraging facilities to consider certain threats is a notable aspiration, but it is not a clear, enforceable cybersecurity rule. This is all to say, the ISPS Code, enacted for the specific purpose of preventing attacks on the MTS, is the right tool for the job, but to be an effective instrument against threats in the cyber domain, it must be amended.

Certainly, amending the ISPS Code will take careful consideration. One adjustment IMO Member States might consider is amending Part B Section 18 to encompass training, drills, and exercises specific to cybersecurity. Such cyber-specific requirements do not presently exist. Section 9 of the IAPH guidelines provides useful examples. Also, Member States might consider amending Section 15 of Part A and Part B to expressly require a cybersecurity assessment based on the factors in the IAPH’s model. The cybersecurity assessment would be separate from and a complement to the facility security assessment already required by Section 15 of the code.

Another adjustment to the ISPS Code worth earnest consideration is a change to Section 16 of Part A and Part B to require port facilities to prepare and governments to approve distinct cybersecurity plans. The IAPH provides a model as a baseline. Like the cybersecurity assessment, the cybersecurity plan would be an independent document, a supplement to the already required facility security plan. These are just a few examples of potential ISPS Code adjustments that can be used to effectively incorporate the work of the IAPH into international law.

In a 2020 Port Community Cybersecurity Note, the IAPH seems to recognize a need to amend the code. In chapter five of the note, the IAPH insightfully concludes “that the role of the [Port Facility Security Officer] must evolve to encompass cyber security… rather than being focused purely on physical threats.” Arguably, because the Port Facility Security Officer’s role is controlled by the ISPS Code, it follows that to evolve this role IMO Member States must evolve the code. Moreover, the IAPH seems to recognize that any adjustments should be comprehensive. As it asserts in the 2020 note, due to the “unpredictability and everchanging [sic] nature of cyber threats… a limited or partial approach probably will not suffice.”

Conclusion

The IMO’s MSC meets the first week of October. The IAPH provided the MSC with fully developed port facility cybersecurity guidelines and asked the MSC to consider them. This invitation should be dutifully accepted and used as a springboard to enact IMO standards internationally. The cyber threats and vulnerabilities are well known and expected to multiply with ongoing digitalization across the MTS. The time is ripe for IMO Member States to act. When they meet next week, they should build on the IAPH’s momentum and start the process to amend the ISPS Code, with strongest consideration given to mandating regular cybersecurity assessments and distinct cybersecurity plans.

Commander Michael C. Petta, USCG, is the Deputy Chair, the Director for Maritime Operations, and a professor of international law at the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the U.S. Department of Homeland Security, the U.S. Navy, the Naval War College, or the U.S. Department of Defense.

Featured Image: Container ship Houston Express in Hamburg, Germany. (Credit: Prosertek)

Rethinking the Cryptologic Warfare Officer Pipeline

By Will Cavin

The Cryptologic Warfare Officer (CWO) community, like many other naval warfare communities, has a narrowly defined career path for officers to successfully complete the requisite milestones to assume command. Unlike flight school for naval aviators or nuclear power school for submariners, cryptologic warfare officers receive a rudimentary overview of the broad cryptologic field before they begin their initial tour at a Navy Information Operations Command (NIOC) collocated with a National Security Agency (NSA) site. Junior cryptologic warfare officers’ poor exposure to the incredibly broad field of cryptology and their limited insight into how signals intelligence supports the U.S. Navy fail to prepare them to serve in any meaningful role while completing their initial assignment at an NSA site.

U.S. Navy cryptologic leaders need to send new ensigns to the fleet for their initial tour of duty to gain a broad understanding of the blue-water U.S. Navy, to learn how signals intelligence (SIGINT) and electronic warfare are employed by naval units, and to ensure young officers develop a baseline knowledge to best leverage their operational experience in future support to NSA national missions.

Importance of Early Exposure to the Maritime Navy

Historically, the CWO community believed that the Navy was best served by sending its new junior officers to work national missions at NSA sites to develop a broad understanding of cryptologic disciplines while gaining awareness of cutting-edge technologies that these junior officers could then bring to deployed forces in a follow-on “tactical” tour. However, signals intelligence, electronic warfare, and cyber operations have become increasingly specialized, making it more difficult for young officers to develop needed expertise in these three unique fields of study.

Without prior working experience in cryptology, new officers find themselves relegated to narrow-in-scope positions that often lack the technical challenges that Navy leaders hope will create subject matter expertise in their officer corps. Furthermore, without any actual experience with maritime forces, young cryptologists fail to recognize national mission capabilities or tool sets that could best be leveraged to support the Navy. 

This poor talent management is not a problem isolated to the cryptologic community. Talent management challenges span the Department of Defense due to ineffective evaluation systems used to measure performance and the poor placement of personnel to best maximize its talent. The cryptologic officer corps is uniquely positioned to make minor changes to greatly enhance its junior officers.

Navy Information Forces (NAVIFOR), the Type Commander for all of Navy cryptology, should adjust the traditional career pipeline for new CWOs by sending them to support deployable tactical naval units for their initial assignment. By serving a tour of duty directly supporting naval surface, subsurface, or air units, cryptologists would gain an understanding of how operational naval elements work and their different intelligence needs. 

Broad exposure to deployed forces provides fledgling CWOs with a unique perspective to carry to their follow-on assignment at an NSA site. Support for military operations, a primary mission set for the Intelligence Community, needs junior military officers that through tangible experience from prior assignments have the authority to explain both the intelligence needs and platform limitations of deployed military units. Having prior tactical experience provides CWOs a platform to inform their civilian intelligence analyst counterparts in how the national SIGINT apparatus can best support carrier strike groups, F/A-18 squadrons, and fast attack submarines.

The current CWO pipeline is a missed opportunity to support the warfighter because it strips first tour naval cryptologists of their most potentially valuable contribution to NSA’s joint environment, which is an ability to communicate the needs of deployed forces. 

Developing SIGINT and Electronic Warfare Expertise from Tactical Assignments

Thirty years ago, CWO leadership at NSA sites had the latitude to expose junior officers to a variety of national missions, providing valuable hands-on experience for new officers to quickly develop a solid baseline in the cryptologic skillset. However, in today’s construct, first-tour CWOs are expected to learn the theory of cryptology while supporting a single highly specialized national mission. This silo of exposure limits the learning opportunities for young ensigns, and due to their lack of experience, young cryptologists are placed in largely administrative roles with little authority to support mission or to learn the complexities of cryptology. Thus, CWOs would benefit greatly from learning the basics of SIGINT and electronic warfare while attached to naval units in their initial assignment.

Through direct oversight of cryptologic elements attached to different naval units, CWOs would quickly learn the collection capabilities and limitations of various platforms. This early exposure would ensure that CWOs develop expertise and understand the warfighter’s perspective before working at an NSA field site alongside civilian intelligence analysts who spend their entire career working in national-level missions. Additionally, while completing tactical assignments these junior officers would develop much-needed experience in explaining the capabilities and importance of their mission set to the unrestricted line officers that their intelligence supports. 

In response to potential concerns of a young officer’s ability to assume responsibility for a cryptologic element with little to no experience, Navy senior enlisted personnel in the cryptologic element would provide the mentorship and guidance to young officers still learning the SIGINT and electronic warfare capabilities of their systems. This is much akin to the surface navy, which places new ensigns over divisions of sailors responsible for systems that are foreign to the young officer. Thus, young ensigns would complete a rich tour providing operational units with tactical cryptologic support while developing their own expertise through hands-on real-world application and overseeing the work of their sailors. These experiences would position them to successfully add value to NSA national mission sets with the ability to understand the capabilities and limitations of tactical naval units.

Tactical Cryptologic Competency Creates the Informed Leaders that NSA Needs

Finally, officers that complete an initial tactical assignment will have gained expertise needed to recognize NSA tool sets and emerging capabilities that can directly benefit tactical platforms. Under the current structure, new cryptologists lack the maritime experience to know which national capabilities can benefit deployed units. By altering the career progression path, officers will have the experience to know the limitations and needs of various naval platforms. In an era where over half of naval officers will separate from active-duty before completing eight years of service, the Navy must ensure it does not waste an entire tour of duty “developing” their junior officers. By reordering the career progression path and providing a clear understanding of the goals for each tour of duty, the cryptologic officer corps can best prepare its junior officers to not simply complete their expected responsibilities, but charge them to work alongside intelligence analysts to actively improve national support to deployed naval forces.

The current cryptologic warfare officer pipeline represents an outdated model in which senior officers had the flexibility to expose their new ensigns to diverse mission sets and applications of SIGINT during their initial tour, ensuring they developed a wide understanding of cryptology. In the increasingly specialized modern intelligence environment, NAVIFOR must adjust its career progression pipeline to ensure its young officers can provide better support to deployed forces. By exposing cryptologic warfare officers to the maritime navy as well as the practical application of SIGINT, they are better prepared to effectively assume leadership roles at NSA or other national SIGINT efforts. An additional outcome of this recommendation is that as CWOs continue in their career, the reorganization of the tactical assignment frees junior officers to specialize in one of the cryptologic disciplines, a growing need in today’s increasingly technical world. 

Lieutenant Will Cavin is a Cryptologic Warfare Officer in Washington, DC. He has completed assignments at the National Security Agency in Ft. Meade and served as an EP-3E Special Evaluator in Bahrain. He is passionate about the mental health of servicemembers and served as a Suicide Prevention Advocate. He graduated with merit from the United States Naval Academy.

References 

Combest, L. (1996). IC21: The intelligence community in the 21st century. Permanent Select Committee on Intelligence, 1–421. Retrieved from https://www.hsdl.org/?view&did=439040

Karpf, B. (2019). Train navy officers for cyber lethality. Proceedings, 145(2). Retrieved from https://www.usni.org/magazines/proceedings/2019/february/train-navy-officers-cyber-lethality

Kuzma, R., Shaw, I., Danelly, Z., & Calcagno, D. (2018). Good will hunting: The strategic threat of poor talent management. War on the Rocks. Retrieved from https://warontherocks.com/2018/12/good-will-hunting-the-strategic-threat-of-poor-talent-management/

Schultz, B. (2020, May 31). Coaching trees (NSGA kunia 2002-2004). Station Hypo. Retrieved from https://stationhypo.com/2020/05/31/coaching-trees-nsga-kunia-2002-2004-guest-post/#more-13907

Snodgrass, G. (2014). Keep a weather eye on the horizon: A navy officer retention study. Naval War College Review, 67(4), 64–90. Retrieved from https://digital-commons.usnwc.edu/cgi/viewcontent.cgi?article=1352&context=nwc-review

Talbot, A. (2020). Truth #3: Division officers must learn to “see the future.” Proceedings, 146(5). Retrieved from https://www.usni.org/magazines/proceedings/2020/may/truth-3-division-officers-must-learn-see-future

Featured image: An EP-3E Airborne Reconnaissance Integrated Electronic System (ARIES) II, assigned to the “World Watchers” of Fleet Air Reconnaissance Squadron 1 (VQ-1), transits over the East China Sea. (U.S. Navy photo)
