Infrastructure and Trade Week

Soft Cyber Law Makes Port Facilities Soft Cyber Targets

1 Comment

Maritime Infrastructure and Trade Topic Week

By CDR Michael C. Petta

Introduction

There is widespread recognition that cybersecurity vulnerabilities make the maritime transportation system a soft target. For example, about 10 years ago, a European Union study found “inadequate preparedness regarding cyber risks” in the maritime sector. In 2013, a U.S. Presidential Executive Order announced that cyber threats continue to grow as one of the most serious security challenges for critical infrastructure, such as port facilities. A few years later, an International Maritime Organization (IMO) resolution acknowledged the “urgent need” to address maritime cyber threats. Just a few days after that IMO resolution, Maersk, the global shipping company, suffered a major cyberattack, leading its chairman to admit in an interview that the maritime industry had been naïve with cybersecurity and needs “radical improvement.” Just recently, moreover, the European Union (EU) again spoke on the issue in a 2020 report on Cyber Risk Management for Ports. The EU report found ports continued a “fragmented approach” with cyber security due to inconsistent knowledge, compliance, and perceptions of cyber risks.

Despite the widespread recognition of these vulnerabilities, international port cybersecurity laws remain soft—unenforceable and discretionary. The international community should take steps to harden these laws and therefore harden the targets.

Soft Targets

The term “soft target” is used in law enforcement, force protection, national defense, and industrial security. Its definition has subtle varieties depending on the source. In the United States, a Department of Homeland Security soft target security plan states that soft targets include “locations that are easily accessible to large numbers of people and that have limited security or protective measures in place making them vulnerable to attack.” From a global perspective, a United Nations report on threats against soft targets characterizes soft targets as “locations that are easily accessible and predominantly civilian in nature, often with limited security measures in place.” Meanwhile, a basic online dictionary defines the term as a location that “can be attacked easily because it does not have military defenses.” Whatever the source, uses of the term carry a universal theme—a target is soft if vulnerable to attack, regardless of the reason for its vulnerability.

Some soft targets, like a small town’s water treatment plant, might seem obvious. Other soft targets, such as international port facilities, might be less obvious. This is because port facility infrastructure benefits from global security measures, particularly those established in the International Ship and Port Facility Security (ISPS) Code. Nevertheless, despite the ISPS Code’s benefits, cybersecurity remains the soft underbelly of port facilities.

This soft underbelly should be cause for action because soft targets are easy targets. As one criminologist writes, “terrorists generally attack where their opponents are weakest. As such, terrorists focus on soft sites.” The United Nations Security Council observes the same trend, stating in a recent analytical brief that soft targets “have long been preferred targets of terrorist attacks.”

A disruption to the maritime transportation system (MTS) due to an attack on a soft target could have far-reaching effects. The recent grounding of the container ship EVER GIVEN underscores the criticality and fragility of this global trade system. This single disruption to vessel traffic is estimated to have held up $9 billion in global trade per day. The effects of a cyber-induced MTS disruption would go beyond economics. People’s lives and livelihoods depend on the gasoline, building materials, food, and heating fuel the MTS delivers. The ongoing pandemic underscores this point.

Soft Law

Port facilities remain soft targets for cyberattacks because the ISPS Code, the regime implemented to protect international port facilities, contains “soft law.” Much scholarly debate exists on the meaning of the term soft law. Professor Dinah Shelton’s 2008 article Soft Law is recommended to those looking to more fully explore this area of international law. For efficiency’s sake, this article adopts the view that soft law is recommendatory and hard law is mandatory. Or, as a more succinct military leader might say, compliance with soft law is “desired but not required.”

The ISPS Code was established by member states of the IMO to protect shipping and port infrastructure around the world. Put into effect in 2004, the ISPS Code is a comprehensive security regime and a component of the International Convention for the Safety of Life at Sea (SOLAS). Although the ISPS Code is part of a binding convention, only the first of its two segments, Part A, is mandatory. Part B is recommendatory.

Part A of the ISPS Code mandates that each facility develops a Facility Security Plan (FSP). The FSP is the foundation upon which a facility’s preventative measures are built. Part A also directs FSPs to address particular security matters, such as measures to limit the entry of weapons, control facility access, protect restricted areas, and safeguard cargo. These physical security obligations in Part A are clear and certain.

What is also clear in Part A is its lack of any cybersecurity requirement. There is no mandate that a separate Cybersecurity Plan be developed. There is no directive that requires cybersecurity to be addressed in the already mandated FSP. In fact, the only reference to cyber in the whole ISPS Code is in Part B, the recommendatory portion. Specifically, there are four Part B provisions, each dealing with security assessments, that state facilities should consider “radio and telecommunications equipment, including computer systems and networks” when assessing vulnerabilities.

Being in Part B, these four provisions are discretionary. These “cyber” provisions are not only discretionary, they are also vague. Certainly, some may question whether the phrase “radio and telecommunications equipment, including computer systems and networks” is synonymous with the term cyber. In 2015, Canada raised this exact point in MSC 95/4/2, a submission to the IMO’s Maritime Safety Committee (MSC). In its submission, Canada proposed amending the ISPS Code to clarify the vague phrase. In MSC 95/22, the MSC decided that an amendment to the ISPS Code was not warranted at the time.

Being both vague and discretionary, the ISPS Code’s “computer systems and networks” language is unenforceable soft law. This attenuated law accommodates an environment in which cybersecurity merely subsists and port facilities remain vulnerable to cyberattacks. It is time to consider a different approach.

Harden the Law, Harden the Targets

Considering the serious impacts of a cyber disruption to the MTS, relying on unenforceable soft law may not be the right approach. The international community can do more to harden the law, and there is a useful model in the Unites States.

Enacted in 2018, the Maritime Security Improvement Act (MSIA), codified at 46 U.S.C. § 70103(c)(3)(C)(v), expressly requires FSPs to “include provisions for detecting, responding to, and recovering from cybersecurity risks.” Importantly, this domestic law prohibits port facilities from operating in the United States without an FSP that addresses such cybersecurity measures.

This U.S. mandate is a hard law, both clear and enforceable. To meaningfully address known cybersecurity vulnerabilities across the world’s port facilities, the member states of the IMO should collaborate and amend Part A of the ISPS Code to include a similar mandate. By hardening the law in this way, member states can establish a consistent, uniform enforcement framework and thus, begin to harden port facilities against cyberattacks.

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

Featured Image: Maersk MC Kinney Moller in port (Wikimedia Commons)

Infrastructure and Trade Week

Maritime Infrastructure and Trade Week Kicks Off on CIMSEC

Leave a comment

By Dmitry Filipoff

This week CIMSEC will be featuring articles submitted in response to our call for articles on maritime infrastructure and trade, issued in partnership with Maersk Line, Limited.

Maritime infrastructure and trade is an often underappreciated element of maritime power, and yet it is the origin and raison d’etre of maritime power. Undergirding the many commercial and military ships that sail the world’s oceans is an expansive network of ports, bases, shipyards, and more that give maritime assets a home and a destination. Infrastructure and trade transcends the tangible, with laws, norms, and cyberspace shaping behavior and controlling for risk. With respect to national security, infrastructure and trade is a soft underbelly of national defense, where chronic underinvestment has led to increasing threats. These matters deserve greater scrutiny in order to reap economic gains and adequately protect critical foundations of international order.

Below are the articles and authors being featured, which will be updated with further submissions as Maritime Infrastructure and Trade Week unfolds.

Soft Cyber Law Makes Port Facilities Soft Cyber Targets,” by CDR Michael C. Petta
How the Decarbonization Dilemma Will Impact Shipbuilding and Great Power Competition,” by Benjamin Clark
PRC Investments in Global Maritime Infrastructure: Implications for Port Access,” by John Bradford
All of One Company: The Need to Forge a Stronger Bond Between Navies and Commercial Shipping,” by Peter Cook
The Ship that Launched 1,000 Memes and Nearly Destroyed 12 percent of World Trade,” by Dr. Salvatore R. Mercogliano

Dmitry Filipoff is CIMSEC’s Director of Online Content. Contact him at [email protected].

Featured Image: The USS Illinois submarine sits in the main construction hall of General Dynamics Electric Boat in Groton, Conn. (General Dynamics)

Podcast

Sea Control 246 – Beyond Static Spatial Management with Dr. Guillermo Ortuño Crespo and Andrea Galassi

Leave a comment

By Jared Samuelson

Dr. Guillermo Ortuño Crespo and Andrea Galassi join the show for a wide-ranging discussion on fisheries management, the difficulties caused by decades-old policy instruments, the increasing industrialization of the fishing industries, and potential management solutions for the future.

Download Sea Control 246 – Beyond Static Spatial Management with Dr. Guillermo Ortuño Crespo and Andrea Galassi

Links

1. “Beyond static spatial management: Scientific and legal considerations for dynamic management in the high seas,” by Guillermo Ortuño Crespo et al, Marine Policy, Vol. 122, December 2020.
2. “An ocean of surprises – Trends in human use, unexpected dynamics and governance and challenges in areas beyond national jurisdiction,” by Andrew Merrie et al, Global Environmental Change, Vol 27, July 2014.

Jared Samuelson is Co-Host and Executive Producer of the Sea Control podcast. Reach him at [email protected].

1980s Maritime Strategy Series

Admiral Tom Hayward on Challenging War Plans and Revamping Strategy

Leave a comment

1980s Maritime Strategy Series

By Dmitry Filipoff

CIMSEC discussed the 1980s Maritime Strategy with Admiral Tom Hayward (ret.), who initiated much of the Navy’s efforts toward changing war plans and adopting a more offensive role that would later be embodied in the Maritime Strategy. In this conversation, Admiral Hayward discusses how he came to learn of the Swing Strategy, how he initiated efforts to revise war plans, and how he advocated for these changes as commander of the Pacific Fleet and as the Chief of Naval Operations (CNO).

How did you learn about the Swing Strategy as a senior commander and begin to change the war plans for the Navy?

It’s helpful to begin by providing some context. You have to put yourself back in the position of being an operator, and I myself was an operator when the Vietnam War was coming to an end. I’m no academic, I’m a tactician, and you try to get the immediate job done. So I commanded an aircraft carrier in Vietnam, focused on running strikes 24/7. In the context of global warfare, throughout that whole period of time, the Russians and their Pacific Fleet modernized a lot and clearly got to be bigger and better than our Pacific Fleet. But I didn’t focus on that at the time. I’m just the skipper of a carrier and my job is to get the guys over the beach and back safely.

We had a requirement to stand down every now and then to simulate the war plan launching of nuclear weapons, and this went on all over the fleet, as I far as I know. In the context of how the Seventh Fleet and the carriers would respond, our job was to launch nuclear weapons when so ordered. So we would exercise that. I’d pay some attention to it, but not in great detail, and made sure the exercise was taking place and got what we wanted out of it. Just a standard requirement of running the ship.

I got promoted to Rear Admiral and was eventually sent back to Washington. In all of my jobs for the next 10 or so years, I was trying to help get the Navy back on its feet post-Vietnam. When I went out later to command Seventh Fleet, I was dealing with plenty of logistics problems and getting the Navy back into rhythm again, with all the ships being way behind on maintenance. The primary responsibility of me as Seventh Fleet commander and later at PACFLT and so on was getting things back in shape, sorting things out, and getting our readiness back. We had major, major upkeep issues, retention, all those kinds of issues.

After settling down in Seventh Fleet, I said to the staff, “Let’s go through the war plans, what are they? I haven’t paid any attention to them.” And that’s the first time I found out that seriously what we were supposed to do under a certain DEFCON much of Seventh Fleet was to run and hide down among some islands in the South Pacific and pretend they can’t be found. And then they would use nukes when ordered to execute the war plans. And that’s when I started thinking that’s crazy, we’ve got a fleet out here we’ve got a fight, the Russians have a Pacific Fleet here. That was the real start of my working with the staff and my own thinking about other options. Because that was a lousy choice and we needed to start looking at how we should really do this.

How did you work on that while commanding the Pacific Fleet?

Around that time I get promoted to lead PACFLT. So my perspective changes where I’ve got the whole fleet to worry about now and not just Seventh Fleet. In that context, my priorities were still way over on the side of readiness and getting our Navy back to operating again. We had huge problems. We think we have problems now, back then we had horrible budgets, broken down people and platforms, drug problems, all those day-to-day things that affect readiness in a big way. Our readiness was terrible. So my highest priority at the time was readiness.

However, at the same time I had my ops guys start thinking about the war plans. That’s when I became even more familiar with what was in the war plans about the Swing Strategy. That’s around the time when Captain Jim Patton joined my staff and became the action officer for all my thinking on this and did the research and provided the background on these issues. It became very clear to me that the Swing Strategy was the wrong answer.

That’s when I formulated Sea Strike, the staff came up with that name. The idea was that the strategy would take the fight to the Russians and get them to tie down their eastern armies, which they could otherwise have swung to the west in the event of a major conflict. We were going to put them on the defensive. We knew from intelligence the Russians were logically very sensitive to homeland security. It took many months to put together a plan with all the extensive details and then think about how to wargame it, practice it, put it into effect.

But some people would say, ‘You didn’t promote it at the time.’ I said, absolutely not I didn’t promote it. If I had gone to even the CNO, Admiral Jim Holloway, or the Chairman of the Joint Chiefs, and tell him we wanted to change the war plans, it would surely have been squelched.

Furthermore, I didn’t know yet whether it was a practical thing to do. But I knew that what was already planned was definitely impractical. Send all our fleets to the Atlantic? Crazy idea.

That took place when I was at PACFLT, developing the plan, getting it ready to exercise, work out the obstacles and the hurdles to get through it, and get it to the point where we could be confident about it and then take on the issue of changing the war plans.

It was very clear when I got to be CNO, especially after I got all the debriefings about the way in which DoD was heavily biased toward the Central Front of Europe. Bob Komer, he was Defense Secretary Harold Brown’s loud mouthpiece about why we needed to swing the Navy, and saying the only reason we have a Navy is for getting the Army into Europe. I wasn’t aware of his being too much at the forefront of the issue until I became CNO. Prior to becoming CNO, Harold Brown came out and visited me at PACFLT. Before that, Senator Sam Nunn was out in the area and we briefed him on the whole program. He was very taken by it and it wasn’t too much longer after that when Harold Brown came out. That’s when the seed was planted back in the Washington environment that the Pacific Fleet was looking at alternatives.

When I got to be CNO and all the other issues that go with that, I got a briefing on the war plans for supporting Europe. I saw potential for the same sort of strategic logic I saw in confronting the Soviets in the Pacific and the potential for offensive warfare. This was actually a global issue, and the Navy has a major role to play on the flanks. The flanks being the Mediterranean, the North Sea, the North Atlantic, and elsewhere. We could tie down a lot of Soviet options that might be in their playbook to support the central front, but they wouldn’t be able to execute those options with the Navy and the Marines going after their flanks.

I brought in key flag officers, and folks like Bing West and others, and I started articulating where I wanted to take this. We needed to get buy-in from leadership, because the first reaction would be, “This is a crazy idea.” I gave a talk on a global, forward Navy to every War College in their auditorium. I got the flag officers all together and got their interaction. We got buy-in that there was a new role for the Navy, and it was way beyond escorting the Army to Europe.

When you were PACFLT you said it was risky to change the war plans. Were you in a better position to advocate for that as CNO?

I sure was, of course. Remember, the DOD all had other things on their mind, too. The big obstacle was getting Bob Komer to quiet down. But nobody ever came up and said, ‘You guys can’t do that.’ I don’t know precisely where we got to the point that we rewrote the general war plans, maybe Jim Patton knows that. He was down in the trenches making the details come together. I had brought him back to Washington not long after I was CNO and he kept assisting with the development of the global Navy strategy.

As CNO I’m still heavily involved in readiness issues. The drug issue was a huge thing, retention and recruiting was massively difficult. Harold Brown and President Carter were cutting the budget and making it harder and harder. The nation had turned against the military badly at that time. That’s where my attention was, and gradually changing the perception of the Navy’s global role.

About two-thirds of the way through my tour was when John Lehman came onboard. He apparently was having somewhat similar conversations with others on the future Navy posture and strategy. When he took over as SECNAV, he had his own priorities, but in this area, we were in synch. He wanted to raise the visibility of the Navy, increase the size of the Navy, and of course with President Reagan he came in with more money. And a lot of that went to readiness. We got spare parts, got training to where it belongs, more at-sea time and flying time, all those things that get you ready. In the meantime, 2nd fleet out there was getting instructions to do a “Sea Strike” exercise in the Atlantic.

After the Reagan Administration comes in, was there a much more receptive audience, especially with building the readiness needed for that kind of strategy?

The word “strategy” was not the driver necessarily, the Navy and all the services were so worn out and needed to get back into shape. I didn’t sell the budget on the basis of strategy but on the basis of the combat readiness of our units.

There are readiness categories, C1, 2, 3, and 4. C1 means I’ve got everything I need for combat. C2 means I’m short some things but we’re in pretty good shape. C3 means we’re getting kind of shaky, and at C4 you’re real shaky. Our readiness was so bad I created C5. That rattled around the building a lot. I was accused with playing games with the budget, and you’ve got to face that kind of thing all the time. But C5 meant that I am unsafe to steam or fly. Lo and behold, an AOE out of Norfolk was about to depart on deployment when the skipper rang the C5 bell. All hell broke loose, ‘Oh Hayward is playing games,’ and so on. I got in front of Congress and I told them to get down there and see what was going on.

That was the start of a major turnaround. That year I think we got about a 26 percent increase in pay, and many readiness-related things. When the real world finally got their attention, all this typical game playing that goes on between budgeteers and accountants, it got pushed to the side a bit. It was an honest effort to see how bad we were getting. That skipper called it right. He didn’t have enough qualified people onboard that ship to go on deployment. Today you wouldn’t get that far.

In the context of the Swing Strategy, I told staff to basically ignore it and we would build our own strategy, and if we can do our due diligence and do this thing right, then we could change the war plans.

What is the value of having a global Navy that can go on the offensive, rather than a more narrow purpose? What lessons are there for today?

The concept of having the enemy worry about you is a major element in deterrence. That was the overriding, broad strategic thrust of having the Navy play a proper and significant role in presenting the adversary with a meaningful threat. A new strategy would give the Navy a valuable deterrent role. The Navy could be in a position to constrain the Soviet ability to launch nukes and affect their ability to focus on a conventional assault on the central front.

We shouldn’t fight China today, whether it’s nuclear or non-nuclear. We have to posture and work all of our policies, foreign policy, commercial policy, and so on to be oriented toward presenting a deterrent in all its dimensions against what President Xi may be thinking about doing, and which could upset the global balance of power.

The role today in the broad sense remains the same, it is to deter. We can’t fight a land war with China. We have to use maritime power in a very constructive way to present deterrence.

Admiral Tom Hayward entered the naval service in World War II through the V-5 Naval Aviation Cadet Program, then transferred to the Naval Academy, from which he graduated in 1947. He has commanded a fighter squadron, a carrier air wing, and an aircraft carrier. In 1973-1975 he was the Navy’s Director of Program Planning, then served as Commander, Seventh Fleet from 1975-1976. From 1976 to 1978 he was Commander in Chief, Pacific Fleet, then finished his career as the 21st Chief of Naval Operations from 1978-1982.

Dmitry Filipoff is CIMSEC’s Director of Online Content. Contact him at [email protected].

Featured Image: November 15, 1985 – An elevated stern view of the aircraft carrier USS SARATOGA (CV 60) underway. (Photo by PH1 P.D. Goodrich via the U.S. National Archives)

Fostering the Discussion on Securing the Seas.