Revamping Wargaming Education for the U.S. Department of Defense

By Jeff Appleget, Jeff Kline, and Rob Burks

Introduction

The U.S. Department of Defense has failed to educate generations of military officers on the skills of wargaming. Wargaming creates the environment in which uniformed leaders practice decision-making against an active, thinking adversary. Wargaming is also required by the Department of Defense’s planning process to create sound and executable plans, is inherent to designing new doctrine and operational concepts, and is a vital element in the cycle of research.1

For these reasons, military leaders must have the ability to create and conduct wargames. However, the current military education process does not impart this critical knowledge.

Background

Ed McGrady, distinguished Center for Naval Analyses wargamer, opened a recent commentary on wargaming by saying, “There is a widespread misunderstanding of what wargaming is…” and we agree wholeheartedly. Too many in the Department of Defense believe wargames are computer-based combat simulations used to produce quantitative analyses, but they are not. Wargaming is about human decision-making. Joint Publication 5-0 Joint Operation Planning’s wargaming definition makes this clear: “Wargames are representations of conflict or competition in a synthetic environment, in which people make decisions and respond to the consequences of those decisions” (emphasis added).

Most defense wargaming practitioners recognize three purposes for wargames: educational, experiential, and analytic. Educational and experiential wargames are focused on the player. The primary output of these types of wargames is a better educated or experienced player. For example, success might lead to an officer who now knows how a new weapon system is employed or has experienced fighting against a threat in a different region of the world. There are usually no other ‘results’ to demonstrate the wargame’s value.

On the other hand, analytic wargames focus on producing findings and recommendations in response to a sponsor’s tasking. Therefore the product of these wargames is not player-focused but sponsor-focused. Planning wargames, as outlined in Joint Publication 5-0 (Step 4: Course of Action analysis and wargaming), are specific analytic wargames with the task of analyzing courses of action, which then inform the development of a plan. Other analytic wargaming activities include developing new concepts of operations, doctrine, Tactics, Techniques, and Procedures (TTP) for emerging and future technologies, and front-end wargaming for experimentation and exercises to ensure that these expensive endeavors are properly focused and can achieve a high return on investment. We can learn much about new technologies and concepts through wargaming without burning a penny’s worth of fuel.

Current Status

Department of Defense wargaming is at a crossroads. It seems self-evident that the Department of Defense should own the responsibility to improve its wargaming. While Federally Funded Research and Development Centers (FFRDCs), educational institutions, and defense contractors may have roles to play in wargame improvement, only the Department of Defense can choose to lead and embrace a comprehensive end-to-end cycle of research construct. This construct includes wargaming, computer-based combat simulations, and other quantitative and qualitative analytic techniques that, when properly leveraged, provide quality decision support to the department’s leadership. It must begin by addressing the shortcomings in wargaming education.

The 2015 call to reinvigorate wargaming has inspired the reintroduction of wargaming into some service school classrooms. Hence, a portion of uniformed field grade officers have an appreciation for, and may have actually played, wargames. However, the inability of the Department of Defense’s uniformed members to design and conduct their own wargames still has not been addressed in professional military education. Today, the Department of Defense relies on FFRDCs, educational institutions, and defense contractors to design and conduct wargames on their behalf. While these organizations produce useful wargames, the sheer number of wargames that should be executed across the department cannot all be performed by these organizations—they simply do not have the capacity, nor does the department have the budget.

However, there is a far more fundamental problem with the department’s reliance on these organizations. This reliance is, in effect, outsourcing the intellectual underpinnings of the nation’s defense strategy, officer professional development, and the department’s acquisition process.

Wargaming should become an integral part of the military officer corps’ professional education. The skills required to design and conduct wargames go hand-in-hand with the skills required to plan and execute military operations. 

The lack of wargaming skills and experience in our field grade and senior officers should be a warning to the department’s leadership. Wargaming was once the primary venue for the exchange of ideas, debates on tactics and doctrine, the sharing of lessons learned from previous operations and experiences, and the operational and doctrinal education of junior officers.2 Now it has largely disappeared from officers’ professional development. The 38th Commandant of the Marine Corps’ Commandant’s Planning Guidance states this concern very succinctly:

“In the context of training, wargaming needs to be used more broadly to fill what is arguably our greatest deficiency in the training and education of leaders: practice in decision-making against a thinking enemy. Again, this requirement is inherent in the nature of war. In modern military organizations, it is, along with the fear of violent death, precisely the element of real war that is hardest to replicate under peacetime conditions. Wargaming historically was invented to fill this gap, and we need to make far more aggressive use of it at all levels of training and education to give leaders the necessary ‘reps and sets’ in realistic combat decision-making.”

Phil Pournelle, Senior Operations Analyst and Game Designer at Group W, points out a 2018 National Defense Strategy Commission finding that the military struggles to “link objectives to operational concepts to capabilities to programs.” Linking of objectives to operational concepts to capabilities is basic military planning. Yet our combatant commands and joint task forces struggle to conduct the planning wargames that Joint Publication 5-0 requires.

According to Joint Publication 5-0, each course of action should be wargamed against the enemy’s most likely and most dangerous course of action for a given plan. Assuming a modest number of three friendly courses of action to analyze, that is a requirement for six wargames per plan. And every plan that has sat on a digital shelf for more than a year needs to be dusted off and wargamed again, as the facts and assumptions that underpinned the plan’s development 12-plus months ago have undoubtedly changed, often significantly.

Unfortunately, due to time, staff capability, and capacity constraints, at best there may be one wargame conducted per combatant commander’s plan: the commander’s favorite Course of Action against the enemy’s most likely Course of Action. Insufficient time is allotted to conduct the wargame, resulting in poor design, less thorough execution, and results that fail to illuminate the plan’s operational risks or propose contingencies. This lack of time inspires the quick application of seminar games that devolve into BOGGSATS – a Bunch of Guys and Gals Sitting Around a Table.

As recent commentary from Peter Perla, author of the seminal book The Art of Wargaming, and Phil Pournelle3 has pointed out, wargaming should also be an integral part of analysis, experimentation, exercises, and the broader cycle of research. Far too often this is not the case. Instead, the department relies on analysis methods such as cost-benefit analysis, capabilities-based assessments, and analysis of alternatives that provide technical rationales for procurement decisions. However, in the Department of Defense, these analyses must be tempered with a thinking adversary in mind. Our potential adversaries in the future are concurrently developing new doctrine and concepts, fielding new technologies and force structures, and procuring new systems that increase our risk or limit our military options. Wargaming is necessary to gain an appreciation for our competitors’ capabilities, options, and objectives.

Wargaming has always been an integral part of the Army’s analysis to support their department’s acquisition of new technology and weapons systems. Army analytic organizations, such as the Center for Army Analysis and the Training and Doctrine Command’s Analysis Center, integrated wargaming with their computer-based combat simulations to provide comprehensive qualitative and quantitative analysis to support key acquisition programs several decades ago. Both tools are still used together, productively, today.

This approach’s benefit is two-fold. First, the warfighters brought into the wargame’s concepts of operations (CONOPS) that employ units equipped with new technologies provide input into the analysis process and gain a better appreciation for the quantitative analysis products that the combat simulations could provide. Second, the analysts gain a better understanding of how a new force would fight differently and use that knowledge to inform the instantiation of the schemes of maneuver required by their combat simulations, which in turn improves their quantitative analysis products. To do this properly, operations research analysts must create the wargaming environment, conduct the wargames, and determine how to best integrate the wargame’s qualitative output into the computer-based combat simulations so that the study produces both qualitative and quantitative analysis.

Unfortunately, some of the department’s more senior analysts that cut their analytical teeth using computer-based combat simulations believe that wargames provide little or no analytic value. This view completely misses the fact that counterinsurgency, hybrid warfare, the gray zone of conflict, and competition short of war are not well addressed by the millions of dollars the department invests in the maintenance, staffing, and running of kinetic-focused combat simulations and the organizations that support them.

In a recent Naval War College Review article, Capt. Robert Rubel (ret.), professor emeritus of the U.S. Naval War College and former chair of its Wargaming Department, stated, “Two-sided gaming should be a widespread and essential part of the professional education process from pre-commissioning through senior service colleges and even flag level courses.” He went on to describe several virtues of wargaming:

  • “A routine diet of two-sided gaming can generate and hone the ability to reason competitively.”
  • “Making two-sided gaming the default PME vehicle will help to re-create a sandbox in which innovative reflexes can be developed.”
  • “Repeated struggling in competitive situations is more likely to produce new ideas and insights, especially if such experience is widespread in the officer corps.”

Rubel also goes on to caution: “Two-sided gaming is not easy. The design of such games must take care to channel competitive instincts properly.”

In summary, the Department of Defense’s need for increased capacity to conduct quality wargaming starts by educating its officer corps on how to design, conduct, and assess analytical, educational, and experiential wargames.

The Way Ahead

We propose jumpstarting wargaming education in the Department of Defense with a two-pronged approach. First, the Department of Defense needs wargame designers at an apprentice level. Any officer who is a candidate to serve on a general or flag staff (most field grade line officers) should complete a basic analytic wargaming course to enable them to bring value to a wargaming design team. We do not advocate for a specialty track for wargamers. Instead, all military leaders should be wargamers (such as the Navy’s flag ranks at the onset of WWII). The Army and Marine Corps do a decent job of introducing their young officers to some of the building blocks of wargaming. While sand table discussions, table-top exercises, and rehearsal of concept drills incorporate several of the elements of wargaming, they are typically missing the conflict or competition that a thinking adversary produces. These events provide a wargaming-like basis from which to build. A logical place for such a course is in the command and general staff college level of Joint Professional Military Education. 

Second, there needs to be an executive-level wargaming course for senior leaders. Senior officers who supervise and consume the results of wargaming today, such as primary staff officers on Combatant Command or other flag officer commanded staffs, need to understand what wargames are, how they are different from computer-based combat simulations, what to expect from well-designed wargames, and the level of resource investment required from them and their staff to obtain quality wargaming results. They also need to realize that their younger charges must couple their wargaming education with playing and designing wargames to become proficient wargamers. They must give their subordinates enough time to game. Moreover, senior leaders should lead by example, participating in and encouraging wargaming activities in their commands.

Over time, the wargaming apprentices, through playing, designing, and conducting wargames, will mature in their wargaming skills and take on wargaming leadership roles. Note that the goal is not to identify a pipeline to create wargaming masters. Such masters are rare individuals, and some may emerge from the ranks of military wargamers produced. But, just as most officers will never achieve flag rank, most uniformed wargamers will never become wargaming masters. The FFRDCs, educational institutions, and Department of Defense contractors have wargaming masters, and their expertise will still be needed to support the department. However, many good wargames can be designed without requiring the supervision of a wargaming master.

Since 2009, the Naval Postgraduate School’s Operations Research Department has offered an 11-week Wargaming Applications course to its resident students that focuses on the design, conduct, and analysis of wargames for Department of Defense, allied, and partner sponsors.4 The faculty designed the course recognizing that the Naval Postgraduate School’s Operations Research graduates – our military’s newest Operations Research analysts – needed to be able to design, conduct, and analyze a wargame. Acquiring these skills enables them to participate in, lead, and eventually supervise the end-to-end campaign analysis that incorporates wargaming, computer simulations, and other qualitative and quantitative analytic tools as future analytic assignments will require. The course organizers did not fully recognize the added benefit of this education until some of the Operations Research graduates started serving at Combatant Commands. These graduates, now staff officers, reached back to the Naval Postgraduate School to report how useful their wargaming design skills were in helping the Combatant Command staffs design and conduct useful planning wargames. They asked if the Wargaming Applications instructors could come to their location and teach a cadre of the Combatant Command personnel the same basic wargaming design skills they had internalized at the Naval Postgraduate School.

In response, NPS developed the week-long Mobile Education Team Basic Analytic Wargaming Course around the same philosophy as our resident wargaming course: learn by doing. The objectives for this course were two-fold.

First, it builds a cadre of personnel who can initiate, design, develop, conduct, and analyze a wargame. Unified Combatant Commands have leveraged this opportunity by having personnel from their operational planning teams and staff sections attend the course and work in teams to learn how to design, develop, and execute a wargame.

Second, since the sponsoring organization chooses the wargaming topic used in the course’s practical exercises, the organization can have the core foundation of a wargame created and demonstrated that can then be further built out and used by the organization to meet other organizational wargaming requirements. NPS has conducted over 20 week-long Mobile Education Team Basic Analytic Wargaming Courses around the world, including five at Combatant Commands. Today, NPS conducts 6-8 Mobile Education Team events annually, and demand remains high.

The philosophy in teaching wargaming is that it requires a hands-on, learn-by-doing approach. Both the resident and Mobile Education Team courses are over 70 percent practical exercises, where the students are applying the techniques that we illustrate in the lectures. In both courses, a Department of Defense, ally, or partner sponsor provides the wargaming topic that serves as the impetus behind the practical exercises. Student groups design, conduct, and then analyze wargames for their sponsors as the course’s graduation exercise. Since 2009, the Naval Postgraduate School resident student wargaming teams have conducted over 70 wargames for 35 Army, Navy, Marine Corps, Joint, International, and Industry sponsors. NPS views the wargaming course graduates as wargaming apprentices. They have enough knowledge and experience to make useful, often significant, contributions to any wargaming effort required in the department. Several recent graduates have actually led wargaming design initiatives at their respective organizations soon after graduation.

Conclusion

If the Department of Defense is serious about improving its wargaming capability, it needs to invest in its people through wargaming education. That education needs to be practical and applied at the company and field grade level, preferably as part of their Joint Professional Military Education or graduate school opportunities. If it is a priority to emphasize wargaming’s role in Department of Defense decision-making, simply “doing more wargames” is insufficient. Preparing warfighters to employ wargaming to the full extent of their purposes must be a necessary element.

Colonel (Retired) Jeff Appleget, Ph.D., spent 20 of his 30 years in the U.S. Army as an Operations Research/Systems analyst where he participated in and supervised acquisition and analysis studies using wargaming and computer-based combat simulations. Since 2009, Jeff has been a Senior Lecturer in the Operations Research Department at the Naval Postgraduate School where he teaches wargaming and combat modeling courses. Jeff has mentored over 70 wargames that have been created, conducted, and analyzed by NPS resident Operations Research and Defense Analysis student teams for DoD, Defense partner and allied nation sponsors, and the defense industry. He has led 20 NPS Mobile Education Teams to teach his week-long Basic Analytic Wargaming course in DoD and around the world, to include STRATCOM, CENTCOM, AFRICOM, MARFORPAC, Marine Corps Warfighting Laboratory (two courses), NATO Special Operations Forces, the Australian Defence Force (four courses), the Canadian Air Force, the Indonesian Navy, the Taiwan Armed Forces, and a Tri-lateral course for the Swedish, Norwegian, and Finnish Defence Research Agencies. He holds a Ph.D. in Operations Research from the Naval Postgraduate School, an M.S. in Operations Research and Statistics from Rensselaer Polytechnic Institute, and a B.S. from the United States Military Academy. His major awards include the 2016 Richard W. Hamming Faculty Award for Interdisciplinary Achievement, the 2011 Army Modeling and Simulation Team Award (Analysis), 2003 Dr. Wilbur B. Payne Memorial Award for Excellence in Analysis, 2003 Simulation and Modeling for Acquisition, Requirements, and Training (SMART) Award, 2001 SMART Award, 1993 Instructor of the Year (At Large), Department of Mathematical Sciences, U.S. Air Force Academy, 1991 Dr. Wilbur B. Payne Memorial Award for Excellence in Analysis, and 1990 Concepts Analysis Agency Director’s Award for Excellence. Along with Dr. Rob Burks, Jeff directs the activities of the NPS Naval Warfare Studies Institute Wargaming Center.

Colonel (Retired) Robert E. Burks, Jr., Ph.D., is an Associate Professor in the Department of Defense Analysis of the Naval Postgraduate School (NPS) and, with Jeff Appleget, directs the activities of the NPS Naval Warfare Studies Institute Wargaming Center. He holds a Ph.D. in Operations Research from the Air Force Institute of Technology and an M.S. in Operations Research from the Florida Institute of Technology. Rob is a retired Army Colonel with more than thirty years of military experience in leadership, advanced analytics, decision modeling, and logistics operations. He spent 17 years in the U.S. Army as an Operations Research/Systems analyst and has led multiple analytical study teams responsible for Army Transformation and organizational restructuring and design efforts using wargaming and computer-based combat simulations. Since 2015, Rob has taught multiple educational, historical, and analytical wargaming courses at NPS. He has taught the NPS week-long Basic Analytic Wargaming Course 14 times to the Department of Defense and other organizations around the world, to include CENTCOM, AFRICOM, MARFORPAC, Marine Corps Warfighting Lab (two courses), NATO Special Operations Forces, the Australian Defence Force (four courses), and the Taiwan Armed Forces.

Captain Jeffrey E. Kline (ret.) served 26 years as a naval officer, including two sea commands. Jeff is currently a Professor of Practice in the Naval Postgraduate School Operations Research department. He directs the NPS Naval Warfare Studies Institute. He teaches campaign analysis, systems analysis, and executive programs in strategic planning and risk assessment. Jeff supports applied analytical research in maritime operations and security, tactical analysis, and future force composition studies. He has served on the U.S. Chief of Naval Operations’ Fleet Design Advisory Board and several Naval Study Board Committees of the National Academies. His faculty awards include the Superior Civilian Service Medal, 2019 J. Steinhardt Award for Lifetime Achievement in Military Operations Research, 2011 Institute for Operations Research and Management Science (INFORMS) Award for Teaching of OR Practice, 2009 American Institute of Aeronautics and Astronautics Homeland Security Award, 2007 Hamming Award for interdisciplinary research, 2007 Wayne E. Meyers Award for Excellence in Systems Engineering Research, and the 2005 Northrop Grumman Award for Excellence in Systems Engineering. He is a member of the Military Operations Research Society and the Institute for Operations Research and Management Science. He earned a Bachelor of Science in Industrial Engineering from the University of Missouri, a Master of Science in Operations Research from the Naval Postgraduate School, and a Master of Science in National Security Studies from the National Defense University’s National War College.

References

1. Peter Perla et al., “Rolling the Iron Dice: From Analytical Wargaming to the Cycle of Research,” October 21, 2019, https://warontherocks.com/2019/10/rolling-the-iron-dice-from-analytical-wargaming-to-the-cycle-of-research/

2. Matthew B. Caffrey, Jr., “On Wargaming” (2019). The Newport Papers. 43. https://digital-commons.usnwc.edu/newport-papers/43

3. Phil Pournelle, “Can the Cycle of Research Save American Military Strategy?” October 18, 2019, WOTR, https://warontherocks.com/2019/10/can-the-cycle-of-research-save-american-military-strategy/

4. Jeffrey Appleget, Robert Burks and Frederick Cameron, “The Craft of Wargaming: A Detailed Planning Guide for Defense Planners and Analysts,” Naval Institute Press, Annapolis, MD, 2020.

Featured Image: EIELSON AIR FORCE BASE, Alaska (Oct. 22, 2020) – A U.S. Army M142 High Mobility Artillery Rocket Systems (HIMARS) launches ordnance during RED FLAG-Alaska 21-1 at Fort Greely, Alaska, Oct. 22, 2020 (U.S. Air Force photo by Senior Airman Beaux Hebert)

Sea Control 211 – Bursting A2/AD Bubbles with Robert Dalsjö and Michael Jonsson

By Jared Samuelson

Ever look at a map depicting Russian capabilities and see a never-ending expanse of range rings that seem prohibitive to “friendly” maneuver? In 2019, Robert Dalsjö, Christofer Berglund, and Michael Jonsson published their study Bursting the Bubble? Russian A2/AD in the Baltic Sea Region, explaining why those range rings are misleading. They quickly followed up with a 2020 compilation from several authors expanding on their work. In this episode, Dalsjö and Jonsson join Sea Control to discuss the genesis of their work, the response, and more!


Links

1. Bursting the Bubble? Russian A2/AD in the Baltic Sea Region, Robert Dalsjö, Christofer Berglund, Michael Jonsson, FOI, March 2019.

2. Beyond Bursting Bubbles: Understanding the Full Spectrum of the Russian A2/AD Threat and Identifying Strategies for Counteraction, Robert Dalsjö and Michael Jonsson (editors), FOI, June 2020.

Jared Samuelson is the Executive Producer and co-host of the Sea Control Podcast.

Haze Gray Zone

By Chris O’Connor

Ma’am, your presence is requested in Combat. OS2 Van-Manama’s message appeared in the right lens of LCDR Sara Fernandez’s glasses. A top-down overlay of an unknown surface contact appeared in her left lens.

On my way, OS2. She subvocalized back. She still wasn’t used to the formality in the Navy. Or the food. The only thing she ate for breakfast in this hot weather was buttered toast. She got up from her seat in the tiny mess space, dropped her plate in the washer, and went down the ladder.

“What do you have for me?” She asked OS2 V-M as she entered the Combat Information Center. She could talk plainly here. No need to message through LiFi to communicate, as she did in the rest of the ship. Combat was not an impressive space; two terminals, an observation chair, and display wall. At least it was air conditioned. OS2 was seated at the right terminal.

“It’s that Contact of Interest we’ve been waiting for; 350 at 23 miles. Going 13 knots on a course of 170. It’ll pass right by the seafarm.”

She squeezed past OS2 to sit at the left terminal and pulled up the COI’s track info. It was classified on AIS as a fishing fleet factory ship. The Chinese had this type harvesting seafood in every ocean now that most fisheries in their EEZ had collapsed.

V-M continued. “Its signature is certainly correct, the right number of diesels at the right harmonics, ELINT shows commercial SATCOMs and surface search. And the satellite images we pulled down show a wake profile that fits for a ship of the type. It has one commercial VTOL security drone up. I’m sure it’s aware of our tender.”

“Copy. I’ll go let the Captain know.” She said, leaving Combat.

The Master, Captain Aquino, was on the port bridge wing, observing crane ops. The heat and humidity were mitigated by a slight breeze. The Polillo 2 was working on one of the seafarm perimeter buoys.

“Morning, Captain.”

“Morning.” He mumbled back, eyes remaining on the crane. “I see the large contact on the Furuno. Is that why you’re here?”

“You guessed it. After this buoy, could you secure from crane ops for a while? We should be prepared to maneuver.” Fernandez said.

“I know the drill.” Aquino said, annoyance creeping into his voice. “I’ll go to thrusters soon and be ready to seem really interested in working deep in the buoy field.” He said, gesturing out to the farm, large yellow solar floats extending south as far as the eye could see. “I’ll act casual, ‘cuz I don’t want to be killed.”

“Yes, Sir.” She said, heading for the ladder.

“Don’t call me Sir!” He shouted after her. “I was a Senior Chief in the Navy. And I STILL work for a living!”

_______________________________________

A disembodied voice greeted Sara. “Thanks for coming today. The purpose of this interview is to collect information for our historical archives.” All that she could see was the emblem for Naval History and Heritage Command floating six feet in front of her in an empty, white-paneled cube. It was the default setting for a VRcast waiting room.

“Coming today? I’m in my office at home,” she pointed out.

“We will set the default interview template.” The view faded and was replaced by a mid-twentieth century history professor’s study, complete with walls of bookshelves and leather chairs. Fernandez could almost smell books, old wood, and leather. But without a multisensory neural link, it was all in her imagination.

Across from her was a desk covered in papers. Seated behind it was a middle-aged man, hair thinning on top of his head and in a blazer with leather patches at the elbows. A notepad was ready in front of him, fountain pen in hand.

“Does this put you at ease? We can set this to any template you prefer.” The interviewer AI asked, now enrobed in a professor avatar.

“This works for me. It is kinda funny, though. I was never in an office like this because I am not 100 years old.”

“Alright, then. Let us get started. The purpose of this interview is to collect information from veterans of the war so that we can make VR historical simulations. It is intended as a free-flowing discussion. I detect that you have a brain interface implant. Can we access it for biofeedback during our talk?”

“No, it’s just an augment for my right eye.” Sara felt an itching sensation where flesh and bone met metal and plastic in her ocular cavity. Maybe it was time for a firmware update.

“Joined the Navy at 36, after leaving a successful career in autonomous systems. You were being paid more than two times a Lieutenant Commander in your civilian job. There were many people in your comfortable position that did not join up when the nation needed them. Why did you?”

_______________________________________

“The seafarm surveillance drone that US1 reconfigured is making an ID pass.” OS2 said looking at the drone feed. “Something’s not right.”

LCDR Fernandez was sitting in the chair next to him and monitoring the sensor feeds, while watching the AI run the object detector module. They had to use laser to communicate with the drone to keep their comms signature down. Signal strength was not very good in the humid and salty conditions.

The video feed from the drone showed the COI. It was painted blue and white, with perfectly placed rust streaks, and the superstructure was not quite right to Sara. The detector results came back as possibilities: 95% factory fishing ship, 72% car ferry, 5% generic amphibious warfare vessel. On the visual feed, panels on the side of the COI were changing colors, sometimes flashing patterns.

“It looks like it is covered in active adversarial network patches. I’ve never seen so many,” V-M said. “Our module is only seeing a fishing vessel and somehow ignoring the other qualities of the ship. It is being played like a fiddle.”

“Do you think they know the standard detector module inside and out and trained their AN systems to counter it?” Sara said sarcastically. “OCEANUS,” she said to the Combat AI. “Run it again with that algorithm trained with US1’s input set. A new module that the Chinese did not plan to encounter might see something else.”

After a few seconds, the module came up with a new result. 94% modified Type 071 (NATO reporting name: Yuzhao) LPD.

It was a Yuzhao altered to have the external appearance of a fishing vessel. It could have been damaged in the opening of the war and rebuilt in the yards to look that way. Maybe it was a mod of one of the export variants that never made it to Thailand.

Either way, it was a major violation of the Seven Powers agreement. Warships of that size should not be in the South China Sea.

_______________________________________

“I was a domestic delivery drone network supervisor. Studied robotics at Carnegie Mellon and got hired right after graduation by a small logistics UAV startup in San Diego. After working there for a few years, the company was bought out by one of the tech companies, which was inevitable. Absorbed into the workforce of a FANG, I was responsible for all UGV and UAV delivery operations in Pennsylvania when the war started. Looking back, the strangest part of the whole thing was we still haven’t figured out who started what we now call the ‘Seven Powers War.’”

“What do you mean?” The interviewer said, now going through the motion of jotting down notes.

“We always blamed China for starting the war, and China blames us. But neither of us were ready at the kickoff. The CCP was hit by that massive ransomware attack at the same time as Congress and the White House. And it was a well-executed hit job. Almost everyone’s official and personal email accounts and phones were taken offline, with no way to pay it off, like the NotPetya attack back in the day.” 

“NotPetya?” The AI stopped writing.

“You don’t know what that is? You do real-time research while we are talking. I’m sure you know precisely what happened.”

“Of course, I will develop VRcast content with embedded branches to references. But for the sake of archiving the interviews for public consumption, I would like to do this as a conversation.” 

“I am impressed how well you can talk to me. Can’t even tell that you are a bot.” Fernandez said.

“Ever since GPT5, the Turing test is invalid. If it would make you feel better, I can take on his persona for this interview.”

“Would you look like a young Cumberbatch or the real guy?”

“I can look like anyone you want if it makes this interview productive, but please do not call me a ‘bot.’ I find that outdated slang derogatory,” the AI said coldly.

“Right. Sorry.” She conceded. “I’ll get back on track. That attack’s intent was to cripple the leadership in both countries. Russia and the other powers either reacted quick enough to prevent it or they were not targeted. Of course, deepfakes of everyone taking credit were out there. I even saw one of Uruguay’s Prime Minister claiming responsibility to bring the ‘Great Powers to their knees.’”

“How did this lead to you signing on the dotted line?” the AI said, with a pipe now placed in the corner of his mouth, face simulating deep interest in the conversation.

Sara leaned back in her chair. “It’s a funny phrase, by the way. I completed my contract with a biometric finger scan.”

“I have to keep in character with my persona.” The AI commented, waving his pipe at his paper-covered desk. “I cannot be anachronistic.”

“Well, it was China’s first shots that made it personal for me,” Sara said. “They had been getting increasingly paranoid and thought we were intentionally crippling their leadership with the cyberattack. Maybe they thought we were overreacting to that election-year PLAN carrier strike group FONOPS in the Gulf of Mexico. A lot of Americans were pissed off when the Chinese did that.

“Predicting a U.S. play in the Western Pacific, the Chinese leadership reacted with what I see as a ‘flexible response option’— or at least that’s how my joint training would describe it. Instead of attacking our bases and combatants directly, they went for our fleet replenishment ships.

“Our oilers were easy to find and track with pretty basic AI, thanks to the hundreds of commercial imagery CubeSats in orbit. All the oilers underway in the Western Pacific had two antiship ballistic missiles fired at them. Not even the new missiles, but the older models, since our replenishment ships were easy pickings with no countermeasures or defenses. The PLA saved the new ‘DFs’ for the potential higher-end targets.

“Out of ASBM reach was USNS Genesee, two days west of Pearl. First in a new class of fast replenishment oilers, ‘Genny’ was the fastest and largest ship since the old AOEs were in service, with expanded hangar space for the new VTOL ‘Hopper’ logistics drones.

“Like its counterparts, it was sailing solo with no escorts. While its counterparts were being wiped out by ballistic missiles, the ‘Genny’ lost power. From what the survivors told us, immediately after a logistics database update, a worm was triggered in its power systems that shut everything down, to include backup batteries and generators. There was no recovering with the personnel onboard. None of their servers worked, so it was impossible to use the smart ship system to even find where the issues were.

“My Uncle Juan was one of the unfortunate engineers furtively trying to get the controllers on the diesels working when the main spaces and Hold 3 were both hit with sprint vehicles. Only nine from the crew of eighty-seven were plucked from the water hours later, after the UUV that launched the YJ-18s was found and neutralized.

“There were now no replenishment ships west of Pearl Harbor. They could have been crippled with worm attacks alone, but China put them on the bottom of the ocean. It meant that our warships throughout the Pacific had limited legs and were constrained to ports that were now threatened by more long-range weapons.”

“So you joined because your uncle was killed?” The professor asked.

“It was a major part of it. We were not a military family. I had a great uncle that was an officer in the Navy during what he called the ‘Tanker Wars’ and my mom’s cousin served in the Space Force, but I really liked Uncle Juan and wanted to do something in his honor. The nature of how the war changed also made me a good officer candidate.”

_______________________________________

“Pass this info to the Hughes through the seafarm’s network.”

“Aye aye, Ma’am.” OS2 said. “US1 is putting up another drone to act as a laser comms relay for the exploit ops.”

“Ready for that?” Fernandez said to CTR2 Cruz. She was sitting in the left console seat now. Fernandez had moved back to the observation chair.

“Yes Ma’am. We have a common system target set fed into our JANUS AI. We’ll be looking for networks common to Yuzhaos, fishing vessels, or anything commercial commonly installed at the shipyard of origin.”

Sara reached behind her and grabbed the IC phone off the hook. “Captain, OIC. We’re about to annoy the contact,” she said.

“Copy,” Aquino gruffly said. “I’m turning off all my external comms and navigation systems except for the Furuno. It’s the only thing we have that is airgapped. Moving into the field now.”

The diesel vibrations through the hull stopped, and Fernandez felt the ship move on thrusters into the field.

“Sweep is negative for EM leakage. COI is doing a good job with signal discipline, save the nav radar.” OS2 reported.

“Let the Hughes know that we are going for network intrusion. We’ll probably get a response.”

“Will do Ma’am,” V-M replied.

“Let’s see if they left any of their antennas to receive only.” CTR2 said.

Probing low power signal antenna. JANUS began.

Detected: Autonomous trawling net system.

“It looks like they were serious enough about their cover that they put a commercial fishing system onboard, and someone didn’t think to disable the antenna.” Cruz observed.

Trawling systems connected to ship’s common servers.

Uploading worm.

Intrusion Detection AI on PLAN network countering.

Lost comms. JANUS was in the LPD’s network for mere seconds.

“Drone down.” OS2 said. “It looks like COI hit it with a laser.”

“Was the worm fully uploaded?” Fernandez asked.

Cruz was looking at multiple feeds at once, using hand gestures to make selections. “Looks like it, Ma’am,” she said. “It depends on which one JANUS decided to use.”

“They detected the intrusion, so it doesn’t have a lot of time to work,” Sara said. “What worm did JANUS deploy?”

Unmask Rev 11, JANUS responded, before Cruz could.

CTR2 continued. “The results from ‘Unmask’ will depend on how the shipboard networks are configu—crap!”

“Multiple military comms and radars radiating on COI. Classify contact as hostile!” OS2 shouted. “They just lit up like a Christmas tree.”

The true nature of the contact was now broadcast for the world to see. 27 miles away, on the west edge of the buoy field, the Hughes and its flotilla of Lake-class corvettes leapt to all ahead full, as their smaller Fiberclad USV escorts struggled to keep up.

_______________________________________

“The Navy needed people of your expertise with the new drone systems after the ceasefire,” the AI stated, leaning back in its chair, as if it was a human realizing this for the first time.

“Exactly. I’m sure you are collecting interviews from many vets, but as you know, the first two weeks of shooting was a free-for-all. It escalated so quickly that I am amazed to this day we didn’t go nuclear. I think it’s because we didn’t attack targets on the Chinese mainland, even though they laid waste to our Guam bases. China could have put some cruise missiles into Pearl or San Diego but chose not to. And both sides only used hypersonic weapons against each other’s warships. But that still meant that we lost a lot of ships. This wasn’t a one-sided exchange. With the help of the Air Force, we took out most of the larger platforms in the PLAN South- and East- Seas Fleets.

“We learned quickly that nothing on the surface of the ocean could hide anymore. On day one of the shooting, for example, they fired about thirty older ASBMs at the strike group that was east of the Philippines, purposely encircling it with impact points, demonstrating to us that they knew where it was.

“Undeterred, our response to the sinking of the oilers was that same CSG launching a strike on Chinese artificial islands in the SCS. Before those strike aircraft recovered to the CVN, the CSG was hammered with ASBMs and long-range cruise missiles, and only the McCain got away without major damage. She escorted the survivors of the CSG into Tacloban; one barely afloat DDG and the CVN, which was missing sections of her island and had massive holes in her flight deck. The other strike group in WESTPAC had to fight its way back to Pearl through a PLAN UUV wolfpack, with a pod of our own ORCAs and LIVYATANs running interference.”

The AI was tearing through his notepad now; Sara wondered what exactly he was writing. The professor noted, “After this continued for two weeks, both sides ran out of chess pieces in the Pacific. And the Seven Powers ceasefire agreement limited the size of assets we could send over there.”

“The USN had to reconstitute fast,” she said. “It went on a crash course in platform procurement, and acquired small vessels built in yacht and fishing boat yards throughout the U.S. Most of these were modified to become unmanned surface vehicles. The USVs ranged from high-end combat ones, like the stealthy Fiberclads, to low-end logistics, surveillance, and lily pads for the short-range aerial systems. They were designed to need smaller logistical footprints so they could operate without a replenishment fleet of larger ships.”

“And new sailors were needed to crew this Navy,” the AI pointed out.

“Yep. It took about a year to get out to the fleet with my accelerated commission. Familiarization didn’t take too long. After all, I was experienced with a lot of the commercial platforms the Navy had bought. I joined up with the command in San Diego. Had sims and tactics training and was then assigned to a SCS-centric detachment that was to go underway on clandestine collection platforms. I thought the Navy was going to put me in charge of a sexy drone warfare unit. I ended up doing something quite different.”

_______________________________________

“Seneca just got hit.” V-M said calmly. “Most likely a UUV.”

“At least hiding in the farm will protect us from that.” Fernandez said, matter-of-factly. It would be hard to weave a weapon through the underwater maze of interconnected buoys to hit Polillo 2.

Now that the game was up, the Yuzhao was in survival mode. The radiating triggered by ‘Unmask’ abruptly ceased, and she increased speed and turned to the north, trying to bug out.

“Swarm deployment on hostile.” OS2 reported. Concealed launchers on the Chinese ship began to disgorge a heterogenous cloud of drones into the air around it.

The U.S. flotilla was not going to let that LPD live to sneak around another day. The surviving corvettes each launched a pair of Super-LRASMs at the contact while kicking out their own much smaller swarms, which included Cormorant UAVs to counter the hostiles in the water below.

None of the LRASMs reached their target. They met a brick wall of drones, directed energy, and good old fashioned 30mm CIWS rounds. But the Hughes drove on with the flotilla, firing the rest of their missiles and going ‘Empty Quiver.’ The flotilla put every available drone into the fight, emptying their launchers. The LPD was more than a match. The PLAN equipped it with a superior combat systems AI and scores of drone tubes.

OS2 unleashed a creative stream of multilingual invectives. Fernandez was impressed how her comms AI tried to keep up with the translation, labelling it as Mix of Vietnamese and Kiro. One insult, for example, had something to do with a whale and a bowl of petunias.

“I don’t know what you are saying, but it doesn’t seem professional,” she said.

“Sorry Ma’am. The contact just went Death Blossom on us,” V-M muttered.

The classic movie reference would have been funny in any other context, but the video feed of the LPD putting up an ever-thickening cloud of UAVs like an angry beehive was no laughing matter. To make matters worse, drone variants were launched that were new to OCEANUS’ threat database.

CTR2 barely croaked, “Network sweep. They suspect us. JANUS is countering multiple intrusion attempts from the Yuzhao through the seafarm net.”

Then Sara saw on the OCEANUS feed a tendril of the enemy swarm break off and head toward Polillo 2.

_______________________________________

“We were assigned to a 32-meter buoy tender, based out of a small fishing port in the western Philippines.” Fernandez continued. “There were many commercial vessels like it, contracted out to maintain farms of aquaculture such as kelp and mussels. We bounced around geographic locations in the SCS based on collection requirements. The Det consisted of seven ununiformed sailors of a mix of rates: Operations Specialists, Unmanned Systems Techs, Cryptologic Techs, Additive Artisans. I was the Officer in Charge, but the tender’s Master was a Merchant Mariner.

“These tenders were set up for autonomous systems control and maintenance. Seafarms are run on a daily basis by a workforce of aerial, surface, and subsurface drones that check the buoys’ status, scan the crops, and test the water column for pollutants and security intrusions. It wasn’t unusual for a tender such as ours to be launching and recovering drones and related systems, which made it the perfect cover. Limited to slight modifications for our mission, we had bolted on a few extra comms antennas, mostly laser and other LPI comms, and we sure as hell couldn’t launch any Cormorants or Sea Eagles.

“The forces agreement meant that the only USN and PLAN ships allowed in the SCS were small combatants, while other nations patrolled with larger vessels as part of the enforcement mission. A four-ship flotilla of Lake-class missile corvettes was positioned near us, trying its best to keep a low signature, but sticking out like a sore thumb among commercial traffic. We kept them up to date on our ops, and they were ready in case things got hairy. The USS Wayne P. Hughes was the manned command ship; the remaining three were unmanned versions of the same class.”

The AI shifted his pipe from one side of his mouth to the other. “You were operating in an area that could combust at any time, and you were on an unarmed vessel.”

“And it got messy quickly.”

“One of the purposes of this project is to capture vignettes of important phase changes of the war. And we think your part was a big one, because it was when a new facet of Chinese operations was discovered.” The professor said, tapping his pipe in an ashtray. “I hear it was a close call for you, and I would like to record accurately what happened at that seafarm.”

“Are you interviewing the Skipper of the Hughes?” Fernandez asked.

“CDR Zhu? Of course. One of my personas talked to her last week.”

“I’m sure she chose John Paul Jones as her interviewer.”

“Actually,” the AI said, without looking up from his notes, “she went with Admiral Nelson. It took us a few seconds to render the HMS Victory under full sail, but it was an informative discussion.”

“Good. I bought her beers after she got out of rehab. That woman is a straight-up badass. She lost an arm during that exchange.”

_______________________________________

The OCEANUS feed was looking grim. The Yuzhao had blunted the corvettes’ attacks and was now turning its efforts to neutralizing the flotilla, which was just buying time until the inevitable. The unmanned vessels and Fiberclads used their aggregated swarm to protect the Hughes. One by one the Lakes were being sacrificed as their HPM pulses and CIWS flechette shells were not enough to save them alone.

The smaller Fiberclads died first. Then Tahoe absorbed over a dozen hits before succumbing. Okeechobee was staggered by repeated impacts until a UUV was able to catch up to it. ‘Okee’ broke in half like the Seneca, keel snapped by an underwater explosion. Then the friendly swarm broke away and headed to deflect the attack on the tender.

V-M said what they all realized. “The Hughes is sending the flotilla’s swarm to protect us.”

The friendly UAVs intercepted their Chinese counterparts just as they were reaching the outskirts of the seafarm. The Sea Eagles were able to shoot down drones without sacrificing themselves, while others, such as the Petrels, had to ram the opposition to make an effect. The Polillo 2 was spared.

The Hughes paid the price. Opening broadside to the section of the swarm bearing down on it, it could only rely on its self-defense mounts and was beset by the autonomous adversaries. It fared a little better than the rest of the corvettes, but was still hit numerous times. Dead in the water, the Hughes’ weapons went silent.

“The swarm has been significantly thinned out. It looks like it is pulling back to reconstitute on the Yuzhao,” OS2 breathed out.

“Still trying to get to us over the networks,” CTR2 reported, reading the JANUS feeds. “We don’t have enough resources for our instance of JANUS to out-cycle whatever they are using. It’s only a matter of time before they are in our network.”

MJOLNIR inbound, OCEANUS reported.

“Never mind.” Cruz whispered.

Fernandez looked at the large display above the terminals. The Yuzhao was 17 miles distant and headed away, wake boiling behind, an anemic swarm of drones in company. Then the enemy ship shook as if a giant finger flicked it. An upper part of the superstructure spiraled away as a gaping hole was punched starboard amidships at the weatherdecks, and the hypersonic projectile exited the port side, spraying a shotgun pattern of debris in the water far beyond.

“Wow. Never seen one of those….” Sara let slip.

“Me neither.” OS2 added. “Higher ups must have really wanted it dead.”

The critically damaged LPD began to slow, fires and smoke pouring from amidships. That hit alone was enough to sink it, even though it was above the waterline. But then the ship went up. A huge fireball began deep in its hold, followed by a shockwave through the water that could be felt miles away on the Polillo 2. When the blast subsided, what was left of the bow and stern of the broken ship was settling into the water.

V-M began on his multicultural curses again, seemingly happy this time.

“What was that thing carrying?” Cruz asked.

“Probably missile batteries to reinforce an atoll somewhere around here.” Fernandez said. “OS2, what’s the status of the Chinese swarm?”

“OCEANUS shows eleven drones still active of various types.” V-M replied, now done with the swearing. “The blast took out the rest, and there is no local swarm controller now. But we can’t do anything if they are still out there, they’ll self-organize and still be hostile.”

“CTR2, work with US1 to get another pair of drones up. I want JANUS to take control of those drones and splash them.”

“Will do Ma’am.” Cruz replied.

Sara picked up the IC phone again. “Captain, we can go to assist the Hughes now.”

“Looks like it is barely afloat,” Aquino observed. “And what’s left of the Chinese ship is almost under. We’ll see if there are any very lucky Chinese survivors from that blast after we go to the Hughes. Continue acting all civilian and innocent?”

“That’s right.” Fernandez said. “We’re not onboard, remember?” Which was a pity. She wanted to shake the hand of every sailor on that corvette. Instead, her Det would have to hide until they transferred the survivors to a larger Indian or Japanese warship, which was probably now on its way after detecting the clash.

“Let’s hope those Cormorants took all of the Chinese UUVs. By the way, that was one of the craziest f’ing things that I have ever seen,” he added.

“You and me both.” The Det OIC laughed.

_______________________________________

“The covert USN and PLAN vessels rarely came to blows. The engagement between your seafarm tender and the Chinese LPD showed two different means of gray zone warfare with different platforms. One, a concealed warship, the other a fishing vessel with military capabilities.”

“Which, ironically, was a Chinese tactic decades before we did it.” Sara added.

Underlining something in his notes, the AI observed, “Your actions uncovered a PLA operation to establish a bastion in Micronesia.”

She shrugged. “I guess a good cover was a fleet of large vessels supposedly netting tuna.”

“There was an island outpost that was not going to be a threat until the hypersonic batteries arrived. The Det on Polillo 2 revealed that shipment and protected Guam from those missiles. You blocked their next ‘Go’ move.”

Sara paused before saying, “I’ve told very few people over the past twenty years about what happened that day.”

“Well, now you have approval to get it on the record.” The interviewer AI said, making a show of turning over a fresh leaf of paper in his notebook.

“Where shall I start?” CDR Sara Fernandez (ret.) began. “We were only a few days out on an op out of Palawan when my CIC watch messaged me at breakfast…”

Chris O’Connor is a Supply Corps Officer in the U.S. Navy. He has had tours at CNO Strategic Studies Group and CNO Rapid Innovation Cell, and is Vice President of the Center for International Maritime Security (CIMSEC). He has written a number of fiction and non-fiction pieces on the future of warfare.


Cybersecurity at Port Facilities: Making Rules Requires Rulemaking

By CDR Michael C. Petta, USCG

Following the September 11, 2001 attacks, the U.S. Coast Guard led the way on maritime security by shaping new international rules, national laws, and domestic regulations to protect maritime shipping and infrastructure. These changes set the standard in the global fight against threats to port facilities and served as the template for new regimes negotiated at the International Maritime Organization (IMO).

Yet in recent years, U.S. domestic regulations have not kept pace with the ever-expanding risks posed by emerging threats at sea—especially with cyber risks. As a result, American maritime infrastructure has become more vulnerable to disruptive and destructive threats in the cyber domain.

In February 2020, the U.S. Coast Guard published guidelines for port facilities to address these threats. The new guidelines were needed, but they are not enough. The U.S. Coast Guard should, to carry out its legal duty to safeguard the maritime transportation system, energize the domestic rulemaking process to adopt uniform and enforceable cybersecurity rules for maritime facilities.

The Port Facility Cyber Problem

Before turning to the need for U.S. Coast Guard rulemaking, it is important to underscore the problem at hand—cyber threats to port facilities are both significant and real. Unfortunately, the maritime industry remains unprepared. Scholars, industry leaders, and government officials have long sounded the alarm and repeatedly warned of threats, vulnerabilities, and adverse consequences associated with cyberattacks. These long-recognized risks persist, and they are likely to grow in the future as malicious cyber capabilities become more available as a low-cost tool to subvert commercial and governmental systems.

In 2011, the European Union (EU) studied the rising menace of cyber threats and the general lack of cybersecurity awareness in the maritime sector. Pointing to the disastrous consequences a significant cyber disruption would have on international trade, the study recognized an increasing need to secure maritime infrastructure. The EU study was validated in a 2017 IMO resolution, which expressly recognizes an “urgent need to raise awareness on cyber threats and vulnerabilities to support safe and secure shipping.”

For years, leaders in the United States have also warned of the growing cyber threat. Most prominently, former President Barack Obama cautioned in a 2013 Executive Order that “[r]epeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.” President Obama continued on to say that, “[t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” Four years later, Chairman of the U.S. House Committee on Homeland Security, Michael McCaul (R-Texas), explained during a field hearing that port facilities “find themselves in the crosshairs of international hackers and rogue nation-states,” and he declared that the United States “must do more to strengthen cybersecurity and these essential maritime hubs.”

Maritime agency officials have been similarly cautious. For example, the 2015 U.S. Coast Guard Cyber Strategy warns of “real and growing” cyber threats in the maritime community. Like the 2011 EU study, the U.S. Coast Guard Cyber Strategy explains that cyber disruptions in maritime trade could have serious consequences for local, regional, national, and global economies. To protect maritime transportation and reduce cybersecurity vulnerabilities, the Cyber Strategy avows to “incorporate cybersecurity into existing enforcement and compliance programs.”

Despite years of discourse, preeminent maritime officials continue to believe port facilities remain vulnerable to and unprepared for cyber threats. For example, in a March 2020 Federal Register Notice, the Commandant of the U.S. Coast Guard, Admiral Karl L. Schultz, offered warnings similar to those in the agency’s five-year-old Cyber Strategy. Admiral Schultz describes cybersecurity as “one of the most serious economic and national security challenges for the maritime industry.” More recently, during a September 2020 webinar on maritime security, Rear Admiral Mark H. Buzby, U.S. Navy (ret.), the Administrator of the U.S. Maritime Administration, acknowledged the longstanding struggle to resolve cybersecurity risks, explaining, “What has become quite apparent over the last several years is that [maritime cybersecurity] truly needs an operational focus… truly needs a strategic approach to a very vexing and growing problem.” Rear Admiral Buzby further explained that solving the problem of maritime cybersecurity “is absolutely vital not only to our economic security but really to our national security.”

The Physical Security Focus of U.S. Regulations

Even more enduring than the maritime cybersecurity problem is the U.S. Coast Guard’s resolve to protect the maritime transportation system, particularly following the tragic events of 9/11. After the terrorist attacks, the U.S. Coast Guard established new global maritime security requirements. Internationally, the requirements were expressed in the IMO’s International Ship and Port Facility Security (ISPS) Code. Domestically, the requirements were codified in the Maritime Transportation Security Act (MTSA) of 2002, which the U.S. Coast Guard implemented through regulations found in Title 33 of the Code of Federal Regulations (CFR). Developing and enacting such a comprehensive governance regime took herculean efforts and affirmed the U.S. Coast Guard’s leading role in safeguarding maritime facilities.

The 9/11 attacks generated the energy needed to establish comprehensive security laws and regulations. However, because of the kinetic nature of the attacks, the focus of these laws and regulations was largely limited to physical security measures designed to control access to facilities and to protect personnel and property from physical damage and harm. As one scholar wrote in 2013, the United States’ requirements could “loosely be summed up as guns, gates, guards, and identification cards.” In other words, when the ISPS Code, the MTSA of 2002, and the U.S. Coast Guard’s domestic regulations were authored, they did not address today’s cybersecurity challenges. Because cyber risks operate in a relatively new, non-physical domain, mitigating cyber risks calls for renewed energy and strategy.

Although the ISPS Code and MTSA regime do not openly contemplate cybersecurity, the U.S. Coast Guard has not been powerless to produce cyber standards. To the contrary, with the MTSA of 2002 and the Maritime Security Improvement Act (MSIA) of 2018, the agency’s power to regulate cybersecurity at port facilities is clear. Such authority could be used to modernize U.S. Coast Guard regulations and incorporate cybersecurity-centric rules into its enforcement and compliance programs. Rather than taking that authoritative step, the agency made a more subtle move in February 2020 by offering a modern cyber-centric interpretation of the agency’s 17-year-old regulations. Perhaps more should be done.

The Dormant Cyber Rule

The United States’ maritime facility security regulations, as implemented under the MTSA of 2002, reside in Part 105 of Title 33 of the CFR. As alluded to earlier, the word “cyber” is absent from these regulations. To some, this absence might indicate that U.S. Coast Guard regulations omitted cybersecurity. In its February 2020 Navigation and Vessel Inspection Circular (NVIC), “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, NVIC 01-20,” the U.S. Coast Guard announced a new interpretation of Part 105 in which it ostensibly takes the position that cybersecurity requirements were not omitted from Part 105—they were dormant.

A brief description of Part 105, entitled “Maritime Security: Facilities,” helps bring context to the seemingly latent cyber rules. The U.S. Coast Guard enacted Part 105 in October 2003 to harmonize domestic regulations with security measures adopted by the IMO (i.e., ISPS Code). Combining international requirements and existing domestic policy, Part 105 is extensive. It consists of five separate subparts, 54 individual sections, and just over 100 pages of regulatory text. Put plainly, Part 105 is the U.S. Coast Guard’s rulebook for security at U.S. maritime facilities.

A critical mandate in Part 105 is a requirement that port facilities periodically conduct a Facility Security Assessment (FSA). Generally, the FSA evaluates a facility’s threats, vulnerabilities, and protective measures in order to inform the development of a facility’s Facility Security Plan (FSP). The Facility Security Officer (FSO) is responsible for developing and implementing the FSP. When preparing the FSP, the FSO must analyze certain factors enumerated in Part 105. While Part 105 does not expressly require the FSO to consider cybersecurity vulnerabilities, among the listed factors the FSO is required to consider are “[m]easures to protect radio and telecommunications equipment, to include computer systems and networks.” This provision is the source of Part 105’s seemingly dormant cyber rules. In short, NVIC 01-20 interprets the provision on “radio and telecommunications equipment” to encompass cybersecurity because it uses the phrase “computer systems and networks.” Under this interpretation, Part 105 has required FSOs to assess and address cybersecurity vulnerabilities since it was enacted in 2003.

The Path Forward: Holistic and Affirmative Cyber Requirements

Recognizing this tacit cybersecurity provision is a meaningful step, but the dormant cyber provision recognized by NVIC 01-20 is too ambiguous and inoperative to embody the degree of governance sufficient to mitigate known cyber risks. The U.S. Coast Guard should explore whether it could do more to integrate cybersecurity into its maritime security regime. If the Service aims to better incorporate cybersecurity into existing enforcement and compliance programs, it could leverage domestic rulemaking to implement enforceable and uniform standards.

An FSO must consider measures to protect radio and telecommunications equipment, including computer systems and networks, when developing an FSP. Although this requirement seems clear at first, closer examination reveals an ambiguity that may confuse those trying to understand its scope and application. Considering how vital Part 105’s assessment requirement is to mitigate potentially catastrophic cyber threats, any amount of confusion is undesirable. Fortunately, ameliorating this confusion may be relatively easy.

As the U.S. Coast Guard recognizes in NVIC 01-20, the maritime industry presently uses cyber systems for various critical functions (e.g., administration, operations, engineering, safety, security, and navigation). IMO Guidelines on Maritime Cyber Risk Management also recognize that modern cyber systems are used for an array of Information Technology (IT) and Operational Technology (OT) purposes. The IMO considers this variety of cyber functions “essential to the operation and management of numerous systems critical to the safety and security of shipping and protection of the marine environment.” Of note, IMO’s 2017 guidelines identify “communication systems” as only one of the many types of cyber systems. Despite the variety of integral cybertechnologies, Part 105, on its face, implicates computer systems and networks used for just one purpose—radio and telecommunications. This is all to say, based on a plain reading of Part 105’s text, one may reasonably conclude that the FSO is only required to consider vulnerabilities with cyber systems used for communication, not cyber systems used to perform the variety of other critical IT and OT functions at maritime facilities.

Highlighting this ambiguity in Part 105 is more than an academic, textual critique. Doing so underlines a fundamental regulatory problem—a lack of clear standards—that undermines effective enforcement and compliance. This ambiguity is significant enough that Canada brought it to the attention of the IMO over five years ago and recommended an update to the ISPS Code.

The U.S. Coast Guard already has the authority to remedy enforcement and compliance problems brought on by the ambiguity in Part 105’s dormant cyber language. Through the domestic rulemaking process, the agency can amend Part 105 to create a distinct cybersecurity requirement that encompasses a variety of cyber systems. Coincidentally, in the MSIA of 2018, U.S. Congress provides a sample of a modern-day cyber requirement. Specifically, the MSIA, codified at 46 U.S.C. § 70103(c)(3), expressly requires FSPs to “include provisions for detecting, responding to, and recovering from cybersecurity risks…” and violating this rule subjects the facility to a civil penalty. This 2018 mandate in the law is clear and enforceable. Its express use of the common, up-to-date term “cybersecurity” without limiting itself to any one cyber system avoids any confusion caused by innovative interpretations. U.S. Coast Guard regulations could be amended to achieve a degree of clarity equal to that in the law.

Ambiguity aside, the dormant requirement recognized by the NVIC is also largely inoperative. As NVIC 01-20 states, although FSOs must assess and address cybersecurity vulnerabilities, the facility has discretion to decide how it identifies, assesses, and addresses those vulnerabilities. In light of this discretion, there is essentially no regulatory framework on which to base uniform enforcement and compliance decisions. The United States’ current port facility cybersecurity model is akin to a safe speed law that allows drivers discretion to set and clock their own speeds. This approach may be suitable for certain regulatory areas, but it is an insufficient approach for guarding against such a serious threat to the global economy and national security. Contrasting the quantity of effort expended governing physical security at ports with the meager scope of governance now envisioned for cybersecurity illustrates the point.

The kinetic attacks on 9/11 led to comprehensive rules, both domestically and internationally, on maritime physical security. Pioneering those rules took colossal effort by the U.S. Coast Guard. Today the agency has a similar opportunity with cybersecurity. Twenty years ago, Part 105 could have been distilled into a single line—FSOs must assess and address physical security vulnerabilities when developing FSPs. Obviously, the U.S. Coast Guard opted for a more comprehensive approach, choosing a holistic, affirmative governance model. This approach might be applied today to cybersecurity. There are too many contrasting examples of physical security requirements to list here, but a summary of Part 105’s Subpart B is useful.

Subpart B consists of 25 regulatory sections collectively entitled “Facility Security Requirements.” These sections contain, among other things, requirements on staff responsibilities; personnel knowledge and training; recordkeeping; physical searches; drills and exercises; controlling access; hiring employees; screening individuals; arming guards; designating restricted areas; policing grounds; equipment maintenance and testing; handling cargo; delivering stores; and receiving passengers, dangerous cargo, and barges. Importantly, across these requirements, Subpart B includes about 175 provisions unique to physical security.

As for cybersecurity, even with NVIC 01-20 on the books, existing regulations seemingly establish no explicit requirements. There are no unique cyber requirements related to staff responsibilities (e.g., security responsibilities of IT or OT personnel). Likewise, there are no distinct cyber training or knowledge requirements (e.g., requiring the FSO to be familiar with IT and OT terminology or requiring employees to take a basic computer hygiene course). There are no affirmative rules related to cyber drills, cyber exercises, or cyber recordkeeping. Unlike with systems used for physical security, there currently are no maintenance or testing requirements unique to IT or OT systems. Most importantly, in contrast with the unequivocal governance over elements fundamental to physical security (e.g., access controls, restricted areas, personnel screening), Part 105 is silent about any element associated with and tailored for effective cybersecurity programs.

Conclusion

Returning to the metaphor of the safe speed law, some might contend the current cyber model is akin not only to empowering drivers to set and clock their own speeds, but to affording them that discretion without requiring them to possess any driving experience, complete driver education classes, maintain or test vehicle systems, consult traffic reports, or obtain driver's licenses.

Effective cybersecurity, in this age of pervasive and expanding cyber threats, benefits from holistic and explicit governance. Just as it did with physical security after the 9/11 attacks, the U.S. Coast Guard could again leverage the domestic rulemaking process to implement a clear, uniform, and more rigorous cybersecurity regime. In so doing, the U.S. Coast Guard would again be the standard-bearer, leading the way in the global fight to protect port facilities. 

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the views of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

Featured Image: Evergreen container ships in the port of Los Angeles (Wikimedia Commons)
