By LCDR Ryan Hilger
In feudal times, a king measured the security of his or her kingdom by the size of the city walls, the capacity of the granaries, and the ability of the archers. A strong defense meant the ability to withstand a siege and repel attacks while maintaining an acceptable quality of life inside the walls. Siege warfare brought the rise of asymmetric tactics to breach the walls: ballistas, catapults, and trebuchets, tunneling and sappers, siege engines, boiling pots of oil, and even biological warfare. Siege warfare has a long history, going all the way back to Odysseus and the Trojan Horse – the namesake of the trojan in cybersecurity. But the Trojan Horse revealed the fundamental flaw in early defenses: once the adversary was inside the walls, little could stop them short of a heroic effort by your knights and militia at the point of the breach. Successfully resisting a siege is not particularly common in history.
At least until a decade or so ago, cybersecurity took a very similar approach to network defense. Strong firewalls, air gaps, intrusion detection systems, and alert network defense personnel were the best defense anyone could proffer. The goal was simple: keep the adversary – amateur hacker or nation state – out of your systems. The attack methods were analogous to siege warfare: overwhelming systems through denial-of-service attacks, buffer overflows to crash systems or seize control of them, trojans, and more.
But as in the ancient and medieval eras, as economic patterns changed, fortified cities found that the walls offered less and less protection. Insider threats and the growth of trade and the merchants it brought, among other vectors, moved more threats inside the city walls and put more resources and people outside them. And this was often well before defenders realized an attack was underway, much like our digital domains today. Bubonic plague, the Black Death, could easily be viewed in cybersecurity terms as a particularly vicious worm that spread easily through the population and killed roughly a third or more of it. The plague generally came into cities on fleas and rats, not with an adversary easily seen. In the cyber arena the losses can be just as sudden and far more widespread, as Saudi Aramco found out the hard way when the 2012 Shamoon wiper destroyed some 30,000 of its workstations.
It would take several centuries for new forms of defense to emerge and supplant city and castle walls as the preferred form of protecting a nation state. Defending a country from a cornucopia of attacks is no easy matter, and the problems are not simple, but rather volatile, uncertain, complex, and ambiguous. Perhaps the most iconic failure of legacy defenses came at the outset of World War II, when the Germans simply went over and around the French Maginot Line, circumventing all of its defenses and moving rapidly on Paris. The French, purportedly with one of the best armies in continental Europe, were out of the war in less than two months. But fighting in cities, with a myriad of rooms, walls, sewers, potentially hostile populations, and more, proved far harder and bloodier, as both sides learned over the following five years.
In 2017*, the maritime industry collectively shuddered when the NotPetya attack, originally aimed at organizations in Ukraine, spread beyond the region and into the global information commons. The malware was delivered through the compromised update mechanism of M.E.Doc, an accounting software package developed by the Linkos Group in Ukraine. Like SolarWinds in the United States, the software was widely used, and Maersk ran it on their systems. Their saving grace was a single domain controller in Ghana that happened to be offline when the worm hit. Not exactly a comforting plan to ensure resiliency. The crippling attack had economic ramifications on a global scale, costing Maersk alone an estimated $250-300 million in damage and lost revenue, and an estimated $10 billion worldwide. After the attack, Maersk moved rapidly to improve their cybersecurity posture, and the company continues to place a premium on information and cybersecurity.
In the modern cybersecurity age, defenses like firewalls, air gaps, and encryption still have their place, but a reliance on a strong perimeter to prevent catastrophic defeat only makes the fall that much worse. The best defense, as with recent military history, is to assume that your position must be dynamic and your system able to respond and continue its mission despite intrusion or attack. In the language of the maritime industry, approaches need to be looked at from the perspective of containerships, not car carriers. Car carriers, as the loss of the MV Tricolor in 2002 showed, do not survive a breached hull. MV Tricolor went down in less than an hour and a half as water surged through its voluminous open decks. On the other hand, the containership it collided with, the MV Kariba, managed to escape with superficial damage. Containerships are hard to sink, at least as long as they do not lose too many of their containers.
Today, cyber and information security are effectively siloed throughout the broader cybersecurity community, regardless of which industry they serve. Product teams working to deliver products to market and maximize returns do the minimum possible to get the products out the door. They rarely, if ever, talk with the IT teams who run the enterprise infrastructure on which those products are developed. If they do, it is to improve services, capacity, and more, not to improve security or address threats to the product from the enterprise side. Yet that is the attack vector that both NotPetya and SolarWinds exploited: a trusted software update channel feeding the enterprise environment. It shows just how intertwined enterprise environments are with both products and operations.
A modern approach to cybersecurity requires that the maritime industry acknowledge three things. First, that security is complex, and we must treat it as such. Oversimplification of security measures and failure to acknowledge the complex adaptive system that cybersecurity lives in threatens the resiliency of products and reputations. Complex is different from complicated. A complicated system requires understanding and can be fully described and managed, but does not allow for new or emergent behaviors to occur. Complicated systems are deterministic. Complexity acknowledges that systems may be used in ways different from how they were originally intended, or display emergent capabilities or behaviors that could not have been anticipated.
Second, they must accept that adversaries are already in their networks and control systems and act accordingly. The fundamental attribute of these complex ecosystems must be the absence of implicit trust. This means that systems must be designed to produce resilience and mission assurance in the face of constant attack and be able to continue operating. Zero trust treats every user, device, and request as untrusted by default, regardless of where on the network it originates, and verifies each one explicitly against identity, device posture, and policy before granting the least access needed.
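The contrast between the castle-wall model and the zero-trust posture described above, as an added example (not code from the original article): a small per-request authorization check in Python. The perimeter version grants access on network location alone, which is exactly how a worm already inside the walls reaches the domain controller; the zero-trust version evaluates each request on a verified identity, the posture of an enrolled device, and an explicit least-privilege grant, with a step-up factor required for high-value resources, and never consults the source network at all. Every identity, device, role, and resource below is constructed for illustration, and token validation and device attestation are assumed to have been performed upstream.

```python
"""Perimeter trust versus zero trust, expressed as a per-request authorization check.

Added example, not from the original article. Identities, devices, policy and
requests are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Request:
    principal: str        # identity from a token assumed to be verified upstream
    token_valid: bool     # False means the request is effectively unauthenticated
    mfa: bool             # a strong second factor was presented for this session
    device_id: str        # enrolled device making the request
    resource: str
    action: str
    source_network: str   # "corp", "vpn" or "internet"; logged, never used to grant access


@dataclass(frozen=True)
class DevicePosture:
    attested: bool        # boot/firmware attestation passed (assumed checked upstream)
    patched: bool         # within patch SLA


# Constructed policy data (illustrative, not a real organisation's configuration).
ROLE_GRANTS: Dict[str, Set[Tuple[str, str]]] = {
    "deck_officer": {("voyage_plan", "read"), ("voyage_plan", "write")},
    "it_admin": {("domain_controller", "admin"), ("voyage_plan", "read")},
    "vendor": {("engine_telemetry", "read")},
}
PRINCIPAL_ROLES: Dict[str, Set[str]] = {
    "alice": {"deck_officer"},
    "bob": {"it_admin"},
    "svc-updater": {"vendor"},
}
DEVICES: Dict[str, DevicePosture] = {
    "laptop-01": DevicePosture(attested=True, patched=True),
    "laptop-02": DevicePosture(attested=True, patched=False),
    "kiosk-07": DevicePosture(attested=False, patched=True),
}
# Resources whose compromise is catastrophic: a role grant alone is not enough.
HIGH_VALUE: Set[str] = {"domain_controller"}


def perimeter_authorize(req: Request) -> Tuple[bool, str]:
    """The castle-wall model: anything already inside the walls is trusted."""
    if req.source_network in {"corp", "vpn"}:
        return True, "allow: inside perimeter"
    return False, "deny: outside perimeter"


def zero_trust_authorize(req: Request, *, roles=PRINCIPAL_ROLES, grants=ROLE_GRANTS,
                         devices=DEVICES, high_value=HIGH_VALUE) -> Tuple[bool, str]:
    """Each request is judged on identity, device posture and explicit policy.

    Network location is deliberately not an input to any decision here, so a
    host that is merely "inside" gains nothing from being inside.
    """
    if not req.token_valid:
        return False, "deny: identity not verified"
    posture = devices.get(req.device_id)
    if posture is None:
        return False, "deny: device not enrolled"
    if not (posture.attested and posture.patched):
        return False, "deny: device posture failed"
    allowed: Set[Tuple[str, str]] = set()
    for role in roles.get(req.principal, set()):
        allowed |= grants.get(role, set())
    if (req.resource, req.action) not in allowed:
        return False, "deny: no grant for action"
    if req.resource in high_value and not req.mfa:
        return False, "deny: MFA required for high-value resource"
    return True, "allow: identity, device and policy verified"


def compare(req: Request) -> Dict[str, bool]:
    """Decision of both models for the same request, for side-by-side review."""
    return {"perimeter": perimeter_authorize(req)[0],
            "zero_trust": zero_trust_authorize(req)[0]}


if __name__ == "__main__":
    # Constructed scenario: a worm on an unattested kiosk inside the corporate
    # network, replaying a stale credential, reaches for the domain controller.
    inside_attacker = Request("bob", False, False, "kiosk-07",
                              "domain_controller", "admin", "corp")
    # Constructed scenario: an officer on a healthy laptop working from a hotel.
    remote_officer = Request("alice", True, False, "laptop-01",
                             "voyage_plan", "write", "internet")
    for name, req in (("inside_attacker", inside_attacker), ("remote_officer", remote_officer)):
        print(name, compare(req), zero_trust_authorize(req)[1])
```

The two constructed scenarios in the `__main__` block are the point of the exercise: the perimeter model lets the infected kiosk through and blocks the legitimate officer, while the zero-trust check does the reverse, and its deny reasons name which of identity, device, or policy failed so that an operator can act on the record rather than on where the packet came from.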
Third, that the common element to the first two considerations is people. We do not design systems to operate fully autonomously, and general artificial intelligence is still a long way off. Every system, both enterprise and operational products, requires people at every step of the process. Currently, cybersecurity practitioners tend to focus primarily on technical solutions and processes to ensure the security of products and networks. But attacks require people to launch them, and networks require people to defend, patch, update, and otherwise correctly operate them, even as things become more automated. Electronic systems, whether embedded in the products or deployed on vast scales in the cloud, do not deliver value until people use them to create and maintain business value or desirable outcomes. Therefore, people must be treated as an integral part of the system, prone to failure, irrational or unexpected behaviors, turnover, and fatigue. Systems must be designed with people in mind.
Secure systems require the adoption of an ecosystem-centric approach to cybersecurity. Ecosystems are incredibly dynamic environments where actors – people, animals, microscopic organisms, whatever – continually work to survive, control resources, and at a minimum maintain the status quo and ensure the viability of future generations and operations.
The ecosystem from a cyber perspective includes everything discussed thus far: the products and operational systems, the enterprise systems that enable their creation, deployment, and maintenance, adversary systems, the neutral domains between them, and the people operating these systems on both sides. The closest analog is the program level, which includes both the enterprise systems and the product lines.
The Department of Defense has recently started to refer to this approach as “mission engineering,” but even that definition does not fully capture the dynamics of an ecosystem. The industry must place operational resilience or mission assurance as the ultimate objective, regardless of what havoc people may bring. Designing for resilience of the ecosystem means accounting meaningfully for the more chaotic events like geopolitical or geoeconomic actions, weather and natural disasters, and perpetual tension and conflict – the black swans and the pink flamingos.
Designing for resilience requires a markedly different approach from security. But as cyberattacks only continue to grow in pace, scope, and impact, we must engineer and operate for resilience to ensure that the company or mission does not irrevocably lose the credibility and trust needed to survive in the ecosystem. Beyond practical approaches like expansive defense in depth, zero trust architectures, and redundancy or watchdog mechanisms to balance against complex or emergent behaviors, the approach must separate the systems from the information. That means understanding not only the desired operational outcomes that the coupling of system and information provides, but also making the data and information flows fully transparent, so that both the systems and the data can be defended resiliently. This must occur at the ecosystem level, not at the individual system or enterprise-only level. Failure to account for the defense of the program, not just the products, courts failure and the consequences that it brings.
The underpinnings of the global economy rely not on the centralized control of a benevolent organization, but on the collective efforts of the global maritime ecosystem to take the necessary actions to ensure that the maritime commons remain credible and viable to transport the world’s goods. But the maritime industry must acknowledge that it is already under siege and act accordingly. As former Commandant of the Marine Corps General Robert Neller stated in 2019, “If you’re asking me if I think we’re at war, I think I’d say yes…We’re at war right now in cyberspace. We’ve been at war for maybe a decade. They’re pouring oil over the castle walls every day.”
*This article originally stated the NotPetya attack occurred in 2015, it occurred in 2017.
Lieutenant Commander Ryan Hilger is a Navy Engineering Duty Officer stationed in Washington D.C. He has served onboard USS Maine (SSBN 741), as Chief Engineer of USS Springfield (SSN 761), and ashore at the CNO Strategic Studies Group XXXIII and OPNAV N97. He holds a master’s degree in Mechanical Engineering from the Naval Postgraduate School. His views are his own and do not represent the official views or policies of the Department of Defense or the Department of the Navy.
Featured Image: Operations Specialist 1st Class Jonathan Hudson, assigned to the Ticonderoga-class guided-missile cruiser USS Shiloh (CG-67), prepares to take tactical air control over an MH-60R Seahawk helicopter attached to the “Warlords” of Helicopter Maritime Strike Squadron Five One (HSM-51). (U.S. Navy Photo by Fire Controlman 2nd Class Kristopher G. Horton/Released)