By Henrik Schilling
“Cyber War does not take place in the present, and […] it is unlikely that Cyber War will occur in the future,”1 stated German political scientist Thomas Rid several years ago, arguing that no cyberattack can be viewed as an act of war on its own. It does indeed seem difficult to imagine a war waged just by way of cyberattacks, although the quick development of new technologies makes predicting the possibilities of cyberattacks in the future increasingly difficult. What is already noticeable, however, is the sharp increase in attacks related to cyber incidents worldwide, with the maritime area being particularly affected. By the end of July 2020, cyberattacks targeting the maritime sector had already risen by 400 percent since the outbreak of the coronavirus. The number of attacks in 2021 is likely to be much higher.
The maritime sector is especially vulnerable to cyberattacks because of its dependence on well-functioning technology for navigation, its communication requirements, and the logistics involved. The problem with cyberattacks is the multitude of challenges they present at different levels, requiring a multidimensional approach. It is insufficient to see cyberspace as a standalone domain. Even though NATO declared cyberspace as a fourth operational domain, stating that NATO “must defend itself [in cyberspace] as effectively as it does in the air, on land, and at sea,”2 this domain has the crucial feature of not only heavily affecting other domains but being directly linked to them. As the digitization and automation of systems progresses, this linking of cyberspace and all other classical operational domains will deepen even further. Moving from the technical to a more geographical and political perspective, cyber threats present even more problems that call for multidimensional analysis.
What Makes Cyberattacks so Harmful?
The irrelevance of geographical borders in cyberspace is connected to the dissolution of the linkage between attacks and a defined territory. Cyberattacks are not limited to defined geographical or political borders, and at the same time, no physical presence is needed for the execution of an attack. At the same time, an increasingly wide range of possible actors are capable of performing cyberattacks, and cyber skillsets and capabilities are proliferating. While more sophisticated attacks require large financial and organizational resources and especially time, which makes them exclusive to state actors or their proxies, other types of attacks are becoming easier to perform for a range of actors. These factors can pose a challenge in how attacks can originate from even supposedly safe and stable regions. Military strategists know that attacking at the source of strength or the center of gravity is a viable approach, but even so, they might find it difficult to obtain political top cover for retaliation once they properly attribute cyber aggression.
The lack of a clearly identifiable actor in the cases of some cyberattacks presents states and private stakeholders with several problems. One of the most urgent difficulties is determining the consequences for such an attack. Without knowledge of the origin of the attack, possible responses, such as sanctions or counterattacks, are very difficult if not entirely impossible to implement. There is a lack of international contracts that define what kind of cyberattack is actually an act of war. The declaration of the need for immediate national defense of a country would be without real meaning without knowing the source of the attack.
The need for attribution is crucial because the consequences of such an attack vary depending on the attacker and their aim. While criminal groups may launch cyberattacks mainly for financial benefit, state actors could try to gain access to closely-held military-technological secrets, and competing business firms could launch attacks for the purpose of commercial espionage. Knowing the origins of an attack establishes options for responses.
The attribution and retaliation problem varies in its actionability for the private maritime sector. While state actors, especially national navies, should remain capable of answering an attack, private actors are often unable to answer a cyberattack appropriately, except for improving internal defenses. They usually cannot conduct offensive cyberattacks in retribution without fear of prosecution.
The indirect and often surprising nature of cyberattacks makes any defense other than preemptive defense rather difficult. Even if an attack is detected, questions remain over when and how to respond to it. Should defenders try to deny access to a specific portion of a system, or should the whole system be taken offline? What should be done if an attack is only noticed when a system is already down? These are only some of the dilemmas that have to be taken into consideration and which are especially crucial for seaborne operating systems that cannot be easily shut down without major consequences.
The Vulnerability of the Maritime Domain to Cyberattacks
The key issue of maritime cybersecurity is the systemic need for reliable cyber technology while vessels’ onboard systems are aging as technology advances. While a cargo vessel is deeply dependent on communication systems while operating, it is challenging to reliably ensure a vessel’s cybersecurity during its whole lifespan. This is especially true when the average service life of a cargo vessel lies between 25 and 30 years, during which technology could have advanced greatly without the vessel’s own technological assets being updated to keep pace.
The maritime domain consists of multiple additional gateways for cyber threats, especially related to critical infrastructure, such as facilities for energy, resource extraction and transportation, undersea cables and communications, as well as harbor and port infrastructure. Cyber threats are also becoming increasingly crucial for military purposes in the maritime domain, which cannot necessarily be neatly separated from the civil context of commercial maritime infrastructure. This is particularly evident when assessing the possibilities of blocking a critical geographic chokepoint, such as a canal, by manipulating the systems of a vessel in such a way that it physically blocks the channel, or manipulating the controls for the canal itself.
Another method would be the direct manipulation of the propulsion system of a vessel by either deactivating the propulsion or, for example, activating the bow thruster to maneuver a vessel crosswise to block a waterway. Another possibility, especially in canals or harbors that rely on locks, would consist of either manipulating these directly or causing a vessel to damage or obstruct locks, making these facilities even more predisposed to disruption. While the risk of attack against these structures is not new and the consequences are severe, as the blockages of the Suez Canal between 1967 and 1975 demonstrate, the key difference with cyberattacks is the lack of proximate physical presence of a perpetrator.
The implication that such attacks would have for both civilian and military actors can also be illustrated by the Kiel Canal in Northern Germany. By ship numbers it is the busiest artificial waterway of the world. The canal connects the North Sea with the Baltic Sea, and reduces the distance for vessels travelling from one region to the other by up to 250 nautical miles. Up to 140 million people live in the area. The importance of the canal for commercial shipping is evident, but a cyber-related closure of the canal could have major consequences strategically. It would make it more difficult for allied navies to enter the Baltic Sea in case of a crisis or conflict, thereby threatening timely access for potentially upholding alliance guarantees.
Proposals for a Multidimensional and Multi-Stakeholder Approach to Maritime Cyber Threats
These linkages between a broad set of actors that come together in the maritime domain, all depending on reliable cyber infrastructure, make it indispensable to create a multidimensional cross-stakeholder approach to cyber threats. Multidimensional in this case means consisting of different defensive elements against cyberattacks, combining political, strategic, and legal components, while also keeping in mind the ability of cyber threats to also compromise all other domains. This makes it essential to cooperate with non-maritime stakeholders as well. Such an approach will require a considerable effort and will confront difficulties regarding the ever-changing technical conditions and the ambiguity over the question of responsibilities in the defensive and offensive aspects of cyberspace.
International law shall be implemented to define rules regarding the offensive and defensive use of cyber operations. The Tallinn Manual 2.0, a broadly recognized publication on the relationship between international law and cyber operations, could inform the possibility of incorporating cyber operations into international maritime law.
Apart from the law itself, implementing cyber operations into international law would create a certain degree of consent between international actors regarding the handling and use of cyber operations. These measures will not solve illegal cyberattacks, but they might provide actors a common ground of action in terms of defending against such attacks or initiating consequences or counterattacks.
Efforts should be made to clarify responsibilities for cybersecurity both within state and non-state levels. Cooperation between maritime stakeholders regarding cybersecurity is a major challenge, not because there is an unwillingness to cooperate, but because the structures and responsibilities for cybersecurity are often too complex, not clarified enough, or widely different, for example due to varying laws in different countries. A major reason for complexity is the outsourcing of cybersecurity, which is not as problematic in itself, but complicates the process of coordinating cybersecurity between stakeholders. Subsequently, the role that the state must play in ensuring cybersecurity for important maritime players should be examined critically.
This is of major importance for the naval forces of a state, which should have enough capability to defend themselves against cyberattacks and engage in cyberattacks themselves. The role of the state is also important for private operators of harbors, critical infrastructures or energy suppliers, where service outages or interruptions would have a direct effect on national security. Therefore, reliable cybersecurity for key stakeholders of the maritime industry, infrastructure and naval forces is of high importance for the state itself, which should assess implementing methods of control or minimum standards to ensure its own national security.
One possibility of effectively connecting private and state, as well as multinational actors, would be to conduct joint exercises or simulations. These would firstly encourage all stakeholders to ensure a comparable level of cybersecurity and secondly ensure a more efficient way of cooperative defense in case of an actual maritime cyberattack.
Joint exercises are already a key component for naval forces and ensure a level of professionalism and readiness. Some of the best examples are the numerous exercises that the Standing NATO Maritime Groups conduct year-round. Naval forces can become the prime victim of cyberattacks in case of a conflict, which makes it inevitable to include cyber defense measures into exercise programs. Such exercises would not need whole new structures since NATO has already created the basis for them by establishing its Centers for Excellence. While there are three different Centers for Excellence (COE) based on the maritime domain, there is a COE for Cyber Operations. Joint exercises between the two domains could therefore be conducted by the coordination of these Centers.
There are several ways a cyberattack can be aimed against naval forces. While some of them only affect a vessel in a non-physical way, like stealing intelligence data, many cyberattacks will at some point affect the physical factors of a vessel. By manipulating a vessel’s systems directly, the propulsion, navigation, or weapons systems could be affected. A third-party vessel could also be attacked to cause harm to a target military vessel. This option is especially dangerous in frequently used waterways, canals, or even for vessels operating in civilian convoys or naval task groups. In a cyberattack conducted against a multinational aircraft carrier strike group, the vessel with the weakest cyber defenses could be attacked, such as a logistics vessel, even if the actual target would be the carrier. Gaining access to a target network through the weakest link could enable attacks against its strongest link.
While training against a solely non-physical attack may be of great difficulty, especially for smaller crewed vessels, it is possible to train for a cyberattack that culminates in a physical action. Since many cyberattacks can be classified as support operations to a physical attack, like manipulating a propulsion system to compromise navigation and safety, preparing for such attacks would be more feasible. At the same time, these exercises are becoming more and more urgent. More than a decade ago a computer virus was already able to ground French Navy fighters by simply compromising flight data downloads.
While the U.S. Navy is training its sailors in astronomic navigation again, which can indeed be very helpful in case of a cyber-related failure of digital navigation, the solution is not to return to pre-cyber era systems. Earning serious proficiency in offensive and defensive cyber capabilities will become fundamental. Especially in the maritime domain, with its vast interdependencies, cyber threats must be faced cooperatively to ensure a resilient and reliable cyberspace, which has become indispensable for the functioning of the global maritime commons.
Henrik Schilling is a research assistant at the Center for Maritime Strategy and Security (CMSS) at the Institute for Security Policy at Kiel University (ISPK), Germany. He is currently earning his Masters in International Politics and International Law and has recently published the German Navy Fleet Tracker Report for 2020 together with Dr. Sebastian Bruns.
1. Rid, Thomas: Cyber War Will Not Take Place. In: The Journal of Strategic Studies Vol. 35, No. 1, 5-32, February 2012
2. NATO Warsaw Summit Art. 70: https://www.nato.int/cps/en/natohq/official_texts_133169.htm
Featured Image: Locks at Brunsbüttel connecting the Kiel canal to the River Elbe estuary, and thence to the North Sea (Wikimedia Commons)