Since 1790, the Coast Guard has been on the frontline protecting the United States and its resources domestically and abroad from all threats and hazards that affect the maritime domain. In the 21st century, the threat vectors have expanded beyond fighting the war on terrorism, protecting marine fisheries, interdicting narco-traffickers and illegal migrants, prevention operations, and saving lives in peril on the high seas. Continual improvements in computer technology, specifically decryption (“hacking”) software, has invoked a new threat that requires the Coast Guard to add maritime cyber security to its mission set considering 90 percent of the goods used by Americans are transported by sea.
The World of Maritime Cyber Security
The issue of potential cyber intrusions in U.S. infrastructure is not unique to the Coast Guard, but the maritime specific threat falls squarely on the shoulders of the nation’s smallest military branch. The Coast Guard is quickly learning to adapt to potential threats in the cyber domain, but given its unique responsibility for oversight of the maritime industry with millions of cruise ship passengers and billions of dollars of cargo sailing on technologically sophisticated vessels, the stakes are extremely high.
A cyber attack on any ship’s (including liquefied petroleum gas or liquefied natural gas vessels) computer-controlled navigation system could have devastating effects. With respect to the cruise ship industry, the thought of a vessel not in the control of its crew is beyond frightening. The threat can exploit a variety of modern software systems that control commercial vessels such as electronic Chart Display and Information System, Automatic Identification System (AIS), Automatic Radar Plotting Aid, computerized automatic steering systems, and other software based systems. Between 2013 and 2015, several cybersecurity companies tested these systems and found each had inherent weaknesses and would make a tempting target to a motivated hacker.1 A serious attack on shipping lines could harm or even cripple the US economy.
Exercise, Train, and Defend the Maritime Cyber Domain
Within the Coast Guard’s Force Readiness Command (ForceCom) is a small group of dedicated professionals known as the Exercise Support Division. This group is responsible for helping prepare Coast Guard units and partner agencies for contingency exercises including Mass Rescue Operations (MRO), Area Maritime Security Training and Exercise Program (AMSTEP), Preparedness for Response Exercise Program (PREP), hurricane response (HUREX), active shooter drills, and cyber security exercises. An increase in the number of cyber exercises could give Coast Guard units and the maritime industry a degree of confidence they could respond effectively to cyber threats. This increase would well align with the Coast Guard’s 2015 “Cyber Strategy.” Given the Coast Guard does not have access to the software systems of the shipping industry, it would require a degree of trust and cooperation to allow port Area Maritime Security Committees involved in exercises to establish cyber ranges of various configurations to test vulnerabilities, and examine in a secure setting what forms an attack/intrusion would look like and discuss “countermeasures.” Given the magnitude and seriousness of this threat, these exercises should expand in scope to include other agencies with a direct nexus into terrorism and cybercrime such as the National Security Agency, Central Intelligence Agency, Federal Bureau of Investigation, Department of Defense Cyber Command, and private industry software developers.
In requiring mandatory industry and government-led maritime cyber security exercises as part of the regular Coast Guard exercise cycle, the service can take on the challenges of the 21st century with the best workforce available. In so doing, the Coast Guard can be forward leaning and find more efficient ways to execute missions while minimizing the risks to personnel.
- Dr Joseph DiRenzo, USCG Research and Development Center and CCICADA, The Little-Known Challenge of Cyber Security (2015).
Lieutenant Commander Stenson is a member of the Force Readiness Command Exercise Support Division where he travels to Coast Guard sectors, air stations, districts, and areas to assist units in planning and executing exercises in preparation for mass rescue operations, Area Maritime Security Training and Exercise Program, Preparedness for Response Exercise Program, hurricane exercises, active shooter drills and maritime cybersecurity contingencies. He is a prevention officer, DHS-certified level II program manager and operations research analyst.