In the oft-cited essay, “Why Software Is Eating the World,” tech entrepreneur Marc Andreeson wrote, “We are in the middle of a dramatic and broad technological and economic shift in which . . . software companies are poised to take over large swathes of the economy. . . . Companies in every industry need to assume that a software revolution is coming.”1 More than a decade later, this near-global transformation of all economic sectors into data-driven, software-automated, increasingly wholly human-autonomous technology is nearly complete. This is certainly true in the maritime sector. The combination of digitization, automation, autonomy, and robotization has led to ships being launched in 2022 that have nearly twice the container capacity of the largest ships of a decade prior, have improved fuel efficiency, and require smaller crews.2
Software-driven efficiency, however, has come at a cost. In this same period of technological transformation in the maritime sector, connectivity and automation have presented increasingly strategic cybersecurity risks. As the Atlantic Council recently noted, “The maritime cybersecurity risk landscape has real consequences for the integrity of global trade and energy markets.”3 The most financially destructive military attack against the commercial maritime sector happened without warning in 2017 and affected global port operations for weeks. Yet that attack was collateral damage from a Russian military cyberattack on the Ukrainian financial sector. Protection of maritime trade—one of the primary reasons for a navy—is now increasingly a cyber task. The U.S. Navy, however, has hitherto demonstrated a reluctance to invest in and scale its cyber forces.
The Navy’s Cyber Dilemma
Current Navy leaders and members of Congress have recently questioned both the wisdom and efficacy of the past decade or so of Navy cyber efforts. Some are even calling for the Navy to completely divest from the cyber mission and rely on national and joint cyber capabilities.4 While the Navy is obligated to provide qualified cyber personnel to U.S. Cyber Command in Fort Meade, Maryland, the value of Navy “service-retained” cyber forces—those specifically assigned to operate in support of Navy commanders—is still not firmly established. With immense cyber dependencies and risks in the maritime environment, the lack of an operational Navy cyber presence in maritime systems and networks inhibits the Navy’s ability to fight and protect sea lines of communication.
Other Navy leaders believe the Navy should retain and grow its own cyber force, and that its failure to do so has put the service in a dire situation. In 2019, then–Secretary of the Navy Richard Spencer released his Cybersecurity Readiness Review, which made the Navy’s high-end cyber warfighting gaps alarmingly clear: “[The Navy] is losing the current global counter-force, counter-value, cyberwar. . . .The systems the United States relies upon to mobilize, deploy, and sustain forces have been extensively targeted by potential adversaries to such an extent that their reliability is questionable.”5 The Navy’s inability to defend itself from adversary cyberattacks has its civilian leaders questioning its viability in high-end conflict.
Absent a common understanding of how Navy cyber forces fill capability gaps in fleet commanders’ day-to-day operational needs, most Navy leaders prefer that resourcing be aligned to enable things such as more underway time, shipyard improvements, and tactical aircraft support—traditional Navy capabilities—rather than vague promises of “cyber power” and “advantage.” A cursory examination of cyber threats to sea lines of communication, however, illustrates that naval cyber forces are needed to address clear and present dangers to U.S. economic security and Navy forces alike.
The Economic Security Service
In Federalist no. 11—which could be retitled “The American Navalist Manifesto”—Alexander Hamilton wrote:
Absent the ability to defend lines of communication] our commerce would be a prey to the wanton intermeddlings of all nations at war with each other; who, having nothing to fear from us, would with little scruple or remorse supply their wants by depredations on our property, as often as it fell in their way. The rights of neutrality will only be respected, when they are defended by an adequate power. A nation, despicable by its weakness, forfeits even the privilege of being neutral.6
Hamilton’s rationale for a U.S. Navy was three-fold. First, for a country that then comprised 13 interdependent coastal states with a primitive interstate road system, a navy had an outsized role in protecting domestic trade up and down the eastern seaboard. Second, in that the entirety of U.S. international trade was Atlantic-borne commerce with Europe and its Caribbean possessions, the ability to defend transatlantic lines of communication was essential to ensure the long-term economic viability of the fledgling nation. Finally, a sufficiently formidable navy was needed to protect the trade and offer a credible, forward deterrent to hostile actors. Hamilton’s navalist argument can also be found in Article 1, Section 8, of the Constitution, in which the establishment of congressional authority to govern and manage trade is followed by a mandate that it shall “provide and maintain a Navy.”
During the post–Cold War period of unthreatened maritime trade, globalized supply chains became ubiquitous. Automation at ports and on vessels has made it possible for larger vessels to be unloaded and loaded faster and operated by fewer and fewer mariners. Massive amounts of cargo are now quickly transferred from vessel to truck and train with less human interaction. “Fully autonomous vessels” seem to be right around the corner. Supply chains have become hyperefficient—and more reliant on maritime trade than ever. As the Atlantic Council puts it: “No global supply chain is independent of the maritime transportation sector, and most, in fact, are existentially dependent. The MTS feeds a quarter of U.S. gross domestic product (GDP).”7
Enabling this increased scale of maritime trade, however, is a sprawling, interconnected network of operational and information technologies. Every ship built in the past 20 years has miles of network cabling, linking routers and switches to sensors and controllers and connecting these devices to crew computers around the ship. The computers are connected to the internet through a combination of cellular and satellite connections. The information systems on which vessels and terminal operations depend are now maritime trade’s most critical enabler.
Presidential Policy Directive 21, signed in 2013, directs some combination of U.S. Cyber Command, the Department of Homeland Security, law enforcement entities such as the FBI, and other interagency liaisons to coordinate to defend against cyber disruption, destruction, and theft against economic infrastructure sectors deemed “critical.”8 While this directive designates the Department of Homeland Security (including the Coast Guard) as responsible for the domestic portions of the Maritime Transportation System, its mandate effectively stops 12 miles offshore.
The Cyber Vulnerability of Maritime Trade
The Navy’s mandate to protect U.S. maritime trade interests now includes a cyber dimension. Yet, cyber threats to international maritime commerce remain under-addressed by both the Navy and other agencies.
In summer 2017, the maritime transportation sector suffered its first major cyberattack when malware targeting Ukrainian businesses spread uncontrolled to non-Ukrainian businesses. Within a few minutes, the malware commonly referred to as “NotPetya” was spreading around the world, irrecoverably encrypting data on any computers to which it could spread. One affected network of systems belonged to AP Moller Maersk, the world’s largest terminal operator and sister company to one of the largest vessel operators in the world. System outages resulted in ports from India to Los Angeles—including 15 U.S. ports—being disrupted for weeks. Personnel working at the terminals compensated by attempting to manage container transfers by pen and paper, which was orders of magnitude slower than what was possible with functional automated cranes, port-operating systems, and other logistics management systems.
Maersk was able to nominally recover after a few weeks—but just barely. A fortuitous power outage at one of its African operations hubs left a key server unaffected by NotPetya, and the company was able to clone and reuse this server to restore services globally. That Maersk’s ships were not affected was equally serendipitous. The terminal and vessel operations businesses did not share key infrastructure because their configurations were inherited through decades of mergers and acquisitions. While Maersk was lucky it had not completed network consolidations that would have made its entire enterprise more vulnerable, it still reported public losses of nearly $500 million. In terms of maritime trade disruption, a two-minute-long cyberattack against Maersk terminals caused greater financial losses than all the money lost to Somali piracy from 2005 to 2015.9
The Implications of a Maritime Cybersecurity Plan
In the closing weeks of the prior Presidential administration, the White House released a National Maritime Cybersecurity Plan, which describes several lines of effort to address shortfalls in U.S. maritime cybersecurity posture.10 This plan largely addresses cybersecurity matters within 12 nautical miles from the coastline. As such, it either assumes the Navy or U.S. Cyber Command is securing sea lines of communications beyond that point. Given the Navy’s lack of service-retained cyber forces, that may be a bad assumption.
Chief of Naval Operations Admiral Michael Gilday announced early in his tenure that the Navy would create “small tactical cyber teams” to support fleet commander objectives.11 Three years later, no teams have been formed, and none were resourced in the last round of budget (program objective memorandum—POM) planning. In contrast, both the Army and Air Force have recently expanded their service-retained cyber forces, with both services publicly articulating the criticality of cyber superiority for successful core service competencies. While Admiral Gilday’s high-level explanation of who would employ naval cyber forces follows the established contours of how Navy warfare communities generate warfighting capability to support fleet commanders, it does not explain why such forces might be integral to naval warfighting success beyond suggesting that their antebellum employment can create warfighting advantage.
One would expect that the defense of sea lines of communication from cyber threats would fall to U.S. Tenth Fleet/Fleet Cyber Command, the Navy component to U.S. Cyber Command, or to the Navy cyber forces assigned to the geographic fleets. While such a capability may exist behind a veil of classification, believing this requires a leap of faith given the CNO’s 2019 announcement that the Navy would create such forces in 2019. It seems unlikely the Navy or the Department of Defense would find national security benefit in having a clandestine maritime cybersecurity capability.
The cyber defense of sea lines of communication, after all, necessarily involves operations in and on commercial ships and shipboard networks. Like the Navy’s traditional surface warfare maritime interdiction capabilities, maritime cybersecurity operations are likely to benefit most when done in cooperation with a ship’s crew. An entirely clandestine operational force, therefore, is both ill-advised and unduly constrained. While there may exist situations in which clandestine maritime cyber capabilities might be advantageous, like any organization tasked with defending civilian infrastructure, the Navy benefits most by approaching commercial maritime owner/operators in a cooperative and proactive fashion—much like what the Department of Homeland Security is attempting to do with commercial operators of U.S. critical infrastructure.
An assumption that the joint cyber national mission force or another joint entity can protect maritime trade is risky. While maritime cyber vulnerabilities and operations are like terrestrial ones, the Navy will be pressed first and hardest for meaningful interventions should maritime trade be threatened. Likewise, should cyber actors target Navy platforms, it is hard to imagine a joint force of Army, Air Force, or cyber agency teams plugging their joint laptops into systems that are the operational responsibility of a Navy commanding officer.
Instead, Navy cyber operations to defend—or interdict—commercial shipping will likely require some degree of focused effort by Navy cyber operators properly resourced and authorized to develop whatever special tools and tactics are required. Furthermore, Navy cyber teams will need time to build the trust of the commanders they serve.
While the Maritime Cybersecurity Plan makes more frequent mention of the Coast Guard than the Navy, it is almost certain that any insights developed by one maritime service will be of use to its sisters. The Plan’s specific identification of the need for increased numbers of Coast Guard personnel with cybersecurity expertise, for example, is almost certainly going to be a prerequisite for the Navy to conduct similar missions in international waters.
Admiral Gilday is clear in articulating the stakes of ceding maritime advantage. “Failing to maintain our advantage at sea will leave America vulnerable,” he says in the opening of his 2021 Navigation Plan. If the Navy fails to develop a robust cyber warfare capability, it invites both national security vulnerability, and, in the worst case and as Hamilton recognized, national economic calamity. While Congress’s recent legislative proposals call into question and mandate the reform of how the Navy performs in manning, training, and equipping its portion of the joint cyber force, merely providing well-trained, well-equipped sailors to joint mission teams is inadequate for the maritime security challenges at hand.12
There is a clear through line that connects Federalist No. 11 with Admiral Gilday’s identification of contemporary maritime threats. The current economic and national security realities of a software- and connectivity-enabled maritime domain require the Navy to stand watch not just above, on, and below the physical seas, but also throughout the maritime cyberspace domain.
1. Marc Andreeson, “Why Software Is Eating the World,” The Wall Street Journal, 20 August 2011.
2. Margherita Bruno, “Ever Alot Breaks World Record for Largest Containership,” Port Technology, 27 June 2022; and “Video: China’s First 24,000 TEU Containership Delivered to Evergreen.”
3. William Loomis, Virpratap Vikram Singh, Gary C. Kessler, and Xavier Bellekens, Recommendations: Cooperation on Maritime Cyber Security, The Atlantic Council, 4 October 2021.
4. United States Senate Committee on Armed Forces, “Reed and Inhofe File 2023 National Defense Authorization Act,” 18 July 2022.
5. HON Richard Spencer, Cybersecurity Readiness Review (Washington, DC: March 2019).
6. Alexander Hamilton, Federalist No. 11, in The Federalist Papers, ed. Clinton Rossiter (New York: New American Library, 1961): 84–91.
7. William Loomis, Virpratap Vikram Singh, Gary C. Kessler, and Xavier Bellekens, Raising the Colors: Signaling for Cooperation on Maritime Security (Washington, DC: The Atlantic Council, October 2021).
8. The White House, Presidential Policy Directive—Critical Infrastructure Security and Resilience (Washington, DC: 12 February 2013).
9. The World Bank, The Pirates of Somalia: Ending the Threat, Rebuilding a Nation (New York: 2013).
10. The White House, The National Maritime Cybersecurity Plan to the National Strategy for Maritime Security (Washington, DC: December 2020).
11. Mark Pomerleau, “The Navy Will Build Tactical Cyber Teams,” C4ISRNet, 6 December 2019.
12. Mark Pomerleau, “Senate Armed Services’ Committee Questions Navy’s Future Role, Contributions to Cyber Operations,” FedScoop, 19 July 2022; and Pomerleau, “House Armed Services Committee Concerned with State of Navy Cyber Readiness,” FedScoop, 28 June 2022.
