The United States has maintained its primary role in the global order since the end of World War II. As a result, today’s service members have never witnessed their nation at war with a peer adversary. However, today’s turbulent geopolitical environment has the potential to change the status quo. China, the United States’ principal adversary, currently enjoys two large advantages in modern naval warfare: a larger fleet and the superior means to employ cyber warfare. Therefore, U.S. command of the seas cannot be assured in a future conflict.
Despite the growing importance of cyber warfare, fleet size will still be an important factor in future conflicts. In 2020, China’s fleet of more than 350 ships officially became the world’s largest navy. This is a significant lead over the U.S. fleet of approximately 290 ships. In addition, the Chinese industrial base will continue to produce ships at a faster rate than the United States can match. According to the Office of the Secretary of Defense, the Chinese fleet may have up to 460 ships by 2030. The negative implications of such a gap in naval combatants could be tremendous, but that gap may not be the only determining factor for future naval conflicts.
Former Chief of Naval Operations (CNO) Admiral Vernon Clark challenged the idea that ship numbers would solely win battles during his congressional testimony in 2005. He stated that “the number of ships is no longer adequate to gauge the health or combat capability of the Navy. The capabilities posture of the Fleet is what is most important.” The “capabilities posture” the admiral referenced is a plan to better equip naval ships and decrease overall required ship numbers while maintaining readiness levels. By advocating for increased spending on relevant technology, Admiral Clark called to redirect efforts from inefficient ship construction toward sensor technology, cyberspace, and undersea warfare capabilities because these areas were, and still are, projected to have the most influence in future conflicts.
However, this vision for a Navy with an effective capabilities posture has not been fully realized. Ships are being retired earlier and faster than expected because of a lack of congruency with current missions. This is evident in the early decommissioning of littoral combat ships and the halted construction of Zumwalt-class destroyers. The Navy’s struggles with effective ship construction become that much more alarming when compared with the rise in capabilities of U.S. adversaries: The Navy spent billions constructing ineffective, resource-draining ships while its adversaries “designed sound, affordable ships . . . in large numbers.”
Yet, the next naval conflict will have a greater focus on cyber warfare dominance, rather than ship numbers. Given this, the U.S. Navy must reevaluate its stance in preparation for the next great power conflict.
Global Maritime Cyber Warfare
Global maritime cyber warfare may have a profound effect on future conflict. Cyberattacks on ships can cut off logistical support and firepower capabilities for many nations. Furthermore, cyberattacks on commercial ships can be disastrous for military vessels and global commerce alike. According to the 2019 Secretary of the Navy Cybersecurity Readiness Review:
It is not beyond imagination that someday a naval combatant would fail to sail because the supply system vectored the wrong grade of lube oil for the LM2500 engines; upon reaching its rendezvous point, a tanker was not available to refuel a hungry bomber because the tanker was maliciously directed elsewhere; or all electricity and backup systems to a satellite control station failed during a complex Ballistic Missile Defense or Tomahawk missile strike.
Real examples of malicious maritime interference exist. U.S. adversaries such as China, Russia, and North Korea have tested their hostile ship-hacking methods on foreign vessels. From exploring sinking capabilities to navigation equipment disruption, U.S. adversaries are gaining experience on how to manipulate maritime activity for their benefit. To make matters worse, it seems that hacking a vessel’s navigation and steering systems are relatively easy, even to inexperienced hackers. It is possible that hacking ships—not even warships—can be a dangerous and unsuspecting way of causing damage to other vessels, slowing down international supply chains, and endangering the lives onboard and around the ship. Two cybersecurity scholars recently wrote:
The maritime cyber environment is abysmally insecure. The technical means to exploit these ships is well distributed across land-based hackers with no prior maritime systems experience. It doesn’t take much. . . . The opportunities are well-known, from the chokepoints and the ship dependence on external networks, clouds, and satellite navigation communications.
Commercial ship vulnerability to cyberattacks typically results from using outdated security measures and equipment. The permeability between onboard internet networks is also a major threat to vessels. There are often two main shipboard networks: the IP/ethernet network (used for business systems, crew mail, and web browsing) and the serial network (used for steering, propulsion, ballast, and navigation data). To gain access to a ship’s critical systems, one must only infiltrate the day-to-day internet and find the connection to the serial network before wreaking havoc. It is clear that vulnerable commercial vessels may inadvertently threaten the readiness of U.S. naval combatants. In preparation, the Navy’s cybersecurity environment must be properly attuned to face these threats.
The Navy’s Cybersecurity Readiness
The Navy’s current cybersecurity system leaves much to be desired, according to the 2019 Cybersecurity Readiness Report. Many systems within surface ships and critical naval infrastructure need to be upgraded or replaced with superior ones. Some of these reported missteps include: the USS Gerald R. Ford (CVN-78) being delivered with Windows XP; the LCS and DDG-1000 being developed with IT networks not brought under a secure, joint umbrella of cybersecurity protocols; and old warfare systems kept in service without updates or added cybersecurity. These examples highlight the Navy’s complacency in the cybersecurity realm. The 2019 report goes on to state that “the Navy has waived known material readiness standards mandated by the [Department of Defense Risk Management Framework] and knowingly continues to field high risk vulnerability systems.” The Navy should expect the compounding magnitude of fleet cybersecurity insufficiency to be a major weak spot in the future.
The inspection process for these deficient systems is also inadequate. Cyber components are often reviewed by undertrained personnel who lack the skills to complete the hands-on portions of a true audit. This inspection process differs from the red-teaming and audits that many other parts of the Department of the Navy use. This is concerning because the Navy may not have a valid estimate of the number of systems that truly need to be upgraded or replaced. It is crucial for the Navy to secure its information networks against adversarial cyberattacks to maintain deterrence and stability. It also goes without saying that a secure cyber defense foundation is critical for supporting offensive cyber capabilities. These offensive capabilities will be necessary to support the 2022 National Security Strategy, which declares securing cyberspace as one of this administration’s pertinent priorities.
Although the maintenance and manipulation of the cyber realm has been repeatedly highlighted as a crucial portion of warfare in the upcoming decades, the Navy’s cybersecurity practices are not up to the challenge. The Cybersecurity Readiness Review shows that the Navy does not meet the Department of Defense’s standards because of an abundance of waivers, old equipment, and personnel complacency. The people, structures, processes, and resources that support naval cybersecurity are making forces vulnerable to extreme risks.
Improved Cyber Culture and Authority
The lack of responsibility and accountability for cyber warfare readiness has been a significant detriment to the fleet. The Cybersecurity Readiness Review states that “the DON [Department of the Navy] cybersecurity culture can be characterized by distrust, a lack of knowledge or accountability, a willingness to accept unknown risks to mission, a lack of unity of effort, and an inability to fully leverage lessons learned at scale.” It appears that different echelons of leaders have varying commitments to cybersecurity as well. This results in cybersecurity priorities being left on the back burner or viewed as a problem for another person and another time. Calls for an improved cybersecurity culture have been made before, but the implementation proves difficult. In times such as these, it is important to remember that the Navy’s best asset is its people.
U.S. Navy research into cyber defense organizations shows that private sector personnel “aspire beyond mere compliance” and seek to “understand the operational importance of their behavior.” To improve the Navy’s cybersecurity culture, sailors must mirror the private sector’s approach. This change may be achieved by implementing procedures that highlight the importance of maintaining and expanding cyber defense capabilities. For example, cybersecurity or computer science–related training should be ingrained into the basic training environments for sailors and officers. For sailors, this can take place during boot camp or as a part of rating-specific education. Future officers commissioning via OCS or NROTC should have computer science coursework added to the list of mandated courses in calculus, physics, world cultures, and national security—to mirror changes already made at the U.S. Naval Academy. To educate those already in the fleet, sailors should receive incentives to obtain additional levels of cybersecurity training ahead of advancement and promotion boards.
The Navy’s leaders will also have a role to play in improving cybersecurity and cyber defense. Regarding command structure, cybersecurity should be managed by specially designated billets to prevent oversight and mismanagement among the differing echelons of command across the fleet. To mirror the private sector, naval cybersecurity leaders should strive to: “constantly communicate, advocate, and measure understanding of cybersecurity [,] . . . review daily system performance dashboards, [and] demand their systems and people are constantly tested.” This can be achieved with naval combatants by strictly enforcing cyber readiness requirements during predeployment workups and certifications. If a ship cannot prove that it will safely operate on deployment, it cannot leave port. The same standard should be adhered to for cybersecurity.
The Navy should prioritize cybersecurity to the same level as other warfare areas, if not higher, because cyber capabilities will be key to winning future conflicts. Securing and supporting cyber defense is necessary to ensure the Navy’s stability and effectiveness in this critical geopolitical era.