Cyber vulnerabilities in the maritime domain are expanding at an alarming rate; unfortunately, proficiency in guarding against those vulnerabilities is struggling to keep pace. In a recent speech at the Center for Strategic & International Studies, Vice Admiral Jan Tighe, former Commander of U.S. Fleet Cyber Command, warned industry and the military against falling victim to ‘cyber fatigue’—a sense of helplessness in the face of endless cyber-based attacks and a lack of urgency to remain vigilant in identifying and protecting against cyber vulnerabilities. While networked computer systems and satellite-based navigation systems offer tremendous efficiencies to naval forces and the commercial shipping industry, they also create potential vulnerabilities, which often evolve faster than the ability to counter them.

The surest way to combat ‘cyber fatigue’ is to become the expert and, as suggested in the U.S. Fleet Cyber Command Strategic Plan, raise the level of understanding of and confidence in cyber effects, operations and the cyber environment ‘from the Pentagon to the deck plate’. This call to raise awareness and increase proficiency is echoed in both the European Union (EU) Maritime Security Strategy and the EU Cyber Security Strategy, as well as in the International Maritime Organization’s Guidelines on Maritime Cyber Risk Management.

Cyber vulnerabilities in navigational tools

The scope of cyber vulnerabilities in the maritime domain ranges from the third-party supply chain—that often develops, manufactures and even installs networked systems—to poor end-user habits, and everything in between. Perhaps the most pressing cyber vulnerability, however, is the increased reliance on satellite-based navigation systems, particularly by merchant vessels. Approximately 87% of the merchant shipping fleet relies upon global navigation satellite systems (GNSS), technology that makes merchant vessels ‘soft targets’ for cyber-based attacks, due to weak signals used by GNSS systems that lack encryption or authentication. As a result, the GNSS systems are susceptible to ‘spoofing’—false signals sent to the ship’s GNSS receiver, often via a software-defined radio (SDR) receiver, designed to disrupt or misdirect navigation. This vulnerability is not merely speculative. In 2013, in a controlled experiment, a team of PhD students from the University of Texas sent an $80 million superyacht sailing in the Mediterranean Sea off course by generating a false GNSS signal from a laptop and homemade receiver costing less than $3,000.00. More recently, in what was described as one of the ‘first well documented examples of GPS spoofing’, the GNSS systems of approximately twenty vessels sailing in the Black Sea each reported their vessel location as being 32km inland, in the middle of a regional airport.

Further aggravating matters, other vital navigational tools—such as automatic identification systems (AIS) (used to transmit vessel position, course, speed and class to other vessels and shore-based facilities) and electronic chart displays (computer-based navigational charts)—also rely in part on satellite-based systems that are becoming increasingly susceptible to ‘spoofing’. The cybersecurity firm Trend Micro famously demonstrated the ease of AIS compromise at both the vessel and shore-based AIS service provider level, generating fictional ‘ghost ships’ in the Mediterranean Sea and causing service providers to misreport the locations of several actual vessels.

The Trend Micro demonstration, the University of Texas experiments and the recent Black Sea ‘spoofing’ incident highlight the danger an overreliance on satellite-based navigational systems poses to vessels. Vessels disappearing from AIS or being misdirected through GNSS ‘spoofing’ could lead to collisions, groundings or worse. And though military navigational systems are better protected than their civilian counterparts, it is nevertheless telling that the U.S. Naval Academy is making celestial navigation a requirement for students after a nearly two-decade-long hiatus.

Despite enhanced protection of their own systems, naval forces must be concerned over the vulnerabilities in the systems of their civilian counterparts. Two recent collisions involving U.S. warships and merchant vessels in the Pacific highlight this potential vulnerability. To be clear, despite early speculation, no evidence was cited in the official investigation into these tragic collisions indicating that either the U.S. warships or the merchant vessels involved were the victims of a cyber-based attack. Nevertheless, the collisions provide a potential blueprint for would-be cyber actors intent on attacking naval forces; why attempt to compromise heightened military-grade systems when you can achieve the same effect by taking control of a less protected civilian system?

Cyber vulnerabilities in maritime critical infrastructure and shipping

The maritime sector’s reliance on network-based computer systems and technology extends far beyond navigational tools. Ports and other maritime critical infrastructure are becoming increasingly reliant on computer-operated systems to facilitate—and in some cases, fully automate—their operations. These operations include cargo handling and container tracking systems, safety and environmental control systems and even physical security and access control systems. Increased efficiency is accompanied by increased vulnerability. Over 80% of global trade (to include food and energy) moves through seaports. Even a temporary disruption to the ‘just in time’ supply chain could have significant economic and national security impacts. One need only consider the devastating ransomware attack this summer against A.P. Moller-Maersk, the largest shipping company in the world, and its subsidiary APM Terminals to see the shocking potential a cyber-based attack could have on the global supply chain. The attack completely shut down Maersk’s logistics systems in under seventeen minutes, causing terminal operations in several major ports—to include Rotterdam and Los Angeles—to be temporarily suspended. The naval blockade of the future could be executed entirely from a laptop, and this raises a myriad of international humanitarian law issues (for a discussion, see Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Michael N. Schmitt ed., 2017, 504–511).

Attribution and responses to cyber attacks

Just as the range of cyber vulnerabilities continues to grow, so too does the range of threats capable of exposing those vulnerabilities. The list includes transnational criminal organizations, State actors and non-State actors, not to mention poorly trained end-users. Understanding the actor determines in part what the lawful response to a cyber-based attack is, but therein lies part of the problem. Cyber-based attacks, for technological, forensic, strategic and political reasons, can be difficult to attribute to a specific individual or group, and, often, even more difficult to attribute to a specific State. Even when there is sufficient forensic evidence of a malicious cyber-based attack, there will rarely be sufficient proof of State involvement to legally attribute the attack to a State. Generally, the conduct of private entities—to include malicious cyber operations—may not be considered an act of a State under international law, unless that private entity is acting on the instructions of, or under the direction or control of, a State (Articles of State Responsibility, Article 8). But the legal assessment is complex and there is considerable ambiguity in practice as to where the attribution threshold lies (for further discussion see Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, Michael N. Schmitt ed., 2017, 79–111). To complicate matters further, private entities that are the victim of a State-sponsored cyber attack are limited in how they may respond; their range of actions—particularly direct action against the State—may be restrained under international and domestic law.

What can be done?

Notwithstanding the potential challenges in attributing and responding to a cyber-based attack, nothing prevents naval forces and the maritime industry from constantly working toward reducing their vulnerability to attack. In U.S. doctrine, this is known as ‘reducing the attack surface’—understanding cyber effects, operations and the cyber environment and taking the requisite steps to guard against malicious cyber-based attacks. This ranges from large-scale modernization of network architecture to encouraging good end-user habits, like basic cyber security training and updating software. As a case in point, some speculate that the ransomware attack against Maersk could have been avoided—or at least minimized—if Maersk employees more diligently pursued basic cyber security protocols, like downloading security updates for outdated software with known vulnerabilities and conducting regular data back-ups. Though it requires constant vigilance, reducing the attack surface—on both an organizational and individual level—is ultimately the most direct way to combat ‘cyber fatigue’ in the maritime domain.

***

Commander Sean Fahey, United States Coast Guard, is a professor of international law and the Associate Director for the Law of Maritime Operations in the Stockton Center for the Study of International Law at the U.S. Naval War College. The views and opinions expressed here are the author’s and are not intended to represent the views of the United States Coast Guard, the United States Navy or any other government department or agency.