In the nineteenth century, American strategist Alfred Thayer Mahan helped define a new understanding of maritime security and the role of the U.S. Navy in ensuring American global influence. Mahan believed that a strong Navy and robust maritime trade were both integral to national and economic security. He also recognized the importance of port security, eloquently stating “the ships that thus sail to and fro must have secure ports to which to return.” In an age of profound and evolving cyber threats to critical infrastructure, Mahan’s philosophy takes on renewed importance. Port security must be reconsidered in all its facets to safeguard this cornerstone of global trade and national influence.
Today, the safe passage and facilitation of commerce by sea remains a foundational element of security. Ninety percent of global trade is conducted on the world’s oceans. U.S. ports and waterways alone handle more than two billion tons of domestic and international cargo annually. The total volume of cargo shipped by water is expected to reach double its 2001 level by 2020.
Disruption of the flow of goods through U.S. ports would have grave and immediate effects on the U.S. and global economies. Consider the economic impact of the 9/11 terrorist attacks on the container shipping industry. The U.S. closed its sea ports and airports for one week following the attacks, and container shipping lost a billion dollars a day for months as a result. In response, the U.S. government implemented the Maritime Transportation Security Act (MTSA), which remains the Coast Guard’s security authority to protect maritime critical infrastructure against kinetic terrorist attacks. But the MTSA neglects to confront a fundamental element of today’s domain: cybersecurity. The United States’ ability to defend its maritime assets against malicious cyber actors is in this sense virtually nonexistent.
Ports today are confronted with a variety of threats stemming from state actors, terrorists, organized criminals, and pirates, among others. These actors aim to disrupt trade, steal for financial gain, smuggle drugs and other contraband, and even conduct espionage operations. They now have a full range of cyber tools at their disposal with which they can attack ports, unlike the purely kinetic ones of Mahan’s time.
Cybersecurity and physical security are not mutually exclusive. While commerce is driven by the maritime movement of cargo, it increasingly relies on a variety of integrated Industrial Control Systems (ICS) and Information Technology (IT) systems to connect it to the global supply chain. These cyber-dependent and integrated systems are utilized in navigation, freight management, traffic control communications, engineering, and security monitoring. The development of new technologies provides significant benefits to the Maritime Transportation System but presents new vulnerabilities. Cyber threat actors utilize a variety of methods to breach networks, whether through Wi-Fi ports and USB-introduced threats or via the installation of malware, as seen in the Stuxnet attack against Iran’s nuclear program. Cyber actors will continue to find new methods of access, prompting the maritime security community to erect adaptable systems to counter a panoply of emerging threats.
More importantly, actors can resort to traditional methods to extract sensitive information from systems, as the U.S. government learned so well in the case of Edward Snowden. Insiders could use privileged access to infiltrate port systems and steal proprietary information at the least, or inflict catastrophic damage to port infrastructure at the worst, depending on their goals. In fact, an insider attack on port infrastructure was the basis for the first call to secure U.S. ports in 1916, when port security and federal oversight were virtually non-existent. Agents of Imperial Germany sabotaged an arms depot on Black Tom Island in New York Harbor, detonating over two million pounds of ammunition that obliterated the facility. The U.S. was using the depot to ship munitions to Great Britain, which had blockaded Germany in the First World War. The explosion was so powerful that it was felt over 90 miles away and shattered windows in lower Manhattan. Insiders recruited by German intelligence provided German saboteurs access to the facility. Congress subsequently passed the Espionage Act of 1917, giving authority to the U.S. Coast Guard to regulate the anchorage and movement of ships in U.S. waters. Today, the problem is exacerbated by a gross lack of security at foreign ports exporting goods to the United States, often due to insufficient funds and poor government oversight.
Advances in technology have enhanced efficiency driven by the rapid sharing and processing of information in the maritime industry. But these same advances have provided malicious cyber actors with a more lethal set of tools. For instance, Somali pirates have used open source information found online to target valuable cargoes. By breaking into the computers of ship owners and shippers, pirates have accessed sensitive information, including the blueprints of ships and the insurance they carry.
A secondary benefit of these breaches for the pirates is that they can tailor their ransom demands based on an understanding of the funds available to their victims. Facing increased pressure from modern navies equipped to guard today’s ships, pirates are developing their own practices to work harder and smarter, using lapses in information security to obtain precise information on itineraries, cargoes, crews, locations, and specific pieces of intelligence, such as the lack of armed guards on board.
The U.S. Coast Guard has taken actions to improve cybersecurity at ports, including the August 2015 rollout of a Cyber Strategy aimed at defending ports, companies, and infrastructure from cyber attacks. The uncovering of a 2013 drug smuggling operation in which smugglers successfully hacked cargo tracking systems at the Port of Antwerp to avoid detection, as well as a seven-hour GPS signal disruption that shut down operations of a major U.S. port in 2014, demonstrate the seriousness of the cyber threat. The Cyber Strategy identifies a path forward, but does not fully address the current risk environment, including the incorporation and sharing of risk information, the training of personnel, and the upgrading of security systems for existing company and port authority facilities.
It is time to bring our maritime defense in line with the realities of the modern age. While the threat of a physical attack remains potent, port security stakeholders need to reassess and adjust measures to account for new cyber dangers. Defense against these threats, while affecting physical systems, cannot be guaranteed using traditional methods. Much has changed since the days of Mahan, but national and economic security continues to rely on the strength and security of our ports, and we have a duty to protect them.