12 September 2021

CYBER THREATS AND CHOKE POINTS: HOW ADVERSARIES ARE LEVERAGING MARITIME CYBER VULNERABILITIES FOR ADVANTAGE IN IRREGULAR WARFARE

Diane Zorri and Gary C. Kessler

The grounding of the container ship Ever Given in the Suez Canal in March 2021 caused a complete blockage of the maritime passageway for more than six days, delaying an estimated $9.6 billion in goods each day. The cause of the accident has been attributed to a combination of environmental factors like high winds and human error in navigational inputs by the bridge team. While this event was not an intentional or malicious attack, it is prudent to consider the potential for a malign actor to orchestrate a similar incident in the Suez Canal, Panama Canal, Kill Van Kull, or any other narrow transit point. To that end, understanding the increasingly complex challenges presented by cross-domain threats and cybersecurity vulnerabilities in the maritime domain is important for irregular warfare policymakers and practitioners alike.

The twenty-first century has seen near-coastal waters become the most active setting for discord in the maritime domain. The littoral zone is the frontier where territorial claims are tested, nations confront one another, and major political affairs unfold. Instead of major sea battles between capital ships, conflict in the littorals typically involves irregular adversaries, especially as smaller forces act as proxies for larger nation-states and near-peer competitors. This trend was on display in a July 2021 drone attack on an Israeli tanker off the coast of Oman that left two dead, the latest in a series of such incidents that the United States and Israel have attributed to Iranian proxies.

As engagements with irregular forces and nonstate conflict in the maritime domain have ebbed and flowed throughout history, the US armed forces must constantly adapt to engage and preempt the tactics of adversaries in the littoral zone. The reorientation toward great power competition notwithstanding, the Irregular Warfare Annex to the National Defense Strategy recognizes that irregular warfare is a core competency for the entire joint force—both conventional forces and special operations forces. Moreover, although relatively well understood at the strategic level, little has been discussed about the cybersecurity impacts on irregular warfare in the littoral zone. Like so many other technological vulnerabilities, the implications of a fragile cybersecurity infrastructure are generally an afterthought rather than a core facet in the design and planning phases of the force. Indeed, even ship design, planning, and acquisitions evolve at a much slower rate than changes in the cybersecurity threat landscape, making it difficult for ship infrastructure to keep pace with cyber counterparts.

To further complicate matters, the nature of the littoral zone is such that civilian vessels will always be an interposing factor. Irregular adversaries routinely co-opt civilian vessels for use as cover, or weaponize them to counter traditional military forces. The presence of civilian vessels, their relative ease of exploitation, and their potential to become threats to military operations necessitates a maritime strategy that encompasses civilian security measures. This was certainly true of the Tanker War in the 1980s, where attacks on civilian shipping led to a military escalation between Iran and Iraq.

In the future, it is highly plausible that hostile regimes, nefarious substate actors, and hosts of proxy organizations will create unprecedented havoc in the littoral zone. Cyber and other electronic threats are particularly salient in the maritime domain and have grown dramatically over the last decade. Malign actors understand that the maritime realm depends on automation, and they seek to exploit vulnerabilities in shipboard systems. While there is appropriate concern given to traditional great power adversaries—namely, China and Russia—tactical and strategic sabotage on information and information-dependent systems are becoming so commonplace and inexpensive that smaller nation-state adversaries and organized groups can take advantage of this deficiency by acting on their own or as proxies for great powers. More rogue states and substate actors are using cyber threats as a line of effort against US security interests. Coupled with the relative ease of weaponizing information, this is a formula for a new form of irregular warfare.

Global Navigation Satellite Systems

In 2034: A Novel of the Next World War, authors Elliot Ackerman and retired Admiral James Stavridis describe a scenario where America’s adversaries jam the global navigation satellite systems (GNSS) and communication electronics employed by US warships. GNSS is the overarching term for the array of satellites, such as the Global Positioning System (GPS), that provide position, navigation, and timing (PNT) information on which so many of our critical infrastructures rely. Jamming GNSS not only makes vessels and airplanes unaware of their own precise locations, but also makes them blind to the locations of enemy ships and aircraft. Consequently, the jamming renders the ships’ command-and-control technology and other active defense systems worthless.

While the scenario painted by Ackerman and Stavridis might be FICINT—a fictional but realistic imagining of future security challenges—events over the last few years demonstrate its feasibility. There has been a clear escalation and weaponization of GPS jamming and spoofing over the last five years. GPS jamming refers to any device or method intended to interfere with the GNSS satellite signals. Jammers work by distorting or otherwise overpowering the GNSS signal so that the receiver cannot obtain its navigational fix. Spoofing refers to actions that cause a receiver to lock on to a bogus signal and miscalculate its position. Unlike jamming, where a false signal merely needs to overwhelm a legitimate one, a spoofed transmission needs to have the same structure and timing as a legitimate GNSS navigation message.

Recent events such as the July 2019 incident where the UK-flagged Stena Impero ventured into Iran’s territorial waters while traversing the Strait of Hormuz demonstrate the fragility of GPS and other satellite-based navigation systems. GPS jamming is already well within the technical and financial reach of most adversaries. Spoofing is more difficult but not as hard today as it was a few years ago. While encrypted military GPS signals are hardened against spoofing, key compromise is still a very real possibility—and one that would only be discovered once an adversary exploits the key. Notably, today’s civilian GPS can be used in indirect attacks against military assets. Maritime analysts have suggested the Iranian Revolutionary Guard Corps Navy spoofed Stena Impero’s GPS signals as retaliation against the United Kingdom for holding an Iranian tanker under suspicion of transporting oil to Syria. In the future, these incidents may become more commonplace and much more difficult to attribute.

Automatic Identification Systems

Spurious GPS signals can also cause the transmission of false Automatic Identification System (AIS) information. AIS is a situational awareness and safety system whereby ships broadcast their position, course, speed, and other status information. The International Maritime Organization, the UN organization charged with setting safety and security standards for international shipping, requires AIS for almost all large ships, although there is a warship exemption. With AIS, vessels are aware of each other’s presence, and maritime authorities in littoral states can identify and monitor vessels and cargo in their areas of responsibility. AIS is critically important in the littorals and plays a vital role in maritime domain awareness by keeping crowded water passages safe. AIS, however, has several security vulnerabilities, including a lack of message timestamps and sender authentication. AIS vulnerabilities are most likely to be exploited in the nearshore waters of the littoral zone because this is where it can do the most harm.

In the future, a small irregular force could employ AIS spoofing techniques to masquerade as a larger force, pretend to be in a different position than it really is, direct commercial or military traffic into undefended or indefensible waters, or coax movement away from a safe port. In July 2019, there was a GPS/AIS spoofing incident involving the US-flagged Manukai in the port of Shanghai. Manukai’s captain noted several irregularities with ships appearing and disappearing from the AIS display. While the captain initially thought his GPS signal had been jammed, an investigation revealed the ship’s location had also been spoofed, meaning that the AIS data indicated the ship was in another location. With navigational mistakes causing most of the collisions and blockages at sea, AIS spoofing has the potential to cause unprecedented damage to vessels, their crews, and their cargo. More recently, vessels in the eastern hemisphere have had their positions spoofed to a location near San Francisco.
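One defender-side consequence of AIS carrying neither a timestamp nor sender authentication is that a receiver can only stamp each report with its own clock and then test whether the resulting track is physically plausible. The following is an added example, not code from the article or from any AIS product: it flags any position report whose implied speed since the last accepted report of the same MMSI is impossible for a ship, the kind of jump seen when vessels suddenly "appear" elsewhere (as in the Manukai and San Francisco cases above), so that the report can be cross-checked against radar, visual observation, or a second data source. The vessel identifiers, positions and receipt times are constructed sample data, and the 40-knot threshold is an assumption.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles

@dataclass
class PositionReport:
    mmsi: int        # identity claimed in the message; AIS does not authenticate it
    received: float  # receiver's own clock in seconds; AIS carries no timestamp
    lat: float
    lon: float

def haversine_nm(lat1, lon1, lat2, lon2):
    """Great-circle distance between two positions, in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))

def flag_implausible(reports, max_speed_kn=40.0, min_interval_s=1.0):
    """Return (index, implied_speed_kn) for every report whose implied speed
    since the last accepted report of the same MMSI exceeds max_speed_kn.
    A flagged report is not adopted as the new reference, so a single spoofed
    fix cannot drag the track with it and hide the next genuine report."""
    last, flags = {}, []
    for i, r in enumerate(reports):
        prev = last.get(r.mmsi)
        if prev is not None:
            hours = max(r.received - prev.received, min_interval_s) / 3600.0
            speed = haversine_nm(prev.lat, prev.lon, r.lat, r.lon) / hours
            if speed > max_speed_kn:
                flags.append((i, round(speed, 1)))
                continue
        last[r.mmsi] = r
    return flags

# Constructed sample in order of receipt: two vessels off Shanghai, one of
# which suddenly "appears" near San Francisco and then resumes its real track.
SAMPLE_REPORTS = [
    PositionReport(111111111, 0.0, 31.2000, 121.8000),
    PositionReport(222222222, 300.0, 31.1000, 121.9000),
    PositionReport(111111111, 600.0, 31.2333, 121.8000),    # ~12 kn, plausible
    PositionReport(222222222, 900.0, 31.1167, 121.9000),    # ~6 kn, plausible
    PositionReport(111111111, 1200.0, 37.8000, -122.4000),  # spoofed: thousands of nm in 10 min
    PositionReport(111111111, 1800.0, 31.2667, 121.8000),   # ~6 kn relative to the 600 s fix
]

def check_sample():
    """Run the detector over the constructed reports; only index 4 should be flagged."""
    return flag_implausible(SAMPLE_REPORTS)
```

The same check applies unchanged to a ship's own GNSS fixes, where the reference track comes from log and gyro dead reckoning rather than from the previous report.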

AIS spoofing also has the potential to damage international relationships. In the weeks prior to NATO’s annual exercise in the Black Sea, AIS spoofing caused friction and terse exchanges between historic adversaries. In June 2021, AIS tracking information showed two NATO vessels leaving Odesa on a direct path to Sevastopol, Crimea, passing within two nautical miles of Russia’s Black Sea fleet headquarters. By contrast, live webcam videos, real-time images from third-party weather sites, and eyewitnesses attested that both vessels had remained in Odesa. Days after the AIS spoofing event, Russian policymakers complained that their maritime patrols were forced to fire warning shots in defense of Russian territorial waters. The United Kingdom denies the event ever took place. Days later, false AIS traces showed USS Ross near Sevastopol, although it was still pier-side in Odesa. Weeks later, Russian president Vladimir Putin issued veiled threats of attack on the UK and US navies. Students of history can certainly draw parallels to the 1964 Gulf of Tonkin incidents and how misread radar images led to an escalation of hostilities in Vietnam; it is the specter of USS Maddox, as well as USS Maine and RMS Lusitania before it, that reminds us that close encounters between naval warships are always fraught with danger and far-reaching implications.

Malware

Malicious software, or malware, is a threat to all computer systems and the information that they contain. In June 2017, malicious actors released a ransomware worm called NotPetya. One of NotPetya’s victims—although not its specific target—was the largest shipping company in the world, APM-Maersk, whose IT systems were shut down across its network. The attack forced Maersk to rebuild the company’s entire network infrastructure of more than forty-five thousand computers and four thousand servers. The ripple effect caused by this single malware attack was massive, as Maersk is responsible for seventy-six ports worldwide and operates eight hundred vessels that carry tens of millions of tons of cargo every year. Its computer systems manage a complex operation representing nearly 20 percent of the world’s cargo shipping capacity. The shipping giant had an estimated $300 million in lost revenue due to the attack. Ransomware campaigns target shipping lines, ports, and maritime service companies. The maritime industry reported a 400 percent increase in such attacks between February and June 2020. Even the International Maritime Organization was affected by a denial-of-service attack in September 2020.

The international commercial trade organization BIMCO (Baltic and International Maritime Council) routinely publishes industry advice, technical guidance, and security warnings for a host of the world’s cargo fleet. BIMCO’s recent publication on the guidelines for cyber security on ships highlights a malware incident that caused the malfunction of a (non–publicly named) ship’s electronic chart display and information system (ECDIS). The ship was designed for paperless navigation and did not carry paper charts, so the departure of the ship from its port was delayed by several days. While the crew mistook the failure of the ECDIS for a technical problem, ultimately the ECDIS’s manufacturer diagnosed it as a viral infection. The ECDIS malware incident highlights a crucial issue facing all maritime personnel. While there is a concerted effort to secure highly sophisticated navigation platforms, they are increasingly vulnerable due to their complexity. Today’s systems contain hundreds of thousands of component parts, and their manufacturers rely on a global supply chain. At any point during the lifecycle of any of a ship’s components, nefarious actors can damage or weaken parts, alter blueprints, insert malware, or create a disruption that harms the end user via any number of cyber vectors. These vulnerabilities are quickly becoming the Achilles’ heel of the maritime domain. This creates an unusual dilemma. As the industry moves increasingly toward fully integrated cyber-physical systems, it must also maintain a reserve of knowledge, and the skills and ability to navigate without technology; otherwise, malicious actors will have leverage over the entire sector.

Beyond the Horizon

Cyber vulnerabilities in the maritime domain do not only affect commercial shipping. For example, the Department of Defense’s nearly complete reliance on GPS for its primary maritime positioning, navigation, and timing (M-PNT) puts military personnel, aircraft, vessels, vehicles, and armament systems at risk due to the aforementioned vulnerabilities of GPS, including jamming and spoofing. Moreover, DoD appears committed to keeping GPS as its primary M-PNT solution and will only employ other PNT technologies either as a complement to GPS or as an alternative when GPS signals are degraded or unavailable.

Encouragingly, the US government has started to recognize the need to mitigate the cyber vulnerabilities inherent in the maritime domain. In 2020, it issued an executive order to strengthen the PNT system by increasing the nation’s awareness of the extent that critical infrastructure relies on PNT, and building resiliency into the PNT architecture. Furthermore, in 2021, the US government issued its first National Maritime Cybersecurity Plan to address cybersecurity challenges and safeguard the American economy. Meanwhile, academics and practitioners have proposed and implemented their own mitigations and solutions to the vulnerabilities in this domain. For instance, while analog technology training was removed from much of the military’s curricula in the late 1990s, it has since returned at the US Naval Academy. Midshipmen are now charged with learning the basics of celestial positioning, giving them a contingency if GPS fails.

However, despite these positive developments, cyber vulnerabilities will certainly proliferate as all facets of maritime life become increasingly integrated and interconnected. Therefore, it is important to build awareness of this challenge and its implications in irregular warfare, particularly in the littorals.

The maritime domain enables US global reach and global power. While great power competition looms on the horizon, the importance of irregular warfare in the littoral zone will remain a central facet in limiting the maneuver capability of hostile forces. Likewise, while advances in the integration of technology have greatly enabled US forces, without fully functional ancillary systems or the fundamental knowledge of how and why these systems were designed, maritime operators are increasingly likely to encounter destructive and debilitating cyberattacks. Let’s hope that policymakers and practitioners alike can use the notoriety of the Ever Given incident—the ship that launched a thousand memes—to highlight the complex, cross-domain challenges at the intersection of cybersecurity and irregular warfare in the littoral zone.