This week, the Coast Guard participated in a maritime cybersecurity learning seminar and symposium with the American Military University and Command, Control and Interoperability Center for Advanced Data Analysis, or CCICADA, at Rutgers University. The organizers of the event plan to publish a comprehensive book on cybersecurity as an outcome of the symposium. The attendees included participants from government, private sector and academia. CCICADA is the Department of Homeland Security’s University Center of Excellence on cybersecurity.
Maritime Commons is providing you with a condensed version of remarks from the symposium. Comments shared in this post are from the Deputy Commandant for Operations, Vice Adm. Charles Michel. In his remarks, Michel provided an early look at the Coast Guard’s Cyber Security Strategy.
Subscribe and stay tuned for more on this event!
Delivered by Vice Adm. Charles Michel
For the first time in decades, the Coast Guard is stepping off into new operating domain. In the early 20th Century it was the aviation domain; today it is the world of cyber. Whatever stakes we put into the ground here are going to reverberate for decades to come.
Today, I have the pleasure of sharing the first public preview of the Coast Guard’s Cyber Strategy. The strategy has not yet been signed but is very near completion and will be the Coast Guard’s first cyber strategy ever. The caveat in my sharing this with you today is that some of this may change as it goes through the final clearance process. I want to hear your comments and criticisms if you have them. The Coast Guard needs your candid feedback because we want to make sure we get the right strategy in place.
The Maritime Transportation Security Act, or MTSA, appoints the Secretary of the Department of Homeland Security, who further delegates to the Commandant of the Coast Guard, the responsibility of preventing transportation security incidents, or TSIs.
Following the events of September 11th, the Coast Guard worked with stakeholders to develop a set of physical security standards for critical maritime infrastructure, to prevent access by terrorists and ensure that restricted areas were protected.
The Coast Guard’s vested interest lies in those cyber areas that could potentially cause a transportation security event, or TSI. The beauty of the MTSA is that it allows for the inclusion of cybersecurity as well. In order to prevent a TSI, we need to collaborate and develop a set of cybersecurity standards to complement our physical security standards.
Probably the most important part of the Coast Guard’s Cyber Strategy is in its key organizing principle: The strategy is all about embracing a policy framework that will allow our enterprise to begin to tackle these challenges. The strategy also provides a glossary with definitions to improve communication and understanding through standardized language to the whole of government in dealing with a cyber incident.
The Coast Guard’s Cyber Strategy connects with a number of other different strategies and national-level documents. Our service is going to use this document to maximize and press forward to the fullest extent possible in this new domain.
The strategy outlines three strategic priorities and underlying goals:
• Identify and harden systems and networks: this is not about building a higher fence; it is about predictive operations, building agile firewalls, and other types of protections that are necessary.
• Understand and counter cyber threats: identifying the adversary and what they are doing and active controlling of your networks.
• Increase operational resilience: building a resilient network; asking questions such as, ‘should you have all of your data in one place?’
• Incorporate cyberspace operations into mission planning and execution
• Deliver cyber capabilities to enhance all missions: the equipment training, experience, architecture needed to get the mission done.
• Risk assessment: promote cyber risk awareness and management.
• Prevention: reduce cybersecurity vulnerabilities in the maritime transportation system.
The strategy also outlines seven cross-cutting factors as foundational elements for success in the cyber domain:
• Recognize cyberspace as an operational domain
• Develop operational cyber guidance and defining mission space
• Leverage partnerships
• Communicate in real-time
• Organize for success
• Build a cyber workforce: The key is not equipment or architecture; it’s human minds. Attract, retain and develop employees
• Invest in the future
One of the biggest differences between physical security and cybersecurity are the actors involved. Cyber threats can come from anywhere in the world.
So what level of security is adequate? In the physical realm, we don’t require the prevention and planning for every type of potential threat. What is the balance between security and functionality and ensuring that our maritime transportation system remains economically viable? The United States could become economically uncompetitive if we pose onerous requirements on our partners.
I’ve been asked whether or not our maritime partners are even interested in implementing cybersecurity? Interestingly, I have been told by members of industry that they absolutely want cybersecurity standards, at least to the extent of better defining liability. If a cyber incident were to occur, it would probably go to court to determine if a reasonable level of security was in place. The beauty of having standards and a Coast Guard approved security plan is that if you are in compliance, it can provide evidence that you are providing reasonable security measures.
Here are some research opportunities that regulators need assistance with:
• Analysis to identify greatest vulnerabilities in maritime domain
• Identify best options for operational and system cyber resilience
• Analysis and tools to map and predict dynamic maritime cyber threats
• Impact analysis for the maritime transportation system and cascading consequences to nation and economy
• Nodal and system analysis to identify single-points of failure in maritime transportation system
• Networking analysis solutions to support optimal information sharing with partners
This is a great opportunity if we can get this right. If we can get this figured out in the maritime sector, we can share this with other intermodal sectors. The maritime realm has always been on the cutting edge of competition and characterized by technological innovation.
Read the series:
Remarks from the Office of Port and Facility Compliance
Remarks from the Coast Guard 11th District Staff Judge Advocate
This blog is not a replacement or substitute for the formal posting of regulations and updates or existing processes for receiving formal feedback of the same. Links provided on this blog will direct the reader to official source documents, such as the Federal Register, Homeport and the Code of Federal Regulations. These documents remain the official source for regulatory information published by the Coast Guard.