Poor cyber hygiene practices that could lead to crippling disablements in critical ports need to be called out on a continuous basis to motivate and inform better cybersecurity, the Coast Guard’s cyber chief said.
Rear Adm. David Dermanelian, assistant commandant for C4IT (CG-6) and commander of Coast Guard Cyber Command, said at the Government Technology and Services Coalition’s USCG Day that the Coast Guard is focused on defending its portion of the network to ensure mission support and making sure information gets to and from the people who need it.
That extends to protection of portions of maritime operations that depend on cybersecurity – if crane operators were disabled, for instance, it could cause chaos at that port.
Dermanelian noted that “there are many different places where you could disrupt a port and cause hundreds of millions of dollars’ impact if you disrupt a port for a day.”
“Cyber is not a self-licking ice cream cone – it’s got to be linked to a larger operation,” he said, stressing that while the Coast Guard can’t defend all of cyberspace the most important aspects of cyber terrain must be identified and one “better have a plan for when things go bump in the night.”
The Coast Guard is standing up a 39-person cyber team in which a team of three to five cyber experts can respond to a port cyber event, advise the sector commander and ask them to exercise a remediation plan. In addition, the Coast Guard can call upon its relationship with the Department of Homeland Security’s cyber response team to bring its expertise and support when needed.
Dermanelian said one of the challenges in enforcing good cyber hygiene is “compliance doesn’t motivate folks very much.” Sharing actionable threat information, though, “motivates folks to then go back and comply because they know there’s someone who’s actually taking advantage of [the vulnerability].”
“If an adversary was successful, highlight it,” he said. “Let’s hold ourselves accountable for how that happened.”
Commercial firms, Dermanelian said, often don’t understand when an adverse event happens on the cyber front that bad cyber hygiene is “like shaking a hundred hands at a conference and not washing your hands before picking up a burger.”
Cameron Naron, director of the Office of Maritime Security at the Maritime Administration (MARAD) and a retired Coast Guard officer, stressed that ports are not unitary entities and the cyber defense ops within are segmented. On the ship side, larger operators do a “pretty good job” with fairly robust IT departments, he said, “although they don’t have everything locked down.”
“Most of the U.S. flag carriers do not have their own IT or cyber departments,” he noted. Most ships also don’t have IT staff aboard vessels.
A major deficiency, Naron said, is the lack of a maritime information sharing and analysis center (ISAC) to ensure carriers know the “nitty gritty details” of events such as the 2017 NotPetya malware attack that knocked out operations at Maersk. MARAD is working with industry to support the creation of a maritime ISAC, he said, “but they’ve got to get it off the ground.”
MARAD is also working to ensure that the Ready Reserve Force is equipped to confront cyber challenges as well as national emergencies. “How do we train for operating in a contested environment?” Naron asked. “Who are we training? There is a need; we’re just in a nascent phase of getting proper training to the ships when needed.”
“Then you’ve got to do something like that for industry, too,” he added.
Lt. Kevin Kuhn of the Coast Guard Office of Design and Engineering Standards highlighted a recent survey that asked maritime companies if they are prepared for a cyber attack. Ninety-four percent of small companies said there were completely unprepared.
Small companies, Kuhn said, lack the pressure from corporate leadership to shore up cyber defenses. Maritime hackathon events similarly draw large companies.
“That advances the body of knowledge, but how do we take that knowledge and put it in an easy-to-understand way for the smaller companies?” he asked.
Commander Jamie Embry of the Cyberspace Planning and Resources Division at the Office of Cyberspace Forces said it’s “going to take a cultural shift to recognize it’s more than IT” as the Coast Guard cyber domain continues to evolve.
“We are beginning to make that change starting with the cyber strategy,” she said.