Cyber Piracy: Clear and Present Danger?

It started with Stuxnet. You remember Stuxnet – the mysterious computer worm that appeared suddenly two years ago and that no one has ever taken responsibility for? According to an article published last January in the New York Times, which cites a number of computer experts, nuclear enrichment experts and former government officials, Stuxnet was likely the work of American and Israeli scientists, who created it for the specific purpose of attacking and destroying Iran’s nuclear weapons-making capability. And it succeeded. The Stuxnet worm was able to infiltrate Iran’s major uranium-enrichment center at Natanz and disable its industrial control systems, sending the nuclear centrifuges that govern the enrichment process spinning wildly out of control. The damage was not total and was finally contained, but in the process Iran’s nuclear ambitions had been set back by at least three years. Instead of having to bomb the Natanz facility and risk the resultant global and regional backlash (and likely war) – an option that was under serious consideration and had been employed against Iraq in 1981 and Syria in 2007 – Israel was able (with the U.S.’s help) to achieve its objective through an effective stealth attack.

None of this was ever officially acknowledged, of course, although the Iranian President finally admitted last November that a cyber attack had caused “minor problems with some of our centrifuges.”

A New Type of Warfare
According to the Times article, Stuxnet is “the most sophisticated cyber weapon ever deployed,” and it signaled a new era in the war on terror. Oh, there had been previous incidents – the SoBig virus in 2003 that affected rail service, the Sasser worm in 2004 that disabled oil platforms – but nothing came close to Stuxnet in terms of sophistication and efficacy. The fact that it was used in support of a worthy goal – by the good guys and against the bad guys – highlights the involvement of nation states in this new type of warfare.

Savvy MarEx readers are familiar with the activities of so-called “hacktivists” and “black hat” groups like LulzSec, whose motives range from extortion and greed to ideology and old-fashioned pranksterism. Sony, Fox News, Citibank and other companies too numerous to mention have been subject to attack recently, and the number of companies coming forward and warning customers and the general public that they have suffered a “security breach” and consequent loss of data has been increasing dramatically. But the involvement of nation states takes the issue to a whole new level.

The online newsletter, Knowledge at Wharton, noted in its July 6th edition that a “watershed breach” occurred in 2009 “when Google and other Silicon Valley companies were attacked in what some security experts believe was a hacking attempt sponsored by the Chinese government. Google stated that the attackers were out to access the Gmail accounts of anti-government activists in China.” The article went on to say that an attack in June on the IMF was conducted on behalf of an unnamed government and was “designed to steal secret economic data that could be used to destabilize currencies or trade.” On a lighter note, it related that British newspapers in June reported that the UK government had hacked into an al-Qaeda Web site and replaced an article on how to make bombs with a recipe for cupcakes!

Maritime security expert Chris Mark, Chief Intelligence Officer of the Greyside Group, an international risk management and maritime security firm based in Herndon, Virginia, cites the March 2011 breach at security giant RSA as an example of how serious these attacks have become. RSA makes the ubiquitous SecurID tokens used by thousands of banks and military contractors worldwide to protect access to their computer systems. Millions of compromised tokens had to be replaced, including those at companies like Wells Fargo and Lockheed Martin, the nation’s biggest military contractor. Mark, a former Marine reconnaissance instructor, scout/sniper, and data security expert, points out that the attack on Lockheed was likely motivated by the desire to steal weapons specifications or secret military information or other data useful to a rogue state. “Cyber attackers have three basic motives,” he states. “They want to make a political statement; they want money, or they’re seeking intelligence.”

It’s a sad fact that most of the hackers are never identified, and most attacks go unreported since the victims are often unaware they’ve been attacked. “Less than two percent of data breaches are detected,” Mark states. Many are mistaken for normal equipment failure or dismissed as technical glitches. 

New Pentagon Strategy
In July the Pentagon issued a new report on cyber warfare, citing the repeated intrusions of unnamed foreign governments (think China and Russia) into its files and the files of top military contractors. These attacks resulted in the theft of thousands of classified documents covering everything from missile tracking systems and satellite navigation devices to top-of-the-line jet fighters. “A great deal of it concerns our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems and network security protocols,” stated Deputy Defense Secretary William J. Lynn. The Pentagon went on to say that it would regard future attacks as “acts of war” and, depending on their efficacy, that it reserved the right to respond with military force. “There is no penalty to attacking us now. We have to figure out a way to change that,” said Marine General James Cartwright, Vice Chairman of the Joint Chiefs of Staff.

The Pentagon report added that, while it had previously relied on firewalls and the like to protect its systems from attack, it would now take a more aggressive approach and seek out and punish intruders before they have a chance to act, in much the same way the war on terror has been waged. “If you’re going to attack me, and I’m not going to do anything other than improve my defenses every time you attack me, it’s very difficult to come up with a deterrent strategy,” Cartwright added.

The new Pentagon strategy – and its admission that documents had been stolen on a number of occasions – raised the entire issue of cyber warfare to a new level of visibility and concern. And the reason is obvious: Nuclear facilities, water treatment plants, electric utility grids, traffic lights, pipelines, airport operations, refineries, finance and banking – all aspects of the global infrastructure are governed by computer networks known as industrial control systems (ICS). Hijacking or disabling an ICS could have catastrophic results, including disruption of services, economic chaos, and loss of life. And it’s not just the U.S. that’s concerned – although the U.S. is the biggest target – it’s nations everywhere.

The Maritime Connection
Ninety percent of global commerce travels by ship, and almost all aspects of the global supply chain – navigation and control, communications, ports and terminals, cranes, the movement of containers – are automated. Anything automated is part of an ICS and therefore subject to cyber piracy. Recognizing the threat, the U.S. Coast Guard began forming a Cyber Command two years ago in order to “identify, protect against, and counter electromagnetic threats to the maritime interests of the United States” with a specific focus on maritime critical infrastructure and key resources. USCG’s Cyber Command works closely with sister organizations at the Transportation Security Administration and Department of Homeland Security as well as U.S. Cyber Command and the other four military services. DHS has identified dozens of critical infrastructure and key resource areas, one of which is transportation.

“If you really want to think about impact,” states Captain John Felker, Deputy Commander of USCG Cyber Command, “compare a cyber outage caused by intrusions that slow or stop cargo movements or safe navigation with the economic losses that occurred when the longshoremen went on strike in LA/Long Beach.” Similar intrusions in the movement of military material could cause delays or the failure of planned missions. Felker says the goal of USCG Cyber Command is “to get in front of the threat by raising awareness in the maritime community of the importance of cyber security.”

Charles McCarthy, Project Engineering Manager at the Volpe National Transportation Systems Center in Boston, a unit of the Department of Transportation, agrees: “There are a number of cyber vulnerabilities in vessels, terminals and ports that need to be looked at and fixed.” The Volpe Center is a think tank whose employees are encouraged to devise worst-case scenarios and then solve them. McCarthy worries about terrorists disabling a cruise ship’s navigation system and perhaps sinking it with 5,000 people aboard, or pirates hijacking an oil tanker via an act of cyber piracy rather than physical assault, or a prankster remotely operating a gantry crane at a major port like LA/Long Beach and wreaking havoc. The possibilities are endless, of course, but the goal is clear: Identify “vulnerabilities” in control systems and fix them before the bad guys strike.

To do this effectively requires a concerted effort on the part of international agencies, governments, industry, trade groups and academia. “No one party can do it alone,” McCarthy points out, “partnerships are needed.” Or as the Commander of U.S. Cyber Command, General Keith Alexander, USA, so aptly puts it: “Cyber is a team sport, and industry and government must work together in a game where offense has the advantage.”

Industry is doing its part. Companies like PortVision provide vessel tracking and terminal surveillance services to enhance port security. The Container Security Initiative has led to the development of a host of container security devices by companies like Textron and Northrop Grumman to detect a nuclear weapon or other dangerous device concealed in a container. Raytheon’s Athena “domain awareness” system uses sensors, geo-location data, tracking and operational information to provide security in and around ports and other strategic maritime facilities. Even the much-maligned Transportation Worker’s Identification Card (TWIC) has provided a measure of security not previously available at port entrances and on port property.

The American Association of Port Authorities is among the trade groups taking the lead on the issue. It held a Cyber Security Webinar in January to discuss initiatives and best practices that included presentations by the Coast Guard’s Cyber Command and TSA’s Cyber Security Awareness and Outreach teams. The South Carolina State Ports Authority detailed its cyber security awareness plans and hardware and software initiatives, while the Port of Fourchon in Louisiana discussed data leakage prevention and social networking/social engineering policies. The Port of Long Beach’s approach focuses on “the people, processes and procedures that ensure the confidentiality, integrity and availability of information assets.”

Brave New World
But is all of this enough? Greyside’s Chris Mark points out that anyone can go online to sites like www.marinetraffic.com and see vessel movements anywhere in the world. He adds that, compared to the security controls in use at credit card companies and financial institutions, which are highly regulated, the security controls of most shipping companies are less sophisticated and easier to access. “They’re like the credit card industry 12 years ago,” he stated – before cyber piracy was on anybody’s radar.

So the beat goes on. The game continues. Only the stakes are much higher, and the consequences of failure greater. “Security is a process, not a product,” says the Volpe Center’s McCarthy. And he’s right. There is no silver bullet. There are only silver bullets. – MarEx

Jack O’Connell is Senior Editor of The Maritime Executive.