Rear Adm. Marshall Lytle, assistant commandant for cyber command, spoke at the maritime cybersecurity learning seminar and symposium held at Rutgers University. His condensed remarks were originally published on Maritime Commons.
Rear Adm. Marshall LytleCyber permeates every aspect of our lives. While this technology transformation has spawned incredible innovation and improved efficiencies throughout the world, it has also given rise to major new vulnerabilities and emerging threats that transcends international boundaries. Physical security is about gates, guards and guns – things that we have been comfortable with for years; cybersecurity is not as straightforward, but is clearly a critical area that we need to pay attention to.
Cybersecurity is a national priority directly linked to the success of our economy and the security of our nation. Cyber intrusions and attacks are not some futuristic concept that we might see someday. The threat is very real and these intrusions and attacks occur every day. The media is filled with stories of cyber attacks, stolen information, stolen proprietary information, hacking into credit cards and major department stores.
So what is this cyber environment that we’re talking about? We’ve come to understand the existence of four physical domains: land, sea, air and space. Now there’s this other thing, this cyber domain. The other four are natural; they exist in physical form. Cyber is not natural; we created it. We created the internet and we can modify it…which we do regularly. We are constantly affecting how the internet works and what direction it takes.
What is the cyber environment made up of?
• Geographic layer: the physical domains: land, sea, air and space; they make up the base layer where cyber operates.
• Physical infrastructure: what cyber runs on such as switches, cables and satellites that bounce signals in the maritime environment.
• Information layer: how information moves from one place to another or bits, bytes and pathways.
• Cyber identity: the different cyber identities that people, governments, organizations, etc. create for themselves to include accounts, emails, web service accounts and user devices.
• People: each person uses different devices, has a number of accounts and cyber information on the internet; this includes the actual physical people and how they interact in cyberspace.
There are a number of critical sectors across the United States. The Coast Guard is a sector specific agency for the maritime component of the transportation sector. In collaboration with our partners in the Transportation Security Administration and the Department of Transportation, we try to manage, regulate and protect the industry.
Why is this maritime transportation system important? Ninety-five percent of U.S. overseas trade goes through 360 ports within our nation. We also have an internal built-in maritime highway system on our rivers and we them to move a lot of goods in our country. In our world of just-in-time inventory, our retailers depend on containers coming in from suppliers. Getting through ports to points of distribution is critical.
Times have changed in the world of maritime transportation. Early ships consisted of high frequency communication; today our modern ships are completely computerized. Everything is connected on networks. Today’s modern ships have complex cargo operations that are entirely connected through cyber space. Cranes are moved by GPS. Most everything happens through automation and it’s all connected in cyber space.
Cybersecurity is complex; not only do we have to defend against what happened in the past, we must anticipate where the adversary is going in the future. It is not an easy environment to operate in and you can’t just buy an extra strong, barbed wire, fence that’s good for 10 years. That’s not how it works in cyber. Whatever defense you come up with is only good for a brief time and then it’s time to start looking for something else.
All business operations rely cyber and the bits and bytes involved in them. Perfect cyber security would be to unplug from the network but this is not a viable solution; we need to operate in this environment.
We need to manage risk. There is a pendulum swing between disconnecting entirely and ignoring risk entirely. You’ve got to find the position on the pendulum where you are willing to accept risk and ensure your business can support that level of risk.
The Coast Guard is training our ship commanding officers that it is no longer just about land, sea, air and space. When they get underway, a CO knows how much fuel he has on board, how much ammunition, how many people, what their training is, how much food is on board, how all of the systems aboard the ship are working…we want them asking, what is my cyber risk? Are my systems up to date? Am I going to be pulling into any foreign ports? Everyone needs to pay attention to their cyber risk.