By Christopher Porter
When security professionals address threats to transportation security, the discussion usually centers on aviation risks. After 9/11, counterterrorism efforts naturally focused on preventing future disasters in the air—spectacular, lethal risks to passengers. As cyber threats have proliferated and become a greater focus of public attention and government effort, aviation has remained at the forefront of security preparation, including my own testimony before the House Homeland Security Committee in September.
But that singular focus doesn’t necessarily reflect the diversity of threats to transportation in cyberspace. Those worries extend far beyond lethal cyberthreats to passengers from terrorist groups, which remain a real theoretical possibility but rarely come together even conceptually without state assistance. Maritime cyberthreats, on the other hand, are particularly overlooked despite the fact that sophisticated nation-state actors such as China with the capability to cause serious damage to vessel operations and safety are routinely targeting ocean-faring shipping and communications to obtain economic intelligence, gain an advantage in international trade, or steal critical next-generation naval technology.
It is no surprise that China, with its voracious appetite for sucking up any bit of information that will provide its own companies with a competitive edge, would target maritime operations and ports in the U.S., its leading economic competitor. According to the U.S. Bureau of Transportation Statistics, “water is the major mode for U.S. foreign trade. Approximately 69 percent, 1.4 billion freight tons valued at $1.5 trillion, of U.S. foreign trade moved by water in 2016.” Air freight moved less than a third the tonnage and at only two-thirds of the value. Further, China has become the top U.S. trade partner, changing the shape of shipping in the U.S. toward larger Pacific ports.
It should come as no surprise then that China sponsors groups of hackers, such as the one we call APT40, specifically to pursue maritime targets. Historically, APT40 went after naval intelligence, but by 2017 had taken a sharp turn to also gather information on civilian port infrastructure, international trade, and technology developments in universities and the private sector such as those supporting undersea communications and autonomous vessels. Determined to support China’s $1 trillion Belt-and-Road Initiative linking ports throughout Southeast Asia, the Middle East, and Europe with China at the center of a new global trade ring, APT40 has gathered military and economic intelligence in equal part, with U.S. companies and anyone involved in global maritime shipping on the front lines of this renewed, whole-of-society effort.
China, Russia, Iran, and perhaps some non-state actors all likely have some ability to take their cyber operations to the next level and attack the infrastructure of the ships themselves. Russia has been particularly aggressive by spoofing GPS signals and engaging in other forms of electromagnetic disruption targeting shipping. Despite efforts to segment digital networks supporting ship operations from those used for personal internet access, modern vessels present a broad attack surface against which adversaries that have invested in capabilities to target ships can find vulnerabilities: hull, mechanical and electrical systems that enable machinery control, fuel fill and transfer, and ballast systems are prime targets for military organizations; bridge and navigational systems, now integrated with plotting aids and position fixing systems, can be targeted at their points of data integration to poison routes; and onboard and onshore IT networks used to monitor, register, and guide operations for entire fleets are attractive targets for states and criminal enterprises alike.
Beyond the economic impact on the maritime industry, these cyber threats have a direct impact on U.S. national security. America’s domestic fleet transports military cargoes during times of conflict. The ability of the nation to maintain a robust and competitive shipbuilding capacity is a strategic asset for both commercial and security reasons.
I am confident that adversaries can jump onto critical systems and, having made that leap, could disable or tamper with some or all of these systems. That has been the experience of other industries defending against cyberphysical attacks: electric grids, medical equipment, rail and air travel, and even passenger vehicles have all eventually been compromised and taken control of by hostile actors once those groups became dedicated to the task.
We know that there are a number of state sponsors of cybercrime that are dedicated to creating significant risks for U.S. companies, for both economic gain and inflicting national security consequences, and those threats are constantly evolving. But it’s no longer just the security analysts that are identifying these risks or addressing primary modes of transport we read about in the press; the Navy as well as the domestic maritime industry are learning from other attacks and readying their fleet for the next generation of threats.
Christopher Porter is the CTO for Global Cybersecurity Policy at cybersecurity company FireEye. A Senior Fellow at the Atlantic Council, Christopher is a veteran of the Central Intelligence Agency and was cyber threat intelligence briefer for White House National Security Council Staff in 2015.