By Leischen Stelter, editor of In Public Safety
The United States Coast Guard (USCG) has made cybersecurity a top priority and enlisted the assistance of universities around the country to help identify and protect the agency from cyberattacks.
On February 29, American Military University (AMU) faculty member Dr. Eduardo Martinez and AMU student Lieutenant Eric Casida, USCG, presented maritime cybersecurity research findings to top USCG officials. AMU was joined by Rutgers University and the University of Southern California to present their findings on related cyber topics at the Port of Long Beach Maritime Operations Center near Los Angeles, California.
This presentation was part of AMU’s ongoing collaboration with the USCG that started more than a year ago. In March 2015, AMU collaborated with the Command, Control and Interoperability Center for Advanced Data Analysis (CCICADA) at Rutgers University to organize the Maritime Cyber Security Learning Seminar and Symposium. During that seminar, USCG Vice Admiral Chuck Michel discussed the critical nature of maritime cybersecurity.
“It’s a very dynamic time for the Coast Guard,” he said. “And I have to say that cyber security, and the cyber realm, are really the single most dynamic areas that I have responsibility for.”
Then in June 2015, AMU faculty members attended the Maritime Cyber Research Summit in California.
That summit resulted in the identification of six research challenges in maritime cybersecurity, which experts agreed warranted further investigation. These challenges concerned the need to identify vulnerabilities, resilience, threats, impacts, critical points, and information sharing.
The USCG asked participating universities to conduct further research on one of the topics and then present their findings to USCG leadership.
AMU’s Role in Cyber Research
The question posed to AMU was very broad in scope: “How does the USCG promote the use of sound cyber risk management principles?”
To address this question, in November 2015, the university started an eight-week independent research course within its intelligence studies program. AMU faculty member Dr. Eduardo Martinez led the research course with seven selected students, all of whom had professional backgrounds in either the civilian sector or the military.
The students initially took a broad approach to addressing this question and then narrowed their focus to the maritime environment. “The project was a puzzle of sorts since the information was limited in scope,” said Dr. Martinez. “We took the subject and formed two teams. One team took on the literature review using open-source material and the group undertook the methodology aspect with each team supporting the other.”
“We conducted a lot of research about what IT experts and cybersecurity folks were finding and proposing to safeguard other organizations,” said Lieutenant Frank Hooton, who is with the Texas State Guard and was one of the students in the course. “Then we narrowed down how those solutions could be applied with regards to maritime,” he said.
Conducting Research on Maritime Cybersecurity
Lt. Hooton’s role in the research project was to lead the literature review. “We included a little bit of everything about cybersecurity,” he said. Students could not just rely on peer-reviewed journals as sources, which is typically the norm for research projects. “Most journal articles are delayed about two years between when research is conducted and when it’s published. In the cyber world, that might as well be the 1940s,” he said. Therefore, students sought unclassified materials, national cyber alerts, and an abundance of verifiable open-source information on which to base their recommendations.
“Everyone on our team was driven,” said Lt. Hooton. “Every day, in addition to gathering regular materials, we were going through 30 to 40 IT and cyber alerts to see if they have anything to do with what we were researching about maritime cybersecurity threats.” Having a mixed approach that combined current events with scholarly research helped the team build a complete and up-to-date picture of the threat landscape for the USCG.
The students compiled this research to help them evaluate the risks to the USCG—as well as the risk to their partners and vendors—and determine ways to mitigate these risks. The class organized its findings into five areas:
- Awareness: All personnel must realize there is a threat. Research indicated that the threats posed and the level of sophistication of adversaries are much greater than personnel realize. These threats are rapidly evolving and there must be continual education, awareness and training.
- Flexible and Adaptive Security: Security measures must be scalable in order to be usable by all levels of internal personnel and external vendors.
- Domain Understanding: The maritime environment presents a broad range of potential threat domains. In order to effectively deal with all the threats facing USCG and their partners, there must be enhanced awareness of the challenges present in each of these domains.
- Enabling the Mission: All parties must be enabled to deal with threats in the cyber environment. Regardless of whether individuals are working in sensitive and secure locations or open and unsecured locations, personnel must receive appropriate security information and be enabled to share information about potential risks and/or vulnerabilities.
- Risk Management: Leadership must realize that not all threats can be stopped, blocked or immediately dealt with. There must be a planned risk-management structure to deal with the range of threats and how to manage them.
Recommendations for Promoting Cyber Awareness
Involve External Parties
Students recommended that USCG work to involve all those in the maritime industry and formulate a comprehensive cybersecurity strategy. For example, according to Dr. Martinez, the USCG must work with outside vendors who may or may not have cybersecurity measures in place. A single vendor could accidentally insert a thumb drive that contained a virus into a computer that may interface with USCG software and possibly corrupt the network. The USCG must work with vendors to establish strong cybersecurity protocols and inform vendors of recent threats.
Recognize Cyber/IT Personnel
Students found that the agency lacked proper recognition of personnel dedicated to cybersecurity and IT. One recommendation was to add prestige to the IT/Cyber/Intel sectors of the agency. For example, there is currently no military occupational specialty (MOS) code that acknowledges cybersecurity as a primary military field of responsibility. Thus, when personnel are seeking promotion, their expertise in this field may not be properly recognized as it is currently a secondary skill, and not considered in primary capabilities. As a result, many individuals leave the field in order to stay in the USCG or take their talents elsewhere where such skills are recognized.
AMU’s research was compiled into a white paper. On March 1 and 2, this paper was presented during meetings held at the USC Center for Risk and Economic Analysis of Terrorism Events (CREATE). Here, breakout groups discussed various components of each of the three white papers presented by AMU, Rutgers and USC. The groups developed additional questions and recommendations for further research.
Being involved in such a research effort was an exciting opportunity for students and faculty. “It was amazing how much the students did to research and offer recommendations to USCG in such a short time frame,” said Dr. Martinez. “We took an enormous challenge and broke it down into components to research in an intelligently aggressive manner and succeeded in fulfilling our goals on time. The best part was being able to brief the USCG personnel the day after the class ended.”