WASHINGTON: “What is modern warfare going to look like in the 21st century?” asked Adm. Paul Zukunft. “Not that long ago,” he said, workers aboard a mobile offshore drilling unit unwittingly downloaded malware that scrambled the system that kept the floating platform stable. “They drifted off the well site,” the Coast Guard commandant said — with the drill pipe still attached and the well still pumping oil.
“Fortunately, the blowout preventer kicked in and shut it down,” Zukunft continued, preventing a disastrous spill. (It was the blowout preventer that failed on the Deepwater Horizon, where Zukunft coordinated the federal response in 2010.) But a more sophisticated cyber attack on US oil and gas could be devastating, and there are people out there with the motive and the means to do it. Russia just happens to have some of the sharpest hackers on the planet, a worsening relationship with the US, and a massive share of the European and Asian natural gas markets.
As US gas exports rise, “what if we’re now taking some of that market share?” Zukunft asked yesterday at the Center for Strategic and International Studies. “If tensions escalate…does Russia conduct electronic warfare against our military, or might they want to conduct electronic warfare against our critical infrastructure?”
You don’t even have to be a hacker to mess with crucial electronics: GPS jammers, for example, are cheaply and widely available. As shown by the near-disaster with the drifting oil platform, Zukunft said, “in some ways you have a single point of failure with the GPS signal.”
That’s the kind of crisis the Coast Guard is supposed to prevent — on a shoestring budget. By repurposing funds and personnel, Zukunft said, “we’ve created just recently a cyber command within the US Coast Guard.” It’s all of 70 people strong. Compare that to the 6,000-strong cyber mission force the Pentagon is building.
In fact, as a military service operating dot-mil websites, the Coast Guard is part of the Department of Defense Information Networks (DoDIN) and depends on Pentagon initiatives like the Joint Regional Security Stacks (JRSS) to help protect its system.
The Coast Guard’s cyber self-defense effort “relies on the support that we get from DoD,” Zukunft told me after his public remarks. “We are supported by DoD as an element that’s on the dot-mil domain, so it’s up to me to be a responsible user of that domain.”
Being a “responsible user” requires the Coast Guard to have some cybersecurity personnel of its own, and taking them out of hide is painful. “I never built it into my program of record,” Zukunft told the audience at CSIS. “It was much quicker for me to reprogram [existing] billets.” But money is the Coast Guard’s biggest shortfall, he said, and now it’s time to put its cyber mission on a surer footing: “The reason I wanted this strategy is we needed to build out a program of record.”
That’s the new Coast Guard Cyber Strategy, which Zukunft unveiled yesterday at CSIS. The Coasties actually finished the document in November but wanted to get feedback and buy-in from a host of other agencies before going public.
Like most policy documents released after such extensive vetting, the strategy itself is painfully bland, although its insights reflect sensible consensus policy. Zukunft’s remarks showed the fine line the cash-strapped service is trying to walk. In essence, the Coast Guard wants to do better in cyber without reinventing wheels that already exist at the Defense Department — which it can hardly afford to do — and without requesting new legal authorities.
“I just need awareness that a facility has a vulnerability,” Zukunft continued. “I don’t want to identify [it]. I clearly do not want Coast Guard officers or petty officers accessing those systems that may have personal identifiable information, financially sensitive information.” The service simply needs to know what’s happening and share an aggregated report stripped of personally identifiable information with other agencies so analysts can watch for signs of a systematic attack on US infrastructure.
“Anonymity is certainly a key component,” he said, “which means I wouldn’t need more legislative authority.”
A voluntary approach to security proved highly effective against physical piracy on the high seas: “It wasn’t required,” Zukunft said, “but if you had a privately armed security team on your ship… there were 200 attacks against those ships and not one pirate gained access.” If government agencies can share best practices and establish voluntary standards in cybersecurity, he argued, enlightened self-interest will prompt private companies to adopt them.