As is so often the case, there is no single, magic bullet "solution" to this public policy concern. There are, however, choices we can make in public policy to minimize negative outcomes. As in other public policy matters, the maritime cybersecurity challenge isn't going to be solved by a quick cash dump from government coffers. Improvement is going to take long term policy focus and a shift in culture.
The US Coast Guard took some first steps in this direction with NVIC 01-20 last year. The policy, for the first time "provides guidance to facility owners and operators on complying with the requirements to assess, document, and address computer system and network vulnerabilities." For MTSA facilities that have never had a requirement to even think about cyber security until now, a gradual approach to implementing governance standards makes sense. It will take time, and iterative updates and course corrections, hopefully with private sector input. If it is done correctly, it could foster greater cybersecurity awareness in maritime industry culture, and that will have more impact than installing firewalls and IDS.
A second significant step in the right direction was the US maritime national security strategy released in January. Josh Steinman, the senior cyber policy advisor on the Trump administration's National Security Council staff, and a Navy veteran, certainly seemed like he grasped the essence of the matter. He was even our keynote speaker for the first year of Hack The Sea village at DEF CON.
The policy, as I pointed out in my interview with Cyberscoop, it is far from perfect. There is little in the policy to address the supply chain threats I've mentioned in my previous post. But the policy is a good start. The goals it outlines for workforce development, for instance, are certainly laudable. Poor training and certification standards, and a poor quality workforce have plagued cybersecurity for years. It is my sincere hope the Biden administration will follow through with the strategy released in January, and not let it fall victim to partisan rancor.
It is also my hope that improvements can be made with respect to the supply chain dilemma. The FDA's efforts to improve security in the medical device industry, for example, could be used as a template for fixing the security of maritime operational technology (OT).
Gradual progress, along the course set by the two policies I've mentioned here, could partially mitigate the threat of a scenario like the one I described in my last post.