NATIONAL HARBOR, Md. – The best way to achieve future cybersecurity is to scrap the web of today and start over by baking protections into the new version, according to the top security official at the Maritime Administration.
However, a dramatic shift to a new web is unlikely to occur any time soon, Cameron Naron said on Tuesday at the 2019 Sea-Air-Space symposium.
“We’re wedded to the current web, [but] it was never designed for cybersecurity,” Naron said. “We’re unprepared for what comes next” because the web was designed to flow data.
Preparing regulations to cover cyber may prove fruitless without a fresh start, Naron said, questioning the value of relying on regulations to offer protections in an ever-evolving domain. Written guidelines and rules “generally are not nimble” in adapting to a changing environment, he said, yet digital technology moves relentlessly onward.
Another way of looking at cyberspace is to consider it as “all about information for us,” said Gregg Kendrick, the executive director of the Marine Corps Cyber Command. “We have a great possibility to recalibrate” how we think about cyberspace now, considering cyber is a contested domain.
When put into a military or security context, Kendrick said one of the questions becomes “how do we move into continuous collaboration” with a secure back-and-forth flow from ship to shore, on shore to other units and elements, allies and partners.
“We don’t just want to be patching vulnerabilities; we want to be defending forward” in cyberspace, Kendrick said.
Interoperability, to meet the needs of the Department of Homeland Security in protecting critical infrastructure, and also to work with the Department of Defense, is the emphasis for the Coast Guard, said Coast Guard Rear Adm. David Dermanelian.
“We have to have common TTPs [tactics, techniques and procedures] … and have a common methodology or you’re stepping on toes” in trying to address cyber threats and anticipating future challenges in the private and government sectors.
Threats and changing actors are a constant challenge even for digital giants like Google. The company is a “big believer in open standards. We provide a lot of support to open sources,” who may be prey for intruders, said Matthew O’Connor, who represented Google at the symposium. “We spend a lot of time worrying about low-level [problems]” that can annoy open source users and fester, as well as the more substantial threats.
With 1 billion users daily, “we’ve got a fairly large investment in vulnerabilities,” O’Connor said. The company’s Project Zero team’s job is “to get those vulnerabilities fixed” and deliver to users as quickly as possible information about what happened and what’s been done about it.
“Security and privacy is our first priority [and] everybody’s job” at the 20-year-old company, O’Connor said.
At MARAD, the situation is very different from Google for the mariners in the Ready Reserve Fleet, Naron said. “They’re hiring folks for their mission [and] they’re very well trained in maritime skills.”
But when it comes to cybersecurity, Naron said their knowledge is not so in-depth. Across the maritime industry, there is no standardization of training and operating in cyber. Each company follows its own track, directly following policies entirely contrary to collaboration.
Kevin Tokarski, a top official at MARAD, told USNI News he looks at cyber in a different way – focused not on people but on the systems.
When it comes to buying used vessels, as MARAD is now going to do as it modernizes its aging fleet, “we’re buying them with eyes wide open.” Before the vessels come into service, they will have to meet security and operating standards for cyber as well as being certified for safe maritime operation.