Coast Guard Cyberdefense Office: Small but Mighty

By Eric Beidel
Like the Army, Navy, Air Force and Marine Corps, the Coast Guard suffers thousands of attacks on its networks each month.

The Army has some 21,000 personnel devoted to network defense.

The Coast Guard: just 18.

Coast Guard Cyber Command, which is still in its infancy and awaiting a final stamp of approval, has aspirations to carry out a variety of missions. As a force that straddles the law enforcement and military realms, it is in a unique position, its leaders say.

“We’re smack dab in the middle of this,” says Coast Guard Lt. H. “Lars” McCarter, who is now assigned to a tactics branch at U.S. Cyber Command.

Officials say the threat to the Coast Guard is real. In late 2009, the service suffered the largest ever intrusion of its unclassified network. Dozens of systems were affected, some in geographically remote locations. There is a high probability that the attackers were able to exfiltrate sensitive information to foreign locations, though the initial source of the hack remains unknown, officials say.

But there are currently more Coast Guard personnel being funded by the Defense Department and assigned to U.S. Cyber Command in Fort Meade, Md., than there are back at the service’s own operation in Washington, D.C. McCarter is one of 20 from the small service currently focused on carrying out the Pentagon’s cyberspace mission. They will return to the Coast Guard when they finish their assignments, but there may or may not be space for them in network security roles.

The 18 personnel that currently make up Coast Guard Cyber Command come from a variety of information technology, operational and intelligence backgrounds and have a tall order ahead of them. In addition to defending their networks and protecting more than 45,000 workstations and users, they plan to use the Internet to keep tabs on drug runners and other criminals and keep critical infrastructure at the nation’s ports running safely. The service would like to beef up the command to carry out these missions, but potential budget cuts could put a damper on some of these efforts.

The Coast Guard already takes advantage of network security and intelligence training offered by other services and had to cut spending on other programs just to carve out the 18-person detachment. The chronically underfunded service is likely to have to trim some more in the current fiscal environment.

“I think what we find with cyber is that it’s more expensive to ignore it than to deal with it,” McCarter says. But as money dwindles, clear priorities must be established. “What is more important? The southern border or protecting domestic cyberspace? That is a very challenging question.”

The Coast Guard has begun looking internally for redundancies within its network security and across the board. The service recently found that it had 130 processes related to information assurance spread throughout its operations. Officials streamlined those and assigned them to appropriate entities. But as budgets get tighter, they will have to lean even more on agencies with abundant resources. Eventually, the service would like to embed personnel with related outfits at the Department of Homeland Security and throughout the government.

On the high seas, Navy ships often carry Coast Guard detachments because the larger service can’t board vessels for law enforcement purposes. Officials are pondering what the equivalent of such actions would be in cyberspace. The smallest service’s title authorities place it at the crossroads of defense, homeland security and law enforcement missions. That versatility could prove crucial to a government that is still trying to figure out exactly how it should handle the spectrum of operations in cyberspace, officials say.

After all, there may be situations when U.S. Cyber Command just can’t pull the trigger on a law enforcement measure, but the Coast Guard can.

“That’s still being worked out right now,” says Commander Cliff Neve, chief of operations at Coast Guard Cyber Command. “We’ve not gone down that path, but I believe we will be going there.”

Coast Guard Cyber Command has its hands full with the missions it has already established. The most difficult and complex of them will require a level of cooperation between the federal government and private sector rarely achieved.

In addition to protecting its own networks, the Coast Guard is tasked with ensuring the safe travel of goods upon the nation’s waterways. This means working with commercial partners to assess and respond to threats to key infrastructure at ports around the country. These ports are becoming increasingly automated, providing new avenues for adversaries to break into them. All of the padlocks in the world can’t keep a hacker from gaining access to a computer system that controls a drawbridge, for instance.

“They could drop a bridge on a ship at the wrong time,” Neve says. “Anything that has a sensor — like an oil rig that has remote sensors — there’s a connection there and that connection could potentially be abused.”

A cyber-attack on a U.S. port could be devastating to the local operation and to the global economy. The Coast Guard must keep an eye on supervisory control and data acquisition (SCADA) systems, or the means by which industrial infrastructure and port facilities are connected to a network so they can be remotely operated. Hacking into these controls is a sure-fire way to wreak havoc, officials say.

“If you want to bring a port down, shut the electricity off or turn off the terminal operating system,” says John Holmes, a retired Coast Guard captain and executive deputy director of operations at the Port of Los Angeles. “If you shut down the terminal operating system, which tells them where every container is going, they are dead.”

It’s not “if” but “when” this type of attack will occur, he said at a recent maritime security conference.

“Something’s going to happen in a major port, and every port should know how to get their infrastructure running again.” This resiliency will require better communication between government and businesses, Holmes says.

“You don’t want a port to shut down because somebody closed a bridge and won’t let it open because it was connected to the Internet somehow,” McCarter says.

The Coast Guard already has ties to the commercial port industry and now must translate those relationships to the cyberspace domain to assess network vulnerabilities at U.S. ports. The .mil and .gov networks are under constant attack, McCarter says, but it is harder to get a handle on the same kind of activity within commercial systems at the ports.

Companies often are reluctant to share information about intrusions for fear their reputations would be damaged. The Coast Guard is working on a way to increase reporting by allowing parties to announce intrusions while remaining anonymous.

“We know the threats are there,” McCarter says. “Whether or not threat actors have actually acted on it is a challenge, because somebody would have to tell us that it happened.”

Earlier this year, National Defense University, which is located near Coast Guard headquarters, issued a solicitation for an expert who could help the service’s Cyber Command establish a baseline for its maritime mission. The one-year position would involve studying a specific port for the purposes of identifying problems and ways to solve them. The contractor sought by NDU also was to help the Coast Guard understand all of its authorities and how they can be applied to cyberspace.

It appears that the service will have its hands full just defending its own network.

During a typical month, emails carry about 25,000 viruses into the Coast Guard network. And attacks on computer systems have been increasing wholesale. In November 2009, a little more than 150 Coast Guard workstations showed infections, according to data from the service. By February 2010, viruses had been planted on more than 1,000 computers. That same month saw an additional 20,000 or so attacks that the service’s response system handled automatically.

“One of the problems with cyber-attacks is that they happen in machine time. Once you’ve found out about it, it’s already occurred,” Neve says. “As a result, part of the defense system for intrusion prevention is to automate that process.”

But attacks are becoming automated too. Hackers will rent out botnets, or groups of compromised computers, by the hour for others to conduct denial of service attacks under a cloak of anonymity.

“It used to be that hackers were very specialized. There were very few people who could carry out a computer attack,” Neve says. “Now you can go find computer [software] online and leverage it with a couple clicks of the mouse.”

Even seemingly harmless hackers can cause disarray across the Coast Guard network. If the service has to take down a server to fix it, operations in the field could be affected.

“You have to make a pretty quick call on whether or not you’re going to pull the plug on it to stop the infection from spreading or keep it up and maintain operations,” Neve says. “You have a security person saying, ‘Take it down.’ Then you have an operator saying, ‘You can’t take it down. We’re running a search-and-rescue mission’ or ‘we’re running a counter-drug mission.’”

It is a delicate balance. The service used to rush to kick an intruder off the network, take the server down to fix it and then put it back up. Now, though, Coast Guard security professionals see the value in being more patient, Neve says. They may want to let someone troll around a bit to see if they can gather more information on the offender. They may even allow the hacker to get away with some data to see where it is being taken.

Sometimes, the Coast Guard will have to ask for help from the Defense Department, other times from the FBI or DHS. And the service will focus on strengthening those relationships while the whole of government waits for the laws of cyberspace to be defined.

“The Coast Guard is so small it’s imperative that we team very closely with other organizations,” Neve says. And with just 18 people in its Cyber Command, the service must find a way to borrow personnel and resources from larger organizations.

“Having those 20 people up at U.S. Cyber Command is a big deal, because those folks will come back to the Coast Guard with a tremendous knowledge base,” Neve says.

But not all of them will come back to Coast Guard Cyber Command. McCarter, whose assignment with the Defense Department ends in the summer, knows he probably won’t. He most likely will find himself back in a communications engineering role.

“There is just not going to be an available job at Coast Guard Cyber Command for me next summer,” he says. “That doesn’t mean I won’t go back there in a couple of years, but I don’t know.”

Topics: Cybersecurity, Homeland Security
