To support its multiple operational duties – law enforcement, navigation aids, icebreaking, overseas military support to the Department of Defense (DOD) when requested, etc. – the U.S. Coast Guard provides IT support to 823 global sites and more than 54,000 users. However, recent assessments by both the U.S. Coast Guard and the Government Accountability Office (GAO) have determined this infrastructure – both IT and the physical facilities housing it – is critically outdated and in need of restructuring and improved security.
As the principal federal agency responsible for maritime safety, security, and environmental stewardship in U.S. ports and waterways, the Coast Guard protects and defends more than 100,000 miles of U.S. coastline and inland waterways. It also safeguards the largest Exclusive Economic Zone (EEZ) in the world, encompassing 4.5 million square miles stretching across nine time zones, from north of the Arctic Circle to south of the equator, from Puerto Rico to Guam.
The size and complexity of the Coast Guard’s mandate make a top-of-the-line IT infrastructure critical. The service’s “Coast Guard Strategic Plan 2018-2022” calls for greater cyber strength and efficient IT infrastructure, which has led to a request for sources in an apparent move to contract private industry support for cybersecurity and network optimization as part of an Infrastructure Managed Services approach.
“The security environment is also affected by the rising importance of the cyber domain – where adversarial nation-states, non-state actors, and individuals are attacking our digital infrastructure and eroding the protections historically provided by our geographic borders,” the Strategic Plan states.
“USCG recognizes it must partner with industry,” the request confirmed.
Maritime cybersecurity is the third of six strategic priorities in the Plan.
“Cybersecurity is one of the most serious economic and national security challenges we face as a nation,” according to the Coast Guard. “Government systems encounter a mounting array of emerging cyber threats that could severely compromise the Coast Guard’s ability to perform its essential missions. These growing threats also pose significant risks to our nation’s Maritime Transportation System and critical infrastructure. With over 90 percent of the nation’s goods moving via increasingly networked maritime conveyance, preserving cybersecurity is essential to overall safety, security and effectiveness.”
The Strategic Plan sees the Coast Guard as a vital part of the nation’s national defense effort against transnational criminal organizations (TCOs) and other malicious non-state actors that erode maritime governance, the rule of law, and regional stability. It also recognizes the Coast Guard’s role in confronting what it calls “the return to great-power competition,” in which rival powers, primarily China and Russia, exploit pockets of weakness to challenge “rules-based international order through inter-state aggression, economic coercion, maritime hybrid warfare, gray zone activities, and overreaching territorial claims.”
Central to all of that is the rising importance of the cyber domain and attacks by TCOs, adversarial nation-states, and even individuals on America’s digital infrastructure.
“At the stroke of a key, rivals in remote regions of the world can attack, disable, and alter our critical infrastructure and financial networks. These bad actors can unleash volatile malware that could have devastating consequences worldwide. While improved interconnectivity expands our capabilities, we must be wary of the corresponding increase in risk,” the Plan warns. “Rapid technological advancements are changing the character of maritime operations. The accelerating pace of innovation manifests itself through increasingly complex vessels, high traffic volumes, and greater demands on the Marine Transportation System (MTS).
“Our ability to set and enforce effective standards that advance maritime safety and environmental stewardship must keep pace with rapid technology application in the afloat, ashore, and cyber elements of the MTS,” the Plan states. “Aging surface and aviation assets, as well as antiquated shore- and information-technology infrastructure, challenge our operational readiness. While we are working to recapitalize essential assets, we also require the resources to sustain and operate them.”
Part of this effort will involve moving parts of USCG IT data to the cloud. Toward that end, the Coast Guard is closely monitoring DOD’s $10 billion, up-to-10-year Joint Enterprise Defense Infrastructure (JEDI) cloud contract with Microsoft. Despite its size, JEDI is only one of several contracts DOD has let or is competing for cloud-based support for its massive IT requirements.
For example, in August 2019, DOD and the General Services Administration awarded a $7.6 billion contract to General Dynamics Information Technology for another cloud project, Defense Enterprise Office Solutions (DEOS), for email, collaboration, and other office services, relying on Microsoft’s Office 365 cloud platform.
While the Coast Guard is part of the Department of Homeland Security (DHS), not DOD, it shares many of the same IT issues and requirements. Thus any successes DOD has with JEDI are likely to have a major influence on the Coast Guard’s IT cloud migration effort.
An IT managed services provider typically handles such functions as:
- Software – production support and maintenance
- Systems management
- Data backup and recovery
- Data storage, warehouse, and management
- Network monitoring, management, and security
- Human resources and payroll
Moving these operations to the cloud not only reduces the number of points of access an adversary could exploit, but provides a single point of access for authorized users and enables faster integration of data. However, a single point of access also can be a fatal flaw if not properly – and extensively – secured.
In its 2019 report “Reducing Risk in Cloud Migrations,” Centrify Corp., proponent of Zero Trust Privilege (“never trust, always verify, enforce least privilege”), said “just enough, just in time” access to IT infrastructure, from physical terrestrial components to the cloud, is a mandatory part of maintaining security.
“As the enterprise threatscape expands, organizations are faced with new challenges to secure modern attack surfaces, and this report makes it clear that the cloud is no exception,” Centrify CEO Tim Steinkopf stated in a press release about the report. “We know that 80 percent of data breaches involve privileged access abuse, so it’s critical that organizations understand what they are responsible for when it comes to cloud security and take a least privilege approach to controlling privileged access to cloud environments. Too much access and privilege puts their workloads and data at risk.”
While moving a major part of its IT operations to the cloud will resolve many problems – while raising some new ones – for the foreseeable future, the bulk of the Coast Guard’s IT operations will remain housed within its ground-based infrastructure. That means that, in addition to upgrading and restructuring its IT, the service also must make sure the physical structures housing that infrastructure are secure, not only from cyber attack, but from storm damage and the deleterious effects of aging.
A February 2019 GAO report found the Coast Guard’s $18 billion portfolio of shore infrastructure is deteriorating, with almost half of it past its service life. The report cited Coast Guard data that it would cost at least $2.6 billion to address maintenance and recapitalization project backlogs, but that hundreds of projects had not been factored into those estimates.
As a component of DHS, the Coast Guard also is subject to DHS-wide efforts to upgrade, restructure, and improve the security of IT, both internally and as part of DHS overall. Following GAO recommendations, DHS developed and implemented a department-wide process to facilitate data sharing and coordination among its various agencies that conduct or require vulnerability assessments. That included pilot projects to expand access to its IP (Infrastructure Protection) Gateway portal, which houses infrastructure data.
In September 2017, DHS reported the Coast Guard had used the IP Gateway more than 200 times to access assessment-related information, as a proof of concept for using the IP Gateway to share assessment information and help minimize the risk of potential duplication and gaps in vulnerability assessments.
While the GAO found the Coast Guard has taken initial steps toward improving how it manages its shore infrastructure, including conducting an initial assessment of shore infrastructure vulnerabilities, it also found the Coast Guard has not fully applied leading practices and key risk management steps in managing that infrastructure.
In the February 2019 report, GAO said the Coast Guard needs to:
- employ models for predicting the outcome of investments and analyzing tradeoffs;
- dispose of unneeded assets; and
- implement DHS’s Critical Infrastructure Risk Management Framework.
In 2018, according to the report, the Coast Guard graded its overall shore infrastructure condition as a C-, based on criteria derived from standards developed by the American Society of Civil Engineers. At that same time, the service estimated it would take almost 400 years to address just the $1.774 billion recapitalization and new construction backlog at current funding levels – an estimate that does not include a $900 million deferred depot-level maintenance backlog nor hundreds of other recapitalization and new construction projects.
“Our previous reports have identified various steps the Coast Guard has taken to begin to improve how it manages its shore infrastructure,” the GAO’s 2019 report said. “Some of the steps the Coast Guard has taken align with leading practices for managing public sector backlogs and key practices for managing risks to critical infrastructure, including identifying risks posed by the lack of timely investment, identifying mission-critical facilities, disposing of unneeded assets, and beginning an assessment of shore infrastructure vulnerabilities.”
Specifically, the report said the Coast Guard has:
- identified risks posed by lack of timely investment;
- identified mission-critical and mission-supportive shore infrastructure; and
- assessed selected buildings for vulnerabilities.
The report also recommended the Coast Guard fully implement DHS’s Critical Infrastructure Risk Management Framework’s five steps: (1) set goals and objectives, (2) identify critical infrastructure, (3) assess and analyze risks and costs, (4) implement risk management activities, and (5) measure the effectiveness of actions taken.
“The Coast Guard agreed with our recommendation. It stated that it plans to make progress towards implementing the recommendation while developing and implementing its Component Resilience Plan, in accordance with the recently mandated DHS Resilience Framework,” Nathan Anderson, director of Homeland Security and Justice, told the House Subcommittee on Coast Guard and Maritime Transportation on Sept. 25, 2019.
“It intends to complete these efforts by the end of 2021. The Coast Guard also intends to develop, by July 2020, goals and objectives for measuring the effectiveness of actions taken to identify resilience readiness gaps and resource needs. We will continue to monitor these efforts.”
The Strategic Plan acknowledges the shortcomings, requirements, and future expansion of Coast Guard operations, including infrastructure and cyber.
“Our increasingly digital world requires a balance between reliable access to Coast Guard information systems for our people and assets and the ability to capably defend our networks against cyber threats. To leverage the massive benefits of information technology, connectivity, and data, we will:
- Ensure information is readily and securely available to operators and mission support personnel in a full, degraded, or disconnected environment;
- Deliver reliable mobile capabilities and improved remote access for frontline operators;
- Prioritize resources and recapitalization efforts to ensure the reliability and effectiveness of C5I [Command, Control, Communications, Computers, Collaboration, and Intelligence] systems;
- Treat the C5I enterprise mission platform as a mission enabler like other operational assets, grounded in capability requirements; and
- Accelerate the adoption of cloud computing offerings.
“The rapid advancement in technology across our personal and professional lives presents game-changing opportunities for the Coast Guard, if properly harnessed. To fully understand the potential impacts of emerging technologies on Coast Guard operations, we will:
- Evaluate emerging technologies, such as unmanned platforms, data analytics, block chain encryption, artificial intelligence, machine learning, network protocols, information storage, and human-machine collaboration for possible use in mission execution;
- Capitalize on DHS and DOD research and development efforts, national labs research, and academic partnerships;
- Seek opportunities to leap from existing technologies and competencies to new capabilities; and
- Assess the Coast Guard total force laydown and capability mix across all mission areas.”
This article originally appears in the 2020 edition of Coast Guard OUTLOOK.