Seaports Magazine - Summer 2017 - 30

have some function or data that can be
monetized or weaponized by intruders.
On-board ship electronics, port command
and control systems and archived data are all
targets for criminals. Further, nation states
regularly penetrate the systems of allies and
adversaries to acquire intelligence or interfere
with sensitive operations. China, Russia and
North Korea are regularly in the news for
such activity. One illuminating example is the
Stuxnet computer worm that was reportedly
developed as an American-Israeli cyber
weapon to sabotage Iran's nuclear program.
The virus, first identified in 2010, lay
dormant in a Microsoft Windows operating
system until it detected the command and
control software for a particular nuclear
centrifuge whereupon it came to life and
destroyed several centrifuges. Although
designed to be loaded by an infected USB
flash drive, once installed, it propagated itself
to every device on the network and beyond.
Elements of Stuxnet are still believed to
be dormant in many of the world's PCs
running Microsoft Windows software, with
unknowable interactions with commercial
software subsequently added to an infected
computer. The resources arrayed against IT
professionals mandated to protect ports are,
for most intents and purposes, unstoppable.

Stuxnet required human intervention
to invade its first target. Indeed, human
action is still responsible for most successful
cyber-attacks. Authorized users choose
weak passwords, open email attachments
containing malicious code, click on harmful
links, lose laptops, tablets and cell phones, and
have their user IDs and passwords harvested
by ever-increasing numbers of phishing
scams. Professional system administrators
are not immune to human error and too
often fail to properly configure their systems
or are slow to install security updates for
newly discovered vulnerabilities. One study
found that many companies regularly take
100 or more days to install security updates.
Because criminals know this, the probability
of an attack is extreme within 60 days of the
commercial release of a security update.

Commercial computer operating systems
and applications are extremely complex
and contain many known vulnerabilities.
The current versions of Microsoft Windows
and Apple OS each have more than 50
million lines of code, and together they have
thousands of known vulnerabilities. Although
these companies continually strive to fix and
update code, that new code contains new
vulnerabilities. Add to that the vulnerabilities
inherent in applications, such as email,
browsers, database systems and document
processing, and the impossibility of stopping
every attack becomes apparent. The difficulty
is compounded when computers join a
network where malicious software can come
from any direction and in any form. Malware
can be embedded in an invoice emailed by
a supplier, propagate from an application
initially resident on only one computer, or
travel over Wi-Fi from a tablet or cell phone.
Moreover, commercial software license
agreements invariably absolve vendors from
liability for flaws in their products; buyers
agree to take their products "as is."

Connectivity adds great value and great
vulnerability to computer systems. In 1989,
a Cornell graduate student exploited MIT's
computer systems to infect more than 6,000
university, research center and military
computers. The Morris Worm, believed
to be the first worm virus, collapsed 10
percent of the existing Internet before it was
stopped. More recently, an international
anti-cybercrime coalition, the Anti-Phishing
Working Group, reported a 250 percent
surge to a record 289,371 unique phishing
sites in Q1, 2016. Clearly, criminal cyber
activity and related cyber-risk are on the rise.

The increase in malware is certain to
be accelerated by the Internet of Things.
Developers of Internet-enabled "things"
reduce their operating systems to the
absolute minimum, often removing security
features to make room for higher priorities
including wireless access. One researcher
reported nine separate vulnerabilities in a
manufacturer's newly introduced range of
Internet-enabled light bulbs. These "things"
will bring new and dangerous vulnerabilities.

Software and hardware market forces
further exacerbate cyber-vulnerability. If
a vendor takes too long to get a product or
update to market, they lose market share
to faster suppliers. For that reason, vendors
limit the time spent on finding and fixing
problems and regularly release products
with known vulnerabilities. While license
agreements protect vendors, companies that
use commercial software that suffers an attack
that harms others are regularly held liable for
the damage. Both regulatory scrutiny and civil
lawsuits are steadily increasing.

In the face of increasing threat, there is
hope. A robust cyber-security industry is
continually developing new protections and
more secure systems. Software vendors are
adding automation to their development
processes as well as secure coding standards.
Communications can be encrypted or
employ safer modes of transmission, such
as fiber optics rather than Wi-Fi. Although
it is important to continually upgrade cyber
security, technology alone is insufficient to
properly address the threat. Prudent boards
of directors recognize that resilience, not
prevention, is the key to cyber security.
Prevention, detection and remediation are
all equally essential to cyber-resilience.

Virtually all industries now have best
practice cyber-resilience standards that
include practical advice for directors. Among
the best-evolved sources for governance of
critical infrastructure such as ports is the
U.S. Department of Commerce National
Institute of Standards and Technology
("NIST"). NIST regularly provides updates
on its Cyber-Security Framework including
analysis of the role of cyber-insurance, vetted
"white hat" cyber-hack testing, data breach
communications planning and more.

Prudent port authorities must accept the
likelihood of a cyber-attack penetrating even
the best prevention and take the lead in
setting priorities and approving contingency
and remediation plans. Currently, port
authorities have a choice about how they
address cyber-responsibility. As legislation,
regulation and civil liability develop, any
element of choice is likely to disappear.

Art Linton is an internationally successful
and digitally literate Canadian business
leader and lawyer. This article is intended
only to inform or educate; it is not legal
advice. The reader must contact a lawyer to
obtain legal advice on any specific matter.


