New Executive Order Targets Cybersecurity of US Ports

The plan gives DHS additional authority to protect against attacks aimed at critical infrastructure like national ports.

Containers are lifted off a container ship by quay cranes at the Port of Savannah in 2023. Photo Credit: Jerry Glaser/CBP file photo

A new executive order issued by the Biden-Harris administration is looking to improve the cybersecurity of U.S. ports by giving the Department of Homeland Security more authority to directly address maritime cyber threats. 

The increased use of technology across the nation’s Marine Transportation System (MTS) has exposed it to more vulnerabilities from cyberattacks. The order gives the Coast Guard permission to require MTS transportation vessels, facilities and harbors to improve unsatisfactory cyber conditions. Additionally, Coast Guard captains can now control the movement of vessels that pose suspected or known cyber threats to the U.S. maritime infrastructure.

Additionally, the order codifies rules that require incidents and active threats be reported. 

“It’s a shift from requesting to requiring,” Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger said during a roundtable with reporters, according to a White House transcript. “The Coast Guard is the regulator for ports, and the executive order takes their existing physical authorities to set security rules for ports and extends that to the cybersecurity domain. So ports will be required to report that to the Coast Guard.”

The administration also revealed additional measures the government is taking to improve cybersecurity in the manufacturing industry. A Maritime Security Directive issued by the Coast Guard will outline steps to secure ship-to-shore Chinese-manufactured cranes at the U.S. Commercial Strategic Seaports.

“The People’s Republic of China-manufactured ship-to-shore cranes make up the largest share of the global market and account for nearly 80% of cranes at U.S. ports,” said Coast Guard Cyber Commander Rear Adm. John Vann. “By design, these cranes may be controlled, serviced and programmed from remote locations. These features potentially leave PRC-manufactured cranes vulnerable to exploitation.” 

The Maritime Security Directive will give crane owners and operators a set of new cybersecurity steps that they must follow. 

“Our captains of the port will work directly with crane owners and operators to deliver the directive and verify compliance within a reasonable timeframe,” said Coast Guard Deputy Commandant for Operations, Vice Admiral Peter Gautier, during a Wednesday press conference on the order.

The order is an effort to bring more crane manufacturing to the U.S.-based subsidiary of Mitsui E&S Co., U.S. PACECO Corp., and plans to revitalize crane manufacturing in the United States, according to officials. The order comes after the Biden-Harris Administration said it was investing more than $20 billion into U.S. port infrastructure over the next five years. 

“PACECO has a deep history in the container shipping industry, manufacturing the first dedicated ship-to-shore container cranes in 1958, and it continued U.S.-based crane manufacturing until the late 1980s,” Neuberger said. “PACECO intends to partner with other trusted manufacturing companies to bring port crane manufacturing capabilities back to the United States for the first time in 30 years.”

Along with the MTS order, proposed rulemaking aims to set minimum cybersecurity requirements for MTS technology to meet. The new standards would be subject to a public comment period, after which they would be formalized, including outlining the specifics for how failures to report attacks will be punished.

“After we receive public comment and input on the regulations, regulations will be finalized to include enforcement actions being defined,” Vann said. 

Strengthening control systems and networks to industry-recognized standards would add a layer of protection against malicious cyber actors who try daily to gain unauthorized access to MTS technology. Officials noted that ports are a key critical infrastructure target for hackers.

“Our goal is focused that new investment is secure, and then the steps are being outlined here — minimum cybersecurity requirements, the Maritime Security Directive — being used to secure the existing infrastructure,” Neuberger said. “These actions are part of the president’s strategy to secure our nation’s critical infrastructure online and build on steps the administration has taken via DHS to make good cybersecurity practices the norm across our nation’s pipelines, railways and airports.”
