A rising tide lifts all boats in maritime cybersecurity
This past March, the world watched as the container ship Ever Given clumsily blocked a major artery in the global supply chain – leading to a six-day blockage of the world’s most important shipping corridor, the Suez Canal.
The disruption held up an estimated $9 billion of trade per day. Today, the Port of Los Angeles and the Port of Long Beach are experiencing disruptions leading to a record number of ships waiting off the coast of California. These disruptions have permeated throughout the supply chains for goods that Americans rely on from computers and chips to cars and clothing.
The lesson is clear: The maritime industry is full of chokepoints which, if manipulated, can cause cascading economic impacts that affect Americans.
While these recent disruptions were not caused by hacks or bad actors in cyberspace, they demonstrate the vulnerable chokepoints in the global marketplace. We aren’t dealing in hypotheticals, either – this is already beginning to be a new front in the 21st century fight against cybercriminals. The 2017 NotPetya ransomware event disrupted the Port of Rotterdam and Danish shipping giant, Maersk. As “Raising the Colors,” a recently released Atlantic Council report notes, “In 2020, cyberattacks targeting the [Maritime Transit System] increased by 400 percent over the span of a few months.” Recognizing this concerning trend, the Trump administration issued the National Maritime Cybersecurity Plan in December 2020, to provide a roadmap for the U.S. government to begin pushing back against growing cyber risk in the sector.
As the National Maritime Cybersecurity Plan notes, the U.S. is a “maritime nation,” highly dependent on the network of coastal and inland waterways, ports, shipyards, bridges, and more which “contributes to one quarter of all United States gross domestic product.” Many of these same ports are critical for U.S. military mobilization and hard power projection. These nodes in this intricate system are the very definition of systemically important critical infrastructure – which we have advocated for stronger protections. They are critical to safeguarding our military operations, and will prove invaluable as the federal government works toward continuity of the economy planning.
The National Maritime Cybersecurity Plan highlights three areas of focus for the U.S. government to help meet the challenge of growing maritime cyber risk: risk and standards, information and intelligence sharing, and workforce development.
Now, less than a year later, the Atlantic Council report highlights many of the same challenges which continue to persist, and provides a series of recommendations to help the U.S. better understand and ultimately manage cyber risk facing the maritime transportation system.
The first step is to collectively understand the risks and, as the Atlantic Council puts it, “raise the baseline.” The National Maritime Cybersecurity Plan proposes better risk modeling to inform standards and best practices. This is a good start, and it should be accompanied by a sector-specific cybersecurity framework, building on the Cybersecurity Framework of the National Institute of Standards and Technology. The maritime sector is not monolithic. It consists of everything from ports and bridges to the boats that traverse the waters. This reality needs to be reflected in these standards. But this process cannot start and end with the production of a framework.
Policymakers must also better understand barriers to implementation in the sector and work with the maritime transportation system’s owners and operators to ensure they are properly resourced to meet the threat through targeted grants and investment.
In its final report, the Cyberspace Solarium Commission highlighted the need to pull the least mature aspects of our critical infrastructure up by the bootstraps. This included initiatives to improve the state of government support to critical sectors through the identification and designation of systemically important critical infrastructure, as well as by improving the maturity of sector risk management agencies, the government agencies that serve as the primary liaisons with critical infrastructure owners and operators.
One way the federal government can add value to these critical infrastructure owners and operators is through the sharing of critical cyber threat intelligence and information, a common request from nearly all critical infrastructure sectors, but one that the federal government has been slow to answer. The federal government should work towards a more free flowing exchange of information and cyber threat intelligence with the private sector owners and operators in the maritime system, but there exist today many of the same barriers to doing so that the Cyberspace Solarium Commission pointed to more than one year ago in its final report.
Intelligence policies and procedures, including those that drive collection priorities and declassification, “have not been sufficiently modernized to account for the unique challenges of cyberspace.” As a result, the intelligence community is limited in its ability to provide sufficient intelligence to U.S. entities. To move towards more intelligence support for critical infrastructure, including in the maritime sector, we must do more to address these shortcomings and codify processes for identifying broader private-sector cybersecurity intelligence needs.
A final pressing challenge is that of training, recruiting, and retaining a cybersecurity workforce tailored for the sector. While this issue is not unique to the maritime sector, it is nonetheless challenging.
The National Maritime Cybersecurity Plan states that the U.S. will work to “produce cybersecurity specialists in port and vessel systems.” The Atlantic Council suggests that “Maritime Cyber Education and Certifications” could do the trick there, but this work must also extend to awareness building and cross-sector collaboration. The Cyberspace Solarium Commission proposed several recommendations that could help move the needle on cybersecurity workforce development broadly, many of which could be relevant to the maritime sector, like supporting upskilling programs for veterans, building a more robust ecosystem of cybersecurity apprenticeships (including in the maritime sector), and establishing talent exchanges between competent federal agencies and core maritime infrastructure providers.
The Suez Canal blockage and the disruptions in American ports underscore the importance of the maritime sector to our economy and way of life and the sector is woefully unprepared to meet the looming challenge of cyber risk.
Now is the time for Congress and the executive branch to collaborate with one another and take the steps necessary to help manage the risk to the maritime sector. The National Maritime Cybersecurity Plan is a good first step, and the Atlantic Council’s report builds on that plan and provides a good roadmap for implementation. The time for action to improve maritime cybersecurity is now.
Sen. Angus King, an Independent, represents Maine and is the co-chair of the Cyberspace Solarium Commission, an intergovernmental body charged with developing a strategic approach to improving cybersecurity in the U.S.
Rep. Michael Gallagher, a Republican, represents the state of Wisconsin, and serves on the Cyberspace Solarium Commission.
