Foreign states, ransomware threaten U.S. ports, says maritime security analyst

One expert said the U.S. Coast Guard is not waiting to act as foreign threat actors and ransomware groups target the maritime sector.
Port of Newark
(Getty Images)

The nation’s critical maritime industry — which includes waterways, ports and land-side connections, moving people and goods to and from the water — is under an increasing threat of cyberattacks, one expert told StateScoop.

A successful cyberattack against a complex maritime ecosystem in the United States could be devastating — more than 75% of the nation’s trade relies on the maritime sector, totaling $5.4 trillion in economic activity, $1.5 trillion in imports and more than 30 million jobs, according to a 2023 report by the Cyberspace Solarium Commission.

“So from my point of view, there’s two big threats: Nation states with malware insertion as part of operational preparation, environment and criminal actors practicing ransomware,” Mark Montgomery, senior fellow at the nonprofit think tank Foundation for Defense of Democracies, told StateScoop in a recent interview.

Since the Maritime Transportation Security Act of 2002, which directed the federal Department of Transportation to develop security measures for domestic maritime facilities and the vessels that call there, U.S. government and industry efforts to protect the industry against such attacks have been lagging, Montgomery said. 

And over the past few years, he said, cybercriminals have increasingly targeted the maritime industry, disrupting port operations and financially damaging affected companies and the global economy.

In 2021, the Port of Houston discovered a breach in its systems and prevented attackers from disrupting operations and corrupting or stealing data. The Cybersecurity and Infrastructure Security Agency testified before a Senate committee hearing that a “nation-state actor” was behind the attack.

The Colonial Pipeline, the nation’s largest fuel pipeline, halted operations in 2021 after a ransomware attack. It eventually paid $4.4 million to the Russian ransomware group responsible.

To bolster maritime cybersecurity, President Joe Biden signed an executive order in February giving the U.S. Coast Guard authority to respond to cybersecurity incidents. It also requires the maritime sector to strengthen its digital defenses and report cyber incidents that impact ports and waterways.

But seven of the nation’s biggest ports — in Houston; Long Beach, California; Los Angeles; New Jersey and New York; Savannah, Georgia; Tacoma, Washington; Virginia; Oakland; and Miami – are located in different states, often with different sets of cybersecurity requirements and resources.

As part of the executive order, the Biden administration also plans to invest more than $20 billion in port infrastructure and cybersecurity over the next five years, but no additional funding has yet made it into the Coast Guard’s 2024-2025 budget.

“This executive order gives them increased authorities to do even more [about cybersecurity], but at some point, they’re actually going to need the resources,” Montgomery said. 

The $20 billion designates money to install new cranes and software manufactured in China, which many experts, including Montgomery, have said are particularly vulnerable to cybersecurity risks.

“You always have to wonder with China, when they’re providing the lowest cost thing into your critical infrastructure, the states supporting the investment, are companies willing to take the risk on our national security for their bottom line?” he said. 

Roughly 80% of the giant cranes used to lift and haul cargo off ships onto U.S. docks come from China and can be controlled remotely. Security experts fear that the software embedded in these cranes, if hacked, could provide real-time visibility into port operations, giving bad actors the ability to track the movement of military equipment and commercial cargo, or, even worse, disrupt operations at major U.S. ports.

In February, CISA, the National Security Agency, and the FBI warned that a China-linked hacking group called Volt Typhoon had successfully targeted critical infrastructure sectors around the U.S., including the maritime sector.

Montgomery said that while the U.S. may not have the manufacturing capacity to completely replace Chinese manufactured cranes, the nation can lean on its allies.

“It will reduce the risk if we use American allies or partners, people we can rely on,” he said. “There’s gurneys that move things around, there’s doors, there’s gate systems. There’s lots of ways to disrupt operations and automatic functions remotely.”

Biden’s order also requires the owners and operators of ports and waterways to secure their information and operational technology infrastructure and meet cybersecurity standards set by CISA.

It’s unclear when all the order’s provisions will take effect, but Montgomery said that the U.S. Coast Guard isn’t one to sit on its hands.

“The strength of the Coast Guard is kind of a ‘can-do attitude’ and a ‘do something with nothing’ in terms of resources,” he said. “So they’ve been stepping out and figuring out how to get things done.”

Written by Sophia Fox-Sowell

Sophia Fox-Sowell reports on artificial intelligence, cybersecurity and government regulation for StateScoop. She was previously a multimedia producer for CNET, where her coverage focused on private sector innovation in food production, climate change and space through podcasts and video content. She earned her bachelor’s in anthropology at Wagner College and master’s in media innovation from Northeastern University.
