President Joe Biden is expected to sign an executive order on Wednesday that would give the Homeland Security Department more authority to address maritime cybersecurity threats.
The order, previewed by officials in a call with reporters, would give the U.S. Coast Guard—DHS’s maritime security arm—further authority to respond to cyber threats on the sea. It will also require seafaring vessels and their port facilities to shore up cyber defenses and comply with mandatory cybersecurity incident reporting rules.
The Coast Guard will also announce a new maritime security director and seek public comments through late April on a proposal to establish minimum cybersecurity standards for vessels and ports. This would extend current maritime security regulations into the cybersecurity domain and harden incident reporting rules to include compulsory data breach reporting to authorities, including the FBI and the Cybersecurity and Infrastructure Security Agency.
Maritime shipping centers have become a major target for cyber operatives backed by China’s People’s Liberation Army and other hacking groups. Australian officials in November warned of a major cyber threat to logistics operator DP World, suspending operations at multiple ports across the nation.
The announcement also coincides with recent news that the U.S. jettisoned China-backed Volt Typhoon hackers off a network of compromised routers and other obsolete equipment. But Volt Typhoon was not the core motivator for the executive order, said Anne Neuberger, the White House’s deputy national security advisor for cyber and emerging technologies, explaining that the decision is intended to curtail maritime cyber threats outside the scope of experienced nation-state hackers.
The order has been in the works for about 18 months, Neuberger said. “While [the executive order] certainly ties to particular concerns about Chinese cyber activity, we also have concerns regarding criminal activity,” she added, citing a ransomware gang’s hit on Japan’s Port of Nagoya this past summer.
Defense officials have been working to take U.S. cyber operations into a more offensive dimension, going on the attack against cybercriminals and hacking gangs run or supported by nation states like China, Iran or Russia. The U.S. in recent weeks reportedly carried out a cyberattack on an Iranian military ship believed to have been gathering intelligence on vessels in the Red Sea and Gulf of Aden.
This new executive order appears to focus more on maritime defensive capabilities, as opposed to enhancing the Coast Guard’s capacity to conduct cyberattacks or operate under more clandestine conditions similar to the intelligence community’s cyberwarfare activities.
“We believe [the order] is an exemplar of our commitment to partnership in developing these regs and building off of lessons learned as part of the administration’s approach to instituting mandatory cybersecurity minimum standards,” said Iranga Kahangama, assistant secretary for cyber risk at the Department of Homeland Security, referencing previous incident reporting requirements enacted by agencies like the Securities and Exchange Commission and Transportation Security Administration.
The Biden administration will also dedicate some $20 billion toward port infrastructure over the next five years, as part of funding included in the 2021 Infrastructure Investment and Jobs Act, which would include investing in cranes and other seaport equipment made by trusted providers. That funding would notably not support any efforts to “rip and replace” equipment, Neuberger said in phrasing akin to the Federal Communications Commission’s ongoing efforts to remove Chinese telecommunications equipment from U.S. networks.
But Chinese-made port equipment still concerns officials. Over 200 Chinese-made cranes have been detected across U.S. ports and related maritime facilities, and about half of those have been assessed for cybersecurity threats, said Rear Adm. John Vann, who heads the Coast Guard’s Cyber Command.
Law firm HFW and maritime cyber firm CyberOwl reported that 14% of maritime professionals last year paid a ransom to unlock compromised IT or other equipment. The NHL Stenden University of Applied Sciences in the Netherlands has also logged some 160 cyber incidents in the maritime sector over the past decade.
The U.S. does not formally categorize maritime systems as its own critical infrastructure sector, though that might change under ongoing rewrites being conducted by the White House. As of now, maritime operations are lodged under transportation networks, an official critical infrastructure designation that also includes railway and aviation systems.
The Biden administration has taken sweeping steps to direct federal agencies to harden their cyberdefenses, including the institution of strict directives that require offices to report cyber incidents in a timely manner and develop methods to defend critical infrastructure and take down hackers.