Last week, we reported on the Jones Walker survey on maritime cyber risks that made this point: “The U.S. maritime industry is not prepared for future cyber-attacks.” In the blue-water sphere, last year’s massive breach into global shipper Maersk’s systems cost it about $300 million to address.
In the past, when cyberattacks were conducted by lone hackers or criminal groups hunched at keyboards overseas or in basements, the biggest thing protecting the barge industry was probably its relatively low profile.
But, whatever degree of protection that may have once afforded is gone. Today’s hackers don’t sit at keyboards themselves; they rely on automated software that sweeps the internet looking for vulnerable points to penetrate. That means anywhere that outdated software creates an entry point, including towing company systems or other places it might not have occurred to human hackers to attack.
The Jones Walker survey’s main thrust for inland towing companies was that they can’t and shouldn’t wait for a Maersk-type disaster to happen in the brown-water sector to address their cybersecurity issues. We hope the Jones Walker report will help alert mid-level software providers that there is a big underserved market on the inland waterways for their security systems and products.
Beyond individual companies stepping up their protective efforts, the U.S. Coast Guard is the primary agency in charge of cybersecurity on the inland waterways. It operates as part of the Department of Homeland Security.
In October, the Coast Guard released its “Maritime Commerce Strategy Outlook.” Along with familiar (and always-needed) discussion of the importance of the maritime transportation system (MTS) and of recapitalizing water infrastructure, the document contains recommendations for strengthening it.
Under the first objective, “Mitigate Risk to Critical Infrastructure,” the first goal or task is this: “Fortify information technology security in the maritime domain. As the DHS [Department of Homeland Security] Sector Specific Agency for maritime critical infrastructure, the Coast Guard will align with national and DHS policies to develop effective prevention and response frameworks for the protection of maritime critical infrastructure.” The Coast Guard said it will “expand a prevention regime that relies on existing authorities for risk governance for port facilities and vessels, tying safety and security compliance to recognized industry cyber security standards.”
The problem is that most “existing authorities”—port districts, localities, states and federal agencies, including the Coast Guard itself—are underfunded and underprepared for such a challenge. Everyone recognizes that cybersecurity is an important issue, but few are ahead of the curve.
Some recommendations in other sections of the Coast Guard document offer clues as to how this policy might work for cybersecurity issues. In Section VII, “Transforming Workforce Capacity and Partnerships,” the document notes that “Congressional, DHS, Coast Guard regulatory and International Maritime Organization requirements have pushed the Coast Guard to increase the use and oversight of third-party organizations for regulatory functions and standards accrediting bodies.”
Third-party organizations and private companies will undoubtedly be necessary to help the Coast Guard upgrade and harden cyber systems. In February, Nextgov.com quoted Rear Adm. Kevin Lunday, head of the Coast Guard’s Cyber Command, as noting the difficulty the Coast Guard shares with other federal agencies in attracting qualified personnel. That’s no surprise since the private sector is so much more lucrative. The Coast Guard can draw on the expertise of Defense and Homeland Security departments to get training personnel. But Lunday “also stressed the need to build relationships with cyber experts in the private sector and get government employees to rethink how they interact with technology.”
Earlier this month, the Senate passed a cybersecurity bill that strengthens the Department of Homeland Security’s role as the main federal agency overseeing civilian cybersecurity. The bipartisan Cybersecurity and Infrastructure Security Agency Act would establish a cybersecurity agency that is the same stature as other units within DHS.
The bill would rebrand DHS’s main cybersecurity unit, now known as National Protection and Programs Directorate (NPPD), as the Cybersecurity and Infrastructure Protection Agency, spinning the headquarters office out into a full-fledged operational component of DHS on the same level as Secret Service or FEMA.
If signed into law, this consolidation could help streamline the Coast Guard’s access to the kinds of expertise it needs to address cyber risks.
In the meantime, all towing companies should read the Jones Walker report and do whatever they can to minimize their own cyber risks.