Marine Cyber Threats Discussed At Inland Marine Expo
For the first time, according to former Department of Homeland Security Secretary Kirstjen Nielsen, cyber threats exceed physical threats to our nation’s security.
That sobering thought, offered by Coast Guard Lt. Cmdr. Daniel Mochen, opened a panel on Cyber Risk Management at the recent Inland Marine Expo in St. Louis. The panel was hosted by Matt Hahne, vice president of USI Insurance Services, substituting for attorney Marc Hebert of Jones Walker.
Mochen said Coast Guard strategy for managing cyber risks is based on a presidential executive order, signed in May 2017, that requires all federal agencies to use the Cybersecurity Framework (CSF) created by the National Institute for Standards and Technology (NIST) to improve cybersecurity for critical infrastructure throughout the United States. It’s a voluntary, non-regulatory standard whose full text is available on the Coast Guard’s Maritime Commons blog. A draft Navigation and Vessel Inspection Circular (NVIC) that lays out how the Coast Guard will implement this framework is under review and should be available within a couple of months, he said.
The goals of the Coast Guard’s plan to manage cyber risks, said Mochen, are to:
• defend cyberspace;
• enable operations; and
• protect infrastructure.
Mochen referred to CG-5P Policy Letter 08-16, which spells out which cyber incidents must be reported. A single spear-phishing attack need not be reported, he said, but hundreds of coordinated attacks would have to be.
Dean Schoulz, a veteran in the tech sphere and chief technology officer of Marine CFO, OpsGen and UA Business Cloud, said he was set to participate in a live “security exercise” in New Orleans the following Thursday in which a cyber-attack would be simulated. Regarding cyber-attacks on critical information, he said the best advice is still “If it’s so critical, don’t put it on the internet.”
Schoulz, who has been writing software since the early 1990s, said any defense against cyber risk has three pillars. Technology is obviously one, but all companies’ products are now cloud-based. Training is the easiest; training employees not to click on suspect links “is still the single most important thing you can do” to protect your company, he said.
But most important is to prepare for attacks before they happen, by securely storing, “containerizing” and duplicating information through “mirror-imaging.”
It’s also important, said Schoulz, to talk with your insurance broker and see what your policy includes and excludes. You might need a separate plan for cyber risks. Make sure, he said, that your policy covers your clients’ sensitive data as well as your own.
He said 39 percent of insurance claims for damage from cyber-attacks come from malware; 19 percent come from ransomware (in which hackers shut down access to a system unless a ransom is paid, often in untraceable crypto-currency); and 19 percent from “social engineering,” i.e., people being lured on social media.