Written by Shannon Vavra
The National Security Council is planning to issue a cybersecurity update to the U.S. government’s national maritime security strategy Tuesday, multiple senior administration officials tell CyberScoop.
The update, which administration officials first teased last September, will prompt federal agencies to develop more streamlined cybersecurity standards for organizations in the maritime transportation system (MTS), which includes seaports, vessel owners and operators and terminal operators, according to administration strategy documents obtained by CyberScoop.
The update from the White House also is aimed at promoting more information-sharing on maritime cyberthreats with the private sector, streamlining the information-sharing process and prompting the U.S. government to establish maritime cybersecurity-focused workforce programs.
The NSC is releasing the National Maritime Cybersecurity Plan as part of a recognition that there are gaps in U.S. maritime security, officials said. A chief concern is that disruptions to ports and shipping could send shockwaves through the U.S. economy. More directly for national security, officials say the NSC wants to limit the ability of adversaries to exploit vulnerabilities to hinder the Department of Defense’s ability to project force abroad — a scenario that has inspired several training exercises for the U.S. military in recent years.
“We’re really focused on making sure that the people operating in that maritime system in the U.S. have good cybersecurity practices,” one senior administration official familiar with the plan told CyberScoop.
The rollout of the plan comes at a chaotic moment for cybersecurity professionals — the NSC is currently working on responding to the massive SolarWinds supply chain breach that includes several federal agencies as well as private sector entities. It also comes a mere 15 days before President Donald Trump’s time in office comes to a close, raising questions about its long-term viability.
When asked about why the rollout is coming now, a senior administration official indicated the NSC staff is still working on improving U.S. cybersecurity writ large even in the waning days of the administration.
The cybersecurity document is one of eight plans developed as a part of the National Strategy for Maritime Security.
Although the SolarWinds incident is drawing much of the NSC’s attention, White House officials said they haven’t forgotten previous major cybersecurity incidents that affected the shipping industry and supply chain. In the now infamous 2017 NotPetya attack, hackers suspected to be tied with Russia hit multiple entities in the maritime industry by exploiting a software flaw in tax software. For shipping giant Maersk alone, that incident cost hundreds of millions of dollars.
The incident was a wake-up call to the maritime industry, which contributes approximately $5.4 trillion to U.S. GDP.
“When you look to other sectors that have that type of surface area, like the finance industry, what you see is they’re spending tens if not hundreds of millions of dollars a year to buy down cyber risk. And we did not find that in the maritime sector,” the senior administration official said.
An ocean of risk
One of the U.S. government’s priorities moving forward should be to develop a risk framework for port operational technology (OT) systems, so that insurers, vessel owners and shippers have common risk language, the NSC plan states.
For this to work, the U.S. government ought to include input from the private sector and congressional action, says Brian Satira, the co-founder of DEFCON’s Hack The Sea Village.
“For it to be meaningful, this should be accompanied by regulatory requirements that generate transparency in the supply chain of maritime OT, otherwise it is impossible to accurately evaluate risk in that technology,” said Satira, adding that organizations need better visibility into their supply chain to better assess their risk, so “Congress needs to mandate a ‘list of ingredients’ for OT.”
The White House‘s plan acknowledges that part of jumpstarting the country’s maritime cybersecurity should also involve government grants, workforce programs and improving maritime cybersecurity incident investigations and cybersecurity standards for ports.
In recent months the U.S. government has worked to drill down on maritime cybersecurity guidance — the U.S. Coast Guard, for instance, issued new voluntary guidelines for facility owners and operators on addressing computer system or network vulnerabilities last year in Navigation and Vessel Inspection Circular (NVIC) 01-20.
This kind of guidance is progress, but the cybersecurity of the maritime sector has a long way to go yet, Satira says.
“There’s forward progress but it’s progress in inches when we have lightyears to go. It’s glacial pace,” says Satira. “We’ve already had our wakeup calls and things should be moving faster than they are.”
The rollout comes a day after Acting Secretary of Homeland Security Chad Wolf participated in a groundbreaking event for the Cyprus Center for Land, Open-seas, and Port Security (CYCLOPS), which will boast a mobile cybercrime training lab and host training on cybercrime and maritime security, according to a DHS announcement. The Republic of Cypress will provide trainers for the center, set to open later this year.
Update, 1/5/2021: After publication of this story, the White House released the plan Tuesday.