Cyber at Sea: House-Passed Legislation Signals Focus on Maritime Cybersecurity

 

On December 16, 2015, H.R. 3878, “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2015,” passed the House of Representatives. The Bill’s language echoes and expands upon recommendations made by the General Accountability Audit’s June 5, 2014 study Maritime Port Cybersecurity. 

 

It also reflects congressional focus on enabling cybersecurity information sharing as seen in the recent passage of the Cybersecurity Information Sharing Act (CISA). (Indeed, but for the lack of a Senate companion bill, H.R. 3878 might otherwise have been included in the budget package in which CISA was enacted.)

 

The importance of a secure maritime sector is well understood. Ninety percent of global commerce moves by sea; approximately three quarters of U.S. commerce moves through ports and waterways, amounting to over $1.3 trillion in cargo annually. Cyber-based risk is now a significant concern. 

 

Many ports are highly automated, creating potential vulnerabilities to cyber attack. And, many modern vessels and their critical systems, such as propulsion systems, can send and receive data from shore-based facilities thousands of miles away. Disruption of trade, damage to physical property or persons, and even silent intelligence gathering to support smuggling operations or other objectives, are among the cyber risks facing the maritime sector.

 

In the United States, government agencies and Congress continue to emphasize the importance of protecting this sector from cyber risks. If enacted, the Act would:

 

Require the Department of Homeland Security (DHS) to involve at least one information sharing and analysis organization to represent the maritime community in the government’s primary hub for cyber threat monitoring, planning and response coordination, the National Cybersecurity Communications and Integration Center;

 

Require the development of guidelines for voluntary reporting of maritime-related cybersecurity risks and incidents;

 

Mandate DHS to issue and maintain a maritime cybersecurity risk assessment model; and

 

Require the U.S. Coast Guard to engage with relevant advisory committees to facilitate the sharing of cybersecurity risks and incidents to address port-specific cybersecurity risks.

 

Arguably, much of what is proposed in H.R. 3878 can be accomplished under DHS’ and the Coast Guard’s existing authorities. DHS’ maritime security authority derives from the Maritime Transportation Security Act of 2002 (MTSA) and the Security and Accountability for Every Port Act of 2006 (SAFE Port Act), which are implemented through regulation by the Coast Guard.  

 

This includes the authority to set requirements for shipping firms and port facilities. DHS also has robust authorities in cybersecurity across critical infrastructure sectors, including maritime, as outlined in the Homeland Security Act of 2002, Presidential Policy Directive 21, and various executive orders. 

 

These critical infrastructure-focused authorities were expanded to cybersecurity more generally via the National Cybersecurity Protection Act and FISMA Modernization Act, both enacted in December 2014, and again in December 2015, with the passage of CISA.

 

Other vital industries such as energy, aviation, and financial services have continued to invest in public-private partnerships, industry-level collaborations, and company-specific cybersecurity programs. The maritime sector is likely to come under increasing scrutiny of its actions and posture in this respect as well. The passage of H.R. 3878 is only the latest indication of the continued focus of key U.S. government authorities on the sector’s progress in this area.

 

The start of 2016 may thus be an opportune time to take stock and plan new efforts in maritime-sector cybersecurity in light of these recent developments.