The Coast Guard is looking to ramp up its cybersecurity work with companies and other organizations in the maritime transportation sector, and the service is studying its authorities for regulating the network defenses of ports and other infrastructure, according to its top cyber official.
The Coast Guard’s new “Cyber Strategic Outlook” released this week provides an update on its 2015 cyber strategy. The document describes how cyber threats have only increased in the past five years, with the Maritime Transportation System serving as “a prime target for malicious cyber actors who seek to disrupt our supply chain.”
The Maritime Transportation System includes waterways, shorelines, ports, shipyards, facilities, bridges and other infrastructure throughout the United States. According to the Coast Guard, it facilitates $5.4 trillion of economic activity every year, representing about a quarter of U.S. gross domestic product.
Defending the system is a major line of effort under the new strategic outlook. Rear Adm. Mike Ryan, head of U.S. Coast Guard Cyber Command, says the threats to the maritime sector “are real.” He said the flurry of high-profile hacks into U.S. networks over the past year have included attacks on maritime infrastructure. Last November, for instance, ransomware crippled IT systems at the Port of Kennewick in Washington state.
“We want the maritime industry to be better prepared,” Ryan said in an interview with Federal News Network. “We want to partner and engage with them, to ensure that they understand the threats, that they have awareness and access to resources that can support their efforts to combat those threats, and then really ensure from a Coast Guard perspective that we sustain safe and secure ports and waterways on behalf of our nation.”
The Coast Guard is the Sector Risk Management Agency responsible for protecting the Maritime Transportation System under the Department of Homeland Security’s designated critical infrastructure sectors. The new strategy comes at a time when the Biden administration is taking a hard look at critical infrastructure cybersecurity, including by setting new cyber standards for operators.
According to the strategic outlook, the Coast Guard’s Captains of Port — a role typically filled by the commanders who oversee the Coast Guard’s regional sectors — “lead governance by promoting cyber risk management, accountability, and the development and implementation of unified response plans.”
The document also describes how the Coast Guard will “refine cybersecurity incident reporting requirements and promote information sharing to improve the ability of owners and operators to prepare for, mitigate, and respond to threats to maritime critical infrastructure.”
Ryan said the Coast Guard partners with the maritime sector to share information about cyber risks and better understand the challenges those organizations face in cyberspace. He said the service has “the authorities we need” as the Sector Risk Management Agency, but will continue to study the issue in conjunction with evolving cyber threats.
“We’re taking a look at the wealth of authorities we have,” Ryan said. “We’ll be working with Congress if we identify any gaps in that regulatory regime.”
He also advocated for the International Maritime Organization, a U.N. agency that regulates shipping, to set global expectations for cybersecurity in the maritime arena.
“We want to ensure that we have solid approaches, and we want to ensure we have the right thresholds in place, and we don’t want to disadvantage those U.S.-flagged operators beyond the level playing field that we want all of the maritime community to have,” Ryan said.
In addition to overseeing the maritime sector, the new cyber outlook also calls for the Coast Guard to make advances with its own digital infrastructure and capabilities, as well as its cyber forces. It calls for investments in “sensors, automation, artificial intelligence, cloud architecture and mobility” to provide a “persistently monitored, secure, and resilient environment for U.S. Coast Guard operations.”
It also outlines the need for both Cyber Mission Teams and Cyber Support Teams interoperable with both the Defense Department’s Cyber Mission Force and the Department of Homeland Security. The service has already established two Cyber Protection Teams and is in the process of establishing a Cyber Mission Team. It is also seeking funding for a third Cyber Protection Team as part of its fiscal year 2022 budget request.
“That gives us a great foundation,” Ryan said. “I think we’ll have to do some more analytics to figure out whether that’s the right size force, or maybe grow it into the future.”