Biden executive order seeks to bolster port cybersecurity
The White House issued an executive order on Wednesday that is designed to improve maritime port security by creating new requirements for stronger cyberdefenses in the sector while expanding the authorities of the U.S. Coast Guard to respond to cybersecurity incidents.
The Biden administration said the executive order will force the sector to bolster its cybersecurity policies and allow the Coast Guard to crack down on ports that fail to improve.
More than $20 billion also will be invested in improving port infrastructure over the next five years, administration officials said. As part of that, Persico Corporation, a U.S.-based subsidiary of Japanese company Mitsui E&S, will produce ship-to-shore cranes intended to phase out Chinese-built infrastructure, said Anne Neuberger, national security adviser for cybersecurity and emerging technology.
The goal isn’t a full “rip and replace,” Neuberger said, but instead the emphasis will be on “buying trusted cranes.”
The action follows last month’s stark warning about the China-linked hacking group known as Volt Typhoon, which FBI Director Christopher Wray said had been disrupted after successfully infiltrating American critical infrastructure, including the maritime transportation system. Wray warned that the group had been “pre-positioning to cause real-world harm to American citizens and communities in the event of conflict.”
Chinese companies own nearly 80 percent of the cranes that are vital to the operation of U.S. ports because they move supplies in and out of large container ships. The cranes are particularly threatening because they can be operated remotely.
Rear Adm. Jay Vann, the U.S. Coast Guard Cyber Command’s top official, made the stakes clear, telling reporters that activity at American ports accounts for more than $5.4 trillion of the country’s economic activity, serving as a “gateway” for more than 90% of the country’s overseas trade. Officials also noted that 31 million Americans work in the maritime transportation sector.
Any disruption of America’s maritime transportation system, “whether manmade or natural, physical or in cyberspace has the potential to cause cascading impacts to our domestic or global supply chains,” Vann said.
“This interconnected system within our transportation critical infrastructure is vital to national security and economic prosperity,” Vann added.
Despite the port security executive order following so closely on the heels of the Volt Typhoon news, the plan for strengthening the cybersecurity of maritime systems has been underway for a year and a half, Neuberger said. Officials said they are not publicizing the details of an additional directive that will add security requirements to the large number of China-made cranes in operation.
A “notice of proposed rulemaking” to set more-stringent cybersecurity requirements for the sector will primarily be drawn from Cybersecurity and Infrastructure Security Agency’s cybersecurity performance goals, Vann said.
The continual operation of ports has a “clear and direct impact on the success of our country, our economy and our national security,” said Neuberger, who added that the sector’s crucial role in the economy is driving the administration’s plans “to not just shore up our cyberdefenses, but fortify our supply chains.”
Department of Homeland Security cyber officials collaborated with the Transportation Security Administration, which has experience working with industry, to “ensure that the cybersecurity requirements are in line with expectations,” said Iranga Kahangama, DHS assistant secretary for cyber, infrastructure, risk and resilience. The Coast Guard is housed within DHS.
Kahangama emphasized that the effort is part of a larger DHS initiative to protect the U.S. supply chain, citing the department’s Supply Chain Resilience Center, which was announced in November.
National security officials have long expressed concerns about the cybersecurity of ports. A Wall Street Journal story focused on port security last March quoted Bill Evanina, a former top U.S. counterintelligence official, saying that Chinese cranes at ports could be “the new Huawei,” referring to a Chinese telecom company driven out of the U.S. market due to officials’ concerns that its equipment could be used for espionage.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.