Biden asks Coast Guard to create an infosec port in a stormy sea of cyber threats
Oh hear us when we cry to thee for those in peril on the sea
President Biden has empowered the US Coast Guard (USCG) to get a tighter grip on cybersecurity at American ports – including authorizing yet another incident reporting rule.
The White House on Wednesday announced Biden's intention to sign an executive order giving the Coast Guard "express authority" to deal with any malicious computer activity across the US marine transportation system (MTS).
"American ports employ 31 million Americans, contribute $5.4 trillion to our economy, and are the main domestic point of entry for cargo entering the United States," deputy national security advisor Anne Neuberger said during a press briefing yesterday. "Continuity of operations has a clear impact on the success of our country, our economy and our national security."
"Cyberattacks can cause just as much if not more damage than a storm or another physical threat," she added, explaining the new rules are akin to expanding safety regulations into the cyber sphere.
The USCG is being given considerable new powers in the executive order (EO). It sounds as though these powers will fit alongside the Coast Guard's MARSEC system of security levels and powers.
Port Captains, USCG officers responsible for laying down the law in US ports, can now declare "security zones," inside of which they'll have broad authority to prevent "access of persons, articles, or things, including any data, information, network, program, system, or other digital infrastructure, to vessels, or waterfront facilities."
In other words, prepare to be boarded.
Ships and facilities within security zones will be searchable at any time, and guards can be placed at the discretion of the USCG as well. Ships suspected of being a threat can be prevented from docking or unloading cargo, seized, or turned away altogether.
Cranes used to unload commercial ships at US ports are getting some attention in the EO as well due to potential cyberthreats they may pose.
"The security of the US is endangered by reason of disturbances in the international relations of the US that exist as a result of persistent and increasingly sophisticated malicious cyber campaigns against the United States," Biden said in his EO, seemingly calling attention to recent threats like the targeting of US critical infrastructure by the allegedly Chinese-sponsored Volt Typhoon hacking crew.
While not admitting the USCG executive order was tied to the Volt Typhoon warnings, Coast Guard Cyber Command commander Rear Admiral Jay Vann said the USCG was issuing a maritime security, or MARSEC, directive to address potential threats from the more than 200 Chinese ship-to-shore cranes in US ports.
- Ransomware severs 1,000 ships from on-shore servers
- South Korea accuses North of Phish and Ships attack
- LockBit louts unload ransomware at Japan's most prolific cargo port
- Microsoft, recently busted by Beijing, thinks it's across China's ever-changing cyber-offensive
"[Chinese] manufactured ship to shore cranes make up the largest share of the global market and account for nearly 80 percent of cranes at US ports. By design, these cranes may be controlled, serviced and programmed from remote locations," Vann said yesterday. "These features potentially leave PRC manufactured cranes vulnerable to exploitation."
Biden's EO doesn't specifically mention cranes, but it does include a provision to prevent threats that may pose a risk to docked ships. Along with the USCG's forthcoming directive, the EO allows the USCG to intercede to prevent the mooring of ships to docks with equipment able to cause an "actual or threatened cyber incident."
Ships can be kept out of affected facilities "until the unsatisfactory condition or conditions so found are corrected."
Reporting rules and security standards also included
Along with its new search and seizure authorities, the Coast Guard also said it plans to issue a notice of proposed rule changes to establish new minimum cybersecurity requirements for MTS systems.
The proposed rule, which has yet to be published for comment, will "meet international and industry-recognized standards to best manage cyber threats," the USCG said.
Finally, the EO is also creating yet another cybersecurity reporting standard for a critical infrastructure industry to follow, much like those that have recently been published for federal contractors and by the FTC, FCC, and SEC.
The executive order gives relatively bare-bones incident response rules, only saying that evidence of any cyber incident that endangers a vessel or port "shall be reported immediately" to the FBI, CISA, and the USCG.
It's not immediately clear whether the USCG will further define cybersecurity reporting rules for MTS operators; we've asked the Coast Guard but haven't heard back. ®