On February 21, 2024, President Biden signed an Executive Order and issued several federal rules aimed at improving the cybersecurity of U.S. ports and maritime supply chains. The measures introduce new cybersecurity requirements and standards for stakeholders of the U.S. Marine Transportation System (MTS) and increase the authority of the U.S. Coast Guard in its ability to address cyber threats. These rules are part of a broader effort to improve the nation’s cybersecurity presented in a prior Executive Order issued on May 12, 2021 (for more information, please see this earlier post). Alongside the Executive Order, the Biden administration announced a plan to invest in the domestic manufacturing of port cranes to reduce reliance on foreign-built infrastructure potentially used by nation-state and financially motivated attackers to disrupt U.S. organizations.
The new initiatives presented by the White House to bolster maritime cybersecurity and prevent the interruption of MTS operations are threefold. They include (i) an Executive Order, (ii) a Notice of Proposed Rulemaking on Cybersecurity in the MTS issued by the Coast Guard, and (iii) a Maritime Security Directive on cyber risk management.
I. Increased authority of the Coast Guard
Central to the announcement of the White House is an Executive Order that increases the authority of the Department of Homeland Security (DHS) to respond to maritime cyber threats through the U.S. Coast Guard. At the press conference announcing the Executive Order, Deputy National Security Advisor to the White House, Anne Neuberger, restated the intention of the administration to “ensure that there are similar requirements for cyber” as there are currently for “a storm or another physical threat.” As such, the Executive Order amends multiple sections of Part 6, title 33 of the Code of Federal Regulations (CFR) to integrate “cyber incidents” in the list of threats posed to the MTS. It also incorporates the definition of “incident” from 44 U.S.C. 3552(b)(2):
The term “incident” means an occurrence that —
(A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or
(B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
One of the most significant actions announced by the White House pertains to the creation of new cybersecurity reporting requirements for ports’ networks and computer systems. Under amended section 33 CFR 6.16-1, actual or threatened cyber incidents endangering “any vessel, harbor, port, or waterfront facility” must be reported to the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Captain of the Port. This new reporting requirement adds to the already existing obligations of “the master, owner, agent, or operator of a vessel or waterfront facility” to prevent sabotage and subversive activity.
The Executive Order also strengthens the ability of the Coast Guard to respond to cyberattacks by requiring vessels and waterfront facilities to mitigate unsatisfactory conditions involving cybersecurity threats that put vessels, harbors, and other maritime facilities at risk. The Executive Order further extends the authority of the Coast Guard to take possession and control of vessels that present a potential cyber risk to U.S. maritime infrastructure.
II. Proposed rules and standards
With cyberattacks targeting U.S. critical infrastructure on the rise, the Coast Guard issued a Notice of Proposed Rulemaking on cybersecurity regulations and minimum standards in the MTS. The proposed rules leverage common frameworks issued by the National Institute of Standards and Technology (NIST) and CISA to strengthen maritime cybersecurity measures regarding “account security, device security, data security, governance and training, risk management, supply chain management, resilience, network segmentation, reporting, and physical security.” These standards would apply to U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act of 2002 regulations.
The proposed rules also introduce the term “Reportable cyber incident.” This term would create a reporting threshold between cyber incidents that require reporting and those that do not. A “reportable cyber incident” would be defined as:
an incident that leads to, or, if still under investigation, could reasonably lead to, any of the following:
(1) Substantial loss of confidentiality, integrity, or availability of a covered information system, network, or OT system;
(2) Disruption or significant adverse impact on the reporting entity’s ability to engage in business operations or deliver goods or services, including those that have a potential for significant impact on public health or safety or may cause serious injury or death;
(3) Disclosure or unauthorized access directly or indirectly of non-public personal information of a significant number of individuals;
(4) Other potential operational disruption to critical infrastructure systems or assets; or
(5) Incidents that otherwise may lead to a Transport security incident (TSI) as defined in 33 CFR 101.105.
The proposed rules contemplate two alternative regulatory measures for cyber incident reporting. Under the first alternative, a “reportable cyber incident” would be reported without delay to the Coast Guard National Response Center (NRC) via toll-free numbers. If the cyber incident does not involve any physical or pollution effects, it could also be reported directly to CISA; the requirement to report to the Coast Guard would then be fulfilled by the sharing of all such reports between the NRC and CISA. Under the second alternative, a “reportable cyber incident” would be reported to CISA following the directions laid out in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Finally, the proposed rules also contemplate expressly requiring the reporting of ransom payments made in connection with ransomware attacks.
These proposed rules are open to public comments. Stakeholders of the MTS who intend to participate and provide comments to the Coast Guard on the 230-page proposed rules have until April 22, 2024.
III. Nonpublic Maritime Cybersecurity Directive
The announcement also addresses certain national security concerns posed by the use of port cranes, known as ship-to-shore cranes, manufactured in the People’s Republic of China (PRC). To that end, the Coast Guard issued a Maritime Security Directive on cyber risk management actions for specified foreign-built port cranes located in strategic locations designated as U.S. Commercial Strategic Seaports. This announcement aligns with the recent public release by CISA of a cybersecurity advisory on state-sponsored cyber threat actor “Volt Typhoon” and its ability to persist in critical infrastructure systems. Considering the sensitivity of the information contained in the directive, its content is not available to the public. Covered persons can obtain a copy of the directive through their local Coast Guard Captain of the Port or District Commander.
Our take
This Executive Order and the proposed rules by the U.S. Coast Guard reinforce the measures taken by the administration to create regulations and requirements addressing the rising cybersecurity threats faced by U.S. critical infrastructure, specifically the maritime transport industry. The standards proposed by the Coast Guard are intended as minimum obligations establishing a common baseline in the U.S. maritime supply chains. Companies and other entities relying on the MTS are encouraged by the Biden administration to not only meet but exceed the new cybersecurity requirements. This includes proactively identifying and assessing cyber risks and threats and enhancing cybersecurity procedures.