Cybersecurity at U.S. Ports: Clear Rules Require Rulemaking

[By CDR Michael C. Petta, USCG]

Following the September 11, 2001 attacks, the U.S. Coast Guard led the way on maritime security by shaping new international rules, national laws, and domestic regulations to protect maritime shipping and infrastructure. These changes set the standard in the global fight against threats to port facilities and served as the template for new regimes negotiated at the International Maritime Organization (IMO).

Yet in recent years, U.S. domestic regulations have not kept pace with the ever-expanding risks posed by emerging threats at sea—especially with cyber risks. As a result, American maritime infrastructure has become more vulnerable to disruptive and destructive threats in the cyber domain.

In February 2020, the U.S. Coast Guard published guidelines for port facilities to address these threats. The new guidelines were needed, but they are not enough. The U.S. Coast Guard should, to carry out its legal duty to safeguard the maritime transportation system, energize the domestic rulemaking process to adopt uniform and enforceable cybersecurity rules for maritime facilities.

The Port Facility Cyber Problem

Before turning to the need for U.S. Coast Guard rulemaking, it is important to underscore the problem at hand—cyber threats to port facilities are both significant and real. Unfortunately, the maritime industry remains unprepared. Scholars, industry leaders, and government officials have long sounded the alarm and repeatedly warned of threats, vulnerabilities, and adverse consequences associated with cyberattacks. These long-recognized risks persist, and they are likely to grow in the future as malicious cyber capabilities become more available as a low-cost tool to subvert commercial and governmental systems.

In 2011, the European Union (EU) studied the rising menace of cyber threats and the general lack of cybersecurity awareness in the maritime sector. Pointing to the disastrous consequences a significant cyber disruption would have on international trade, the study recognized an increasing need to secure maritime infrastructure. The EU study was validated in a 2017 IMO resolution, which expressly recognizes an “urgent need to raise awareness on cyber threats and vulnerabilities to support safe and secure shipping.”

For years, leaders in the United States have also warned of the growing cyber threat. Most prominently, former President Barack Obama cautioned in a 2013 Executive Order that “[r]epeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.” President Obama continued on to say that, “[t]he cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront.” Four years later, Chairman of the U.S. House Committee on Homeland Security, Michael McCaul (R-Texas), explained during a field hearing that port facilities “find themselves in the crosshairs of international hackers and rogue nation-states,” and he declared that the United States “must do more to strengthen cybersecurity and these essential maritime hubs.”

Maritime agency officials have been similarly cautious. For example, the 2015 U.S. Coast Guard Cyber Strategy warns of “real and growing” cyber threats in the maritime community. Like the 2011 EU study, the U.S. Coast Guard Cyber Strategy explains that cyber disruptions in maritime trade could have serious consequences for local, regional, national, and global economies. To protect maritime transportation and reduce cybersecurity vulnerabilities, the Cyber Strategy avows to “incorporate cybersecurity into existing enforcement and compliance programs.”

Despite years of discourse, preeminent maritime officials continue to believe port facilities remain vulnerable to and unprepared for cyber threats. For example, in a March 2020 Federal Register Notice, the Commandant of the U.S. Coast Guard, Admiral Karl L. Schultz, offered warnings similar to those in the agency’s five-year-old Cyber Strategy. Admiral Schultz describes cybersecurity as “one of the most serious economic and national security challenges for the maritime industry.” More recently, during a September 2020 webinar on maritime security, Rear Admiral Mark H. Buzby, U.S. Navy (ret.), the Administrator of the U.S. Maritime Administration, acknowledged the longstanding struggle to resolve cybersecurity risks, explaining, “What has become quite apparent over the last several years is that [maritime cybersecurity] truly needs an operational focus… truly needs a strategic approach to a very vexing and growing problem.” Rear Admiral Buzby further explained that solving the problem of maritime cybersecurity “is absolutely vital not only to our economic security but really to our national security.”

The Physical Security Focus of U.S. Regulations

Even more enduring than the maritime cybersecurity problem is the U.S. Coast Guard’s resolve to protect the maritime transportation system, particularly following the tragic events of 9/11. After the terrorist attacks, the U.S. Coast Guard established new global maritime security requirements. Internationally, the requirements were expressed in the IMO’s International Ship and Port Facility Security (ISPS) Code. Domestically, the requirements were codified in the Maritime Transportation Security Act (MTSA) of 2002, which the U.S Coast Guard implemented through regulations found in Title 33 of the Code of Federal Regulations (CFR). Developing and enacting such a comprehensive governance regime took herculean efforts and affirmed the U.S. Coast Guard’s leading role in safeguarding maritime facilities.

The 9/11 attacks generated the energy needed to establish comprehensive security laws and regulations. However, because of the kinetic nature of the attacks, the focus of these laws and regulations was largely limited to physical security measures designed to control access to facilities and to protect personnel and property from physical damage and harm. As one scholar wrote in 2013, the United States’ requirements could “loosely be summed up as guns, gates, guards, and identification cards.” In other words, when the ISPS Code, the MTSA of 2002, and the U.S. Coast Guard’s domestic regulations were authored, they did not address today’s cybersecurity challenges. Because cyber risks operate in a relatively new, non-physical domain, mitigating cyber risks calls for renewed energy and strategy.

Although the ISPS Code and MTSA regime do not openly contemplate cybersecurity, the U.S. Coast Guard has not been powerless to produce cyber standards. To the contrary, with the MTSA of 2002 and the Maritime Security Improvement Act (MSIA) of 2018, the agency’s power to regulate cybersecurity at port facilities is clear. Such authority could be used to modernize U.S. Coast Guard regulations and incorporate cybersecurity-centric rules into its enforcement and compliance programs. Rather than taking that authoritative step, the agency made a more subtle move in February 2020 by offering a modern cyber-centric interpretation of the agency’s 17-year-old regulations. Perhaps more should be done.

The Dormant Cyber Rule

The United States’ maritime facility security regulations, as implemented under the MTSA of 2002, reside in Part 105 of Title 33 of the CFR. As alluded to earlier, the word “cyber” is absent from these regulations. To some, this absence might indicate that U.S. Coast Guard regulations omitted cybersecurity. In its February 2020 Navigation and Vessel Inspection Circular (NVIC), “Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, NVIC 01-20,” the U.S. Coast Guard announced a new interpretation of Part 105 in which it ostensibly takes the position that cybersecurity requirements were not omitted from Part 105—they were dormant.

A brief description of Part 105, entitled “Maritime Security: Facilities,” helps bring context to the seemingly latent cyber rules. The U.S. Coast Guard enacted Part 105 in October 2003 to harmonize domestic regulations with security measures adopted by the IMO (i.e., ISPS Code). Combining international requirements and existing domestic policy, Part 105 is extensive. It consists of five separate subparts, 54 individual sections, and just over 100 pages of regulatory text. Put plainly, Part 105 is the U.S. Coast Guard’s rulebook for security at U.S. maritime facilities.

A critical mandate in Part 105 is a requirement that port facilities periodically conduct a Facility Security Assessment (FSA). Generally, the FSA evaluates a facility’s threats, vulnerabilities, and protective measures in order to inform the development of a facility’s Facility Security Plan (FSP). The Facility Security Officer (FSO) is responsible for developing and implementing the FSP. When preparing the FSP, the FSO must analyze certain factors enumerated in Part 105. While Part 105 does not expressly require the FSO to consider cybersecurity vulnerabilities, among the listed factors the FSO is required to consider are “[m]easures to protect radio and telecommunications equipment, to include computer systems and networks.” This provision is the source of Part 105’s seemingly dormant cyber rules. In short, NVIC 01-20 interprets the provision on “radio and telecommunications equipment” to encompass cybersecurity because it uses the phrase “computer systems and networks.” Under this interpretation, Part 105 has required FSOs to assess and address cybersecurity vulnerabilities since it was enacted in 2003.

The Path Forward: Holistic and Affirmative Cyber Requirements

Recognizing this tacit cybersecurity provision is a meaningful step, but the dormant cyber provision recognized by NVIC 01-20 is too ambiguous and inoperative to embody the degree of governance sufficient to mitigate known cyber risks. The U.S. Coast Guard should explore whether it could do more to integrate cybersecurity into its maritime security regime. If the Service aims to better incorporate cybersecurity into existing enforcement and compliance programs, it could leverage domestic rulemaking to implement enforceable and uniform standards.

As the U.S. Coast Guard recognizes in NVIC 01-20, the maritime industry presently uses cyber systems for various critical functions (e.g., administration, operations, engineering, safety, security, and navigation). Despite the variety of integral cybertechnologies, Part 105, on its face, implicates computer systems and networks used for just one purpose—radio and telecommunications. This is all to say, based on a plain reading of Part 105’s text, one may reasonably conclude that the FSO is only required to consider vulnerabilities with cyber systems used for communication, not cyber systems used to perform the variety of other critical IT and OT functions at maritime facilities.

Highlighting this ambiguity in Part 105 is more than an academic, textual critique. Doing so underlines a fundamental regulatory problem—a lack of clear standards—that undermines effective enforcement and compliance. 

The U.S. Coast Guard already has the authority to remedy enforcement and compliance problems brought on by the ambiguity in Part 105’s dormant cyber language. Through the domestic rulemaking process, the agency can amend Part 105 to create a distinct cybersecurity requirement that encompasses a variety of cyber systems. Coincidentally, in the MSIA of 2018, U.S. Congress provides a sample of a modern-day cyber requirement. Specifically, the MSIA, codified at 46 U.S.C. § 70103(c)(3), expressly requires FSPs to “include provisions for detecting, responding to, and recovering from cybersecurity risks…” and violating this rule subjects the facility to a civil penalty. This 2018 mandate in the law is clear and enforceable. Its express use of the common, up-to-date term “cybersecurity” without limiting itself to any one cyber system avoids any confusion caused by innovative interpretations. U.S. Coast Guard regulations could be amended to achieve a degree of clarity equal to that in the law.

Ambiguity aside, the dormant requirement recognized by the NVIC is also largely inoperative. As NVIC 01-20 states, although FSOs must assess and address cybersecurity vulnerabilities, the facility has discretion to decide how it identifies, assesses, and addresses those vulnerabilities. In light of this discretion, there is essentially no regulatory framework on which to base uniform enforcement and compliance decisions. The United States’ current port facility cybersecurity model is akin to a safe speed law that allows drivers discretion to set and clock their own speeds. This approach may be suitable for certain regulatory areas, but it is an insufficient approach for guarding against such a serious threat to the global economy and national security. Contrasting the quantity of effort expended governing physical security at ports with the meager scope of governance now envisioned for cybersecurity illustrates the point.

The kinetic attacks on 9/11 led to comprehensive rules, both domestically and internationally, on maritime physical security. Pioneering those rules took colossal effort by the U.S. Coast Guard. Today the agency has a similar opportunity with cybersecurity. Twenty years ago, Part 105 could have been distilled into a single line—FSOs must assess and address physical security vulnerabilities when developing FSPs. Obviously, the U.S. Coast Guard opted for a more comprehensive approach, choosing a holistic, affirmative governance model. This approach might be applied today to cybersecurity. There are too many contrasting examples of physical security requirements to list here, but a summary of Part 105’s Subpart B is useful.

Subpart B consists of 25 regulatory sections collectively entitled “Facility Security Requirements.” These sections contain, among other things, requirements on staff responsibilities; personnel knowledge and training; recordkeeping; physical searches; drills and exercises; controlling access; hiring employees; screening individuals; arming guards; designating restricted areas; policing grounds; equipment maintenance and testing; handling cargo; delivering stores; and receiving passengers, dangerous cargo, and barges. Importantly, across these requirements, Subpart B includes about 175 provisions unique to physical security.

As for cybersecurity, even with NVIC 01-20 on the books, existing regulations seemingly establish no explicit requirements. There are no unique cyber requirements related to staff responsibilities (e.g., security responsibilities of IT or OT personnel). Likewise, there are no distinct cyber training or knowledge requirements (e.g., requiring the FSO to be familiar with IT and OT terminology or requiring employees to take a basic computer hygiene course). There are no affirmative rules related to cyber drills, cyber exercises, or cyber recordkeeping. Unlike with systems used for physical security, there currently are no maintenance or testing requirements unique to IT or OT systems. Most importantly, in contrast with the unequivocal governance over elements fundamental to physical security (e.g., access controls, restricted areas, personnel screening), Part 105 is silent about any element associated with and tailored for effective cybersecurity programs.

Conclusion

Returning to the metaphor of the safe speed law, some might contend the current cyber model is not only akin to empowering drivers to set and clock their own speeds, it also affords them such discretion, but without requiring them to possess any driving experience, complete driver education classes, maintain or test vehicle systems, consult traffic reports, or obtain drivers licenses.

Effective cybersecurity, in this age of pervasive and expanding cyber threats, benefits from holistic and explicit governance. Just as it did with physical security after the 9/11 attacks, the U.S. Coast Guard could again leverage the domestic rulemaking process to implement a clear, uniform, and more rigorous cybersecurity regime. In so doing, the U.S. Coast Guard would again be the standard-bearer, leading the way in the global fight to protect port facilities. 

Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the views of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.

This article appears courtesy of CIMSEC and is reproduced here in an abbreviated form. The original may be found here.