In July 2019, the Wall Street Journal reported that “pirates attempted to seize control of a shipping vessel en route to the Port of New York and New Jersey. Rather than hijacking it with assault rifles and rocket launchers, the criminals boarded the ship digitally.”1 Seemingly straight out of a science-fiction thriller, this was a malware attack against a 1,000-foot cargo ship transiting from the Middle East to the Port of New York.
While the facts of the case were less dramatic than the article suggested, this incident marked what is likely the first report of a cyberattack against an underway deep-draft vessel bound for a U.S. port. The multiagency, Coast Guard–led response and investigation into the incident offered rare, critical insight into the poor state of cybersecurity on board a major commercial carrier operating in 2019. It also highlighted a massive blind spot in the Coast Guard’s port security and homeland defense operations.2
The Maritime Transportation Security Act and Cyber Incident Reporting
In 2002, in the wake of the 9/11 attacks, Congress enacted the Maritime Transportation Security Act (MTSA) to protect ports and maritime critical infrastructure from acts of terrorism.3 To facilitate oversight across the vast, complex port infrastructure, an MTSA provision requires that certain vessels and waterfront facilities report security threats or incidents to the Coast Guard. The Coast Guard implemented these reporting requirements in 33 Code of Federal Regulations (C.F.R.) § 101.305, specifically requiring regulated entities to report “breaches of security” or “suspicious activity” without delay, through a centralized reporting center (the National Response Center).4 For the past 20 years, reports have included attempts to gain unauthorized access to facilities, suspicious vehicles lingering at entry points, unauthorized photography, and other so-called physical security threats.
In the meantime, maritime cybersecurity has increasingly become a national security priority. In a September 2020 address, retired Navy Rear Admiral Mark H. Buzby, then-administrator of the U.S. Maritime Administration, stated that managing maritime cyber risk “is absolutely vital not only to our economic security but really to our national security.”5 Likewise, the 2018 National Cyber Strategy lists maritime cybersecurity as a top national security priority, recognizing the “criticality of maritime transportation to the United States and global economy and the minimal risk-reduction investments to protect against cyber exploitation made thus far.”6 In 2020, the Federal Emergency Management Agency restructured its Port Security Grant Program, designed to enhance security of maritime critical infrastructure in the wake of 9/11, to prioritize cybersecurity projects above all other maritime security initiatives.7
Recognizing the changing threat landscape, the Coast Guard’s Assistant Commandant for Prevention Policy issued Policy Letter 08-16 to the maritime industry to clarify how existing MTSA-implementing regulations apply to cybersecurity threats.8 While an important statement at the time, the policy—which essentially allows regulated entities to discern the intent and target of a cyber breach before they are required to report the incident—has proven ineffective and unworkable. The policy has likely allowed the maritime industry to withhold potentially dangerous cyber threat information from the Coast Guard.9 The limiting factors listed in the policy, which include exempting “untargeted” cyber incidents as well as incidents that primarily impact “business or administrative systems” from reporting requirements, do not apply to physical security breaches and are not referenced anywhere in the MTSA or its implementing regulation.
Policy Letter 08-16
Released in December 2016, Policy Letter 08-16 supplements regulations in 33 C.F.R. § 101.305 that identify when and how security incidents must be reported to the Coast Guard.10 The policy letter’s approach has since been reiterated in numerous Coast Guard policy documents, including the much-anticipated Navigation and Vessel Inspection Circular (NVIC) 01-20, Guidelines for Addressing Cyber Risks at MTSA Regulated Facilities, released in March 2020.11 However, the policy letter has captured only a negligible number of cyber incident reports. In 2019, for example, fewer than 1 percent of all security incidents reported to the Coast Guard could be classified as cybersecurity incidents.
Policy Letter 08-16 narrowly defines when cyber incidents fall within the purview of the Coast Guard and the MTSA. Rather than mirror existing regulation, the policy declares that only targeted cyberattacks against operational systems are reportable security incidents under the MTSA. The letter states that “[u]ntargeted cyber incidents are part of the normal information technology landscape. . . . They are not considered [suspicious activity] or [breaches of security] and need not be reported to the Coast Guard.” Further narrowing the reach of the MTSA and 33 C.F.R. in the cyber domain, the policy states that breaches of “computer and networked systems that clearly target business or administrative systems unrelated to safe and secure maritime operations are outside of the U.S. Coast Guard’s jurisdiction and need not be reported.”
While this policy announcement was a major step in clarifying that Coast Guard security regulations under the MTSA include cybersecurity, the policy relies on three problematic assumptions: (1) that entities can distinguish “targeted” from “untargeted” cyber events, (2) that this distinction matters, and (3) that “business” or “administrative systems” do not implicate vessel or facility security or operations.12
The Maritime Security Landscape Since 2016
Cyber disruptions in the maritime sector have increased dramatically in both pace and severity over the past several years.13 The most well-known is the 2017 NotPetya attack, which dealt a major blow to A.P. Moller-Maersk, one of the world’s largest shipping companies.14 The incident caused significant delays to maritime traffic in ports around the world as Maersk lost the ability to track and manage cargo. NotPetya was not targeted at Maersk: it was a destructive attack against Ukraine, since attributed by the U.S. Department of Justice to officers of Russia’s GRU, that spread well beyond the control of its originators.15
In 2018, an Iranian ransomware attack hobbled more than 200 entities across the public and private sectors, including the Port of San Diego.16 While the port never closed, its administrative networks were debilitated for several days, and officials later revealed unidentified “safety risks” associated with the attack.17 And in 2019, a nontargeted ransomware attack migrated from the information technology network to the operational technology network at a natural gas pipeline facility, causing the facility to lose the ability to monitor operations and necessitating a shutdown for more than 48 hours.18
Increased Security Threats, Stagnant Reporting
Somewhat unsurprisingly, considering the Coast Guard’s narrow reporting guidelines, these high-profile, high-stakes maritime cyber incidents have not generated an increase in reports of cybersecurity incidents. This is true even as the COVID-19 pandemic led to a dramatic increase in malicious cyber activity. One cyber consulting firm reported that cyberattacks against the shipping industry had increased 400 percent from February to June 2020.19 However, the Coast Guard saw no increase in cyber incident reporting during that same time period. Clearly, something is broken.
One incident not reported under the MTSA involved a U.S.-based shipping company that operates several vessels and MTSA-regulated waterfront facilities. In November 2020, it came to light that the company had suffered a ransomware attack that began sometime in October. Attackers allegedly stole more than a terabyte of data from the company, which did not report the incident to the Coast Guard.20 Although the company did not explain its decision not to report, it is likely it deemed a report unnecessary because this attack affected an administrative system and/or was not targeted specifically at the company. If that was the rationale, it was consistent with Coast Guard policy in 2020.
If, on the other hand, a criminal had breached the physical security of the facility to steal the same data, that would unquestionably have constituted a security breach requiring a timely report to the Coast Guard.21 However, because of the means used to gain unauthorized access, and because no operational effects were immediately observed, this incident remained off the Coast Guard’s radar for several weeks.22
Removing Policy Barriers to Regulatory Reporting
Nothing in law or regulation limits the Coast Guard’s authority to respond to a broad range of security threats across the maritime industry, including cyber threats. By removing references to “targeted” and “untargeted” cyber incidents, as well as the distinction between “operational” and “business” systems, the Coast Guard can more effectively use the MTSA to understand the nature of security threats across U.S. ports and throughout the Maritime Transportation System. Armed with this information, the Coast Guard could better leverage its developing cyber resources, including its highly trained cyber protection teams, which are ready to deploy in response to maritime cyber incidents. It could also more effectively engage with both public and private port partners through area maritime security committees, as well as the interagency, to track cross-sector cyber threat information.23
The “targeted/untargeted” and “business/operational system” distinctions are still important. Assessing the source or target of an attack could certainly assist in response efforts and mitigate future events. However, these distinctions should not determine the decision to report. Rather, consistent with regulations in 33 C.F.R. parts 101 to 107, the Coast Guard should adopt a broad, effects-driven approach to determine whether an incident constitutes a reportable security incident.
The Coast Guard Has the Resources
Scoping the incidents that should be reported to the Coast Guard is a challenge. Certainly, industry need not report low-level, routine incidents, such as generic phishing attempts. However, any breach of network security that could have led to unauthorized access to secure data, or any incident that causes adjustments to operations or the use of backup systems, should be reported, along with any remedial measures taken. Just as with physical security, the intent or target of the bad actor is irrelevant, particularly when it is not immediately discernible.
While this data is critical to tracking security risks, this does not mean the Coast Guard will—or even should—intervene in every case. In fact, very few reported security incidents require Coast Guard responses. Typically, when an entity reports a low-level security incident (for example, a person attempting to physically access a facility with fraudulent credentials), the incident and remedial measures taken are logged and tracked for further developments and to maintain maritime domain awareness.24 The same should be done in the cyber domain.
By updating Policy Letter 08-16 to remove barriers to oversight by focusing on effects rather than on the nature of the attack, the Coast Guard could more effectively manage cyber risk. The intent-focused language in Policy Letter 08-16 unnecessarily narrows the applicability of broad security regulations that otherwise could be more responsive and applicable to changing security threats.
While incident reporting is only a piece of the puzzle, this foundational information is essential for the Coast Guard to best use its resources. Given the unknown scope of cyber risk in the Maritime Transportation System, the Coast Guard cannot cover all possibilities and must apportion resources to places and operations where they can have the greatest impact.25 To respond to one of the greatest threats to U.S. economic and national security, the Coast Guard must fully understand the nature and extent of the risk it is trying to manage.
Malicious cyber actors are increasingly turning their focus to private infrastructure and assets.26 This has certainly been true in the maritime industry. However, the primary service responsible for securing the Maritime Transportation System and keeping U.S. ports open for business still has little insight into the nature and extent of the threat.27 While new, cyber-specific regulations may help close this gap, simple updates to current policy to remove barriers to reporting would allow the Coast Guard to better understand and combat this national security threat.
1. James Rundle, “U.S. Coast Guard Warns Shipping Industry on Cybersecurity,” Wall Street Journal, 19 July 2019.
2. U.S. Coast Guard, Marine Safety Alert 06-19: “Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels,” 8 July 2019.
3. Maritime Transportation Security Act, 46 U.S.C. §§ 70101-70117 (2002), amended by FAA Reauthorization Act of 2018, Pub. L. No. 115-254 (2018).
4. 33 C.F.R. § 101.305(a), Navigation and Navigable Waters (U.S. Department of Homeland Security), 2015.
5. RADM Mark H. Buzby, USN (Ret.), opening remarks at “Security at the Maritime Edge,” Atlantic Council, 24 September 2020.
6. Office of the President, National Cyber Strategy of the United States of America, September 2018.
7. U.S. Department of Homeland Security, Notice of Funding Opportunity, Fiscal Year 2020 Port Security Grant Program, DHS-20-GPD-056-00-01. “Given the evolving threat landscape, it is incumbent upon DHS/FEMA to continuously evaluate the national risk profile and set priorities that help ensure appropriate allocation of scarce security dollars. In assessing the national risk profile for FY 2020, one area attracts the most concern: Enhancing cybersecurity.”
8. U.S. Coast Guard, Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security, 14 December 2016.
9. In 2019, for example, the Coast Guard received 1,692 security incident reports. Only 16 were related to cybersecurity.
10. U.S. Coast Guard, Policy Letter 08-16: Reporting Suspicious Activity and Breaches of Security.
11. U.S. Coast Guard, Navigation and Vessel Inspection Circular 01-20: Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities, 85 Federal Register No. 55, 20 March 2020.
12. In 2018, Congress passed the Maritime Security Coordination Improvement Act, which amended the MTSA to explicitly require that regulated vessels and facilities address “cybersecurity” in their security assessments. To date, however, the Coast Guard has not updated implementing regulations to mirror this explicit statutory language.
13. For example, see “Naval Dome: Cyberattacks on OT Systems on the Rise,” The Maritime Executive, 26 July 2020.
14. Andy Greenberg, “The Untold Story of NotPetya, the Most Devastating Cyberattack in History,” Wired, 22 August 2018.
15. U.S. Department of Justice, “Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace,” press release, 19 October 2020.
16. Jennifer Van Grove and Gary Robbins, “Port of San Diego Victim of Cyberattack,” San Diego Union-Tribune, 26 September 2018.
17. Thom Senzee, “What Happened in the Ransomware Attack on Port of San Diego,” San Diego Reader, 10 April 2019.
18. Cybersecurity and Infrastructure Security Agency, “Ransomware Impacting Pipeline Operations,” Alert (AA20-049A), 18 February 2020.
19. “Report: Maritime Cyberattacks Up by 400 Percent,” The Maritime Executive, 4 June 2020.
20. Sam Varghese, “Big U.S. Transportation Services Firm Hit by Windows REvil Ransomware,” iTWire, 3 November 2020.
21. 33 C.F.R. § 105.255 requires facilities to designate measures to “control access to the facility.”
22. Without Policy Letter 08-16, this incident likely could have been reportable under 33 C.F.R. § 105.260(b), which requires telecommunications systems be contained in areas designated “restricted.” The same section requires that sensitive security data and cargo data be stored in “restricted areas.” If any such data was compromised in the breach, this incident may have been reportable under existing regulation.
23. Area Maritime Security Committees were established under the MTSA to provide a link for contingency planning, development, review, and update of area maritime security plans and to enhance communication between port stakeholders within federal, state, and local agencies and industry to address maritime security issues.
24. U.S. Coast Guard, Marine Information for Safety and Law Enforcement Database, 2018–2020.
25. U.S. Coast Guard, Sector Jacksonville, Maritime Security Incident Reporting, Port Security Information Bulletin (PSIB) 01-17, 28 March 2017, noting that “[i]nconsistencies with reporting maritime security incidents have resulted in the misallocation of scarce maritime security resources.”
26. The Lawfare Podcast, “Why Businesses Need to Take Espionage Seriously,” Lawfare Blog, 1 December 2020.
27. U.S. House of Representatives, Subcommittee on the Coast Guard and Maritime Transportation, defines the Maritime Transportation System as waterways, ports, and their intermodal connections, vessels, vehicles, and system users, as well as federal maritime navigation systems that are scattered throughout 3.5 million square miles of ocean area and along more than 95,000 miles of coastline and inland waterways.