Focus on physical threats left maritime sector short on cybersecurity, says DHS chief

Information sharing, resource constraints and achieving high standards under a voluntary public-private partnership model are the most critical cybersecurity issues facing the maritime transportation sector, according to Secretary of Homeland Security Alejandro Mayorkas.

During an April 1 event hosted by the Atlantic Council, Mayorkas said that one of the biggest cybersecurity challenges his department sees in the maritime space is a lack of resources, particularly for smaller entities. Much of the funding that has gone to maritime security over the past two decades has been focused on physical threats like terrorism, leaving entities short on cybersecurity investments and personnel until relatively recently.

“There are owners and operators, for example, that may not have the resources to advance as well or as far as others might be able to, but my counter to that is there are basic things that one can do to enhance one’s cybersecurity so significantly that don’t require a significant amount of resources. Whether it’s multi-factor authentication, whether it’s backing up systems, some of the blocking and tackling.”

While the Cybersecurity and Infrastructure Security Agency has nerve centers like the Joint Cyber Defense Collaborative that are meant to facilitate government and the private sector working hand-in-hand, Mayorkas himself described the JCDC as a venue where the government can work with some of the largest technology companies in the world on emerging cyber threats.

A report from the Atlantic Council last year recommended the U.S. Coast Guard get a 20% increase in its $32 million cybersecurity budget for cyber-enabling operations, cyber operations and training, maritime-sector cybersecurity engagement, and cyber protection and defenses. It also calls for the government to create employment pipelines between the maritime sector and federal agencies and use cybersecurity funding earmarked for the maritime sector to expand its programs assisting the private sector and facilitate a “larger ecosystem shift toward more sustainable cybersecurity practices.”

Digital attacks on the infrastructure or companies used to transport goods across waters can have potentially massive economic and supply chain consequences. In 2017, the NotPetya malware spread to companies like shipping and logistics giant Maersk, where it completely shut down the IT network for days and led to hundreds of millions of dollars in recovery costs. An attack on Shahid Rajaee port terminal in Iran slowed the traffic of goods for days.

Protecting maritime system important for economy

Mayorkas said that one of his biggest challenges he runs into when protecting critical infrastructure in cyberspace is getting owners and operators to appreciate how important it is to get insights into what they are seeing on the front lines and report it to the government. While it’s rarely the subject of daily conversation, protecting the U.S. maritime transportation system — which spans thousands of docks spread across more than 25,000 miles and facilitates an estimated $5.4 trillion in economic growth — from cyber and physical threats is essential to keeping society running.

“I would say that the most important thing is information sharing, that information is empowerment,” said Mayorkas. “There are different levels of understanding of what the threat landscape looks like and if we really raise the bar of knowledge, then we can correspondingly raise the bar of defense in preparation.”

Mayorkas reflected on just how tricky the government’s role is within critical infrastructure and the broader cybersecurity ecosystem. Yes, the Coast Guard has some regulatory authority and agencies like CISA have been given some new authorities — like cyber incident reporting and administrative subpoenas to contact owners and operators of vulnerable IT assets — but much of the government’s influence on the private sector’s cybersecurity is still rooted in the softer powers agencies such as CISA have mastered: persuasion and collaboration.

How to get hard results without the forcing mechanism is something he called “one of the very interesting areas of policy” right now.

“There’s so much more involved than merely reporting cyber incidents given the interconnectivity…of the digital environment in which we all live,” said Mayorkas. “I think how to drive behavior in a collaborative, voluntary framework without compromising a level of autonomy that industry wants to continue to enjoy is I think going to be a fertile ground for policymaking.”