House Homeland Committee focuses on high-risk threats posed to maritime ports by cyber criminals, adversaries


The U.S. House Committee on Homeland Security held a hearing last week on port security vulnerabilities, in which members highlighted high-risk threats posed to U.S. maritime ports by cybercriminals and adversaries. In the hearing, the Subcommittee heard testimony from the U.S. Coast Guard, the Cybersecurity and Infrastructure Security Agency (CISA), and the Transportation Security Administration (TSA).

The hearing by the House Homeland Security Subcommittee on Transportation and Maritime Security follows two letters sent by House Committee on Homeland Security Chairman Mark E. Green, a Tennessee Republican, and Subcommittee Chairman Carlos Gimenez, a Florida Republican, demanding answers from DHS Secretary Alejandro Mayorkas on the threats posed by Chinese-manufactured cranes and software at U.S. maritime ports and a visit by Cuban government officials to U.S. port facilities in Wilmington, North Carolina. 

The witnesses included Rear Admiral Wayne R. Arguin Jr., assistant commandant for prevention policy in the U.S. Coast Guard, Eric Goldstein, executive assistant director for cybersecurity at CISA, and Neal Latta, assistant administrator for enrollment services and vetting programs at the TSA. 

“Our nation’s maritime ports play a crucial role in our commercial supply chains and national security operations,” Chairman Gimenez said. “As adversaries like the Chinese Communist Party (CCP) work to undermine and infiltrate our critical infrastructure and conduct surveillance operations on American industries, this Committee is examining any potential port vulnerabilities that may jeopardize our national security, from defending our cyber networks and assessing threats posed to physical infrastructure to ensuring the integrity of America’s maritime workforce.”

In his opening remarks during the hearing on port security vulnerabilities, Gimenez said that “maritime ports present soft targets to our adversaries, and large-scale operational disruptions at a major port could have a debilitating effect on our country. Therefore, it is critical that we understand and address the security vulnerabilities at our maritime ports. This subcommittee has already begun its work on this topic.”

“Our subcommittee has engaged with DHS, the FBI, and the Department of Transportation to ensure resources are being appropriately allocated based on the evolving port threat landscape,” Gimenez said. “Last month, the subcommittee heard from officials representing four different port authorities who discussed the challenges their organizations are facing and opportunities to mitigate these challenges.”

Gimenez added that among the challenges “we heard about from this panel was the alarming potential capabilities of nation-states – in particular the People’s Republic of China – and non-state actors to collect intelligence, steal sensitive data, and disrupt operations at our ports. I’m especially concerned about the cranes and other equipment and technology in use at ports across the United States that are manufactured by PRC state-owned entities and the opportunity for backdoor access to sensitive port infrastructure.”

“I have long advocated for federal agencies with responsibility for port cybersecurity to do more to address potential cybersecurity threats related to Chinese-made equipment and technology,” according to Gimenez. “Last year, I introduced legislation that limits the operation of foreign cranes and software at U.S. ports. We must remain vigilant in our fight against potential catastrophic events to our port infrastructure.”

Explaining the security measures that the Coast Guard has in place to evaluate foreign-manufactured equipment and software in use at U.S. ports, Arguin said that, at the local level, the Coast Guard’s regional sector commander, serving as captain of the port, uses maritime security specialists to engage those entities that have ZPMC cranes. “At that local level, they’ve had conversations about potential vulnerabilities identified with our partnership with CISA. We’ve also engaged our cyber protection team, elements of our Coast Guard Cyber Command to perform voluntary assessments of those networks to better understand the vulnerabilities associated with those systems, as well as systems throughout the ports.”

Arguin added that at the regional level, the Air and Maritime Security Committee, “we’ve had conversations with each of those entities to ensure they understand the potential vulnerabilities and the likelihood of potential disruption. At the national level, I’ve had similar conversations with leadership, with port authorities around the country to make sure that they’re aware of the potential vulnerabilities and that they get a better understanding of the potential impacts that those vulnerabilities may have.”

Rep. Laurel Lee, a Florida Republican, asked CISA’s Goldstein about the crucial role that cooperation between the Department of Homeland Security (DHS) and the private sector plays in cybersecurity. She asked, “how are you utilizing the partnership and the information that you receive from your private sector partners to help build those sector-specific goals and strengthen the infrastructure overall?”

“One of the biggest challenges in cybersecurity today is to understand the unique vulnerabilities that are facing particular sectors and the unique ways that adversaries are targeting each particular sector,” according to Goldstein. “So, information from our partners in industry that is specific to incidents, intrusions, [and] campaigns targeting a different sector will help us make recommendations to these specific controls or risk reduction measures that can help the sector maximize its security, which we can then codify in the performance goals.”

Rep. Nick LaLota, a New York Republican, detailed the cyber threats posed to U.S. maritime ports following attacks on other critical infrastructure sectors. Following the Colonial Pipeline ransomware attack in 2021, TSA issued several cybersecurity regulations requiring pipeline owners and operators to improve their cybersecurity practices. The agency has also extended these cybersecurity regulations to the rail and aviation sectors. He asked Goldstein, looking at the devastating impact of the Colonial ransomware attack, “has CISA or Coast Guard considered additional cybersecurity regulations for our maritime ports?”

“At CISA, our goal is to really establish that baseline of technical measures that are most effective against the threats that we are seeing,” Goldstein responded. “Last Fall, and then refreshed this Spring, we released our cybersecurity performance goals, as directed by a Presidential memorandum. These performance goals are really that succinct set of the most effective security practices, prioritized by complexity, cost, and impact that all entities can use on a voluntary basis to know where to invest next.”

In his written testimony, Goldstein wrote that at CISA, “we share the Subcommittee’s concern regarding threats to ports posed by the government of the People’s Republic of China (PRC), which could manifest in multiple forms. We continue to work urgently with the Coast Guard and the port community to understand and mitigate these threats, whether from critical equipment manufactured by Chinese state-owned enterprises or the prospect of damaging cyber intrusions targeting port infrastructure. These threats catalyze our focus, clarify our intent, and underpin our shared investment.”

CISA also works directly with ports and other critical infrastructure entities to support their cybersecurity efforts, according to Goldstein. “By leveraging our expertise, our ability to generate efficiencies of scale, and our ability to cross-reference information from multiple sources to gain broad visibility into the cyber threat environment, CISA is uniquely positioned to assist critical infrastructure operators with mitigating cybersecurity risk.” 

Goldstein also disclosed that more recently, “we have undertaken an effort intended to make network owners and operators aware of the prevalence of devices produced by PRC-based vendors that are listed on the Federal Communications Commission’s ‘Covered List,’ which, under the Secure and Trusted Communications Networks Act of 2021, pose an ‘unacceptable risk to the national security of the United States or the security and safety of United States persons.’” 

Using commercial tools, CISA has identified such products used on critical infrastructure networks across the country and already notified 88 critical infrastructure organizations using such products about the potential associated risks, according to Goldstein. “In nearly all cases, the notified entities have chosen to take urgent steps to replace these products from their networks and reduce the likelihood of unauthorized access by PRC actors.”

He added that CISA is “particularly focused on proactive efforts to reduce the likelihood that our partner entities will experience serious cybersecurity incidents. We have enrolled a select group of our nation’s most critical infrastructure entities in the CyberSentry program, a voluntary effort that uses commercial off-the-shelf tools and equipment to identify and detect malicious activity targeting critical infrastructure corporate and industrial control systems networks. This program has yielded significant operational benefits among participating entities, and we look forward to expanding into the maritime sub-sector in the next year.” 

CISA also has an essential role in helping critical infrastructure entities prevent the worst outcomes after a cyber intrusion has occurred. “We leverage information from partners and security researchers to notify victims so that they can take action to contain and eradicate the threat.” 

In his testimony, he also highlighted CISA’s new Pre-Ransomware Notification Initiative, which identifies organizations that ransomware actors have compromised and aims to notify them before their data is encrypted or stolen, with over 160 having been notified so far. “Once we receive information about a compromised organization, our field personnel take urgent action to notify the victim organization and provide specific mitigation guidance. CISA also provides direct support to victims of cyber incidents through incident response services,” Goldstein added.

Looking to the future, Goldstein said that CISA is continuously developing new capabilities to help stakeholders drive down cyber risk based on their feedback and needs. “We are looking forward to several impactful new efforts in the coming months, including an effort that will expand one of our cybersecurity shared service offerings beyond the federal sphere to certain critical infrastructure entities, a new attack surface management service, and a modernized cyber threat intelligence service. Through each of these efforts, we will work closely with the maritime community to understand their needs and maximize our ability to deliver services, information, and guidance that helps our partners detect, prevent, and effectively respond to cyber risks,” he added.

To date, CISA’s planning efforts have addressed topics including the cybersecurity implications of the Russian invasion of Ukraine and the creation of a framework for public-private crisis action planning, Goldstein said. “During 2023, CISA’s planning agenda includes systemic risks posed by cyber intrusions against software and infrastructure that underlie multiple national critical functions, as well as updating the National Cyber Incident Response Plan. CISA will continue to engage transportation and maritime stakeholders in this work to ensure that it provides value for these key facets of our national infrastructure.” 

Goldstein said that recently “we published a set of principles with six international partners that intends to catalyze progress toward further investments and cultural shifts necessary to achieve a safe and secure future. These principles aim for technology providers to take ownership of the security outcomes of their technology products, shifting the burden of security from the customers and ensuring executive-level commitment for software manufacturers to prioritize security as a critical element of product development. This will be a long-term journey but a necessary one that will require all elements of society, from enterprises to technology providers to Congress, to join together in driving change,” he added. 

Last month, members of the Homeland Security Committee wrote to the CISA director requesting details on reported plans to establish a new program office to identify ‘systemically important entities’ (SIE) by the end of September. The initiative seeks to identify the most vulnerable critical infrastructure entities across the country. The members have also sought clarity on whether these goals complement, replace, or are duplicative of existing efforts already underway in the agency to identify and mitigate systemic risk.
