Norma Krayem is a senior policy advisor in Holland & Knight's Washington, D.C., office

HIGHLIGHTS:

  • As cybersecurity risks to the nation's critical infrastructure – including those parts in the transportation and maritime sectors – continue to grow, the incoming Trump Administration has made it clear that cybersecurity is one of its top priorities.
  • The administration's new Cyber Review Team has been tasked with conducting an immediate review of all U.S. cyber defenses and vulnerabilities, including "vital" infrastructure in the transportation and maritime sectors. President-Elect Donald Trump also has publicly discussed focusing on a more offensive approach to cybersecurity around the world as well as a more proactive deterrence strategy.
  • To date, the maritime sector has not seen mandatory cybersecurity regulations come to the forefront, but it is expected that the international community will move in that direction in the near future.

Cybersecurity risks to the nation's critical infrastructure (CI) – defined as 16 CI sectors, including transportation and maritime – continue to grow exponentially. The incoming Trump Administration has made it clear that cybersecurity is a mainstream national, homeland and economic security priority. At the same time, President-Elect Donald Trump has included cybersecurity in his top 10 priorities as well as an action item in his administration's First 100 Days. He also has called for a "Cyber Review Team," which includes a core role for the U.S. Departments of Defense and Cyber Command as well as for law enforcement and the private sector.

The new Cyber Review Team has been tasked with conducting an immediate review of all U.S. cyber defenses and vulnerabilities, including "vital" infrastructure that includes the transportation and maritime sectors. The Cyber Review team will "provide specific recommendations for safeguarding different entities with best defense technologies tailored to the likely threats, and will [be] followed up regularly at various Federal agencies and departments."

Nation-states, non-state actors, hacktivists and organized crime represent the range of attackers against the maritime sector. Ports, port operators, vessel operators, shipping companies and others are faced with constant attacks that range from 21st century theft, to more critical risks to the sector as a whole. At the same time, the maritime sector is crucial to the movement of trade around the globe. A major cybersecurity attack could represent both the potential for injury and loss of life as well as physical damage to the maritime, shipping and port infrastructure. The devastation could be dramatic, carrying economic impacts potentially in the hundreds of billions of dollars.

The U.S. Department of Homeland Security (DHS) and U.S. Coast Guard (USCG) has been working for several years with the maritime sector to evaluate and work to mitigate risks to the sector. In 2015, the USCG issued a cybersecurity strategy and began working to identify best practices and voluntary measures designed to help the sector and focused on best practices identified in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

At the same time, DHS continued to raise awareness about the risks, releasing a report in March 2016, "Consequences to Seaport Operations from Malicious Cyber Activity." Among the report's key findings: 1) "Unless cyber vulnerabilities are addressed, they will pose a significant risk to port facilities and aboard vessels within the Maritime Subsector." 2) "A cyber attack on networks at a port or aboard a ship could result in lost cargo, port disruptions, and physical and environmental damage depending on the systems affected. The impact to operations at a port, which could last for days or weeks, depends on the damage done to port networks and facilities." 3) "The impacts to critical infrastructure sectors depend on how a cyber attack affects a port, the level and length of disruption that occurs at the port, and the capability to divert shipments to other ports. " The report goes on to focus on the potential negative impact to key sectors such as "Critical Manufacturing, Commercial Facilities, Food and Agriculture, Energy, Chemical, and Transportation Systems. If more than one port is disrupted concurrently by a cyber attack, a greater impact to other sectors of critical infrastructure is likely to occur."

Potential Measures and Strategies

As cybersecurity attacks against the maritime sector continue to be substantiated, the global community has come together to discuss the threats to the industry. The international community has also been working through the International Maritime Organization (IMO) to discuss possible approaches to dealing with the challenge. In 2016, the IMO approved "Interim Guidelines on Maritime Cyber Risk Management," focusing on voluntary measures despite some calls by some nations to create mandatory measures.

President-Elect Trump has publicly discussed focusing on a more offensive approach to cybersecurity around the world as well as a more proactive deterrence strategy. He also has said he will direct the "Secretary of Defense and the Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command." Additionally, Congress has become focused on concerns to supply chain systems and recently mandated a U.S. analysis of cybersecurity threats specifically for the maritime sector. Congress has expressed similar concerns for other key CI sectors and supply chain risks for the past four to five years. The 115th Congress has already kicked off a series of hearings looking at nation-state threats to the United States. At the same time, expect Congress to continue an activist oversight role on how the maritime sector is proactively managing its cybersecurity risk and what the appropriate role is for the U.S. DHS, State, Defense and other departments against ever-increasing global threats.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.