Presidential mandate, right ahead!
On Wednesday, the Biden administration announced an executive order aimed at strengthening security at US ports—another piece of critical infrastructure targeted by cyber-adversaries.
“Most critical infrastructure owners and operators have a list of safety regulations they have to comply with, and we want to ensure that there are similar requirements for cyber, when a cyberattack can cause just as much, if not more, damage than a storm or another physical threat,” Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said on a briefing call the day before Wednesday’s announcement.
What’s the order? It allows the Coast Guard to establish cybersecurity requirements for vessels and waterfront facilities. Additionally, the administration announced an investment of more than $20 billion in port infrastructure, along with proposed protective safeguards, primarily based on the Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Performance Goals.
What’s been happening? The announcement comes weeks after CISA’s warning about “Volt Typhoon,” the state-sponsored, People’s Republic of China (PRC)-based cyber-actors who the agency said are “seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against US critical infrastructure in the event of a major crisis or conflict with the United States.”
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
On the briefing call, Neuberger said China-based cyberactivity is “one key threat that this executive order and notice of proposed rulemaking will help protect ports against,” while citing additional criminal activity, like a July 2023 attack on the Port of Nagoya, the largest port in Japan. (The Japan Times reported the Russia-based group LockBit 3.0 were the hackers.)
Cranes! Following the order, a maritime security, or MARSEC, directive imposed security requirements on owners and operators of PRC-manufactured cranes, which “make up the largest share of the global market and account for nearly 80% of cranes at US ports,” Rear Admiral John Vann noted on the pre-announcement background call. “By design, these cranes may be controlled, serviced, and programmed from remote locations. These features potentially leave PRC-manufactured cranes vulnerable to exploitation,” he said, adding that the specific, sensitive requirements for defenses “cannot be shared publicly.”
Charting the course. The executive order also mandates reporting of cyber incidents endangering ports, vessels, and waterfront facilities.
“The Coast Guard is the regulator for ports, and the executive order takes their existing physical authorities to set security rules for ports and extends that to the cybersecurity domain,” Neuberger said on the pre-announcement call.