The Rising Ransomware Tide, Chinese Spy Cranes, and the Biden Executive Order on Maritime Cyber Security


In July 2023, Japan’s largest port, Nagoya, fell victim to a LockBit ransomware attack, causing operations to grind to a halt and Toyota to suspend its import-export packaging lines. This was just one of many recent incidents within the larger marine transportation system, and it showcases how fragile the sector is to these attack profiles.

On Feb. 21, the Biden administration released an executive order designed to address the long-term challenges of improving the cyber security of the nation’s ports, ships, maritime industrial supply chain, and the data systems that operate throughout them. Although it is a positive step for an often-ignored portion of U.S. critical infrastructure, it is not enough and it isn’t fast enough. Addressing cyber security threats to the maritime sector requires more than standards and long-term industrial base investments. In addition to the current order, other steps the administration should take include giving the U.S. Coast Guard more funds for effective incident response, creating a single reporting resource for maritime cyber attacks, and investing in existing information-sharing organizations.


Cyber Vulnerabilities in Ports and Ships

It is no secret that ports and maritime shipping are among the hottest new targets for cyber attacks. The maritime transportation system is very lucrative for criminal ransomware. According to a report by CyberOwl, attacks are up 350 percent over 2022, and the average ransom is just over $3.2 million. Worse still are the continuing revelations regarding Volt Typhoon, the Chinese state-sponsored group that has infiltrated U.S. and allied critical infrastructure. Ship operating data systems, navigation systems, and even the technologies that operate the ports themselves are shot through with cyber security vulnerabilities. Into these gaps, malicious actors, both criminal and state adversaries, continue to operate with very little resistance.

Amidst the public and congressional anxiety, the Biden administration’s new executive order provides two fundamental adjustments. First, it fixes an arcane gap in the Coast Guard’s law enforcement authorities. Second, it sets out $20 billion to revive the nation’s industrial production of container cranes — the physical machines that lift containers onto and off of ships. Ship-to-shore cranes are not, as they might appear, just dumb pieces of metal and cable — they’re computerized. And as with all computers and sensors, the opportunity to spy and disrupt from the comfort of offices in Beijing is the stuff of National Security Council nightmares. The investment in the industrial base is an attempt to ensure that the United States won’t be reliant purely upon Chinese cranes built by Shanghai Zhenhua Heavy Industries Company.

Coast Guard Authorities

Biden’s executive order is a good first step — it’s just not enough, and not fast enough, a fact that we suspect is already known to its authors. The executive order does, however, manage to fix a gap in Coast Guard authorities. The U.S. Coast Guard is a unique organization with very “unique capabilities.” When analysts say “unique” authorities, what they are actually referring to is the scope and enhancement of two longstanding sets of maritime security authorities.

The Espionage Act of 1917 gave the Coast Guard authority over ships in U.S. waters to protect against acts of sedition as cargo such as munitions was loaded and unloaded under the watchful eye of the Captain of the Port. The Magnuson Act of 1950 later expanded that authority to include boarding and controlling ships in U.S. territorial waters. Both of those acts were written long before the existence of the internet or any concern for cyber security. With the expansion and adoption of the internet, the Coast Guard — like all other law enforcement entities — has seen its cyber security responsibilities grow considerably. In adjusting Coast Guard authorities to include cyber incidents, the executive order makes a small change with big impact.

The Coast Guard now has authority to deal directly with cyber incidents or potential cyber threats lurking in the maritime transportation system. It is the agency best positioned to do so in an industry in which commercial companies are only expected to protect their own systems. Other federal agencies and federally funded research and development centers that have studied cyber security risk in the maritime transportation system, including other components of the Department of Homeland Security, have concluded that the Coast Guard has the best congressionally defined sandbox for cyber security support to maritime transportation system stakeholders. This executive order solidifies that but, more importantly, it gives the Coast Guard the platform to own the arena. If well resourced, they will be well positioned to be accountable for — and not just responsible for — elevating the cyber security posture of U.S. maritime interests.

But here’s the problem: authority without capacity is not authority. While the executive order gives the Coast Guard the authority to control vessels that are deemed to be a cyber threat, it is fundamentally unclear how that is supposed to happen with an already overworked force, and steep competition for competent workers who will stay and grow with the organization.

This is particularly true for the Coast Guard’s cyber forces. Simply granting authority doesn’t magically make companies open the door to enforcement. The Coast Guard’s Cyber Protection Teams, unlike their Department of Defense counterparts, rely cooperatively on industry to invite them to collaborate on industry-owned infrastructure. The Coast Guard has neither the capacity nor the desire to try to bully its way in. Moreover, in instituting mandatory reporting by industry, the executive order assumes that small and medium-sized stakeholders and vessel operators understand how to report a cyber incident and have the means to recognize that they are facing one. This is a risky assumption, since industry compliance varies widely. It will be a complex hurdle for the Coast Guard.

The Coast Guard has made significant progress in equipping and bolstering its limited force of qualified cyber operators and has made phenomenal strides under the current leadership to identify capabilities that can be repurposed, created, or retrained to adapt to new cyber security requirements. Thus far, however, sufficient funding appears not to be forthcoming. The Coast Guard has not received supplemental funding for these or any other additional responsibilities despite its requests. Instead, the Coast Guard has had to begin a realignment designed to deal with its 10 percent manpower shortage by putting several of its ships into layup. Not enough bodies means fewer ships for enforcement.

Without a clear path to increased funding and some innovative adjustments to recruitment and retention, the executive order’s requirements simply add to the Coast Guard’s burden. The result is that the women and men responsible for continuing to duct tape together the security of the maritime transportation system are desperate for a rebalancing of priorities. The estimated $5.4 trillion worth of goods that travel through the maritime transportation system and feed the U.S. economy is expected to be secured by a law enforcement workforce funded at less than one quarter of 1 percent of that amount. Enforcement, let alone cyber security, cannot be done that way — or at least not well and not for long.

Industrial Base Investments: From Legacy to Autonomy

It is also useful that the executive order calls for long-term investments to secure port infrastructure. However, narrowly scoped industrial base investments to solve the “crane” problem will not solve the cyber security issues endemic to the maritime transportation system. Consider the enormity of the cyber security problem. Currently, the maritime transportation system relies on legacy systems, protocols, hardware, and processes that have been layered on top of each other over the course of decades. For a shipping container to get from its origin to a warehouse in the central United States, and on to its final destination, it relies on multiple and often incompatible computer systems. Creating an electronic manifest and a stow plan at the port of origin, clearing customs and inspection prior to arriving in the United States, and booking and stowing a container prior to loading all involve separate systems that are barely compatible. Even the cargo management and navigation systems aboard ocean-going vessels are managed differently. Each activity relies on a separate data system run by an independent company within the global supply chain to move the container along to the next step. These networks and processes are often a blend of traditional business information technology systems with operational technology machinery.

Those systems aside, the global Automatic Identification System for ships — a key aid to navigation — has been proven vulnerable to spoofing and disruption by security researchers and adversaries alike. And finally, nearly every part of the maritime transportation system is moving toward integration with autonomous and automated operations reliant on complex control systems developed (and fielded) through a diverse and global ecosystem of manufacturers and facilities spanning Europe, the United States, Australia, and China. The complexity of this global quilt of companies and supply chains is reflected in nearly every port complex in the United States, intertwined throughout the American domestic maritime transportation system. Even seemingly U.S.-operated companies are multinational. A handful of the largest U.S.-flagged shipping companies are actually U.S. subsidiaries of larger foreign-owned shipping giants.

This means that the focus on Chinese-manufactured cranes such as those built by Shanghai Zhenhua Heavy Industries Company addresses just one piece of the globalized — and vulnerable — U.S. critical infrastructure. Maritime cyber security analysts also note that it is only a matter of time before automated container and rail terminal operations, and eventually uncrewed or partially crewed autonomous vessels, become a target for both private and state-sponsored hacking. And the NotPetya attack on Ukrainian systems, and more recently the Viasat hack, demonstrated amply that the maritime transportation system is interdependent with many other critical infrastructures — rail, energy, water, etc. Because these information systems are interdependent, cyber-initiated events can cause operational impacts in other critical infrastructure sectors.

Right of Boom Investments

If the threat is now, then now is when Washington should invest in addressing it. One first focus area should be elevating the capacity to respond immediately after an attack has occurred — right of boom rather than left of it. Additional short-term investments that boost response capability can at least put a band-aid on critical vulnerabilities while we wait for long-term solutions to come online.

Ultimately, it is a gamble whether growing domestic production capacity for infrastructure like cranes will fundamentally reduce America’s cyber security vulnerability. Not only do industrial base solutions take years to become effective, but simply onshoring a supply chain does not make it immune to cyber attacks. Consider that the operational technology cyber security industry emphasizes vulnerability as much as threat, and part of that emphasis stems from the inherent design priorities of these systems. They are designed with reliability in mind, first and foremost, above all else — and as a result, they are likely flawed right out of the box from a system security perspective.

Furthermore, critical infrastructures like the maritime domain are “low cyber security maturity” environments. In a low maturity environment, the fastest and most efficient results come from improving the mean time to recovery — after an attack has occurred. Thus, the right first step is to address the lowest-hanging fruit and invest in incident response and associated recovery activities.

We accept and applaud that the Coast Guard’s supplemental “Notice of Proposed Rule Making” is focused on cataloging risks and implementing base standards. It is certainly part of the equation. But the cyber security maturity of the maritime transportation system is deeply uneven already, and as a result it will be a long time until prevention capabilities are possible uniformly across it.

We recommend that the U.S. government place an immediate emphasis on the low-hanging fruit for the majority of port stakeholders by adding funding to efforts already under way. The Coast Guard’s Cyber Protection Teams have a unique opportunity, if resourced appropriately, to work in cooperation with industry to test incident response plans in jointly developed tabletop exercises, or even to perform their own operational cyber activities to identify weaknesses.

Second, simply building out the capacity to help maritime transportation system stakeholders report attacks is also likely to yield fast returns. This may sound strangely simple, but ports have historically not had a clear point of contact or “single pane of glass” through which to learn about and relay cyber security incidents. The Coast Guard has the mechanisms to provide operational incident response support, but it is unclear how the various federal players in the space will integrate with them. The passing of the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s Cyber Incident Reporting for Critical Infrastructure Act may remediate some of these pain points, but the ambiguity remains unresolved. Exactly whom industry stakeholders will dial on their worst day can be the luck of the draw. Some may call their InfraGard hotline, some may call a technology provider like Dragos, and some might call their respective federal safety administration (like the Pipeline and Hazardous Materials Safety Administration). Reporting does very little to generate an effective coordinated response if it cannot be triaged effectively. This executive order has the potential to galvanize the efforts of many agencies into a single operational arm. But again, the Coast Guard would need to be resourced accordingly to make that happen.

Certainly, over time, industry will inevitably take the lead — but the path will be painful. The challenge with an industry-led approach for port facilities and assets afloat is the industries themselves. There is no one-size risk reduction effort that would fit the diversity of needs of everyone represented. Freight forwarders, ports, cruise lines, cargo shipping — all of these stakeholders require a patchwork of different solutions.

Finally, it is a truism that information sharing is a foundational requirement in cyber security. And yet the growth and development of such a community for the maritime transportation system remains nascent compared to other information sharing and analysis centers and organizations.

For the last several years a stalwart crew of volunteers (including the authors of this piece) calling themselves “MarSec@ICSVillage” have come together at DEF CON (one of the largest and oldest hacking conferences in the world) to bang the drum and grow this community of interest. We unabashedly will continue to do so to keep growing the talent and providing solutions to those who will listen. We do so at no profit to ourselves — we are a committed community that loves the challenge.

Thus, if federal grant funding or private sector support should go anywhere, it should be to incentivize the kinds of grassroots sharing and networking that these communities create. The Maritime Transportation System Information Sharing and Analysis Center and countless volunteer communities of interest punch well above their weight in finding solutions and setting best practices. This is because by their very nature they have blended representation of both federal and industry stakeholders. Information sharing associations are a low-cost and yet underfunded way to share best practices, discuss risk reduction strategies, and ultimately develop a collaborative muscle designed to flex when incidents occur.

The maritime transportation system, like all critical infrastructure, is vulnerable. Long-term fixes are important, but Washington should do more right now.


Nina Kollars is the executive director of MarSec at ICS Village, a community of maritime cyber security thinkers. Additionally, she is an associate professor at the Cyber and Innovation Policy Institute at the U.S. Naval War College.

Blake Benson leads the industrial control systems-focused cyber security practice at ABS Consulting.

Austin Reid is a senior consultant at ABS Consulting specializing in securing maritime operational technology. He is also a hacker, security researcher, and the director of the hands-on experiments and competitions with maritime equipment for DEF CON’s MarSec at ICS Village.

Image: U.S. Coast Guard Headquarters