WASHINGTON — A US congressional call for a comprehensive review and re-coordination of cybersecurity protocol at ports may be heeded this time after a cyberattack on Tuesday crippled Maersk Line, but marine terminals are reluctant to jump aboard until they get guarantees on data safety.
Congressmen on both sides of the aisle spent the days after the attack this week calling for briefings from the nation’s top cybersecurity experts and preparing legislation that would make similar reports routine.
How successful this bipartisan push will be is still far from certain. It is, after all, the second time in less than two years that legislation calling for routine cybersecurity reports has been issued, both times by California Democrat Rep. Norma Torres. Torres’ previous attempt to pass the exact same legislation soared through the House in late 2015 only to die in the Senate — and those parts that did survive in other legislation have had a questionable impact.
The congresswoman will likely face some pushback from the private sector. Those private interests recognize the still-new but quickly growing threat that cyberattacks pose to the maritime industry, said John Crowley, executive director of the National Association of Waterfront Employers.
However, private interests like Crowley’s group — which represents 16 terminal operators, including Maersk’s APM Terminals, as well as other big players such as Ports America and SSA — need guarantees that proprietary information like cybersecurity vulnerabilities will not be treated irresponsibly and that it will actually be put to some use.
“The answer is not just to require reports from the private sector into the federal government and everything is fixed,” Crowley told JOC.com on Friday. “The information actually has to go somewhere. It has to be handled with protection. And something has to be done with it. I think there’s a lot of skepticism whether any of that is true.”
Torres on Wednesday promised to introduce legislation that would direct the Department of Homeland Security (DHS) to study and report cyberthreats at the nation’s top ports and create voluntary guidelines for ports that would increase the reporting of those threats and the overall exchange of information. The agency would also be tasked with developing and implementing a maritime cybersecurity risk model and creating a sort of chain of command or communication channel for threats and vulnerabilities to be reported to the federal government and to the private sector.
That same day, Democratic Rep. Alan Lowenthal of California and Republican Rep. Ted Poe of Texas delivered a letter to the DHS requesting a classified briefing on the nation’s ports’ cybersecurity protections.
“Over a quarter of the US economy depends on goods moving through our seaports,” the men said in a statement. “A shutdown of just one terminal for even a single day can have significant economic impact, amounting to tens or even hundreds of millions of dollars.”
The attack on Maersk this past week underscored just how necessary action is, Torres said in a statement. “This most recent attack should serve as a call to action to address the clear vulnerabilities in our maritime security before those who wish to do us harm are able to engineer a truly debilitating attack.”
According to Torres, the breadth and scope of this recent attack should be enough to galvanize public and private power players despite skepticism.
The June 27 ransomware attack on Maersk shuttered the shipping giant’s terminals and temporarily brought cargo bookings to a standstill. Three days later, Maersk says it is now bringing operations back online, but its terminals in Los Angeles and New Jersey, the largest in the country, remain closed.
In response to the attack, Rep. Torres on Wednesday announced her intention to reintroduce the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act, a bill she originally introduced in 2015.
Back then, Torres said, “hearings before Congress revealed how little coordination currently occurs between port landlords and tenants in addressing cyber threats as well as how little consideration has been given by federal agencies to the impact that a cyberattack could pose to our maritime infrastructure.”
The bill won unanimous support in the lower chamber in December 2015, but died in the Senate. Only one item in the bill, the report on port cyberthreats, made it into later legislation. How far the DHS has come on that report remains unclear. Sources on the Hill and within the industry told JOC.com on Friday they had heard nothing and could not say where the report stands.
Crowley said that his group doesn’t necessarily oppose the concept of voluntary guidelines. “Mandatory and very concrete requirements across the industry whether it be the port industry or the maritime industry more broadly are not helpful. It’s such a diverse set of sectors with diverse needs,” he said.
Neither do they oppose a channel of communication with the US government that is specific, narrow, and secure. In fact, he said, it is something they’ve been requesting.
“There needs to be a single point of contact that we can all reach in the federal government. There’s a couple today,” said Crowley. “It would be helpful to have one voice at the federal level that speaks to first of all what information is available out of the federal government that can advise and inform the private sector, what is largely a private sector endeavor.”
As has always been the case with the collection of private and proprietary data, Crowley said, any reporting on terminal or port cybersecurity needs to be handled with kid gloves. When data is shared, Crowley said, it would be preferred if it were the government sharing data with the private sector on known threats, not the private sector sharing data with the government on vulnerabilities that could be exploited.
“It would be our position that the federal government and Washington, DC should be sharing what it has and providing insight and views to what are the trends that may not be available to the industry,” Crowley said.
Torres has not said yet when she plans to reintroduce her legislation. The House has left Washington for its July 4 vacation and won’t return until July 11. Then it will only be in session for three weeks before both chambers of Congress will be on recess through the entire month of August.