Trump Plan for Maritime Cybersecurity Would Introduce Procurement Requirements

The outgoing administration added items to federal agencies’ to-do lists, noting rising threats to the sector.

The White House’s priorities for improving maritime cybersecurity include having federal agencies work with the General Services Administration to revise their contracting language.

“Port services such as, but not limited to, loading, unloading, stacking, ferrying, or warehousing Federal cargo requires cybersecurity contracting clauses to safeguard the flow of maritime commerce, Maritime Transportation System users, and our economic prosperity,” the plan reads. The plan stipulates agencies will work with GSA “to develop and implement mandatory contractual cybersecurity language for maritime critical infrastructure owned, leased, or regulated by the United States government to decrease cybersecurity risk to the nation.”

The plan comes just a fortnight before the Trump administration leaves office, but highlights shortcomings specific to the maritime sector, which it said is increasingly under attack. The United States Committee on the Maritime Transportation System estimates a quarter of all U.S. gross domestic product comes from the sector. Attacks like NotPetya in 2017—which affected global shipping for days—emphasize the risk of lax cybersecurity, the White House said. 

The White House noted military and commercial vessels are also frequent targets of jamming and spoofing attacks on the Global Positioning System, the subject of Executive Order 13905.     

In addition to revisiting existing standards and listing cybersecurity requirements in government contracts, the plan prioritizes greater collection and dissemination of related intelligence and boosting the workforce. 

The Homeland Security and Defense departments would also conduct assessments of port facilities, vessels and other infrastructure to protect against attacks, under the plan. 

For the most part, cybersecurity standards already exist, but private sector entities don’t always have the resources to implement them, according to the document. To promote appropriate protections, the plan therefore includes issuing grants, including through a program at the Federal Emergency Management Agency.

But the White House notes standards for operational technology, as opposed to information technology, are lacking. And here it hopes to lead the world. 

“A framework for examining port OT systems does not exist. The United States will create an international port OT risk framework based on the input from domestic and international partners and promote the framework internationally,” the plan says, putting the National Institute of Standards and Technology in charge of that particular effort.

On the workforce front, DHS would be in charge of the biggest task, working through the U.S. Coast Guard and coordinating with appropriate departments and agencies to “develop cybersecurity career paths, incentives, continuing education requirements, and retention incentives.”

When it comes to information sharing, the plan mostly focuses on improving the government part of the equation, requiring the FBI and the intelligence community to develop “tear-line” reports to share with the maritime industry. It notes: “The United States will establish procedures and policies that govern the receipt and processing of maritime reports of industry cybersecurity incidents to build a coalition of maritime cybersecurity advocates,” but the plan doesn’t get into how it will incentivize industry to share such reports.

Even within the private sector, the plan notes that where other industries have benefited from Information Sharing and Analysis Centers, those organizations are not effective in the maritime space.

“These ‘for industry, by industry’ information sharing centers serve as trusted, well-established, efficient threat information brokers within most other critical infrastructure sectors. Their partnerships with industry stakeholders and with government resources insure [sic] timely threat information sharing, anonymized reporting, and critical industry expertise in discussions and responses to cyber and other threats,” reads an annex to the plan. “While ISAC-like organizations do exist within the maritime sector, they do not currently cooperate with each other and have not attained broad industry or government acceptance.”