A few weeks ago, I blogged about a congressional hearing at which port leaders said there were significant cybersecurity vulnerabilities at U.S. ports, and they worried that many cyber attacks were going unreported.
Now there’s a bill in Congress that would address some of these shortcomings and improve coordination and information sharing about cyber threats in the nation’s ports. Such threats could include hacking, jamming, spoofing or imposing malicious programs on a port’s information technology system.
Rep. Norma Torres, D-Ca., introduced the “Strengthening Cybersecurity Information Sharing and Coordination of Our Ports Act,” which was approved by the House Homeland Security Committee on Nov. 4 and sent to the House floor for a vote. The bill must also be considered by the Senate before becoming law, so it still has a ways to go.
Torres said that the House hearing on Oct. 8 motivated her to write the bill. Randy D. Parsons, security expert at the Port of Long Beach, was a key witness and sounded an alarm about the lack of information sharing. Parsons also said that his port’s information management staff thwarts one million hacking attempts a day.
Vulnerabilities at ports, Torres noted, are “due to port landlords not always coordinating with port tenants and also to federal agencies only beginning to consider the impact of a cyber-attack on our maritime infrastructure in its security assessments and strategies.”
Her proposal would require the federal government to assess cybersecurity risks in ports, direct each Coast Guard captain of the port to create a working group to facilitate information sharing, and develop plans to address port vulnerabilities, and require that any new area maritime security plan and facility plan developed after the bill’s enactment address cybersecurity.
The legislation is a good first stab at filling the gaps identified at ports, but I agree with Patrick Coyle, blogging at Chemical Facility Security News, that the bill’s language could be strengthened before it is passed by the House and considered by the Senate.
The proposal, for example, doesn’t mandate the reporting of cyber incidents, and only requires that new maritime security plans and facility security plans address cyber threats. Unless the language makes clear that existing security plans must also address cyber threats when they are revised (normally at five-year intervals under the 2002 Maritime Transportation Security Act), there could continue to be vulnerabilities at the nation’s ports.