The nation’s ports are unprepared for a cyberattack, which could bring the country’s commerce to a halt, depleting goods across the nation within days, everything from groceries to oil, according to a new report by a Coast Guard judge advocate.
Cmdr. Joseph Kramek, in a policy paper released this month by the Brookings Institution, writes that his service needs congressional authority to enforce cybersecurity at U.S. ports. Kramek is a former special assistant to the commandant and served as a Brookings fellow for a year.
He studied the culture of cybersecurity at six of the nation’s ports, including in Los Angeles and Long Beach, Calif., the first and second busiest ports in the nation, respectively. What he found was that ports have failed to take basic cybersecurity precautions.
“The level of cybersecurity awareness and culture in U.S. port facilities is relatively low,” Kramek writes, and some municipalities have “almost no awareness” of what cybersecurity measures private companies are — or aren’t — using to protect their port spaces.
Kramek, who now serves in the Coast Guard Office of Congressional Affairs, lays out two major concerns in his report: that there are no set cybersecurity standards in U.S. ports, and that the Coast Guard does not have the cybersecurity authority to regulate ports.
The head of Coast Guard Cyber Command, Rear Adm. Robert Day, disagrees that legislation is needed. At least not yet.
“I think that we have all the authorities that we need,” Day said. “I think it’s more, ‘Let’s get the information exchange going back and forth between government and those private entities and public entities.’”
Day said the Coast Guard has good relationships with port authorities and industry, and the service can leverage those relationships before turning to legislation.
An American Association of Port Authorities spokesman agreed that there are no set regulations for cybersecurity, but said the Coast Guard might not be the agency to enforce them at ports.
“No industry that we know of has developed, or has been mandated to abide by, a uniform set of cybersecurity regulations, and who’s to say at this point what agency should enforce a uniform federal cybersecurity protocol if one is developed?” said Aaron Ellis, public affairs director for the AAPA, in an email. He said AAPA is working to educate and provide its members with information on cybersecurity.
However, Kramek said he thinks the Coast Guard is the right agency for that role, since it already enforces physical security at the ports.
“We are well positioned,” Kramek said. “It’s just an extension of what we are already doing.”
Kramek also calls for established cybersecurity standards for ports, better ways to disseminate threat intelligence and mandatory threat assessments.