Crossroads Blog | CYBER SECURITY LAW AND POLICY


DHS Has Done Little To Protect Port Facilities

Gregory C. Wilshusen, Director of Information Security Issues for the Government Accountability Office (“GAO”), testified before the Committee on Homeland Security Issues and the Subcommittee on Border and Maritime Security, House of Representatives, on the state of cybersecurity at the nation’s maritime critical infrastructure.  The testimony was based on a GAO audit assessing the extent of the steps taken by the Department of Homeland Security (“DHS”) to address cybersecurity in the maritime port environment.


According to Director Wilshusen’s testimony, the GAO has considered federal information security as a “government-wide high risk area” since 1997, and expanded that designation to include the protection of systems supporting the nation’s critical infrastructure in 2003.  Adequate cybersecurity at ports is highly critical because:

  • Ports are an essential part of the nation’s critical infrastructure, and over $1.3 trillion of cargo is handled at the nation’s ports each year;
  • Disruptions at one of these ports can result in significant impacts on global shipping, international shipping, and the global economy; and
  • Ports are often located in densely populated metropolitan areas, so a disruption can pose a risk to public safety.

Director Wilshusen testified that DHS and other stakeholders had taken only limited steps to address the cybersecurity of the nation’s maritime environment.  Specifically, the 2014 report highlighted the following inadequacies:

  • The Coast Guard did not include a comprehensive assessment of cyber-related risks, vulnerabilities of cyber-related assets, and potential impacts in the 2012 National Maritime Strategic Risk assessment, and it failed to include it in the 2014 revision even after officials stated that the issue would be addressed;
  • The Coast Guard did not address cyber-related risks in its guidance for developing port security plans;
  • The Coast Guard helped establish information-sharing mechanisms, including a sector coordinating council made up of private-sector stakeholders, but the council was disbanded; and
  • The Federal Emergency Management Agency (“FEMA”) identified enhancing cybersecurity capabilities as a priority for its port security program, which is designed to defray costs of implementing security measures, but its grant review process was not informed by Coast Guard expertise on the matter.  As such, the risk of allocating the grants to projects that would not effectively enhance security was higher.

As a result, the GAO made recommendations to enhance the Coast Guard and FEMA’s efforts to address port cybersecurity, including:

  • Include cyber-risks in its updated risk assessment for the maritime environment;
  • Address cyber-risks in its guidance for port security plans;
  • Consider reestablishing the sector coordinating council to give maritime stakeholders a national-level forum for information sharing; and
  • Ensure that funding decisions for its port security grant program are informed by subject matter expertise and a comprehensive risk assessment.

As of October 8, the date of the testimony, DHS had only partially addressed two of the recommendations.

The full report can be found here.
