The Naval Postgraduate School & The U.S. Department of Homeland Security

U.S. Port Security Not Watertight, Says GAO Audit

This month, the Government Accountability Office (GAO) released a report stating that the UContainer ship, Coast Guard patrol craft.S. Coast Guard and Department of Homeland Security have not yet done enough to address cybersecurity concerns in the maritime port environment. The report, addressed to the Chairman of the Senate Committee on Commerce, Science, and Transportation (Jay Rockefeller), serves as an audit to highlight where Congress should focus its legislative energy.

Because many commercial ports rely on information technology and electronic communications systems to conduct daily operations, the safety and integrity of the shipping lanes and port facilities depends on cybersecurity. According to the GAO, the Coast Guard has "initiated a number of activities and coordinating strategies to improve physical security in specific ports, [but] it has not conducted a risk assessment that fully addresses cyber-related threats, vulnerabilities and consequences." This is not to say, however, that the Coast Guard is negligent in their duties, but that the minimum standards required by law generally do not address cyber vulnerabilities. Simply speaking, the standards will have to change if Congress is going to be able to hold DHS or the Coast Guard accountable for developing cybersecurity plans for our nation's maritime environment.

Furthermore in the realm of setting standards, FEMA's involvement in enhancing security infrastructure bears some mixed messages. The GAO report highlights that, "under a program to provide security-related grants to ports, FEMA identified enhancing cybersecurity capabilities as a funding priority for the first time in fiscal year 2013 and has provided guidance for cybersecurity-related proposals." Meanwhile, FEMA has not provided obvious follow-through on the funding grants because, in downsizing its expert panel that reviews grants, "there are no subject matter experts available to oversee cyber-related proposals."

Keep in mind that the physical security of our commercial ports and waterways is very tight. The Coast Guard and local maritime police forces are on constant patrol, working diligently to inhibit any malfeasance. If an unexpected commercial ship shows up at the mouth of the harbor, you can be sure that it will be quarantined and given a thorough inspection by authorities. But what if the vessel's arrival schedule and clearance information was wiped from the system by a hacker looking to delay the arrival of certain goods and personnel? These types of security questions have broad-reaching threat profiles, and will be the focus of future cybersecurity enhancements to commercial maritime infrastructure.