President Joe Biden is expected to sign an executive order and create a federal rule Wednesday aimed at better securing the nation's ports from potential cyberattacks.
More than $20 billion, tapped from 2021's $1 trillion infrastructure bill, will be invested in port security, including switching cargo crane production from China to the U.S., in the next five years, The Wall Street Journal reports.
The administration is outlining a set of cybersecurity regulations that port operators must comply with across the country, not unlike standardized safety regulations that seek to prevent injury or damage to people and infrastructure.
“We want to ensure there are similar requirements for cyber, when a cyberattack can cause just as much if not more damage than a storm or another physical threat,” said Anne Neuberger, deputy national security adviser at the White House.
Nationwide, ports employ roughly 31 million people and contribute $5.4 trillion to the economy, and could be left vulnerable to a ransomware or other brand of cyber attack, Neuberger said. The standardized set of requirements is designed to help protect against that.
The new requirements, to be published Wednesday, are part of the federal government's focus on modernizing how critical infrastructure like power grids, ports and pipelines are protected as they are increasingly managed and controlled online, often remotely. There is no set of nationwide standards that govern how operators should protect against potential attacks online.
The threat continues to grow. Hostile activity in cyberspace — from spying to the planting of malware to infect and disrupt a country's infrastructure — has become a hallmark of modern geopolitical rivalry.
For example, in 2021, the operator of the nation’s largest fuel pipeline had to temporarily halt operations after it fell victim to a ransomware attack in which hackers hold a victim's data or device hostage in exchange for money. The company, Colonial Pipeline, paid $4.4 million to a Russia-based hacker group, though Justice Department officials later recovered much of the money.
Currently, China's ZPMC manufactures nearly 80% of the giant ship-to-shore cranes at U.S. ports. The new investment would direct money to a U.S. subsidiary of Japan's Mitsui to produce the cranes, marking the first time in 50 years that will be built domestically.
“We felt there was real strategic risk here,” Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technology, told the WSJ. “These cranes, because they are essentially moving the large-scale containers in and out of port, if they were encrypted in a criminal attack, or rented or operated by an adversary, that could have real impact on our economy’s movement of goods and our military’s movement of goods through ports.”
“By design these cranes may be controlled, serviced and programmed from remote locations,” said Rear Adm. John Vann, who leads the Coast Guard cyber command, at a press briefing. “These features potentially leave PRC-manufactured cranes vulnerable to exploitation,” he said, referring to the People’s Republic of China.
Ports, too, are vulnerable. In Australia last year, a cyber incident forced one of the country's largest port operators to suspend operations for three days.
Late last month, U.S. officials said they had disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure. Vann said this type of potential attack was a concern as officials pushed for new standards, but they are also worried about the possibility for criminal activity.
The new standards, which will be subject to a public comment period, will be required for any port operator and there will be enforcement actions for failing to comply with the standards, though the officials did not outline them. They require port operators to notify authorities when they have been victimized by a cyberattack. The actions also give the Coast Guard, which regulates the nation's ports, the ability to respond to cyber attacks.
Copyright 2024 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.