On 24 October 2017 the United States House of Representatives passed H.R. 3101, the Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017. The bill was introduced in response to the June 2017 global cyberattack that shut down the Port of Los Angeles’ largest terminal via infection of shipping company Maersk (which leases the terminal) by the NotPetya worm. The attack stalled 76 of Maersk’s global port terminals in total. Parent corporation A.P. Moeller-Maersk estimated that the cyberattack would cost the company $200m – $300m.
The United States Coast Guard (USCG) is charged with protecting the maritime transportation system (MTS) from both physical attacks and cyberattacks. The MTS handles over $1.3 trillion in cargo through approximately 360 ports annually and links the United States to global supply chains. Figure 1 shows the top 25 water ports by cargo container volume. Digitalization of the maritime sector (from ship navigation to port operations) has increased efficiency but introduced the crippling threat of cyberattacks. As the impact of the cyberattack on Maersk alone shows, failure of the MTS due to cyberattack could be catastrophic for the United States.
The U.S. government is aware of these risks. In 2015 the USCG released a 10-year cyber strategy that includes a strategic priority to protect infrastructure (e.g., the MTS) through two goals: 1) “risk assessment – promote cyber risk awareness and management” and 2) “prevention – reduce cybersecurity vulnerabilities in the MTS.” Goal 1 revolves around improving risk assessment tools and information sharing with the maritime industry and government stakeholders. Goal 2 is based on establishing vessel/facility cybersecurity standards and personnel training requirements. Essentially, the USCG strategy to protect the MTS is about raising awareness and understanding of the cyber threat for both participants and stakeholders. USCG seeks to build a culture of cyber risk management that is analogous to safety culture.
Although the 2015 cyber strategy does not provide details on execution timing, recent USCG actions and communications appear to be in line with achieving the stated goals. For example, in line with goal 1, the USCG published a cybersecurity series in the Coast Guard Maritime Commons (their blog for maritime professionals) for national cybersecurity awareness month (October) that discusses cyber incidents, poses questions, and provides links to important guidelines, standards, and frameworks. In line with goal 2, the USCG collaborated with the International Maritime Organization (IMO) to write Guidelines on Maritime Cyber Risk Management and released a draft of NVIC 05-17 Guidelines for Addressing Cyber Risks at Maritime Transportation Security Act (MTSA) Regulated Facilities for comments.
Is the USCG culture-based approach to cybersecurity (and hence MTS protection) valid? I think so. First, given that an organization can be exposed to malware by one person clicking one link in an email, it seems clear that enforcing safe cyber behavior at all levels is paramount. Experience in the oil and gas sector taught me the importance of strong safety cultures for enforcing safe behaviors. Hence, if cybersecurity is analogous to safety, which it seems to be, then this approach will be effective. Second, frequent communication via the Coast Guard Maritime Commons should help industry users digest the vast array of guidelines, standards, and cybersecurity practices scattered across various groups and agencies. Third, development of guidelines, especially through international organizations like IMO, should help ensure compliance by international shipping companies (e.g., Maersk is Danish) in utilizing the MTS securely.
Still, the USCG approach to protect the MTS from new digital threats could be improved by two additional actions. First, USCG should consolidate critical information in one location and simplify the message. Searching for maritime cybersecurity guidance was a journey through lengthy manuals and regulatory documents across various agency sites. Clear and more easily accessible information should help to improve awareness and education. Prominent display of cyberattack statistics would also help to enforce the message. Second, USCG should require mandatory rapid reporting of cyber incidents to enhance information sharing and damage mitigation. Even new legislation such as H.R. 3101 only requires voluntary reporting of maritime cybersecurity incidents. Unreported attacks are missed learning opportunities.
In conclusion, digitalization of maritime supply chains (and the MTS) has created new cyber threats for the USCG, the nation, and the shipping industry to battle. Discussion of how the USCG can best protect the MTS (and the nation’s maritime supply chains) from cyberattacks raises many questions. Should the USCG go on the cyber offensive? Would mandatory cyberattack reporting requirements sacrifice the right to privacy?
 Summary of H.R. 3101 “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017,” Congressional Research Service, 24 October 2017
 “House Passes Torres Bill to Address Port Cybersecurity Threats”, 24 October 2017
 J. Leovy and A. D’Angelo, “Maersk’s L.A. port terminal remains closed after global cyberattack,” LA Times, 29 June 2017
 R. Milne, “Maersk CEO Soren Skou on surviving cyber attack,” Financial Times, 13 August 2017
 R. Milne, “Moller-Maersk puts cost of cyber attack at up to $300m,” Financial Times, 16 August 2017
 United States Coast Guard Cyber Strategy, United States Coast Guard, June 2015, accessed November 2017. http://www.overview.uscg.mil/Portals/6/Documents/PDF/CG_Cyber_Strategy.pdf?ver=2016-10-13-122915-863
 K. Kuhn, “Nat’l Cybersecurity Awareness Month – Shipboard cyber risk management,” Coast Guard Maritime Commons, 9 October 2017
 B. Link, “Nat’l Cybersecurity Awareness Month – Five key cyber questions and challenges facing the maritime industry,” Coast Guard Maritime Commons, 30 October 2017
 Y. Barril, “Nat’l Cybersecurity Awareness Month – October is National Cyber Security Awareness Month,” Coast Guard Maritime Commons, 2 October 2017