[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
PROTECTING MARITIME FACILITIES IN THE 21ST CENTURY: ARE OUR NATION'S
PORTS AT RISK FOR A CYBER ATTACK?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
BORDER AND
MARITIME SECURITY
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
OCTOBER 8, 2015
__________
Serial No. 114-35
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
99-577 PDF WASHINGTON : 2016
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing
Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800;
DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island
Chair Brian Higgins, New York
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
Curt Clawson, Florida Bonnie Watson Coleman, New Jersey
John Katko, New York Kathleen M. Rice, New York
Will Hurd, Texas Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON BORDER AND MARITIME SECURITY
Candice S. Miller, Michigan, Chairman
Lamar Smith, Texas Filemon Vela, Texas
Mike Rogers, Alabama Loretta Sanchez, California
Jeff Duncan, South Carolina Sheila Jackson Lee, Texas
Lou Barletta, Pennsylvania Brian Higgins, New York
Will Hurd, Texas Norma J. Torres, California
Martha McSally, Arizona Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Paul L. Anstine, Subcommittee Staff Director
Deborah Jordan, Subcommittee Clerk
Alison Northrop, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable Candice S. Miller, a Representative in Congress
From the State of Michigan, and Chairman, Subcommittee on
Border and Maritime Security:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Filemon Vela, a Representative in Congress From the
State of Texas, and Ranking Member, Subcommittee on Border and
Maritime Security.............................................. 4
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement............................................. 6
Witnesses
Rear Admiral Paul F. Thomas, Assistant Commandant, Prevention
Policy, U.S. Coast Guard, U.S. Department of Homeland Security:
Oral Statement................................................. 7
Prepared Statement............................................. 8
Mr. Gregory C. Wilshusen, Director, Information Security Issues,
U.S. Government Accountability Office:
Oral Statement................................................. 11
Prepared Statement............................................. 13
Mr. Randy D. Parsons, Director, Security Services, Port of Long
Beach, California:
Oral Statement................................................. 19
Prepared Statement............................................. 20
Mr. Jonathan Sawicki, Security Improvement Program Manager, Ports
of Brownsville and Harlingen, Texas:
Oral Statement................................................. 25
Prepared Statement............................................. 26
PROTECTING MARITIME FACILITIES IN THE 21ST CENTURY: ARE OUR NATION'S
PORTS AT RISK FOR A CYBER ATTACK?
----------
Thursday, October 8, 2015
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Border and Maritime Security,
Washington, DC.
The subcommittee met, pursuant to call, at 10:02 a.m., in
Room 311, Cannon House Office Building, Hon. Candice S. Miller
[Chairman of the subcommittee] presiding.
Present: Representatives Miller, Hurd, Vela, Sanchez, and
Jackson Lee.
Also present: Representatives Donovan, Ratcliffe, and
Langevin.
Mrs. Miller. In the interest of time, we are expecting a
number of other Members, but we are going to start since we
have a hard stop today at noon.
The Committee on Homeland Security's Subcommittee on Border
and Maritime Security will come to order. The subcommittee is
meeting today to examine the cybersecurity efforts at our
Nation's ports. We are pleased today to be joined by Admiral
Paul Thomas, who is the assistant commandant for prevention
policy for the United States Coast Guard; and Mr. Gregory
Wilshusen, director of information security issues for the
Government Accountability Office; Mr. Randy Parsons, who is
director of security services for the Port of Long Beach,
California; and Mr. Jonathan Sawicki, who is the security
improvement program manager for the Ports of Harlingen and
Brownsville, Texas.
We appreciate all of our witnesses coming this morning. I
would also at this time ask unanimous consent that the
gentleman from New York, Mr. Donovan, a Member of the full
committee, be allowed to sit on the dais and participate in
today's hearing as well.
Without objection, so ordered.
We appreciate his interest in this subject.
Before we start, I think all of us certainly offer our
thoughts and prayers to the family of the 33 crew members of El
Faro, which was just a very terrible, tragic event that
certainly reminds us all of the force of Mother Nature. But the
Coast Guard men and women that went out and performed all the
services, the rescues. As it goes forward, we certainly thank
all of them for their service all the time, but there it was on
vivid display certainly.
The purpose of today's hearing is to examine the
vulnerability of seaports to cyber attacks and how well-
prepared we are to prevent and respond to such an attack.
Today, this is going to be the first Congressional hearing
really convened to examine cybersecurity at our Nation's ports,
which I think is fitting since October actually is also
National Cybersecurity Awareness Month.
The Coast Guard is the Government agency responsible for
the physical security of our Nation's port infrastructures. In
working through the Area Maritime Security Committees, the
Coast Guard partners with the port authorities and operators to
update access controls, fence off sensitive areas of the ports,
and increase surveillance, when appropriate, certainly.
Since 9/11, Congress has appropriated $2.4 billion in port
security grant funds to harden port facilities against the
potential of a terror attack. As a Nation, I think we have done
a fairly good job of updating the physical security at the
ports, but we certainly have concerns that remain about whether
or not the cybersecurity at our ports is adequate. Under the
Maritime Transportation Security Act of 2002, the Coast Guard
was granted responsibility for the protection of communication
systems, including information that flows through the maritime
transportation system. Port facilities and ship operators, like
many industries in America, are relying certainly increasingly
on automation to streamline operations.
While those kinds of innovations certainly reduce time and
lower the cost of doing business, they also carry a risk.
Terror groups, nation states, criminal organizations, hackers,
and even disgruntled employees could breach these systems with
potentially catastrophic results to the Nation's economy. More
than $1 trillion of goods, from cars to oil to corn and
everything in between move through the Nation's seaports each
and every year. Increasingly, cargo is moving through our ports
using automated industrial control systems. These systems are
controlling machinery on ports that move containers or fill
tanks and load and offload ships. I understand that the Port of
Long Beach and port partners are working toward building,
perhaps, the most automated and efficient container terminal in
the United States. So we will be looking forward to that
testimony from Mr. Parsons about that.
While this automation certainly has a lot of benefits, it
doesn't come without risks. In 2014, a major U.S. port facility
suffered a system disruption that shut down a significant
number of ship-to-shore cranes for several hours. In Europe,
drug smugglers attempted to hack into cargo tacking systems to
rearrange containers and to hide their drugs. Foreign military
is suspected of compromising several systems aboard a
commercial ship contracted by the U.S. Transportation Control.
These breaches in the maritime domain are certainly concerning
not only from an economic standpoint but because of the
dangerous cargo, such as liquified natural gas and other
certain dangerous cargo that pass through the Nation's
seaports. If a cyber breach were to occur that tampered with
the industrial control systems that monitor these cargos, it
could potentially allow the release of very, very dangerous
chemicals.
The private sector, of course, owns the ports and must
clearly protect its own interests. However, the Department of
Homeland Security has to be involved to ensure communication
between ports Nation-wide. Information sharing will undoubtedly
be part of any solution that we look to to protect our
seaports. We have to have a strategy that looks beyond
individual ports. Just as we have hardened physical security,
we need to do the same in the virtual space for systems
critical to the maritime transportation system to protect
against malicious actors.
The first step in reducing this risk is to conduct risk
assessments. The Coast Guard has not yet conducted cyber risk
assessments, though some individual ports have taken the
initiative themselves. Port security grants can certainly be a
way to help port operators make wise choices based on an
individual assessment of risk. In providing that grant funding,
however, we certainly need to understand which ports are at
risk of a cyber incident. Retooling the maritime security risk
analysis model to incorporate cyber risks is a concept worth
exploring further and incorporating it into the Port Security
Grant Program as well.
Then, finally, I think we need to better understand how the
Department of Homeland Security, through the National
Protection and Programs Directorate and the National
Cybersecurity and Communications Integration Center, interfaces
with the U.S. Coast Guard's cyber efforts. This is a very
technical field, which may or may not be outside of the
expertise of the Coast Guard inspector. So despite the exposure
for proprietary information, we are wondering whether or not
third-party validators, authorized by the Coast Guard, who
would have oversight of such a thing, could they review and
certify cybersecurity standards. So perhaps there is some merit
in looking at that model for cybersecurity. We would be
interested in pursuing that as well.
I certainly want to thank the witnesses for appearing
before us. I am going to give you a more formal introduction in
just a moment.
But the Chair now recognizes our Ranking Member of the
subcommittee, the gentleman from Texas, Mr. Vela, for any
statement that he may have.
[The statement of Chairman Miller follows:]
Statement of Chairman Candice S. Miller
Before we start, I would just like to offer my thoughts and prayers
to the family of the 33 crewmembers of the El Faro, the cargo container
ship that went missing last week near the Bahamas. I thank the men and
women of the Coast Guard for their valiant efforts to find the ship and
the missing crew.
The purpose of today's hearing is to examine the vulnerability of
seaports to cyber attacks and how well we are prepared to prevent and
respond to such an attack.
Our meeting today marks the first Congressional hearing convened to
examine cybersecurity at our Nation's ports, which is fitting since
October is also National Cybersecurity Awareness Month.
The United States Coast Guard is the Government agency responsible
for the physical security of our Nation's port infrastructure. Working
through the Area Maritime Security Committees, the Coast Guard partners
with port authorities and operators to update access controls, fence-
off sensitive areas of the ports, and increase surveillance when
appropriate.
Since the terrorist attacks of September 11, 2001, the United
States Congress has appropriated $2.4 billion dollars in port security
grant funds to harden port facilities against the potential for a
terror attack. As a Nation, we have done a fairly good job updating the
physical security at ports, but I am concerned that the U.S. Government
has fallen behind when it comes to the cybersecurity of the port.
Under the Maritime Transportation Security Act of 2002, the U.S.
Coast Guard was granted responsibility for the protection of
communication systems, including information that flows through the
Marine Transportation System. Port facilities and ship operators, like
many industries in America, increasingly rely on automation to
streamline operations. While those innovations reduce the time it takes
to stock our shelves, and lower the cost of doing business, they also
carry risk.
Terror groups, nation-states, criminal organizations, hackers and
even disgruntled employees could breach these systems--with potentially
catastrophic results to the Nation's economy.
More than $1 trillion dollars of goods, from cars to oil to corn
and everything in between move through the Nation's seaports every
year.
Increasingly, cargo is moving through our ports using automated
industrial control systems. These computer systems are controlling
machinery on ports to move containers, fill tanks and on-load and off-
load ships.
I understand that the Port of Long Beach and port partners are
working towards building perhaps the most automated and efficient
container terminal in the United States. Once completed it will reduce
wait times at the ports and increase throughput.
While this automation has substantial benefits, it does not come
without risks. In 2014, a major U.S. port facility suffered a system
disruption that shut down a significant number of ship-to-shore cranes
for several hours. In Europe, drug smugglers attempted to hack into
cargo tracking systems to rearrange containers and hide their drugs.
Similarly, a foreign military is suspected of compromising several
systems aboard a commercial ship contracted by the U.S. Transportation
Command.
These breaches in the maritime domain are particularly concerning,
not only from an economic standpoint, but because of the dangerous
cargo such as Liquefied Natural Gas, and other Certain Dangerous Cargos
that also pass through the Nation's seaports. If a cyber breach were to
occur that tampered with the industrial control systems that monitor
these cargos, it could potentially allow the release of harmful and
dangerous chemicals.
Despite the fact the GAO has placed cyber security of our Nation's
critical infrastructure on the ``High Risk'' list since 2003, the Coast
Guard, and DHS as a whole, have been slow to fully engage on
cybersecurity efforts at the Nation's 360 seaports.
The threat of cyber attack is worrisome to be sure. But when it
comes to the maritime domain and the protection of maritime critical
infrastructure, who is really in charge?
The private sector owns the ports, and must clearly protect its own
interests. However, the Department of Homeland Security must be
involved to ensure communication between ports Nation-wide. Information
sharing will undoubtedly be part of any solution as we look to protect
our seaports and we must have a strategy that looks beyond individual
ports.
Just as we have hardened physical security, we need to do the same
in the virtual space for systems critical to the marine transportation
system to protect against malicious actors. The first step in reducing
this risk is to conduct risk assessments. The Coast Guard has not yet
conducted cyber risk assessments, though some individual ports have
taken the initiative themselves.
Port security grants can be a way to help port operators make wise
choices based on an individual assessment of risk. In providing grant
funding, however, we must understand which ports are at risk of a cyber
incident. Retooling the Maritime Security Risk Analysis Model to
incorporate cyber risks is a concept worth exploring further and
incorporating into the port security grant program.
Finally, I want to better understand how DHS, through the National
Protection and Programs Directorate (NPPD) and the National
Cybersecurity and Communication Integration Center, interfaces with the
U.S. Coast Guard's cyber efforts.
We are all aware that the Government moves slowly and this can
cause us to quickly fall behind, especially in an area like cyber that
moves rapidly.
With that in mind, should the Coast Guard's role in cyber be
limited to oversight and prevention rather than the creation of
standards?
This is a very technical field which may be outside the expertise
of a Coast Guard Inspector. Therefore, despite the exposure to
proprietary information, could third-party validators, authorized by
the Coast Guard, review and certify cybersecurity standards? I think
there is merit in looking at that model for cybersecurity and would be
interested in hearing from the witnesses on that topic.
I thank the witnesses for appearing before us today and look
forward to their testimony.
Mr. Vela. Chairman Miller, thank you for holding today's
hearing to discuss the threat of cyber attack at ports and what
the U.S. Coast Guard and the Department of Homeland Security
are doing with private and public partners to protect maritime
critical infrastructure against such attacks. I thank all our
witnesses for being with us here today.
Since the Coast Guard is responsible for the security of
our Nation's ports, entities both in the private sector and in
local and State government rely on the service's leadership
when doing their part to mitigate risks at our ports. As
Ranking Member of the subcommittee and as a Member representing
a district along the Gulf of Mexico, I have an interest in port
security issues and recognize the unique challenges each port
faces.
Texas' District 34 includes four maritime ports--the Port
of Brownsville, the Port of Harlingen, Port Isabel, and Port
Mansfield--and is adjacent to the Port of Corpus Christi, which
is represented by Congressman Farenthold. Each of these ports
has its own set of characteristics, managing various volumes
and types of cargo and other commercial traffic. One of the
differences is, for example, the Port of Brownsville and the
Port of Harlingen are about 17 miles inland whereas the port of
Corpus Christi is right adjacent to a city of 300,000 people. I
have met with the chief of police at the Port of Corpus
Christi. I know he has some concerns about some of the
vulnerabilities there. I look forward to hearing about that. As
with other ports, facilitating the flow of commerce must be
judiciously balanced with measures required to keep our ports
secure. As in my district, many of our Nation's ports are
closely linked to other vital transportation networks and
critical infrastructure which often lead to major metropolitan
areas.
Traditionally, our focus has been on the physical security
of these ports. Today, we will discuss an important element
that is growing and rapidly evolving, the use of technology at
ports and the security risks posed by our increased reliance on
these automated and networked systems. There is no question
that technology can enhance the operations and security of
seaports which, in turn, helps boost economies through the
import and export of goods. This technology also adds an
additional level of risk that we must better understand and
mitigate.
Though this subcommittee does not typically discuss
cybersecurity, it is important that we understand the Federal
Government's role in this important port security issue. Last
June, the Government Accountability Office issued a report on
cybersecurity at ports. Its findings highlighted several
actions the Coast Guard and DHS as a whole should take in order
to better prepare for and ideally prevent cyber attacks on
systems used at seaports. In June, the Coast Guard published
their cyber strategy, which discussed the need to include
cybersecurity as an element of security regimes for maritime
critical infrastructure. Today, I hope to better understand how
the GAO's findings influenced Coast Guard cyber strategy and
how it will help inform implementation of the strategy.
I would like to learn more about how the Coast Guard is
developing guidance and standards that will address safety and
security concerns while being sufficiently flexible for ports
around the country. There are no one-size-fits-all solutions.
What works in Long Beach may well not work best for
Brownsville, for example. I also hope to hear directly from our
port witnesses today about how ports of different types and
sizes are addressing cybersecurity and what more the Coast
Guard, DHS, and Congress can do to support your efforts.
I am hopeful that today's hearing will broaden the
subcommittee's understanding of the emerging risks related to
technology at our ports.
With that, Madam Chairman, I yield back the balance of my
time.
Mrs. Miller. I thank the gentleman very much. Members are
reminded that additional statements may be submitted for the
record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
October 8, 2015
The Committee on Homeland Security has long been engaged on the
issues of cybersecurity, port security, and critical infrastructure
protection. This hearing brings those critical issues together by
focusing on cybersecurity at America's ports.
A 2014 Government Accountability Office (GAO) report found that
actions taken by the Department of Homeland Security (DHS) and other
Federal agencies to address cybersecurity in the maritime port
environment have been limited. So much of the focus has been on
improving the physical security at ports that cybersecurity at ports,
an emerging threat, has been secondary.
In recent years, cyber technology has helped promote efficient port
operations and enhanced security. But these benefits come with risks to
the Maritime Transportation System. For example, in 2013, officials at
Europol disclosed that a group of drug traffickers recruited hackers to
breach information technology systems at the Port of Antwerp to smuggle
container loads of cocaine.
Our cargo security programs are predicated on electronic
transmission of manifest data, underscoring the potential risk of such
cyber breaches not just from drug smugglers, but also other criminals
and even terrorists. Requiring the Coast Guard to complete a cyber risk
assessment and ensure that cyber risks are addressed in maritime
security plans, as recommended by GAO, is a good first step toward
reducing cyber vulnerabilities at ports.
Similarly, allowing Port Security Grant Program funds to be used
for cybersecurity, and ensuring the funds are used effectively, is a
step in the right direction. The Coast Guard's June 2015 Cyber Strategy
presents cyber space as another operational domain for the Service, and
sets forth three strategic priorities: Defending cyber space, enabling
operations, and protecting infrastructure.
I look forward to hearing from the Coast Guard today about how they
intend to implement this Strategy, with the help of other Government
and private-sector stakeholders. I also want to hear from GAO about
what more can be done by DHS and the Coast Guard in this domain, as
Coast Guard implements its strategy.
Finally, I want to discuss with the ports how we can support their
cybersecurity efforts, recognizing that each port is different and no
single solution is likely to be appropriate for all. Certainly,
providing ports and other stakeholders, like terminal operators and
transportation companies, with the appropriate guidance and expertise
will be essential. Adequate resources are also going to be necessary to
address cybersecurity risks at ports, and Congress must provide those
resources and help ensure they are used wisely.
Mrs. Miller. Again, we are pleased to be joined by four
very distinguished witnesses today to discuss this very
important topic. In way of a more formal introduction, Rear
Admiral Paul Thomas serves as the assistant commandant for
prevention policy in the United States Coast Guard. In this
role, Admiral Thomas oversees three Coast Guard directorates:
Inspections and Compliance; Marine Transportation Systems; and
Commercial Regulations and Standards. In addition to his
assignment at the Coast Guard headquarters here in Washington,
Admiral Thomas has also served in San Francisco, Port
Canaveral, Florida, and Galveston, Texas.
Mr. Gregory Wilshusen is the director of information
security issues at GAO, where he leads cybersecurity and
privacy-related studies and audits of the Federal Government
and critical infrastructure. He has over 30 years of auditing,
financial management, and information systems experience,
having served at the Department of Education before joining the
GAO in 1997.
Mr. Randy Parsons is the director of security services for
the Port of Long Beach, California, the Nation's second-busiest
seaport, a position that he has held since the fall of 2012.
Mr. Parsons oversees more than 80 security personnel, including
harbor patrol officers. He directs the homeland security
program for the 3,000-acre port complex, including 24-hour
patrol, antiterrorism programs, and security coverage. He has a
long history of public service, which includes time with the
FBI and at TSA. Mr. Jonathan Sawicki is the security
improvement program manager for the Ports of Brownsville and
Harlingen, Texas, where since 2008, he has assisted in the
development of port-wide security strategic risk management
plans, including a TWIC card reader deployment program at the
Port of Brownsville.
So their full written statements will appear in the record.
The Chair now recognizes Admiral Thomas for his testimony.
Thank you, sir.
STATEMENT OF REAR ADMIRAL PAUL F. THOMAS, ASSISTANT COMMANDANT,
PREVENTION POLICY, U.S. COAST GUARD, U.S. DEPARTMENT OF
HOMELAND SECURITY
Admiral Thomas. Thank you, Madam Chairman. Good morning.
Good morning to the distinguished Members of the committee.
Thank you for your continued strong support of the Coast Guard
and for this opportunity to talk about the very important,
relevant, and timely topic of cyber in the maritime sector.
Madam Chairman, if I may, before we begin this morning,
join you in offering, on behalf of all the men and women of the
Coast Guard, our deepest condolences to the families of the 33
souls that were lost aboard El Faro last week. As mariners and
maritime professionals, we know only too well the perils that
all those who serve our Nation at sea face. We felt the loss of
El Faro very deeply.
Madam Chairman, as has already been mentioned, the Coast
Guard recently released our cyber strategy. That strategy
recognizes that cyber does not represent a new mission for the
Coast Guard but is, in fact, a domain in which we must be able
to operate effectively in order to conduct all of our missions,
including our response and our prevention missions. In that
sense, the Coast Guard authorities, responsibilities, roles,
and missions naturally extend into cyber space. The cyber
strategy identifies three priorities for our service: Defending
our own cyber space, enabling Coast Guard operations, and
protecting critical maritime infrastructure.
It is this third priority that falls within my purview and
the Coast Guard and which I understand is of most interest to
this committee today. The Coast Guard is really well-suited to
take a leadership role in addressing cyber risks to maritime
critical infrastructure as part of the larger interagency
effort led by the Department of Homeland Security and in
conjunction with maritime stakeholders. The Coast Guard, as has
already been mentioned, has a long history of working with port
partners across the interagency to mitigate safety, security,
and environmental risks to U.S. ports. We will take the same
approach in the cyber domain. The Coast Guard is the sector-
specific agency for maritime transportation under the National
Infrastructure Protection Plan. Whether the initiating event
occurs in cyber space or in a physical domain, the Coast Guard
already has broad authority and responsibility under the
Maritime Transportation Security Act to prevent transportation
security incidents. We have similar authority and
responsibility under a number of statutes to prevent accidents
and incidents that may damage people, property, or the
environment. We have an existing regulatory structure that
requires regulated industry to assess safety, security, and
environmental risks, and to address those risks.
The Coast Guard has already undertaken significant effort
within the interagency, industry, academia, and with our
international partners to assess and understand cyber risk in a
maritime transportation system. In the course of this work, we
have leveraged the expertise that exists at the Department of
Homeland Security, the Department of Energy, the Department of
Defense, the National Institute for Standards and Technology to
many others. Our ultimate goal is to incorporate cyber risk
management into the existing safety and security regimes that
have served the maritime industry and the American public so
well for so long. Of course, in doing so, we will remain
focused, as we always have, on risk-based performance standards
that provide flexible, layered protection against cyber risks
while allowing the benefits of cyber-enabled operations in the
MTS.
There is no doubt, it has been mentioned, cyber
capabilities that make our transportation systems more
effective, efficient, productive, and environmentally friendly
also introduce operational risks that now have to be managed
effectively. We have already seen incidents in the maritime
transportation system that have resulted in physical
consequences or significant near misses. In some cases, it
would appear that these were intentional actions, perhaps by
actors with malicious intent. But in other cases, they were
clearly accidents caused by improper use or maintenance of
cyber systems. That is why cyber is both a safety and a
security issue. That is why the Coast Guard is holistically
addressing cyber risk management as just that, a risk
management challenge. Thank you for your time and attention. I
look forward to hearing from the rest of the panelists and to
further discussion.
[The prepared statement of Admiral Thomas follows:]
Prepared Statement of Paul F. Thomas
October 8, 2015
introduction
Good morning Madam Chairman and distinguished Members of the
committee. I am honored to be here to discuss cybersecurity in U.S.
ports. I will focus my comments in three areas. The first is to
recognize the importance of cybersecurity and then explain cyber safety
concerns, which emphasize the need to view this issue as a ``cyber risk
management'' challenge. The second is to explain the need for an
approach that emphasizes the essential role and responsibilities of
maritime industry partners. The third is to outline what we have
achieved and propose a way forward.
The Coast Guard has a long history of working with port partners to
mitigate safety, security, and environmental risks to U.S. ports and
maritime critical infrastructure. Since our founding in 1790, we have
patrolled in the Nation's ports and waterways to prevent and respond to
major threats and hazards. Since Congress established the Steamboat
Inspection Service in 1852, Coast Guard prevention authorities have
evolved alongside emerging threats and changing port infrastructure.
The Coast Guard established Captains of the Port to execute these
authorities and work with our partners to prepare our ports for natural
disasters, accidents, and deliberate acts.
Over time, the Coast Guard and the maritime industry have
cooperated to address the risks associated with new threats and
technologies. Security threats have evolved from coastal piracy to
complex smuggling operations, transnational organized crime, and
terrorism. Safety risks have likewise evolved as merchant shipping
progressed from sailing ships to ships driven by coal-fired steam
boilers, to diesel engines and most recently to liquefied natural gas.
Waterfront operations evolved from break bulk cargos to
containerization, with sophisticated systems now controlling the
movement and tracking of containerized and liquid cargos.
The Coast Guard's recently-developed Cyber Strategy proposes three
strategic priorities for the service--defending our own cyber space,
enabling Coast Guard operations, and protecting maritime critical
infrastructure. Cybersecurity in U.S. ports is a key goal of this
strategy.
cyber risks and the marine transportation system
Similar to other sectors, emerging cyber threats in the port
environment are diverse and complex. Cyber risks manifest themselves as
both safety and security concerns. As such, the Coast Guard is
emphasizing the term ``cyber risk management,'' which also addresses
how much the maritime transportation system (MTS) relies on information
technology systems to connect to the global supply chain. Vessel and
facility operators use computers and cyber-dependent systems for
navigation, communications, engineering, cargo, ballast, safety,
environmental control, and emergency systems such as security
monitoring, fire detection, and alarm systems. Collectively these
systems enable the MTS to operate with an impressive record of
efficiency and reliability.
While these information technology systems create benefits, they
also introduce potential risks. Exploitation, misuse, or simple failure
of information technology systems can cause injury or death, harm the
marine environment, or disrupt vital trade activity.
Outside the United States, cyber-related incidents among technology
systems have been reported ranging from container terminal operations
ashore to offshore platform stability and dynamic positioning for
offshore supply vessels. While in some cases criminals may have been
the source of these events, others have been the result of non-targeted
malware or relatively unsophisticated insider threats. Even legitimate
functions, such as remotely-driven software updates, can disable vital
systems if done at the wrong time or under the wrong conditions.
In one well-publicized event, organized crime exploited a European
container terminal's cargo tracking system to facilitate drug
smuggling. Cargo control is also one of the requirements of the Coast
Guard's Maritime Transportation Security Act (MTSA) regulations, and we
are well aware that such an incident, or one even more serious, might
occur in the United States.
``Cyber risk management'' also has safety implications. We are
aware of incidents in which software problems led to the failure of
dynamic positioning or navigation systems. These were not due to
targeted attacks, but malware that migrated to vital systems through
poor information technology practices.
As port facilities and vessels continue to incorporate information
technology systems into their operations, the Coast Guard must adapt
its regulatory regime accordingly. Regardless of whether an incident is
a cyber attack, or a cyber accident, we must recognize the potential
consequences to mariners, port workers, the public, and the marine
environment. With approximately 360 sea and river ports that handle
more than $1.3 trillion in annual cargo, our Nation is critically
dependent on a safe, secure, and efficient MTS.
unity of effort--partnerships, learning, and coordination
The Coast Guard is working closely with the Department of Homeland
Security (DHS) and other Government agencies to help the maritime
industry identify their cyber risks.
This past March, the Coast Guard sponsored a seminar at the DHS
Center of Excellence at Rutgers University on maritime cyber risks. We
held a similar event at the Coast Guard Academy, and a follow-up at the
California Maritime Academy to address specific cyber research
questions. Each of these events included a broad range of cyber
practitioners from industry, Government, and academia.
In another effort, the Coast Guard Research and Development Center
(supported by DHS S&T/Cyber Security Division) recently evaluated cyber
vulnerabilities associated with wireless access to maritime critical
infrastructure at certain U.S. ports. The preliminary results indicate
significant vulnerabilities. While this study is relatively narrow in
scope, the Coast Guard is continuing to evaluate the broad range of
cyber risks in the maritime domain.
The Coast Guard has also partnered with various groups to evaluate
and address cyber risks more systematically. Working with the American
Association of Port Authorities and the National Institute of Standards
and Technology (NIST), we are developing a cyber risk profile for bulk
liquid terminals--such as those that transfer oil, gasoline, and liquid
hazardous materials.
Another area with potentially significant consequences is the
offshore oil and natural gas industry. This industry relies on
information technology systems for a wide variety of functions--from
the dynamic positioning systems that allow for precise navigation
control, even in heavy wind and sea conditions, to real-time monitoring
of drilling and production activity. Along with senior representatives
from industry, the Department of Energy, and DHS, I recently attended a
meeting of the Energy Sector Coordinating Committee in Houston. The
exclusive purpose of this meeting was to discuss cyber risks. While the
potential threats to this industry could be serious, I was very pleased
with the cooperation and realistic approach that the participants
expressed. As part of a related effort, the Coast Guard is working with
the National Offshore Safety Advisory Committee to address cyber risks
in the offshore industry.
Our work with other agencies, advisory bodies, and institutions has
helped us identify the standards and best practices that can reduce
risk. The Coast Guard is a strong advocate for using effective
cybersecurity tools, guidelines, and sources of information. These
include the Cybersecurity Framework developed by the NIST, the Cyber
Capability Maturity Model developed by the Department of Energy, and
the services provided by DHS's Computer Emergency Response Team (CERT),
among others.
international considerations
Cyber risks are an inherently global issue, and cooperation with
international partners is an important part of our strategy. Covert
electronic surveillance by foreign ships visiting our ports is a long-
standing security concern, and cyber technology certainly provides new
avenues for such activity. Sound cyber practices by marine terminals
can help minimize the likelihood that they might become victims of such
activity, or of less nefarious activity that might still impact their
business or operations.
Failure to follow sound cyber practices may create as much risk as
not conducting proper equipment maintenance or adequate crew training
for conventional shipboard emergencies. Accordingly, the Coast Guard is
working within the International Maritime Organization to incorporate
cyber risks into Safety Management System requirements, as well as the
International Ship and Port Facility Security (ISPS) Code. While this
is a deliberate and lengthy process, we have strong support from
several nations, including Canada, South Korea, and Japan.
coast guard activities to address cyber risks in the marine
transportation system
The Coast Guard is and has been working to address cyber risks in
the Marine Transportation System. In 2012, we directed all of our Area
Maritime Security Committees (AMSC) to consider cyber issues alongside
more conventional risks as they evaluated potential security risks to
their ports. Required by the MTSA, AMSCs are public-private
partnerships that are chaired by the local Captain of the Port. All
port stakeholders are represented at their local AMSC, including
representatives from the Federal, State, and local government, as well
as private industry and labor.
Across the country, AMSCs have established cyber subcommittees,
evaluated cybersecurity risks, held cyber-related exercises, and
assisted in the evaluation of port security grant funding, including
grants directed specifically at cybersecurity vulnerabilities. AMSCs
also serve as a forum to share best practices across Government and
industry, such as the FBI's InfraGard program.
Because no amount of effort can guarantee that a cyber incident
will not occur, the management of cyber risk demands a significant
resilience and recovery aspect. AMSCs include a recovery annex to their
Area Maritime Security Plans and these annexes are well-suited to
include cyber events as an element in port contingency planning. If or
when there is a cyber incident in any given port area, our collective
goal must be to continue safe and secure operations with minimal
disruptions.
current challenges and future plans
The Coast Guard has made considerable progress in improving our own
understanding of cyber risks, as well as improving cyber preparedness
in ports and across the maritime industry. Despite these
accomplishments, we know that significant work remains.
Our ultimate goal is to incorporate cyber risk management into the
existing safety and security regimes that have served the industry, the
Coast Guard, and the public so well, for so long. This past January, we
held a public meeting to solicit suggestions on how to best accomplish
this goal. We will continue to engage with industry and the public as
we proceed.
The complexity of cyber technology, and the fast pace of change,
suggest that any requirements will need to be risk- and performance-
based. That is, rather than mandate a specific technical solution, the
Coast Guard believes that facility and vessel operators should identify
and evaluate the vulnerabilities and consequences associated with their
cyber systems, and put in place an appropriate suite of mitigating
measures sufficient to achieve an acceptable level of security. This
approach has served the industry and public well in conventional safety
and security risks. Our challenge is to devise a methodology suited to
the nuances of cyber risk. Of course it must produce meaningful results
in a way that the vessel or facility operators can demonstrate an
acceptable level of security to the Coast Guard and other interested
parties.
In addition to policy development, we recognize the need to develop
our own workforce and take other measures to ensure we have the
capacity and skills necessary to carry out those policies. The Coast
Guard Cyber Strategy identifies several factors to this end, including
training, education, organizational structure, and partnerships.
In addressing cyber risks to ports and other aspects of the
maritime industry, our commitment is to address those risks with the
same level of professionalism, efficiency, and effectiveness that the
public has come to expect. The Coast Guard will continue to adapt, as
it has done over the last two centuries, to the challenges and
opportunities that accompany technological advancements in our
operating environment.
Thank you for the opportunity to testify today, and thank you for
your continued support of the United States Coast Guard. I am pleased
to answer your questions.
Mrs. Miller. Thank you very much.
The Chair now recognizes Mr. Wilshusen for his testimony.
STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION
SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairman Miller, Ranking Member Vela, and
Members of the subcommittee, thank you for inviting me to
testify today at today's hearing on cybersecurity risks facing
our Nation's maritime facilities.
As you know, maritime ports are an essential part of the
United States transportation critical infrastructure and handle
more than $1.3 trillion of cargo each year. A major disruption
in the maritime transportation system could have a significant
impact on global shipping, international trade, and our
National economy.
Today I will summarize GAO's report on maritime port
cybersecurity that we issued back in June 2014. The report
addresses cyber-related threats facing our Nation's ports and
the steps the U.S. Coast Guard and other stakeholders had taken
to address cyber risks. But before I began, Madam Chairman, if
I may, I would like to recognize several teammates who were
instrumental in developing my statement and conducting the work
underpinning it. Mike Gilmore, who is with me today, is an
assistant director and led this engagement; along with Brad
Becker; and Kush Malhotra. Lee McCracken, Jennifer Bryant, and
Scott Pettis also made significant contributions to this
effort.
Madam Chairman, our Nation and its ports face an evolving
array of cyber-based threats. The increasing dependence of port
activities on computerized information and communication
systems to manage the movement of cargo makes them vulnerable
to many of the same threats facing other cyber-reliant critical
infrastructure. These threats include both targeted and
untargeted exploits from a variety of sources, including
criminal groups, nation-states, and state-sponsored entities,
and disgruntled insiders. By exploiting vulnerabilities in
information and communication technology supporting port
operations, cyber adversaries can potentially disrupt the flow
of commerce, endanger public safety, and facilitate the theft
of valuable cargo.
In June 2014, we reported that the Coast Guard and other
stakeholders had taken limited steps to address cybersecurity
at selected ports. Specifically, the Coast Guard had not
included cyber-related risks in its 2012 biannual assessment of
risk to the maritime environment. Maritime security plans
required by law and regulation generally contained very limited
information on cyber threats and vulnerabilities because the
guidance issued by the Coast Guard did not require cyber
elements to be addressed.
In addition, the Coast Guard helped to establish
information-sharing mechanisms. But one of them, a maritime
sector coordinating council comprised of private-sector
stakeholders, disbanded in 2011, eliminating a National-level
forum for sharing and coordinating information on port
security. We also reported that the Federal Emergency
Management Agency, or FEMA, identified enhancing cybersecurity
capabilities as a priority for its Port Security Grant program.
However, its grant review process was not informed by Coast
Guard cybersecurity expertise, thereby increasing the risks
that the grants were not allocated to projects that would
effectively enhance port security.
In our 2014 report, we recommended that the Coast Guard
include cyber risks in its updated risk assessment for the
maritime environment, address cyber risks in its guidance for
maritime security plans, and consider reestablishing the sector
coordinating council. We also recommended that FEMA ensure
funding decisions for its Port Security Grant Program are
informed by cybersecurity expertise and a comprehensive risk
assessment.
DHS concurred with our recommendations. Since our report
was issued in 2014, the Coast Guard and FEMA have taken actions
to partially implement two of our recommendations. In summary,
protecting our maritime ports from cyber-based threats is of
increasing importance. While the Coast Guard and FEMA have
taken steps, more needs to be done to ensure that the Federal
and non-Federal stakeholders are working together effectively
to mitigate these threats. Fully implementing our
recommendations will help the Coast Guard and FEMA achieve
this.
Chairman Miller, Ranking Member Vela, and Members of this
committee, this concludes my opening statement. I would be
happy to answer your questions.
[The prepared statement of Mr. Wilshusen follows:]
Prepared Statement of Gregory C. Wilshusen
October 8, 2015
gao highlights
Highlights of GAO-16-116T, a testimony before the Subcommittee on
Border and Maritime Security, Committee on Homeland Security, House of
Representatives.
Why GAO Did This Study
The Nation's maritime ports handle more than $1.3 trillion in cargo
each year: A disruption at one of these ports could have a significant
economic impact. Increasingly, port operations rely on computerized
information and communications technologies, which can be vulnerable to
cyber-based attacks. Federal entities, including DHS's Coast Guard and
FEMA, have responsibilities for protecting ports against cyber-related
threats. GAO has designated the protection of Federal information
systems as a Government-wide high-risk area since 1997, and in 2003
expanded this to include systems supporting the Nation's critical
infrastructure.
This statement addresses: (1) Cyber-related threats facing the
maritime port environment and (2) steps DHS has taken to address
cybersecurity in that environment. In preparing this statement, GAO
relied on work supporting its June 2014 report on cybersecurity at
ports. (GAO-14-459)
What GAO Recommends
In its June 2014 report on port cybersecurity, GAO recommended that
the Coast Guard include cyber risks in its updated risk assessment for
the maritime environment, address cyber risks in its guidance for port
security plans, and consider reestablishing the sector coordinating
council. GAO also recommended that FEMA ensure funding decisions for
its port security grant program are informed by subject-matter
expertise and a comprehensive risk assessment. DHS has partially
addressed two of these recommendations since GAO's report was issued.
maritime critical infrastructure protection.--dhs needs to enhance
efforts to address port cybersecurity
What GAO Found
Similar to other critical infrastructures, the Nation's ports face
an evolving array of cyber-based threats. These can come from insiders,
criminals, terrorists, or other hostile sources and may employ a
variety of techniques or exploits, such as denial-of-service attacks
and malicious software. By exploiting vulnerabilities in information
and communications technologies supporting port operations, cyber
attacks can potentially disrupt the flow of commerce, endanger public
safety, and facilitate the theft of valuable cargo.
In its June 2014 report, GAO determined that the Department of
Homeland Security (DHS) and other stakeholders had taken limited steps
to address cybersecurity in the maritime environment. Specifically:
DHS's Coast Guard had not included cyber-related risks in
its biennial assessment of risks to the maritime environment,
as called for by Federal policy. Specifically, the inputs into
the 2012 risk assessment did not include cyber-related threats
and vulnerabilities. Officials stated that they planned to
address this gap in the 2014 revision of the assessment.
However, when GAO recently reviewed the updated risk
assessment, it noted that the assessments did not identify
vulnerabilities of cyber-related assets, although it identified
some cyber threats and their potential impacts.
The Coast Guard also did not address cyber-related risks in
its guidance for developing port area and port facility
security plans. As a result, port and facility security plans
that GAO reviewed generally did not include cyber threats or
vulnerabilities. While Coast Guard officials noted that they
planned to update the security plan guidance to include cyber-
related elements, without a comprehensive risk assessment for
the maritime environment, the plans may not address all
relevant cyber threats and vulnerabilities.
The Coast Guard had helped to establish information-sharing
mechanisms called for by Federal policy, including a sector
coordinating council, made up of private-sector stakeholders,
and a Government coordinating council, with representation from
relevant Federal agencies. However, these bodies shared
cybersecurity-related information to a limited extent, and the
sector coordinating council was disbanded in 2011. Thus,
maritime stakeholders lacked a National-level forum for
information sharing and coordination.
DHS's Federal Emergency Management Agency (FEMA) identified
enhancing cybersecurity capabilities as a priority for its port
security grant program, which is to defray the costs of
implementing security measures. However, FEMA's grant review
process was not informed by Coast Guard cybersecurity subject-
matter expertise or a comprehensive assessment of cyber-related
risks for the port environment. Consequently, there was an
increased risk that grants were not allocated to projects that
would most effectively enhance security at the Nation's ports.
GAO concluded that until DHS and other stakeholders take additional
steps to address cybersecurity in the maritime environment--
particularly by conducting a comprehensive risk assessment that
includes cyber threats, vulnerabilities, and potential impacts--their
efforts to help secure the maritime environment may be hindered. This
in turn could increase the risk of a cyber-based disruption with
potentially serious consequences.
Chairman Miller, Ranking Member Vela, and Members of the
Subcommittee: Thank you for inviting me to testify at today's hearing
on the risks of cyber attacks facing our Nation's maritime facilities.
As you know, maritime ports are an essential part of the United States'
transportation critical infrastructure. They are an economic engine
that handles more than $1.3 trillion in cargo each year. A major
disruption in the maritime transportation system could have a
significant impact on global shipping, international trade, and the
global economy, as well as posing risks to public safety. This risk is
heightened by ports' dependence on computer-reliant information and
communication systems that may be vulnerable to cyber threats from
various actors with malicious intent. Because of the increasing
prevalence of cyber threats, since 1997 we have designated Federal
information security as a Government-wide high-risk area, and in 2003
we expanded this to include the protection of systems supporting our
Nation's critical infrastructure.\1\
---------------------------------------------------------------------------
\1\ GAO's biennial high-risk list identifies Government programs
that have greater vulnerability to fraud, waste, abuse, and
mismanagement or need to address challenges to economy, efficiency, or
effectiveness. See most recently, GAO, High-Risk Series: An Update,
GAO-15-290 (Washington, DC: Feb. 11, 2015).
---------------------------------------------------------------------------
In my statement today, I will summarize the results of a report we
issued in June 2014 on the extent to which the Department of Homeland
Security (DHS) and other stakeholders have addressed cybersecurity in
the maritime port environment.\2\ Specifically, I will discuss: (1)
Cyber-related threats facing the maritime port environment and (2)
steps DHS and other stakeholders have taken to address cyber risks in
the maritime environment, as well as provide updates on actions DHS has
taken to implement recommendations we made in our report. More detailed
information on our objective, scope, and methodology for that work can
be found in the issued report.
---------------------------------------------------------------------------
\2\ GAO, Maritime Critical Infrastructure Protection: DHS Needs to
Better Address Port Cybersecurity, GAO-14-459 (Washington, DC: June 5,
2014).
---------------------------------------------------------------------------
The work on which this testimony is based was conducted in
accordance with generally-accepted Government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe that
the evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
background
The United States has approximately 360 commercial sea and river
ports that handle more than $1.3 trillion in cargo annually. A wide
variety of goods travels through these ports each day--including
automobiles, grain, and millions of cargo containers. While no two
ports are exactly alike, many share certain characteristics such as
their size, proximity to a metropolitan area, the volume of cargo they
process, and connections to complex transportation networks. These
characteristics can make them vulnerable to physical security threats.
Moreover, entities within the maritime port environment are
vulnerable to cyber-based threats because they rely on various types of
information and communications technologies to manage the movement of
cargo throughout the ports. These technologies include:
terminal operating systems, which are information systems
used to, among other things, control container movements and
storage;
industrial control systems, which facilitate the movement of
goods using conveyor belts or pipelines to structures such as
refineries, processing plants, and storage tanks;
business operations systems, such as e-mail and file
servers, enterprise resources planning systems, networking
equipment, phones, and fax machines, which support the business
operations of the terminal; and
access control and monitoring systems, such as camera
surveillance systems and electronically-enabled physical access
control devices, which support a port's physical security and
protect sensitive areas.
All of these systems are potentially vulnerable to cyber-based
attacks and other threats, which could disrupt operations at a port.
Federal Policies and Laws Establish Requirements and Responsibilities
for Protecting Maritime Critical Infrastructure
While port owners and operators are responsible for the
cybersecurity of their operations, Federal agencies have specific roles
and responsibilities for supporting these efforts. The National
Infrastructure Protection Plan (NIPP) establishes a risk management
framework to address the risks posed by cyber, human, and physical
elements of critical infrastructure. It details the roles and
responsibilities of DHS in protecting the Nation's critical
infrastructures; identifies agencies that have lead responsibility for
coordinating with Federally-designated critical infrastructure sectors
(maritime is a component of one of these sectors--the transportation
sector); and specifies how other Federal, State, regional, local,
Tribal, territorial, and private-sector stakeholders should use risk-
management principles to prioritize protection activities within and
across sectors.
The NIPP establishes a framework for operating and sharing
information across and between Federal and non-Federal stakeholders
within each sector. These coordination activities are carried out
through sector-coordinating councils and Government-coordinating
councils. Further, under the NIPP, each critical infrastructure sector
is to develop a sector-specific plan that details the application of
the NIPP risk management framework to the sector. As the sector-
specific agency for the maritime mode of the transportation sector, the
Coast Guard is to coordinate protective programs and resilience
strategies for the maritime environment.
Further, Executive Order 13636, issued in February 2013, calls for
various actions to improve the cybersecurity of critical
infrastructure.\3\ These include developing a cybersecurity framework;
increasing the volume, timeliness, and quality of cyber threat
information shared with the U.S. private sector; considering
prioritized actions within each sector to promote cybersecurity; and
identifying critical infrastructure for which a cyber incident could
have a catastrophic impact.
---------------------------------------------------------------------------
\3\ Exec. Order No. 13,636, 78 Fed. Reg. 11,739 (Feb. 19, 2013).
---------------------------------------------------------------------------
More recently, the Cybersecurity Enhancement Act of 2014 \4\
further refined public-private collaboration on critical infrastructure
cybersecurity by authorizing the National Institute of Standards and
Technology to facilitate and support the development of a voluntary set
of standards, guidelines, methodologies, and procedures to cost-
effectively reduce cyber risks to critical infrastructure.
---------------------------------------------------------------------------
\4\ Pub. L. No. 113-274 (Dec. 18, 2014).
---------------------------------------------------------------------------
In addition to these cyber-related policies and law, there are laws
and regulations governing maritime security. One of the primary laws is
the Maritime Transportation Security Act of 2002 (MTSA) \5\ which,
along with its implementing regulations developed by the Coast Guard,
requires a wide range of security improvements for the Nation's ports,
waterways, and coastal areas. DHS is the lead agency for implementing
the act's provisions, and DHS component agencies, including the Coast
Guard and the Federal Emergency Management Agency (FEMA), have specific
responsibilities for implementing the act.
---------------------------------------------------------------------------
\5\ Pub. L. No. 107-295 (Nov. 25, 2002).
---------------------------------------------------------------------------
To carry out its responsibilities for the security of geographic
areas around ports, the Coast Guard has designated a captain of the
port within each of 43 geographically-defined port areas. The captain
of the port is responsible for overseeing the development of the
security plans within each of these port areas. In addition, maritime
security committees, made up of key stakeholders, are to identify
critical port infrastructure and risks to the port areas, develop
mitigation strategies for these risks, and communicate appropriate
security information to port stakeholders. As part of their duties,
these committees are to assist the Coast Guard in developing port area
maritime security plans. The Coast Guard is to develop a risk-based
security assessment during the development of the port area maritime
security plans that considers, among other things, radio and
telecommunications systems, including computer systems and networks
that may, if damaged, pose a risk to people, infrastructure, or
operations within the port.
In addition, under MTSA, owners and operators of individual port
facilities are required to develop facility security plans to prepare
certain maritime facilities, such as container terminals and chemical
processing plants, for deterring a transportation security incident.
The implementing regulations for these facility security plans require
written security assessment reports to be included with the plans that,
among other things, contain an analysis that considers measures to
protect radio and telecommunications equipment, including computer
systems and networks.
MTSA also codified the Port Security Grant Program, which is to
help defray the costs of implementing security measures at domestic
ports. Port areas use funding from this program to improve port-wide
risk management, enhance maritime domain awareness, and improve port
recovery and resilience efforts through developing security plans,
purchasing security equipment, and providing security training to
employees. FEMA is responsible for administering this program with
input from Coast Guard subject-matter experts.
the nation and its ports face an evolving array of cyber-based threats
Like threats affecting other critical infrastructures, threats to
the maritime IT infrastructure are evolving and growing and can come
from a wide array of sources. Risks to cyber-based assets can originate
from unintentional or intentional threats. Unintentional threats can be
caused by, among other things, natural disasters, defective computer or
network equipment, software coding errors, and careless or poorly-
trained employees. Intentional threats include both targeted and
untargeted attacks from a variety of sources, including criminal
groups, hackers, disgruntled insiders, foreign nations engaged in
espionage and information warfare, and terrorists.
These adversaries vary in terms of their capabilities, willingness
to act, and motives, which can include seeking monetary gain or
pursuing a political, economic, or military advantage. For example,
adversaries possessing sophisticated levels of expertise and
significant resources to pursue their objectives--sometimes referred to
as ``advanced persistent threats''--pose increasing risks. They make
use of various techniques--or exploits--that may adversely affect
Federal information, computers, software, networks, and operations,
such as a denial of service, which prevents or impairs the authorized
use of networks, systems, or applications.
Reported incidents highlight the impact that cyber attacks could
have on the maritime environment, and researchers have identified
security vulnerabilities in systems aboard cargo vessels, such as
global positioning systems and systems for viewing digital nautical
charts, as well as on servers running on systems at various ports.
In some cases, these vulnerabilities have reportedly allowed
hackers to target ships and terminal systems. Such attacks can send
ships off course or redirect shipping containers from their intended
destinations. For example, according to Europol's European Cybercrime
Center, a cyber incident was reported in 2013 (and corroborated by the
FBI) in which malicious software was installed on a computer at a
foreign port. The reported goal of the attack was to track the movement
of shipping containers for smuggling purposes. A criminal group used
hackers to break into the terminal operating system to gain access to
security and location information that was leveraged to remove the
containers from the port.
dhs and other stakeholders have taken limited actions to address
maritime port cybersecurity
In June 2014 we reported that DHS and the other stakeholders had
taken limited steps with respect to maritime cybersecurity.\6\ In
particular, risk assessments for the maritime mode did not address
cyber-related risks; maritime-related security plans contained limited
consideration of cybersecurity; information-sharing mechanisms shared
cybersecurity information to varying degrees; and the guidance for the
Port Security Grant Program did not take certain steps to ensure that
cyber risks were addressed.
---------------------------------------------------------------------------
\6\ GAO-14-459.
---------------------------------------------------------------------------
Maritime Risk Assessment Did Not Address Cybersecurity
In its 2012 National Maritime Strategic Risk assessment, which was
the most recent available at the time of our 2014 review, the Coast
Guard did not address cyber-related risks to the maritime mode. As
called for by the NIPP, the Coast Guard completes this assessment on a
biennial basis, and it is to provide a description of the types of
threats the Coast Guard expects to encounter within its areas of
responsibility, such as ensuring the security of port facilities, over
the next 5 to 8 years. The assessment is to be informed by numerous
inputs, such as historical incident and performance data, the views of
subject-matter experts, and risk models, including the Maritime
Security Risk Analysis Model, which is a tool that assesses risk in
terms of threat, vulnerability, and consequences.
However, we found that while the 2012 assessment contained
information regarding threats, vulnerabilities, and the mitigation of
potential risks in the maritime environment, none of the information
addressed cyber-related risks or provided a thorough assessment of
cyber-related threats, vulnerabilities, and potential consequences.
Coast Guard officials attributed this gap to limited efforts to develop
inputs related to cyber threats to inform the risk assessment. For
example, the Maritime Security Risk Analysis Model did not contain
information related to cyber threats. The officials noted that they
planned to address this deficiency in the next iteration of the
assessment, which was to be completed by September 2014, but did not
provide details on how cybersecurity would be specifically addressed.
We therefore recommended that DHS direct the Coast Guard to ensure
that the next iteration of the maritime risk assessment include cyber-
related threats, vulnerabilities, and potential consequences. DHS
concurred with our recommendation, and the September 2014 version of
the National Maritime Strategic Risk Assessment identifies cyber
attacks as a threat vector for the maritime environment and assigns
some impact values to these threats. However, the assessment does not
identify vulnerabilities of cyber-related assets. Without fully
addressing threats, vulnerabilities, and consequences of cyber
incidents in its assessment, the Coast Guard and its sector partners
will continue to be hindered in their ability to appropriately plan and
allocate resources for protecting maritime-related critical
infrastructure.
Maritime Security Plans' Consideration of Cybersecurity Was Limited
As we reported in June 2014, maritime security plans required by
MTSA did not fully address cyber-related threats, vulnerabilities, and
other considerations. Specifically, three area maritime security plans
we reviewed from three high-risk port areas contained very limited, if
any, information about cyber-threats and mitigation activities. For
example, the three plans included information about the types of
information and communications technology systems that would be used to
communicate security information to prevent, manage, and respond to a
transportation security incident; the types of information considered
to be sensitive security information; and how to securely handle such
information. They did not, however, identify or address any other
potential cyber-related threats directed at or vulnerabilities in these
systems or include cybersecurity measures that port-area stakeholders
should take to prevent, manage, and respond to cyber-related threats
and vulnerabilities.
Similarly, nine facility security plans from the non-Federal
organizations we met with during our 2014 review generally had very
limited cybersecurity information. For example, two of the plans had
generic references to potential cyber threats, but did not have any
specific information on assets that were potentially vulnerable or
associated mitigation strategies. Officials representing the Coast
Guard and non-Federal entities acknowledged that their facility
security plans at the time generally did not contain cybersecurity
information.
Coast Guard officials and other stakeholders stated that the area
and facility-level security plans did not adequately address
cybersecurity because the guidance for developing the plans did not
require a cyber component. Officials further stated that guidance for
the next iterations of the plans, which were to be developed in 2014,
addressed cybersecurity. However, in the absence of a maritime risk
environment that addressed cyber risk, we questioned whether the
revised plans would appropriately address the cyber-related threats and
vulnerabilities affecting the maritime environment.
Accordingly, we recommended that DHS direct the Coast Guard to use
the results of the next maritime risk assessment to inform guidance for
incorporating cybersecurity considerations for port area and facility
security plans. While DHS concurred with this recommendation, as noted
above, the revised maritime risk assessment does not address
vulnerabilities of systems supporting maritime port operations, and
thus is limited as a tool for informing maritime cybersecurity
planning. Further, it is unclear to what extent the updated port area
and facility plans include cyber risks because the Coast Guard has not
yet provided us with updated plans.
Information-Sharing Mechanisms Varied in Sharing Cybersecurity
Information
Consistent with the private-public partnership model outlined in
the NIPP, the Coast Guard helped establish various collaborative bodies
for sharing security-related information in the maritime environment.
For example, the Maritime Modal Government Coordinating Council was
established to enable interagency coordination on maritime security
issues, and members included representatives from DHS, as well as the
Departments of Commerce, Defense, Justice, and Transportation. Meetings
of this council discussed implications for the maritime mode of the
President's Executive order on improving critical infrastructure
cybersecurity, among other topics.
In addition, the Maritime Modal Sector Coordinating Council,
consisting of owners, operators, and associations from within the
sector, was established in 2007 to enable coordination and information
sharing. However, this council disbanded in March 2011 and was no
longer active, when we conducted our 2014 review. Coast Guard officials
stated that maritime stakeholders had viewed the sector coordinating
council as duplicative of other bodies, such as area maritime security
committees, and thus there was little interest in reconstituting the
council.
In our June 2014 report, we noted that in the absence of a sector
coordinating council, the maritime mode lacked a body to facilitate
National-level information sharing and coordination of security-related
information. By contrast, maritime security committees are focused on
specific geographic areas.
We therefore recommended that DHS direct the Coast Guard to work
with maritime stakeholders to determine if the sector-coordinating
council should be reestablished. DHS concurred with this
recommendation, but has yet to take action on this. The absence of a
National-level sector coordinating council increases that risk that
critical infrastructure owners and operators will be unable to
effectively share information concerning cyber threats and strategies
to mitigate risks arising from them.
Port Security Grant Program Did Not Take Key Steps to Effectively
Address Cyber Risks
In 2013 and 2014 FEMA identified enhancing cybersecurity
capabilities as a funding priority for its Port Security Grant Program
and provided guidance to grant applicants regarding the types of
cybersecurity-related proposals eligible for funding. However, in our
June 2014 report we noted that the agency's National review panel had
not consulted with cybersecurity-related subject-matter experts to
inform its review of cyber-related grant proposals. This was partly
because FEMA had downsized the expert panel that reviewed grants. In
addition, because the Coast Guard's maritime risk assessment did not
include cyber-related threats, grant applicants and reviewers were not
able to use the results of such an assessment to inform grant
proposals, project review, and risk-based funding decisions.
Accordingly, we recommended that DHS direct FEMA to: (1) Develop
procedures for grant proposal reviewers, at both the National and field
level, to consult with cybersecurity subject-matter experts from the
Coast Guard when making funding decisions, and (2) use information on
cyber-related threats, vulnerabilities, and consequences identified in
the revised maritime risk assessment to inform funding guidance for
grant applicants and reviewers.
Regarding the first recommendation, FEMA officials told us that
since our 2014 review, they have consulted with the Coast Guard's Cyber
Command on high-dollar value cyber projects and that Cyber Command
officials sat on the review panel for 1 day to review several other
cyber projects. FEMA officials also provided examples of recent field
review guidance sent to the captains of the port, including
instructions to contact Coast Guard officials if they have any
questions about the review process. However, FEMA did not provide
written procedures at either the National level or the port area level
for ensuring that grant reviews are informed by the appropriate level
of cybersecurity expertise. FEMA officials stated the fiscal year 2016
Port Security Grant Program guidance will include specific instructions
for both the field review and National review as part of the cyber
project review.
With respect to the second recommendation, since the Coast Guard's
2014 maritime risk assessment does not include information about cyber
vulnerabilities, as discussed above, the risk assessment would be of
limited value to FEMA in informing its guidance for grant applicants
and reviewers. As a result, we continue to be concerned that port
security grants may not be allocated to projects that will best
contribute to the cybersecurity of the maritime environment.
In summary, protecting the Nation's ports from cyber-based threats
is of increasing importance, not only because of the prevalence of such
threats, but because of the ports' role as conduits of over a trillion
dollars in cargo each year. Ports provide a tempting target for
criminals seeking monetary gain, and successful attacks could
potentially wreak havoc on the National economy. The increasing
dependence of port activities on computerized information and
communications systems makes them vulnerable to many of the same
threats facing other cyber-reliant critical infrastructures, and
Federal agencies play a key role by working with port facility owners
and operators to secure the maritime environment. While DHS, through
the Coast Guard and FEMA, has taken steps to address cyber threats in
this environment, they have been limited and more remains to be done to
ensure that Federal and non-Federal stakeholders are working together
effectively to mitigate cyber-based threats to the ports. Until DHS
fully implements our recommendations, the Nation's maritime ports will
remain susceptible to cyber risks.
Chairman Miller, Ranking Member Vela, and Members of the
subcommittee, this concludes my prepared statement. I would be pleased
to answer any questions you may have at this time.
Mrs. Miller. Thank you very much.
The Chair now recognizes Mr. Parsons. Again, sir, we
appreciate you traveling from California to join us today.
STATEMENT OF RANDY D. PARSONS, DIRECTOR, SECURITY SERVICES,
PORT OF LONG BEACH, CALIFORNIA
Mr. Parsons. Thank you, Madam Chair.
I appreciate the opportunity to provide some information
this morning from an operations perspective. As you mentioned,
the Port of Long Beach is the second-busiest seaport in the
United States. Combined with our neighbor adjacent, the Port of
Los Angeles, we handled over 15 million cargo containers in
2014. That represents over 40 percent of the imported cargo to
the United States. Partly in effort to protect the diverse and
large environment that we have, we operate the Joint Command
and Control Center, which is a 24/7 operation. It provides
domain awareness to all of our partners, Government and private
sector, and is the hub for critical incident management. The
coordination center houses over $100 million in technical
security assets.
But we know the port authorities aren't the only target and
possibly not the primary target for cybersecurity threats.
Private-sector business entities, such as the terminal
operators, control a substantial portion of the economic
movement through our ports. The potential perpetrators and the
threats, as you mentioned and as the admiral alluded to, aren't
very unique to the maritime environment. We have threats to the
port that are a danger to humans as well as catastrophic
economic damage. We have workers. We have visitors. Both ports
are housed in a densely-populated metropolitan area. Taking
into account the dangerous nature of the persons--and the Port
of Long Beach supports 30,000 jobs in the immediate area and
1.4 million jobs Nation-wide--an impact to a complex the size
of Long Beach and Los Angeles could impact our National well-
being. There are a number of challenges that we face in the
maritime environment for cybersecurity.
There is not a one-size-fits-all solution for all ports.
The business models for ports vary based on the size of the
ports, the nature of the business that goes through the ports
and, frankly, how they are governed. Long Beach is a landlord
port. We have very little input into the security posture of
our tenants. Other ports are operators of ports and are better
postured to make recommendations and requirements.
A challenge is a lack of awareness about our own systems.
Sometimes systems are a patchwork of legacy systems. They are
often operated or administered by folks with different purposes
and a myopic focus on their required specific functions. This
creates a lack of enterprise perspective or awareness for the
cybersecurity problem. There is a notable reluctance to share
information about cybersecurity issues. To acknowledge a
cybersecurity event could potentially mean a loss of business
reputation and public trust. Much of the information for
maritime stakeholders is deemed as proprietary to the degree
that dissemination could create business disadvantage.
There is a need to clearly identify roles and
responsibilities of the various Government agencies involved in
cybersecurity. The Ports of Long Beach and Los Angeles have
been contacted and have worked with the United States Coast
Guard, the FBI, Secret Service, and multiple entities of the
Department of Homeland Security. We have tried to use
incentives at our port to generate buy-in. We have done that
successfully with our Green Port Program and our Clean Trucks
Policy.
Now, FEMA has incentivized, to a degree, cybersecurity
matters by emphasizing cybersecurity mitigation and
vulnerability assessments in the recent grant year. We agree
that subject-matter experts need to have continued input into
those grant awards. The spending has increased as a result of
that, but it is imperative that FEMA maintain a focus on
strategic thought and the current and developing regulations.
We support the efforts of the Coast Guard in their expanded
mission to enhance security. But we realize that has created a
specialized mission requirement that requires additional
funding. We believe that protecting U.S. ports must be a core
capability of our Nation. We realize, as everyone does, we
cannot stop all attacks. But focusing on the development of
strategic policies and guidelines is sorely needed. A roadmap
that provides guidance but flexibility for industry decisions
makes sense and will strengthen our National security
cybersecurity posture. Thank you for the opportunity.
[The prepared statement of Mr. Parsons follows:]
Prepared Statement of Randy D. Parsons
October 8, 2015
Chairman and Members of the committee. My name is Randy Parsons and
I am the director of security services for the Port of Long Beach, in
California. Thank you for the opportunity to speak before the House
Homeland Security Committee to discuss cybersecurity in the maritime
environment from a field operations perspective, especially during
October, National Cybersecurity Awareness Month.
background
As the second-busiest seaport in the United States, the Port of
Long Beach is a major gateway for U.S.-Asia trade and a recognized
leader in security. The Port is an innovative provider of state-of-the-
art seaport facilities and services that enhance economic vitality,
support jobs, and improve the quality of life and the environment. A
major economic force, the Port supports more than 30,000 jobs in Long
Beach, 316,000 jobs throughout Southern California and 1.4 million jobs
throughout the United States. In 2014, the Port of Long Beach moved
over 6.8 million 20-foot equivalent units (TEUs) of cargo, also known
as containers. In August of this year, we experienced the highest
volume of cargo in the Port's 104-year history.
Combined with our neighbor, the Port of Los Angeles, both ports
comprise the San Pedro Bay Complex, the largest port complex in the
Nation and the ninth-largest port complex in the world. Both ports
moved over 15 million TEUs in 2014, which accounts for over 40 percent
of the Nation's imported cargo. A 2010 report commissioned by the two
ports and the Alameda Corridor Transportation Authority found that
cargo moving through the San Pedro Bay Port Complex made its way to
every Congressional district in the continental United States. As a
result of the sheer volume of cargo moved throughout the port complex
and transportation-related activities, protecting the San Pedro Bay
Ports is vital to our National economic and security interests.
security
Safety and security are top priorities at the Port of Long Beach.
Since September 11, 2001, the Port along with the other Government
agencies responsible for security, have greatly expanded their efforts
to protect the Port complex and surrounding communities. The Port takes
a leadership role in the development of strategies to mitigate security
risks in the San Pedro Bay, working closely with multiple partners,
both public and private, to plan and coordinate security measures. My
professional experience has been in recognizing threat situations and
trying to formulate the best mitigation strategies. I have made
observations, learned lessons from our own port operations and through
contact with other local port partners, other ports, and transportation
agencies.
The Port's Joint Command and Control Center, a 24-hour-a-day
maritime domain awareness (monitoring) center, is a critical hub for
coordinated security efforts that include partnerships with local,
State, and Federal law enforcement agencies as well as maritime and
private-sector stakeholders. The Port of Long Beach has formalized
agreements with these partners to share security information,
coordinate threat information, develop plans, and coordinate
operations.
The Control Center houses over $100 million in technical security
assets. Through innovative efforts, the Port has a monitoring network
of over 400 cameras, a comprehensive fiber-optic network, a port-wide
wireless system, an integrated security management system for
synchronized monitoring and quick threat detection, access control and
alarm monitoring, boat patrols, radar systems, a vessel tracking
system, and sonar equipment. Law enforcement operations within the Port
have been fully integrated between the Port of Long Beach Harbor Patrol
and the Long Beach Police Department.
cybersecurity
In 21st Century America, the Port of Long Beach, like many if not
all organizations, relies heavily on information technology. The Port
relies on information technology to operate the business of the port,
as well as to secure the port complex and its assets. The maritime
sector, like other industries are at risk for cyber attack, in part
because ports are National economic drivers, and therefore are National
critical infrastructures. That is why, in addition to the above water,
on water, and underwater security monitoring and threat detection,
cybersecurity has become a critical endeavor for the Port.
Port business operations and port authorities are not the only
targets. Private-sector business entities, such as terminal operators,
control a substantial portion of the economic movement through a wide
variety of facilities. In the San Pedro Bay Ports complex, major cyber
threat areas include port facilities, shippers, vessels, terminal
operating systems, equipment, storage facilities, rail, and truck
operations. Potential perpetrators who could carry out cyber attacks
include State-sponsored, criminal groups, and individuals, either
inadvertent or intentional. Threats to the maritime environment include
hacking, jamming, phishing, spoofing, malicious programs, taking
control, and denial of service. On average, the Port of Long Beach's
Information Management staff reports' thwarting 1 million hacking
attempts a day. Some of the motivating factors for cyber criminal
activities may involve smuggling, cyber extortion, gaining business
advantage, intellectual property theft, and disrupting or destroying a
National critical infrastructure. In addition to man-made cyber
threats, the maritime sector is also susceptible to natural hazards
such as earthquakes, hurricanes, and tsunamis.
Cyber threats do not necessarily target people to cause injuries
and/or death, as with more traditional forms of terrorism. However,
threats to ports are dangerous to the large number of workers,
travelers, and visitors in and around the port community. Coupled with
the potential catastrophic economic impacts, maritime cyber events
could impact our National well-being as much, if not more, than other
types of attacks. Large-scale, multi-pronged attacks in the cyber world
will require a certain level of technical knowledge. However the
logistics involved in cyber attacks may not rise to the level that was
required for the September 11 attacks. Cyber attacks on such a large
scale would create fear, instability, disrupt the normal way of life
and business, and generate a lack of confidence in our Government's
ability to protect us. These are some of the same goals of more
``traditional'' terrorist acts. As a result, the maritime sector must
adapt to a new threat environment as we have done constantly since the
September 11 attacks.
It may seem overdramatic to make a comparison to the September 11
attacks, but one similarity may be in the number of cyber attacks that
have taken place internationally and within the United States, as well
as our responses, or lack of, to those warnings. As a result, business
resiliency has become a critical part of our on-going cybersecurity
plan. Reducing the potential for single-point failure, building
redundancy into systems, and developing back-up processes are vital to
ensuring ports remain viable and resume operations as swiftly as
possible in the event of an incident. Response and recovery are
critical to successful mitigation and business resumption. Protocols
must be clear on how to best contain an incident to prevent further
interruption. Response teams must have specialized training and be
prepared to engage 24/7. Protocols should include who receives notice
of the event and what additional assets are available to assist. In a
port environment, resiliency involves the ability of the logistics
chain (public or private) to absorb the impact of business interruption
caused by stress to the system (natural or man-made) and continue to
provide an acceptable level of goods movement. In order to develop a
comprehensive resiliency plan to address cybersecurity, factors that
should be addressed include infrastructure needs and protection,
transportation systems, and development of business continuity plans.
challenges
There are a number of challenges that must be addressed to enhance
cybersecurity in maritime environments. There is not a one-size-fits-
all solution because ports are diverse in how their business is
modeled. A lack of awareness about an organization's own systems
creates opportunities for exploitation at a basic level. Systems
themselves can be a patchwork of legacy systems, some integrated with
newer technologies. Cyber systems can be administered by operators with
different purposes and a myopic focus on only their required function
(i.e. engineers, information technology, trade, human resources, and
security). This creates a lack of an enterprise view of operations,
which can lead to the ``siloing'' effect. The ``siloing'' effect is not
an information technology problem, it is a ``culture think'' issue that
takes effort to divest and generate a unified and collaborative
perspective. At the Port of Long Beach, there is a continuing effort to
align the enterprise Information Management function with the special
needs of the Security Division.
In the maritime industry, there is a notable reluctance to share
information about cybersecurity issues. To acknowledge that a cyber
event has taken place could potentially diminish business reputation
and public trust. Maritime stakeholders have deemed much of their
information as proprietary to the degree that dissemination could
create business disadvantages. Although this is a valid concern, it
must be measured against the National security impact to a port complex
like the San Pedro Bay. Not sharing cybersecurity information makes it
difficult to identify the nature of threats or establish lessons
learned and best practices to mitigate them.
There is not a clear or defined role and scope of responsibilities
for the various Government agencies on the cybersecurity team. It is
generally understood that, in substantial criminal cyber activity and
terrorism matters, the Federal Bureau of Investigation (FBI) is the
lead agency. However, the Ports of Long Beach and Los Angeles along
with some of the tenants have been contacted by, and have also worked
with the U.S. Coast Guard, the Secret Service, and multiple entities of
Department of Homeland Security on cyber matters. Port authorities are
willing partners in the fight against cyber attacks, however, there are
requests for access to data from more than one agency. It is
challenging to understand what type of cyber information is reported to
which agency and duplicate requests for reporting often occur. This can
be especially disconcerting for the private-sector entities whose
proprietary concerns are heightened when multiple releases create more
opportunity for compromise.
incentives
There seems to be clear recognition that serious cybersecurity
concerns exist in the business world. However, left to our own devices,
the business world seems not to be motivated to take the substantial
action necessary to address those concerns in a strategic and
collaborative manner. Thought should be given to the Federal Government
creating incentives for businesses to enhance their cybersecurity
efforts in a collaborative way. It is recommended that incentives be
explored based on compliance standards. Uniformed guidelines,
recommendations, and requirements are needed throughout the maritime
sector. In order to gain ``buy-in'' from key stakeholders, the Port of
Long Beach has found that industry incentives have been critical to the
success of programs like our Green Port Policy and Clean Air Action
Plan. In general, businesses are reluctant to spend money on efforts
that are not revenue-generating, even if there is a risk assessment
indicating mitigation efforts could be revenue-saving.
The Federal Emergency Management Agency (FEMA) has incentivized
cybersecurity activities by placing emphasis within the Port Security
Grant Program (PSGP) on grant applications that focus on cybersecurity
mitigation. It is important that cybersecurity subject-matter experts
continue to be involved in the review process for these grant awards.
It would be ideal to have that expertise engaged with FEMA
practitioners who ensure decisions on cyber projects, as with all
projects, continues to be driven by risk-based factors.
As a result of this grant prioritization, spending on cybersecurity
has increased. FEMA should ensure that spending is in line with
strategic thought and prevailing guidelines as they are developed. An
example of focusing on priority projects has been the PSGP emphasis on
cyber vulnerability assessments. The Port of Long Beach, Security
Division is currently undergoing a comprehensive cybersecurity
vulnerability assessment to enhance our posture. As we look to the
future and contemplate industry regulations for cybersecurity measures,
consideration must be given for continuing grant support to assist
maritime security partners addressing the regulations, particularly if
the regulations should be mandatory.
Collaboration between Government and the insurance industry could
create incentives to protect valuable data identified by risk
assessment modeling. When certain guidelines or industry standards are
met, this could be reflected in premium costs. If incentives, and
potential human and economic losses, are not motivation enough, a
system of enforceable regulations or requirements may be necessary.
Determining who would be covered by the rules and regulations is a
fundamental question that will need to be answered. Specifically, the
industry is interested in knowing whether the rules will apply only to
facilities and vessels as with other regulations, or expand to other
port enterprises.
The Port of Long Beach, concurs with the American Association of
Port Authorities recommendation that there be flexibility in how
policies are implemented to reflect the varying and evolving threat
environment of similarly-situated ports. For example, U.S. ports can be
either operators of a port or landlords with minimal input into
operations. There are varying models of governance for ports that
directly affect how port authorities interact with port partners like
terminal operators, railroads, trucking companies, and shipping lines.
national cybersecurity policy
The Port of Long Beach supports efforts for the U.S. Coast Guard to
realize their new mission to lead the effort in enhancing cybersecurity
in the maritime environment. The U.S. Coast Guard and the Captains of
the Port are in the best position to facilitate and coordinate the
drafting of regulations, cybersecurity awareness programs,
vulnerability assessments, training, clarification of roles and
responsibilities, exercises, and information sharing. In this role, the
U.S. Coast Guard can provide a strategic view for cybersecurity in a
maritime environment, identify lessons learned and best practices, and
coordinate efforts among port industry stakeholders.
The U.S. Coast Guard focus on cybersecurity in the maritime sector
has created a need for specialized mission requirements. Those
requirements must be supported through adequate funding for the U.S.
Coast Guard to develop and acquire subject-matter experts and equipment
to deliver meaningful guidance to ports around the country. Valuable
guidance has been provided by the National Institute of Standards and
Technology's (NIST) Framework for Improving Critical Infrastructure
Cybersecurity. Coordination between NIST and the Coast Guard will
continue to lead the way in formulating the strategies required for a
more comprehensive National cybersecurity posture. There should not be
one-size-fits-all approach to managing cybersecurity risk because each
port or logistics partner will experience different threats and
vulnerabilities, as well as have different capabilities to address
them.
solutions
Solutions to these cybersecurity challenges exist. All entities
must take inventory and identify their own systems and capabilities.
This includes identifying employee and contractor access and duties to
port facilities and information systems. In assessing impacts, it has
been identified that people cause the most damage. Once cyber
operations are understood on an enterprise scale, systems and protocols
can be organized to promote cybersecurity throughout the organization.
Legacy systems can be evaluated for updating to meet today's, and more
importantly, tomorrow's cybersecurity needs.
The next step in achieving awareness is to have a comprehensive
vulnerability assessment conducted by subject-matter experts. It is
critical to identify and prioritize gaps that could lead to
interruptions effecting key operations. The Port of Long Beach,
Security Division is undergoing a comprehensive assessment; it will be
the third such assessment in 3 years.
Cybersecurity training and educational programs must be robust and
continual. Training should include prevention, detection, response, and
recovery efforts and procedures. Presentations are more meaningful if
they contain real-world incidents and reporting. Case studies and
examples are particularly valuable when they focus on lessons learned
and best practices. System operators need to know what a potential
cyber incident looks like and how it behaves. This type of training
provides awareness for port industry leaders and employees to create a
``See Something/Say Something,'' environment in the cyber arena. The
benefits received from a collaborative environment promote information
sharing.
Another layer to cyber preparedness is conducting tests, drills,
and exercises, as with other critical or emergency situations. In 2014,
the Port of Los Angeles hosted a large, multi-agency, full-field
cybersecurity exercise. Lessons were learned from integrating cyber
threats with real-world operations. Drills and exercises for
cybersecurity teams should be commonplace and testing of all employees
should happen throughout the year, not just during Cybersecurity Month
in October.
When cyber events occur, decisions must be driven by information.
Collaboration that produces an environment of sharing information will
include balancing the need to protect propriety information with
protecting our National critical infrastructures. The city of Los
Angeles created a Cybersecurity Fusion Center to facilitate the
exchange of cyber information, and the Ports of Long Beach and Los
Angeles both have access. The Port of Long Beach takes pride in being
led by our Information Management Division in being recognized as
National Cyber Security Alliance--Cyber Security Champion since 2010.
The Port also participates in the San Pedro Bay Cyber Working Group and
the Critical Infrastructure Partnership Advisory Council. The U.S.
Coast Guard, Sector Los Angeles/Long Beach, Area Maritime Security
Committee has approved a Cyber Security Subcommittee and we look
forward to its launch and being an active participant.
Information sharing can be facilitated by clarifying roles and
responsibilities for all cybersecurity players including local, State,
Federal governments and private sector. This clarification must be
shared with the entire maritime community. When an event is detected,
proper notifications must be made, mitigation efforts are initiated,
and an investigation may begin. Agency responsibilities may differ for
each of these tasks and that must be understood by all. Likewise, lines
of communication should be clear about who will analyze the information
and identify potential perpetrators, techniques, and patterns or
trends. If these efforts generate information of value, it must also be
determined which agency disseminates the information and how it is
disseminated.
The reporting of cybersecurity-related information has not been a
two-way flow of information sharing, it has mainly been the maritime
sector providing information to Federal Government agencies. There
should be a concerted effort to evaluate and identify information that
can be released to the proper audience to keep them ``in-the-loop.''
This feedback is critical for identifying lessons learned, best
practices, and foster the critical sharing relationship. One bright
spot has been the collaboration between the ports of Long Beach and Los
Angeles and the FBI's Cyberhood Watch Program. This is a program where
cyber information is shared by port partners, including private-sector
partners, with the FBI. The FBI analyzes the data for suspicious
behaviors and the results are shared back with the contributors and all
partners in the program. The FBI will also take further investigative
steps when warranted.
conclusion
It is important to recognize that while we vigorously try, we
cannot stop all attacks. Protecting U.S. ports must be a core
capability of our Nation. There seems to be either high-level
discussion about cybersecurity or fragmented tactical level technical
detail. Focusing on the development of strategic policies and
guidelines is sorely needed. A road map that provides guidance and
flexibility for industry decisions makes sense and will strengthen our
National cybersecurity posture.
Thank you for the opportunity to address you on behalf of the Port
of Long Beach. I would be pleased to take any questions.
Mrs. Miller. Thank you very much.
The Chair now recognizes Mr. Sawicki. Again, we appreciate
you traveling from Texas to join us, sir.
STATEMENT OF JONATHAN SAWICKI, SECURITY IMPROVEMENT PROGRAM
MANAGER, PORTS OF BROWNSVILLE AND HARLINGEN, TEXAS
Mr. Sawicki. Thank you very much.
Madam Chairman, distinguished Members of the committee, and
Members of the audience, my name is John Sawicki. I was asked
to testify today based upon experience gained while serving as
a security improvement program manager for the Ports of
Brownsville and Harlingen, Texas. I am humbled and honored to
be here today to share with you this experience, as well as my
own opinions on the status of cybersecurity in our port
communities. Today, I would like to focus on the importance of
risk-based, strategic planning and how cyber risk is a critical
component within that approach. I would like to share with the
committee information on recent efforts to manage cyber risk in
the maritime domain and will provide brief comments on the
Coast Guard's cybersecurity strategy, as well as provide some
general recommendations for consideration.
My hope today is that once we all leave here, the Members
of the subcommittee, the audience, and my fellow witnesses are
better equipped to make informed risk-based decisions when
implementing cybersecurity and resiliency strategies. The
bombing of the U.S.S. Cole and September 11 attacks on our
country made it clear that we had to increase our level of
homeland security Nation-wide. Just as how we travel by air has
changed, the way we conduct maritime commerce has also changed.
We need to understand, we all know that there are capable
and motivated threats out there for cyber and for physical
security. We must implement risk-based strategies. To mitigate
against some of these physical security threats, in 2002, the
Port of Brownsville established a sworn police department
responsible for not only enforcing laws and providing public
safety but for implementing programs and measures to protect
port infrastructure and maintain compliance with the MTSA. In
2007, the port conducted a comprehensive threat assessment,
which was closely followed by a port-wide strategic risk-
management plan in 2008.
While not required of the Port of Brownsville, this plan
has been a critical component to our success with the Port
Security Grant Program, securing over $14 million in funds for
physical security enhancement projects. Currently, the port is
in the process of updating this initial port-wide strategic
risk management plan with an additional focus on industrial
hazards and cybersecurity. A strategic risk-based approach to
managing the threats and hazards at the Port of Brownsville has
resulted in a safer and more secure environment within which
commerce can be conducted.
Cybersecurity, Port of Brownsville. Using the NIST
Cybersecurity Framework as a guide, the Port of Brownsville
recently conducted a cybersecurity assessment to identify
critical systems, evaluate current cybersecurity posture,
establish a target state for cybersecurity, and identify and
prioritize opportunities for improvements. The timing of this
assessment was optimal, as the port had recently hired its
first IT manager and was in the process of performing
significant upgrades to existing communication systems, port
management systems, and general operating systems.
The result of this cybersecurity assessment indicated
opportunities for improvement in all five cybersecurity
functions: Identify, protect, detect, respond, and recover.
Using the results of this assessment, the port prepared and
submitted a grant application through the fiscal year 2015 Port
Security Grant Program. Unfortunately, the project was not
funded. Even though it was not funded, the port strives to
improve our cybersecurity posture and, even though at a slower
pace, is doing so.
Comments on the U.S. Coast Guard strategy. In general, I
support the U.S. Coast Guard's vision for operating in the
cyber domain and the three primary priorities of defending
cyber space, enabling operations, and protecting infrastructure
critical to the MTS. The risk-based decision-making model
utilized in the overall strategy development and proposed
implementation will be very beneficial. I believe that the
stated goals and objectives are reasonably achievable, given
support and resources on an on-going and consistent manner. I
think that on-going and consistency is very important. The most
important goal stated in the strategy in terms of port-wide
risk management in my mind is to increase operational
resiliency by ensuring mission-focused cyber space operations
and incorporating cybersecurity into U.S. Coast Guard culture.
This focus on resiliency and the concept of establishing a
culture of cybersecurity is key to managing risks posed by a
persistent and capable threat. This operational resiliency will
effectively reduce the consequences associated with a potential
cyber-based transportation security incident and work to gain
buy-in from port area partners and other maritime domain
stakeholders. Ultimately, to adequately address the cyber risk,
we must all work to establish and nourish a culture of enhanced
cybersecurity and vigilance within our own organizations. You
have many of my recommendations in my written testimony, so I
am not going to go through all those today. But, most
importantly, I feel we need to continue to support at the port
level and the National-level risk-based decision making and the
assessments required to do so.
So I will leave you today with thanking you for this
opportunity. General Douglas MacArthur is credited with saying:
There is no security on this Earth, only opportunity. I feel
right now we have that opportunity to help build cybersecurity
throughout the MTS. Thank you very much.
[The prepared statement of Mr. Sawicki follows:]
Prepared Statement of Jonathan Sawicki
October 8, 2015
introduction
Madam Chairman, distinguished Members of the committee and members
of the audience, my name is Jon Sawicki and I was asked to testify
today based upon experience gained while serving as the security
improvement program manager for the Ports of Brownsville and Harlingen,
both located in Cameron County, Texas. I am humbled and honored to be
here today to share with you this experience, as well as my own
opinions on the status of cybersecurity in our port communities.
Today I would like to focus on the importance of risk-based
strategic planning and how cyber risk is a critical component of that
approach. I would like to share with the committee information on
recent efforts to manage cyber risk in the maritime domain and will
provide brief comments on the USCG's Cyber Strategy, as well as provide
some general recommendations for consideration by the USCG and
committee Members as you work to enhance the National cybersecurity
posture. My hope today is that, the Members of the subcommittee, the
audience and my fellow witnesses are better equipped to make informed
risk-based decisions when developing and implementing cybersecurity and
resiliency strategies.
strategic planning at the port of brownsville
The bombing of the USS Cole on October 12, 2000, and the subsequent
terrorist attacks against the United States on September 11, 2001 made
it clear that homeland security as a whole needed to be enhanced
throughout our country. Just as how we travel by air has changed
significantly, the means by which we conduct maritime commerce in ports
and waterways world-wide has been impacted by the reality that
motivated and capable threats do exist, and they pose a risk to the
lives and livelihoods of people everywhere.
To mitigate against physical security threats, in 2002 the Port of
Brownsville established a sworn police department responsible for not
only enforcing laws and providing public safety, but for implementing
programs and measures to protect port infrastructure and maintain
compliance with the Maritime Transportation Security Act (MTSA). In
2007 the Port conducted a comprehensive threat assessment, closely
followed in 2008 by the development of a port-wide strategic risk
management/mitigation and trade resiliency/resumption plan, which has
since been used as a guide for the design and development of PSGP
project applications.
While not required of the Port of Brownsville, the completion of
this first port-wide strategic risk management plan has been critical
to our success in securing approximately $14,000,000 in funds to
implement projects of a wide variety; from the development of
sophisticated wide-area surveillance and TWIC-compliant access control
systems; the construction of a new port command center and commercial
truck entrance; and the purchase of multiple portable generators, light
towers, and security shelters for use during incident response and
disaster recovery operations.
The Port is currently in the process of updating the initial Port-
wide strategic risk management/mitigation and trade resiliency/
resumption plan. This update has an added focus on industrial hazards
at non-USCG-regulated facilities, the ability to coordinate emergency
response activities with all port tenants and evaluating the Port's
cybersecurity and network preparedness posture. A strategic risk-based
approach to managing the threats and hazards at the Port of Brownsville
has resulted in a safer and more secure environment within which
commerce can be conducted.
cybersecurity at the port of brownsville
Using the National Institute of Standards and Technology (NIST)
Cybersecurity Framework as a guide, the Port of Brownsville recently
conducted a basic cybersecurity assessment to identify critical
systems, evaluate their current cybersecurity posture; establish a
target state for cybersecurity; and identify and prioritize
opportunities for improvement within the context of a continuous and
repeatable process. The timing of this assessment was optimal as the
Port had recently hired its first in-house IT manager and was in the
process of performing a significant upgrade to the existing
communications platform, computer operating systems (hardware and
software) and port management information system.
The results of the cybersecurity assessment indicated opportunities
for improvement in all five cybersecurity functions; identify, protect,
detect, respond, and recover. Using the results of the cybersecurity
assessment the Port prepared and submitted a grant project application
through the fiscal year 2015 PSGP, which unfortunately was not selected
for funding. Though this project did not receive funding, the Port
strives to improve cybersecurity and network resiliency through
targeted upgrades and enhancing the capabilities of IT-tasked
personnel.
uscg cybersecurity strategy
In general I support the USCG's vision for operating in the cyber
domain, and the three primary priorities of defending cyber space,
enabling operations and protecting Infrastructure critical to the
maritime transportation system. The risk-based decision-making model
utilized in the overall strategy development and proposed
implementation will be beneficial, and I believe that the stated goals
and objectives are reasonably achievable given support and resources
are on-going and consistent.
The most important goal stated in the strategy in terms of port-
wide risk management is to ``increase operational resiliency'' by
ensuring mission-focused cyber space operations, and incorporating
cybersecurity into U.S. Coast Guard culture. This focus on resiliency
and the concept of establishing a culture of cybersecurity is key to
managing risk posed by a persistent and capable threat, or natural
hazard such as a major hurricane. Given the likelihood of a future
cyber incident impacting the maritime transportation system, the true
measure of a successful cyber risk management program will be the
ability to operate in a degraded manner while the threat is addressed
and systems are restored. This operational resiliency will effectively
reduce the consequence associated with a potential cyber-based
transportation security incident, and work to gain buy-in from port-
area partners and other maritime domain stakeholders. Ultimately, to
adequately address the cyber risk we must all work to establish and
nourish a culture of enhanced cybersecurity vigilance within our own
organizations.
recommendations and closing statement
Recommendations:
Continue to provide resources through the PSGP to promote
the enhancement of cybersecurity and network preparedness
within the maritime domain. Considerations should be made to
reduce the cost match requirement for cybersecurity assessments
and strategic planning projects that follow the NIST
Cybersecurity Framework.
Continue to provide resources through the PSGP to conduct or
update port-wide strategic risk management/mitigation and trade
resiliency/resumption plans. Consider reducing the cost match
requirement for grantee projects that directly address cyber
vulnerabilities identified in the strategic risk management
plans and/or area maritime security assessment (AMSA).
Continue to provide resources through the PSGP to support
cybersecurity training and exercises. Consider reducing the
cost match requirements for projects that provide consistent
and accredited cybersecurity training of varying levels to
members of the port community, specifically those offered to
both public and private entities.
Provide for flexibility in future policies or regulations,
taking into account unique port-specific risk profiles and
operating environments when determining appropriate mitigation
levels.
Further define and provide guidance on what constitutes a
transportation security incident specific to potential or
actual cyber breaches.
Encourage cybersecurity breach reporting by port facilities
by putting in place measures to safeguard information to a
degree that limits the reputational impact on the entity
breached.
Continue to lead and facilitate cybersecurity discussions at
AMSC meetings and other industry groups such as ASIS and the
FBI's Infraguard Program.
Thank you again for the opportunity to testify before this
subcommittee. General Douglas MacArthur is credited with saying,
``There is no security on this earth; only opportunity''. These words
are as relevant today as they were almost a century ago. Cybersecurity
must be approached as an on-going cycle, not a means to an end. Threat
actors will always look for opportunities to exploit system
vulnerabilities. As such, we must always be identifying and
capitalizing on opportunities to increase our own preparedness,
protection, and response capabilities.
Mrs. Miller. Thank you, all of you, gentlemen. I think what
I will do is just ask a more global question and ask each one
of you to respond to it. I will preface it by telling you the
reason I called this hearing, obviously, I mean, if you talk to
anybody at the Pentagon and you ask them, ``What keeps you
awake at night,'' they will tell you cyber attack. That is what
they are worried about, as much as anything else, of all the
threats that we face. When you talk to Members on the Intel
Committee, you know, they will tell you about some of the
things that are happening. I mean, we see some of the things
openly reported of these hackers, like the OPM kind of thing
that happened here in the Government domain recently, where you
had the hackers sitting there probably in the information
environment for could have been a year, you know. As Members of
Congress, we were talking about whether or not we ought to get
credit-security agencies available to all these folks that had
been hacked in. But, look, they weren't looking for somebody's
credit card information probably.
The other hat that I wear besides sitting on the Homeland
Security Committee, I am also the Chair of the House
Administration Committee, where we are concerned about cyber
for the campus here. I won't go into some of the issues that we
have had there. But, obviously, we are a target, right? So you
can imagine.
But, at any rate, as I sort-of think about this whole area
of cybersecurity in the port, in the maritime environment, and
I think about the Coast Guard being missioned with this, and,
Admiral Thomas, I would also say, you know, I also have a
saying, I always say if it is wet and impossible, send in the
Coast Guard because you guys just handle it. Then, you know,
since 9/11, all we have done is load you up, load you up, load
you up with so many other kinds of missions. Now you are tasked
with this as well, with cybersecurity. But, you know, the world
is a changing, evolving threat environment all the time. It is
much more asymmetrical than it has ever been in the past, as
evidenced by the kinds of things, the worries that fellows at
the ports are having.
I guess, just generically, my question is: How do you think
the Coast Guard is doing with this mission? To the rest of
you--and nothing against the Coast Guard--but do you think the
Coast Guard is the proper agency, and do they have adequate
resources, again, to carry out another mission that the
Government has missioned them, tasked them with? Our committee,
we need to hear from all of you of what kinds of situations you
are having out there. Then it is up to us to finance to the
best extent that we can, prioritize the Government's money here
of doing the kinds of things we need to be able to do to make
sure that the missions we give the brave men and women in the
Coast Guard and every other agency is adequate for that. I
guess that is, sort of generally, I am trying to understand
whether or not the Coast Guard is, the kinds of challenges that
you find yourself with and what the rest of you think about how
that is going and what, perhaps, we could do differently if
necessary. Admiral?
Admiral Thomas. Thank you for that great question. In my
statement, I mentioned that we don't view this as a new
mission. We view it as a natural extension of our existing
mission. Maybe I can elaborate on that. When the maritime
industry shifted from sail to steam, the Coast Guard had to
develop standards and the ability to assure compliance with
those standards for boilers and for engineers for the first
time, and then when we shifted from steam to internal
combustion and from internal combustion to major electrical
power. So the industry has moved to operating in cyber. The
Coast Guard has got to move with them. So it is the natural
extension of our mission given to us by Congress to manage
operational risks in the maritime area.
Now, that said, it is a different type of risk that we have
to manage. So we need to develop different expertise, and we
need to bring some different capabilities. We are doing that by
leveraging the expertise and capabilities that exist across the
Government and by building our own work force. One of the
reasons why our commandant insisted that we have a cyber
strategy is so that our entire organization stays focused on
those things that we know we need to do in order to be
operationally effective across all of our missions in the 21st
Century operating environment. That includes building the
workforce. It includes developing the proper kind of standards.
So, again, I don't see this as a new mission. We see it as a
new domain in which we need to conduct all of our missions.
Certainly when I talk to the industry about how do we
manage the risks introduced by cyber systems, and we talk about
how we manage other risks that, you know, have always been out
there, the same types of approaches, the same risk-based
performance standards, the same type of regulatory regime is
what people tell me they think works. So thank you for the
question.
Mrs. Miller. Mr. Wilshusen.
Mr. Wilshusen. Yes, I would just like to add, too, that it
is good to hear Admiral Thomas talk about leveraging other
resources across the Federal Government because there are
several that can help as the Coast Guard tries to bring up
their cybersecurity capabilities. Even within its own
Department, the Department of Homeland Security, the Office of
Cybersecurity and Communications has a number of groups that
are skilled in cybersecurity-related matters, and that
certainly can help inform the Coast Guard's effort. In
addition, the National Institute of Standards and Technology
has developed a framework, a cybersecurity framework for
improving cybersecurity within the critical infrastructure.
That, too, is another framework that can help inform the Coast
Guard's efforts and, indeed, all of the maritime sectors'
efforts to improve the cybersecurity. So there are other
resources available that can help the Coast Guard in performing
those activities.
Mrs. Miller. Mr. Parsons, what is your thought?
Mr. Parsons. Madam Chair, I don't think there is any
question the Coast Guard is the right agency. The Coast Guard
and their Captains of the Port are perfectly positioned to lead
strategy and guidelines for port security measures. As the
admiral says, that is what they have done all along. They are
the right people.
Clearly, something this large and complex, there is going
to be a maturational process to this. I feel like we are at the
beginning of it. But the things that I feel we need in the
maritime environment are leadership, coordination, a strategy,
create a fabric for all the working entities in the port, not
just port authorities but for the business entities in the
port. Quite frankly, we struggle as a landlord port to have
much say in the position of security in our tenants.
You mentioned the fully-automated terminal. Once fully
operative, that will handle 3 million cargo containers a year.
That number, which is expected to be fulfilled through
contracts, would make that one terminal the fourth-largest port
in the United States. We have very little input into their--we
can inquire, we can discuss it, we can confer and collaborate.
But we have no guidelines or standards that could help them
motivate. I am sure they have a very robust cybersecurity
program for a fully-automated terminal. But we don't have any
insight into that and no real insight in how to get there. The
last thing I would say is many of the challenges I mentioned,
again, the Coast Guard I think is postured for systems
awareness, threat awareness, training programs. They are kind-
of a mishmash if they exist.
Our concern is that the level of resources that they have
to do this job and how long it would take to do it. If there
were a National vulnerability assessment, a charge for all
ports, that is going to be a beefy undertaking. It is going to
take a long time. But, again, with their experience of
understanding the difference between the different nature of
the ports, I think the Captains of the Port are, again, the
best postured to take something like that on.
Mrs. Miller. Mr. Sawicki.
Mr. Sawicki. Thank you very much. In my opinion, for the
current operations, yes, the Coast Guard has resources to
continue to facilitate the conversation. I think that is the
most important part right now is that within ports, we have
many experts at many private terminals. But it is very
difficult to get them all into one room to share their own
strategies because they all compete. So I think at this point,
the Coast Guard is doing an incredible role through Area
Maritime Security Committees, to port safety committees to
facilitate that conversation and to better understand what
private industry is doing, some of their concerns. The primary
concern that I see with information sharing specifically with
port tenants is the possibility for reputational impact of a
private company if they share a cyber breach.
So I think, currently, by facilitating these conversations,
by working with private industry and working within existing
regulations, I believe the Coast Guard is the right
organization for this role. I believe it will take us a while
to get there, but this is a very big problem. We are still in
the proactive stage. Fortunately, we are not in the reactive
stage. Thank you very much.
Mrs. Miller. Thank you all very much.
Before I recognize the Ranking Member, I would also like to
recognize, and as you see, the gentleman from Texas, Mr.
Ratcliffe, who is the Chairman of the committee's Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technology, be allowed to sit on the dais and participate in
today's hearing.
Without objection, so ordered.
Mr. Vela.
Mr. Vela. Thank you, Madam Chairman.
Mr. Parsons, you hit on two points that I would like to
basically hear about in a broader context of not just
cybersecurity but port security in general. The first is with
respect to communication between ports, for example, in
California, Port of San Diego, Long Beach, Los Angeles, San
Francisco, and many others--in Texas, it would be Port of
Brownsville, Port of Corpus Christi, Galveston, Houston--what
kind of information-sharing systems do we have in place between
all these different ports?
Mr. Parsons. In our area, we have, the first thing and the
best thing is we know each other. We spend a lot of time
together in other emergency management and crisis situations.
We attend the same conferences. We are part of the same
cybersecurity working groups that cover both ports. We share
information.
I will tell you a bright spot in information sharing is the
FBI's Cyberhood Watch Program. That is one place where port
entities and, importantly, private-entity terminals have agreed
to input their defense information as they defend against cyber
attacks into the FBI Cyberhood Watch. The FBI analyzes that
information. One thing we really appreciate is, it is a two-way
flow of information. They provide the information back to the
stakeholders if they see a pattern or a trend that needs
tending. That goes to all stakeholders. So some of that
proprietary influence has been broken down with Cyberhood
Watch.
Mr. Vela. Mr. Sawicki.
Mr. Sawicki. I agree. It would also reinforce that through
the FBI's InfraGard Program as well. That is where a lot of
industry information sharing takes place. Port-wise, you are
looking at conferences, AAPA events, seminars where the same
groups get together, discuss issues they are sharing. I am not
aware of any formal communication platform between ports to
share. Now, if there is an issue, someone receives a breach,
then information sharing takes place through the National
Response Center. I have not seen that process take place. I am
not sure how reactive it can be. But, currently, Area Maritime
Security Committees, existing meetings, the conversations are
happening. Everyone is talking about it. But as far as a formal
platform, I am not aware of one.
Mr. Vela. So would the common thread from coast to coast be
the FBI Cyber Watch Program? Is that what you called it?
Mr. Sawicki. There are multiple programs under, I believe
under the InfraGard Program which is, I am a member, I sign up,
very quick background checks. Then I receive emails on specific
threats that are out there. Most of these are Non-classified
but Sensitive I guess would be the way to put it. So there is
information in industry. When industry partners talked to non-
maritime, like NERC, for example, some of the other regulatory
boards, there is a lot of information out there. But it is more
informal than formally received.
Mr. Vela. Mr. Parsons, the other point I wanted to hit on
is you mentioned the challenge in getting the tenants to share
information. Is that something that we see across the Nation?
Mr. Parsons. Yes. One of those things I don't think is
unique to the maritime environment. It is a valid concern. One
thing I think the Cyberhood Watch Program has done is called
the private-sector tenants together, made the point: We
understand your position; we have seen it happen in the United
States. But, on balance, with the port complex such as Long
Beach and Los Angeles, we do have to balance proprietary
interests with potential damage to National security. That
argument and possibly others have drawn these private-sector
people into Cyberhood Watch. That is a huge step. There has
been a lack of trust, parochial interest in their information.
That has been a tough pull. But this is a glimmer of success
that we have seen.
Mr. Vela. Mr. Wilshusen, what are your thoughts on the 2015
Coast Guard cyber strategy?
Mr. Wilshusen. I think it is a step forward to recognize
and identify the three objectives that they have laid out in
their strategy, particularly with protecting the critical
infrastructure in the maritime environment, which was the focus
of our report and the actions we have done there. So, to that
extent, I think it has been a positive step and something that,
of course, I understand will be guiding their efforts going
forward.
But one thing I would just like to also point out regarding
the information-sharing issue that has been discussed is that
there have been a number of barriers to effective information
security. Mr. Parsons and Mr. Sawicki touched on a couple of
those. One is having, establishing those relationships and how
important it is to establish trust in order for private-sector
companies to share their information with the Government or
among themselves. The other thing is part of what could happen
to facilitate that sharing of information is to have a secure
mechanism in which organizations can provide that information
to Government and, conversely, Federal agencies can provide
actionable threat alert and incident information back to the
private sector. There should also be capabilities to anonymize
the information so the issue with regard to reputational
impairment, if you will, on the part of a private sector who
reports an incident and it is cited, leads could be anonymized
so the individual entity is not being identified, but the
information about the threat, about the incident, and it will
be something that can be shared across the sector. So there are
a couple actions that can be taken to help improve information
sharing across the board.
Mr. Vela. Thank you.
Mrs. Miller. The Chair recognizes the gentleman from New
York, Mr. Donovan.
Mr. Donovan. Thank you, Madam Chair.
I would like to thank you and the Ranking Member for
allowing me and Ratcliffe to intrude on your hearing.
First of all, gentlemen, thank you for what you do for our
country, your interest in protecting our National security. I
have two reasons why I asked the Chairwoman and Ranking Member
if I could join you today. One is we have a great love for the
Coasties. I come from New York. When Governors Island closed,
the Coasties came to Staten Island, where I live. We are very
proud. We are very grateful for their work. We are so honored
that they decided to come to Staten Island.
The other is my dad was a longshoreman for 40 years. Before
containerization, longshoremen would go down into the hull of
the ship with a hook and grab a burlap sack of coffee beans and
walk it out of the hull of the ship. My father used to come
home with the coffee beans, the loose ones, in his cuffs of his
pants. We used to grind them up, and we had coffee. But, you
know, the security back then, I suspect they had dogs that
would sniff the cargo, maybe some detectors for radiological
materials on some of the ships. But your mission has become so
great.
When you spoke, Admiral, about--you guys remind me of Larry
the Cable Guy; you are just going to get 'er done no matter
what it is. But your resources are finite. To take on this
other mission or expanding the mission that you already have in
the security of our ports is going to cost you resources. Are
other parts of the Coast Guard's missions going to suffer
because now you have to direct resources to this new threat
that we face now in cybersecurity?
Admiral Thomas. Thanks for your support of the Coast Guard.
We love Staten Island as well. I would say of the three
objectives in our Coast Guard cyber strategy, the least
resource-intensive is the one around our role for protecting
maritime critical infrastructure. That is because of some
points that have already been made. That infrastructure is
privately-owned. The real responsibility to do the defense of
those systems is with the private sector. So we don't envision
Coast Guard personnel, for example, actively defending private-
sector systems. Our role in that regard is to set a reasonable
performance standard and then have the people in place to
ensure that standard is met. That might involve the use of
third parties. In fact, I am quite certain that it would. We
use third parties across our compliance program. So do we need
additional resources to do that? Yes. Is the demand as large as
you might think? Probably not, at least not for that component
of our strategy because, again, we will leverage the
capabilities across the Government, both in terms of setting
the standards. One of the reasons that we don't have the
assessments in place that the GAO would like to see is because
we want to make sure we use the same assessment tools that are
used in other sectors. They are just not there yet. So it
wouldn't make any sense to move out ahead of them.
But we will leverage all those resources. Yes, there will
be a resource bill. Will it impact our other missions? Our
Coast Guard Commandant has been pretty clear that cyber is a
way to make sure we do our missions better and more
effectively. It is not a mission to detract from others.
Mr. Donovan. Thank you very much.
Madam Chairman, I waive the rest of my time. Thank you.
Mrs. Miller. I thank the gentleman.
The gentlelady from California, Ms. Sanchez.
Ms. Sanchez. Thank you, Madam Chair. Once again, always a
pleasure to serve with you on this subcommittee. As you know, I
probably live about 25 minutes away from the Port of Long Beach
and maybe half an hour away from the Port of Los Angeles.
Almost 50 percent of our goods, I think, come through those two
ports to the United States. The Port of Long Beach alone
handles about $150 billion in trade annually. Of course, we are
talking about a lot of Southern California jobs between these
two ports.
So I would like to ask Mr. Parsons, what would be the
impact of a significant cyber attack on your port? What do you
envision would be, on the high end, something that would just
cripple what is going on? How long do you think, given the
current infrastructure, it would take to get things back to
normal?
Mr. Parsons. Congresswoman, we are always very concerned
about major attacks. But I will tell you, we have experienced
plenty of small ones that have given us some insight into what
happens in port environments. Those have been generated some by
labor action and slow downs, some by malfunctioning of systems,
not only within ports but on a larger scale, with the city of
Long Beach.
Ms. Sanchez. With the automation, and I know the
automation--I understand the whole issue of much of this
infrastructure is owned by these individual maritime companies,
et cetera. But give me an example of something that you think
would be just incredibly crippling and what we could imagine
would be the after-effect. I am thinking from an economy
standpoint in particular for California.
Mr. Parsons. Well, we could go back to 2002 and the work
stoppage there, where the National economy was dramatically
affected. Depending on whose figures you believe----
Ms. Sanchez. Was that like 8 days or 18 days?
Mr. Parsons. Exactly. In 2002 dollars, it was a loss of $1
billion a day to the National economy. So we can assume it has
gone up from there. What we have seen is systems shut down. As
Mr. Sawicki talked about, resiliency and redundancy is a huge
part of cybersecurity; how quickly can we spin back up? What we
have seen is a lack of redundancy and acceptable back-up
systems, in some cases, as simple as power back-up. Some of the
terminals, during the problems we had with the electrical grid
out there, they were down. The irony was the security systems
were up and running, were back up, but the economy isn't
moving. So that is a great concern to us. Again, it goes back
to the awareness of the systems; exactly how long would it take
these individual terminals to come back on?
Ms. Sanchez. I remember it was, even after we solved the
issue, it was a long time in getting the back-up and getting
everything back to normal and getting the ships out. Of course,
much of that was perishable to some extent, et cetera. So it
was a big economic crunch.
I am very confident in my Coast Guard, I have visited a lot
both up in the San Francisco Bay area and, of course, in our
ports, and in San Diego, with respect to your ability to cover
and to have consistent knowledge of each port within the Coast
Guard. So I want to congratulate you on that actually because I
think you are doing a good job with respect to that.
But I think this whole issue, Madam Chair, going back to
this issue of, and we have seen this over and over in other
areas, whether it is petrochemical or anything else, that the
mainstay of the infrastructure is in individuals' hands, right,
in private hands. So what is our role, and how do we ensure
that, in fact, even in an economic situation there is backup
energy generation, for example? So I know that you have all
talked about, you know, we need more communication or we need
more, we need to know more. How do we do that? How do we, if
we, the Government, wanted to somehow take the initiative to
actually get this going, what would that look like? What could
we do, given that everybody, the individual stakeholders have
proprietary information, you know, they want to but they don't
want to come together and figure out how we are better
protected against cyber. Seeming that Homeland Security is
supposed to be in charge of everything but defense cyber in our
agencies and that we are somehow supposed to help private
entities who are so important to us get this act together with
us, what would you suggest? If I told you tomorrow, ``Fix this
problem and let's get this done,'' what would that look like?
To any of you who are on the panel. Give us some ideas of what
we can do as a committee to help you get that done.
Mr. Sawicki. It is a very good question, a very difficult
question. But I think, initially, it is to focus on those
systems that facilitate commerce, the navigation systems. You
know, after a hurricane, as an example, you can have every
facility ready to operate, but if that channel isn't open, then
it really doesn't matter.
So I would say focus on the major navigation systems, the
Federal systems. Ensure private industry's trust in those
systems, and then help facilitate conversations among private
industry because I believe private industry is going to do on
their own to protect their own interest. So other than that
magic bullet, it is just to focus internally first while
everyone else tries to get a handle on the situation on their
own, if that makes sense.
Mr. Parsons. Congresswoman, as a Government and a
committee, it has a lot to do with what we talked about today:
Supporting the Coast Guard to create this fabric; identify
systems through risk-based assessments; identify the priority
gaps. But I think there has got to be some regulation. It can
be voluntary, as it has been in the past. To be honest with
you, left to our own devices, we don't seem to have done very
well.
So the other thing I mentioned is the Port of Long Beach
has used incentives for our private-entity partners to engage
in various programs that we have had there. But you may evolve
to regulations and even requirements, authorities that have
been given to the Coast Guard in some other areas, but we have
to generate whatever motivation it's going to take to get this
done.
The reason it is going to be a maturational process is
there's not one size that fits all with ports, so there has got
to be a recognition that it is a different playing field in
different ports.
Ms. Sanchez. Thank you, Madam Chair.
Yes, and I agree. If you have seen one port, you have seen
one port. Thank you.
Mrs. Miller. I thank the gentlelady very much.
The Chair recognizes the gentleman from Texas, Mr.
Ratcliffe.
Mr. Ratcliffe. Thank you, Chairman Miller and Ranking
Member Vela, again, for the opportunity to be part of your
subcommittee today and for holding this hearing on a critically
important topic.
On the Subcommittee on Cybersecurity, Infrastructure
Protection, and Security Technologies, where I also serve, we
talk a lot about cybersecurity threats to our power grids and
to our nuclear missile silos and other critical infrastructure.
But we, frankly, talk a lot less about the fact that 90 percent
of the world's consumer goods are shipped on boats and vessels
that come through our ports, and that statistic alone really
underscores the gravity of the threat that we are talking about
here. If the maritime industry suffered a major cyber attack,
it could leave grocery store shelves empty. It could leave gas
tanks at filling stations across the country empty, and,
obviously, that would have a devastating, tremendous impact on
our economy.
To that point, I want to ask about a report that was in the
news last year--and maybe, Admiral Thomas, you may be the one
to start with--I read a report that a U.S. port had suffered a
7-hour interruption of a GPS signal. Can you confirm that for
me?
Admiral Thomas. Yes. I mean, there's a container terminal
that is fully automated that relies on GPS signal in order to
locate specific containers and move cranes around. That
particular disruption, if we are thinking about the same one,
was ultimately determined not to be related to an intentional
attack, but it does highlight the vulnerabilities associated
with particularly relying on one system for that type of an
operation.
Mr. Ratcliffe. Terrific.
So given the challenges that the Department of Homeland
Security and the Federal Government--I think it is well-known--
are having in this arena with respect to the ability to retain
a talented and keep a talented cyber workforce, I would like to
get your perspective.
There have been some discussions earlier about leveraging
other resources, and within the Department, there is the NCCIC,
the National Cybersecurity and Communications Integration
Center. Is that a resource that you have been able to leverage?
If not, why not, because a lot of what we have been talking
about on the Homeland Security Committee generally is trying to
elevate the NCCIC and its role and its use as a resource in
this regard?
Admiral Thomas. Well, I think you will be happy to hear
that NCCIC is absolutely a resource for us, and as a resource,
it impacts all three of our strategic priorities in our cyber
strategy.
We have a Coast Guard person there full time. That is one
of the ways we are building our own expertise, but it also
ensures that NCCIC is fully linked up with our Coast Guard
Cyber Security Operations Center. We are sharing information on
a daily basis. We are taking information in from the industry,
and we are providing information dozens and dozens of times a
year to the industry on cyber threats, particularly in the
maritime sector.
So NCCIC is every day getting more and more effective and
getting more well-known and, I think, achieving their mission.
Mr. Ratcliffe. Well, good. I am, actually, very pleased to
hear that. So in follow-up to that, I would like to ask you,
Mr. Parsons--because you talked a little bit about the
information sharing aspect, and obviously, that is one of the
things that the NCCIC tries to accomplish--has that been a
resource for you, and, if not, why not?
Mr. Parsons. In the Port of Long Beach, we have two cyber
functions. We have two completely separate networks on the
security side of the house. That is a reliance we have on the
Enterprise Information Management Group. They have for the last
3 years had staffing, particularly as cybersecurity experts,
and we looked at them to share that information on an
enterprise level. With our stand-alone network, we share with
various Federal databases. Both networks' personnel meet and
talk with each other.
Both the Port of Los Angeles and the Port of Long Beach
have CSOCs, a Cybersecurity Operations Center. The city of Los
Angeles, the mayor's office, stood up a robust Cyber Fusion
Center for the region, and both ports have connectivity with
that.
I think part of the point you are trying to get to, though,
is, to me, there is a lot of sharing going on, but I think
there may need some better leadership and direction to make
sure the right information is getting to the right people.
Mr. Ratcliffe. Okay. Thank you.
Mr. Wilshusen, a follow-up because you, actually, you know,
broached this subject and talked about some of the barriers to
information sharing, but I assume that you're familiar with the
bill that we moved through this committee and then successfully
through the House, the National Cybersecurity Protection
Advancement Act. That is an information sharing bill, and it
does provide for--or intends to provide for, if passed into
law, the opportunity to scrub out the type of information that
has discouraged sharing personal identifying information,
proprietary information, and to limit it to cyber threat
indicators.
Any perspectives on that legislation, and was that what you
were addressing?
Mr. Wilshusen. Well, I think, you know, to the extent that
that legislation will improve the sharing of information on
cyber threat incidents among the various different sectors and
in the Federal agencies, it is going to be a positive. Indeed,
you know, we are also going--we have been mandated--the GAO has
been mandated to look at the NCCIC and how well it is
implementing its mission roles and responsibilities in helping
to facilitate the sharing of information.
Mr. Ratcliffe. I appreciate you all being here today.
Again, I appreciate the opportunity to be on the
subcommittee. I yield back.
Mrs. Miller. I thank the gentleman.
I thank you both for attending. We appreciate it.
The gentleman from Texas.
Mr. Vela. Madam Chairman, I ask unanimous consent for the
gentleman from Rhode Island, Mr. Langevin, to sit and question
the witnesses at today's hearing.
Mrs. Miller. Without objection, the Chair now recognizes
Mr. Langevin, the gentleman from Rhode Island----
Mr. Langevin. Thank you.
Mrs. Miller [continuing]. A former Secretary of State as
was myself.
Mr. Langevin. Likewise. You bet.
I want to thank the witnesses for being here today.
Mr. Sawicki and Mr. Parsons, if I could just start with
you.
Mr. Sawicki, one thing that caught my eye in your written
testimony was your recommendation that DHS ``further define and
provide guidance on what constitutes a transportation security
incident specific to potential or actual cyber breaches.''
Can you and Mr. Parsons expand on this a bit further? What,
if any, guidance have you received?
Mr. Sawicki. Sure. Thank you very much for the question.
My recommendation is--the focus of it is to help understand
that just because a facility is in a port and on the water,
every security incident doesn't always elevate beyond the fence
line to where it impacts the American transportation system. So
I think it is important that we all come up with a--whatever
that line is to where it is purely an internal crime versus
something that needs to be reported through NRC and responded
to by the Federal Government.
I am not aware of any specific guidance on what constitutes
a transportation security incident based on cyber. I think in
the majority of facility security plans or port security
facility plans, there is always a question on what is a breach,
what is a potential breach, and what is a near miss. So I think
helping define that will help port facilities and ports report
incidents that do occur.
Mr. Langevin. So, can I ask you this? How do you report
cybersecurity incidents to the Federal Government, and to whom
have you reported?
Mr. Sawicki. I think that is the question right now. We
have not reported any cybersecurity incidents because we have
not had any, that I am aware of, that are significant enough to
report.
I think one thing to understand, specifically for the Port
of Brownsville and many other mid-tier ports, that our focus
right now is not so much protecting our networks through
additional measures; it is upgrading semi-aging systems, so
upgrading software, hardware that comes with the basic
protections versus adding additional protections.
So, right now, if we were to have a breach to the port's
cyber, to their internal email network, I think it would take
some conversation to see who needs to be reported.
Mr. Langevin. So let me take a different tack.
What incidents do you report, and what are the criteria you
use to determine whether to report?
Mr. Sawicki. Right now, our incidents that we report are
breaches of security based on our facility's security plan--so
somebody who may jump a fence, be seen jumping the fence, you
know, who kind of breaks our perimeter--you know, the basic
intrusion. If there is a threat that is reported, we will
report that. But, right now, it is most of the reporting is
done in accordance with our security plan and is based on an
actual breach of our physical security.
Mr. Langevin. So, right now, no criteria for reporting any
type of a cyber event or intrusion?
Mr. Sawicki. Correct.
Mr. Langevin. Okay.
Mr. Parsons, if I could, in your testimony, you mentioned
that ports can be reluctant to reveal they have been breached.
Are there requirements as to what you must report?
Mr. Parsons. No, sir, in the same vein about reporting.
There is some confusion about what is reported to who. Our
Information Management Division tells us we defend against
approximately a million potential penetrations a day. That
information is fed to the FBI's Cyberhood Watch Center. So they
receive that information, and they analyze it with other
reporting.
Should a major incident occur in the port complex, what we
would do isn't any different than any other potential emergency
situation. We would call the Coast Guard. We would call the
FBI. We would call our partners. We would say, ``Here's what
we've got, where do you think this fits,'' because we have
overlapping jurisdiction within maritime environments. So we
work it out through personal communications and collaboration,
but there isn't guidance to direct us.
Mr. Langevin. Thank you, Mr. Parsons.
Admiral, if I could turn to you, Admiral Thomas.
How does the Coast Guard evaluate risk assessments and
security plans with respect to cybersecurity, and have you
found common challenges across different ports, and are there
any model ports that you could point to in terms of protecting
cybersecurity?
Admiral Thomas. Well, thank you for the question.
If I could just take up the issue of reporting first.
I mean, we do receive reports of cybersecurity breaches in
ports. We did receive one just last night, in fact. So there
are reporting requirements. The cyber incidents that are
related to the physical security requirements are reportable
under the MTSA.
So, for example, if there is a loss of access control to a
facility or a loss of cargo control or a loss of perimeter
control that is associated with a cyber breach, that is a
reportable incident.
The confusion comes because cyber touches all aspects of a
port operation. So if it is a financial system, for example,
that has been breached, well, that would not be reportable to
the Coast Guard because it is not addressed under our
authority. So I think the industry reps here are absolutely
right that it is very confusing to figure out which type of
incident gets reported to whom.
Now, for your question with regard to how do we address
cyber risks in the ports, I mentioned earlier--I think before
you entered the room--that we are working very closely across
the interagency to develop those risk assessment tools so that
what we employ in the maritime is consistent with what is
employed in the power sector and in the financial sector, et
cetera. There are a number of those tools under development--
again, led by DHS--and we have piloted those in some of the
major ports around the Nation.
There are definitely ports that have been more active--
proactive, and it would be the ones that you would think about,
those that have the larger amounts of really high-risk cargoes.
Then there are others who are probably, rightly, just kind of
waiting to see what develops in terms of standards.
Mr. Langevin. Thank you. I see my time has expired, but I
will have some follow-up questions. Perhaps, if you could
respond for the record, I would appreciate it. Thank you.
Mrs. Miller. I thank the gentleman very much.
The Chair now recognizes Ms. Jackson Lee from Texas.
Ms. Jackson Lee. Madam Chair, could I yield to Mr. Donovan,
and I will go last? I am still looking at my notes. Thank you.
Mrs. Miller. Mr. Donovan has already had his 5 minutes. You
are the last one.
Ms. Jackson Lee. Then I cannot yield to Mr. Donovan, as
they say.
Mr. Donovan. Thank you.
Ms. Jackson Lee. Let me thank Mr. Vela and Mrs. Miller for
this, and I am always glad to see the Brownsville Port here and
acknowledge that Congressman Vela has done an excellent job in
this capacity and has provided great leadership on these issues
for the State of Texas.
Obviously, I am going to make note of the fact that we have
the Houston Port, and we have a number of concerns about it.
So let me, first of all, ask Mr. Sawicki, are you aware of
the FBI watch, and do you engage--use any Federal resources
such as the FBI if you think something has occurred with
respect to cybersecurity?
Mr. Sawicki. Thank you very much.
I am aware of the FBI's InfraGard Program because I am a
member of it, so I receive emails about current threats that,
you know, can be sent out to people of my, I guess, stature,
would be the best way to put it. So we coordinate the same way
we coordinate cyber just like we coordinate safety and security
in our ports. The Area Maritime Security Committees and
Subcommittees are our primary method for information sharing
and communication.
I have also worked in and throughout the Port of Houston
and the Houston Ship Channel, and there it is the very same
way. We have very robust Area Maritime Security Committees and
very robust Harbor Safety Committees, and that is where a lot
of that information sharing is happening.
Do we formally engage in Brownsville with the FBI
currently? No, because there hasn't been the need to. We do--
the topic does come up during AMSC meetings, but we have not--
fortunately, we have not had a breach that would require us to
coordinate with the FBI.
Ms. Jackson Lee. What do you think the trepidation is for
maritime companies not to share cyber attacks that have
occurred?
Mr. Sawicki. Competition. Competition and the potential for
impact to their brand. We have seen some major breaches at some
major companies, and we have seen CEOs lose their jobs. We have
seen stock prices impacted. I think cyber is a little different
because the likelihood of a cyber attack is as close to 100
percent as you can get. So I think private industry is
protecting themselves because of that likelihood, and they are
building crisis management programs around cyber just like they
do around environmental issues and things like that. So private
industry is working on it.
Ms. Jackson Lee. We understand that a decade or so ago,
this committee established that over 85 percent of the
infrastructure which would be subject to many attacks was in
the private sector, and we have started to send out messages
for them to prepare.
But what can the Federal Government do that you think would
be effective in sort of easing the concern of competition and
looking more closely at the vast massive impact that would come
from a cyber attack and particularly at the port?
Mr. Sawicki. I think, initially and what is happening right
now, it is facilitating the conversation, but ultimately, it is
ensuring that any data that is shared is protected. So
protecting your own networks first while private industry works
to protect their networks and then to help--to continue funding
training programs. You know, like I said, many ports right now
are not the very large--not the Port of Houston, not the Port
of Long Beach--to where the need is training. You know, we can
have all the systems in the world, but if I click the wrong
email, it can get right around all of it.
So I think facilitating training, continuing to support the
Port Security Grant Program, and then really looking at some of
the cost-mass requirements for cyber projects that could
potentially mitigate risk at a National level.
Ms. Jackson Lee. Thank you.
Admiral Thomas, I can't see you, but I know, by your
excellent answers, that you are here.
Let me have a series of questions with you, albeit briefly
then. I thank the Chairman.
As I do that, let me acknowledge the Brownsville Port, but
then, of course, I have in my jurisdiction the Houston Port,
which is a 25-mile-long complex of diversified public and
private facilities and is a few hours away from Gulf of Mexico,
which makes it vulnerable on a number of occasions--on number
of points: It is man-made. It has major exports. In 2012, Ship
Channel-related businesses contributed 1 million-plus jobs and
178 plus 5 billion in State-wide economic activity.
You heard the gentleman from the Port of Brownsville about
competition and what could be done. You see the difference in
size of the many ports across America.
In terms of the Coast Guard's cybersecurity effort, how
does the present structure of sequester impact that, and what
answer would you give to the private sector who would be
willing to give more information if they could be assured of
the lack of a breach? What are the firewalls that we are
putting in place or have in place?
Admiral Thomas. Well, thank you for the question.
With regard to the impact of sequester on our cyber
operations, particularly our efforts to secure the critical
infrastructure, I would say it is minimal now because we are
still in the assessing and communicating phase, in the process
of figuring out, what are the proper performance standards to
put into place? As we move into a phase where we actually have
to ensure compliance with those standards, then I think the
resource demands become heavier on us.
Ms. Jackson Lee. What is your projection for moving up to
the next step?
Admiral Thomas. Well, one of the interesting things about
this cyber question is that it is not really uniquely maritime
in that what we do in the maritime really needs to be closely
aligned with and look a lot like what goes on in other sectors,
so I think the Government needs to move through this.
In other words, I don't think we want to be implementing
hard standards in the maritime ahead of many of the other
sectors, particularly those sectors that this--the maritime
ports connect with because you wouldn't want to put in place
separate requirements for entities that--you know, my rail is
going to have to meet this, and my port facilities are going to
have to meet that, and my trucking facilities something else.
So I don't know. I think that the time line, though, has to
be carefully coordinated and considered.
Ms. Jackson Lee. Is that the Government's challenge to
coordinate the private sector and cybersecurity, because maybe,
Admiral, you might have a best practices idea under the Coast
Guard that might be utilized by the railroads and otherwise? I
am trying to see who starts, and what would be most helpful to
get us into this process as I conclude.
Admiral Thomas. So DHS really has taken a leadership role
in coordinating across all the sectors, and the Coast Guard
participates in that as does the TSA and all the other sector-
specific agencies. So I think the focus on sharing those best
practices across sectors--and certain sectors are leading,
financial, for example, and energy--is definitely in place, and
the private sector is very involved in that effort.
Ms. Jackson Lee. Thank you, Madam Chair.
Mrs. Miller. I thank the gentlelady. I appreciate it.
Ms. Jackson Lee. If I----
Mrs. Miller. I am going to move on here. We have a hard
deadline.
Ms. Jackson Lee. I understand. When the gentleman finishes,
I just want to put a ``thank you'' on the record.
Mrs. Miller. Certainly.
Ms. Jackson Lee. So I would appreciate it.
Mrs. Miller. The Chair recognizes the gentleman from Texas
now, Mr. Hurd.
Mr. Hurd. Thank you, Madam Chairman.
Thank you all for being here today.
This question is directed at any one of you all that want
to field it, and I want to pick up on some of the questions
that my colleague from Houston has talked about.
You know, ports, like many other industries in the world,
are moving towards automation, integration, you know, and
upgrades to industrial control systems. You know, probably the
two publicly-known cases of physical damage occurring as a
result of a cyber attack is Stuxnet, probably being the most
well-known, and it occurred as a result of cyber attacks
against industrial control systems.
You all have talked about information sharing, but what are
some of the unique challenges you all are dealing with in
protecting industrial control systems, and, you know, what are
you all doing specifically in that area?
The admiral, maybe, or Mr. Parsons.
Admiral Thomas. Well, I mean, I can talk to you about what
I know is going on in some of the higher-tech portions of the
maritime industry.
So, for example, those vessels that are out in the Gulf of
Mexico, drilling in very, very deep water, relying on dynamic
positioning systems and systems that are making decisions
faster than people can humanly make them, which enables them to
drill, you know, miles down--that they really have begun to
focus--rightly, I believe--on what I call a layered cyber
protection strategy, which starts with individual components,
the manufacturers of those components, how those are made, how
they have been integrated into a system, and how that system is
then integrated on the vessel but then, beyond that, really
focusing on the human elements because this is more than just
an IT problem.
Also, how are those systems operated and maintained, and
how are the operators and maintainers trained, because very
basic training, like don't plug your iPhone into this system,
can go a long way to help to prevent?
So what I have seen, particularly in those portions of
industry that rely more heavily on high-tech, is a risk-
management approach for cyber that is akin to what they have
always done for physical threats, and I think that is a
positive step.
Mr. Wilshusen. I would just add, too, that one of the key
elements to the increasing use of industrial control systems
that have communications capability is just making sure that
entities and corporations are aware of that capability and the
threats associated with that.
What we had found in a couple of our reviews is that the
agency--and this is going back a few years--was not even
familiar or did not know that its industrial control systems
were actually connected to the administrative networks of the
organization, and that created another avenue of access, if you
will.
So understanding the threats to the technologies that are
being used and how that technology is being used is going to be
key to that, particularly as it relates to industrial control
systems.
Mr. Hurd. I yield my final 2 minutes to my colleague from
Texas. Thank you.
Ms. Jackson Lee. Thank you, Mr. Hurd.
I wanted to just say to the admiral but pose a question as
well, first of all, thank you for the stunning and--obviously,
I know you will say they were doing their duty work regarding
the cargo ship off the coast of Florida during a very horrific
time. I don't know if the Chairman and Ranking Member know of
the interests that I have because I think security involves
many aspects of our work, and that--we have no evidence of
anything untoward. But certainly it was a tragic episode and a
loss of life of many Americans.
So, Admiral, I am thankful to you, and the question that I
have that you could either do in writing--or I think I have a
few minutes for you to answer--is: Any directions--or does the
company and/or the captain seek information from the Coast
Guard, their communications on-going that might draw the
attention to come back to harbor in any situations like that?
Admiral Thomas. Well, as you know, our investigation of
that particular casualty is just starting under the lead of the
NTSB, and those questions will certainly be asked. It is really
the human element: What information was looked at by whom and
when? Generally, though, a master of a ship of that size is not
consulting with the Coast Guard with regard to his or her
voyage planning.
Ms. Jackson Lee. Is not consulting?
Admiral Thomas. Is not consulting with the Coast Guard with
regards to their voyage planning. Obviously, they are required
to let us know when they tend to make a port call, but the
voyage planning is something that is left to the ship's master
and the company.
But, as I said, our investigation with the NTSB will look
into all of those factors, and we will be in a better position
to let you know the specifics, hopefully in a few weeks.
Ms. Jackson Lee. Thank you.
Mrs. Miller. Thank you.
Ms. Jackson Lee. Thank you, Mr. Hurd.
Mrs. Miller. We thank the gentlelady for those comments.
We began our meeting, actually--our hearing--by thanking
the coastguardsmen and women for their extraordinary service in
that incident.
Thoughts and prayers, obviously, to all the families, the
people that have been lost.
So I want to thank the witnesses--all of you--for joining
us today. I think it has been a very good hearing, a very
timely subject, one that is not going away. It is something
that we have to pay an incredible amount of attention to.
So the Members of the committee might have some additional
questions for the witnesses, and I would ask you all to respond
to those in writing if they do put those in writing.
Pursuant to the committee rule 7(e), the hearing record
will be held open for 10 days.
Without objection, thank you all again for attending.
The committee stands adjourned.
[Whereupon, at 11:30 a.m., the subcommittee was adjourned.]
[all]