The maritime industry needs to invest in a “more equitable balance” of offensive and defensive measures — especially ramping up a strong defense — to protect operations from potentially devastating cyber attacks, the former director of the Cybersecurity and Infrastructure Security Agency told Congress.
Noting the five-year National Maritime Cybersecurity Plan released by the White House last year, Chris Krebs told the House Homeland Security Committee in the Wednesday hearing on cyber threats to the homeland that “CISA coordinates very closely with the Coast Guard; in fact, Coast Guard service members actually sit with CISA and actually support our hunt and incident response mission.”
“It’s a very collaborative relationship between CISA and the Coast Guard,” he said. “The relationship in terms of going out and working in the maritime sector at ports, on facilities and then coast-wise is a budding relationship that I would suggest again we need to put more resources against.”
Rep. Nanette Barragan (D-Calif.) noted that the maritime sector faced 2018 ransomware and malware attacks impacting the ports of Barcelona and San Diego, attacks that “seem to be focused and potentially made increasingly easier as the convergence of information technology, or IT, and operational technology, OT, systems become more integrated.”
“According to varying industry reports, the number of maritime-focused cyber threats and incidents have risen by as much as 900 percent. The cyber attacks have great economic impact to maritime ports, especially those that are integrated into our transportation networks,” she said. “These attacks can cause reputational harm, financial loss, and even physical damage, especially in the cases of compromised dockside equipment or vessel.”
The Port of Los Angeles, located in Barragan’s district, has invested in creating a cybersecurity operations center and has a dedicated cybersecurity team watching over port operations.
“To create additional centers and resources will require investment by federal, state, local and private industry partners,” the congresswoman said. “Without such investments, this will greatly cripple and potentially hinder America’s supply chains and response efforts to catastrophic events like the COVID pandemic.”
Krebs said that industry partners can work with vendors that can “help them understand what their environment looks like, the controls they need to put in place to secure their systems, to lock them down, to disconnect if at all possible.”
“But that’s not always possible because you need a lot of time for remote access,” he added.
The bigger issue, he said, is “we have to have this balance of stopping the adversary as best we can alongside improving defenses.”
“So, it is not a, you know, just invest in defenses and it’s not just invest in offense. It’s got to be a more equitable balance,” Krebs continued. “I think historically we have over invested — or at least principally invested — in offense, and we have to ramp up defensive investments going forward.”
“Should operation centers like the one at the Port of L.A. be considered for funding, such as like state Homeland Security grant programs, emergency preparedness grant programs?” Barragan asked.
“Yes, ma’am,” Krebs replied, stressing the value of “pulling all the stakeholders together enterprise-wide to be able to manage risk to environments.”
Krebs generally called the cyber threat landscape “more complicated than ever.”
“With foreign governments and criminal gains alike using capabilities that enable everything from run of the mill cybercrime, information operations, intellectual property theft, constructive attacks, and operations with kinetic effects. The bulk of the malicious cyber activity targeting the United States emanates from four countries: Russia, China, Iran, and North Korea,” he testified. “Even in those countries, the difference between state action and criminal activity is increasingly blurred as contractor or proxy cyber actors support or act on behalf of state directed operations. As long as the tools are available, vulnerabilities exist, money and secrets are to be had, and a lack of meaningful consequences persist, there will be malicious cyber actors.”
The former CISA director emphasized the importance of “stronger cybersecurity leadership in industry and more centralized oversight in government.”
“Industry and government must come together collectively to democratize cyber security, better understand where our real risk lies, increase capacity, and work in a meaningful way beyond information sharing,” Krebs said. “This includes coming together to counter the scourge of ransomware.”