Last week, the House Transportation and Maritime Security Subcommittee held a hearing on the vulnerabilities in U.S. port security.
The top concern of subcommittee Chairman Carlos Gimenez, R-Fla., was the prominence of Chinese-made cranes from Shanghai Zhenhua Heavy Industries Co. (ZPMC) that operate at U.S. ports.
Those testifying included Rear Adm. Wayne R. Arguin Jr., assistant commandant for prevention policy, Coast Guard (USCG); Eric Goldstein, executive director for cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA); and Neal Latta, assistant administrator for enrollment services vetting programs, Transportation Security Administration (TSA).
Gimenez’s opening remarks highlighted the importance of ports to U.S. economic and national security.
“Ports represent soft targets to our adversaries, and a large-scale operational disruption at a major port could have a debilitating effect on our country,” he said. “It is critical that we understand and address the security vulnerabilities at our maritime ports.”
Members of Congress expressed particular interest in measures the Coast Guard is taking to combat cyberattacks.
A concern is that Chinese-made cranes present Beijing with an opportunity to spy on U.S. imports and exports, including equipment used in U.S. military operations around the world. These ZPMC cranes contain sophisticated sensors that record and track the distribution of containers, and Congressional members are concerned that this information could be acquired by the People’s Republic of China.
Arguin said that the Coast Guard’s top priority is addressing the marine transportation system (MTS) that supports $5.4 trillion of annual economic activity and employs nearly 30 million Americans.
MTS is shaped by three drivers. “First is the demand for increased capacity, bigger ships, and deeper channels,” Arguin said. “Second, reduce transportation’s environmental footprint and promote sustainability. The only way we meet these first two demands is the third driver, the introduction of new and complex technologies. We refer to those three as the triple challenge, because together they create a far more complex operating environment.”
Eric Goldstein of CISA focused on reducing risk in the supply chain, particularly the risk posed by high-risk devices manufactured by China-based organizations. CISA’s current focus is on devices that are on the federal communications high-risk list, and the agency has identified nearly 100 organizations across critical sectors that are currently running these kinds of high-risk devices. Regional personnel are working with these organizations to modernize and upgrade their equipment. This will ensure these companies are no longer running devices that could pose a risk to their critical networks.
Goldstein also mentioned CISA’s use of CyberSentry, which provides government sensors capable of detecting threats on some of the highest-risk private networks. CISA’s Pre-Ransomware Notifications Initiative also identifies ransomware intrusions that have occurred but where there hasn’t yet been an encryption event, and notifies these victims so they can mitigate before damage happens. “Using technology that is as hardened as possible will protect us against the threat that we know that we’re facing,” Goldstein said.
The last segment addressed the Coast Guard cyber protection teams (CPTs), made up of 39 highly trained technical specialists who can evaluate and assess a port’s network. Their role is to look for anomalies and provide feedback to network owners on ways they can shore up those vulnerabilities. CPTs are directly connected with CISA teams through information sharing to help identify threats. If an attack occurs, the CPT can also provide forensics support to restore network capability.
The subcommittee hearing was aired live on the National Homeland Security YouTube channel, and you can watch the recording here.