GAO Questions IT Security at U.S. Ports
DHS: Cyberthreats Add Dimension of Complexity to Port Security
The Department of Homeland Security hasn't done enough to secure the IT systems that manage American ports, Congressional auditors say in a new report.
"While the Coast Guard initiated a number of activities and coordinating strategies to improve physical security in specific ports, it has not conducted a risk assessment that fully addresses cyber-related threats, vulnerabilities and consequences," Gregory Wilshusen, Government Accountability Office director of information security issues, says in a report made public June 5.
Officials representing the Coast Guard, a DHS unit, told GAO they intend to conduct such a risk assessment, but they did not provide details to show how it would address cybersecurity. "Physical port security poses a wide variety of challenges and threats emanating from the global cybersecurity arena add a dimension of complexity that requires deliberative consideration," Jim Crumpacker, director of DHS's GAO-IOG Liaison Office, says in response to the audit.
That answer didn't satisfy Wilshusen. "Until the Coast Guard completes a thorough assessment of cyber risks in the maritime environment, the ability of stakeholders to appropriately plan and allocate resources to protect ports and other maritime facilities will be limited," he says.
Technologies Used in Maritime Ports
Each year, American ports handle cargo worth more than $1.3 trillion, and GAO says the operations of these ports are supported by information and communication systems that are susceptible to cyberthreats. GAO contends failures in these systems could degrade or interrupt operations at ports, including the flow of commerce. Auditors contend federal agencies - in particular DHS - and industries using the ports have specific roles in protecting maritime facilities and ports from physical and cyberthreats.
GAO finds that required maritime security plans generally did not identify potential cyberthreats. Coast Guard guidance for developing these plans did not require cyber-elements to be addressed. DHS officials say guidance for the next set of updated plans being developed this year will include cybersecurity requirements. But Wilshusen says the revised guidance may not adequately address cyber-risks at U.S. ports in the absence of a comprehensive risk assessment.
An industry coordinating council for sharing cyberthreat information among nonfederal stakeholders is no longer active, and GAO says the Coast Guard has not persuaded stakeholders to re-establish it. This puts maritime stakeholders around the nation at greater risk of not being aware of, and thus not mitigating, cyber-based threats, Wilshusen says.
Under a program to provide security-related grants to ports, the Federal Emergency Management Agency, another DHS unit, identified enhancing cybersecurity capabilities as a funding priority for the first time in fiscal 2013, which ended last Sept. 30; it has provided guidance for cybersecurity-related proposals. But GAO says FEMA has not consulted cybersecurity experts regarding cyber-related proposals, partly because the agency has cut the number of experts on a panel that reviews grants. Wilshusen says FEMA is limited in its ability to ensure that the program is effectively addressing cyber-risks at U.S. ports.
In the report, requested by the Senate Commerce Committee, GAO recommends that DHS direct the Coast Guard to assess cyber-related risks, use that assessment to help shape maritime security guidance and determine whether the maritime sector coordinating council should be re-established.
Auditors also recommend that DHS direct FEMA to develop procedures to consult DHS cybersecurity experts for assistance in reviewing grants and use the results of those cyber-risk assessments in the grant process.
DHS concurs with the GAO recommendations.