Strengthening Maritime Cybersecurity

On January 17, the U.S. Coast Guard announced a groundbreaking final rule aimed at bolstering cybersecurity for U.S.-flagged vessels and other regulated maritime facilities. The rule establishes mandatory cybersecurity measures to safeguard the nation’s critical maritime infrastructure from cyber threats. This initiative, stemming from an executive order and proposed rule issued in February 2024, represents a significant step in fortifying America’s ports against potential cyberattacks. However, the rule’s effectiveness depends on sufficient resources and coordination among infrastructure operators and the Coast Guard.

The rule mandates regulated entities to implement comprehensive cybersecurity plans encompassing best practices in cyber hygiene, such as strong password protocols, access management, asset inventories, and encrypted data. Additionally, maritime operators are required to develop incident response strategies, designate cybersecurity officers, and conduct annual audits and training sessions. Furthermore, entities must report cyber incidents promptly to the National Response Center, the FBI, and the Cybersecurity and Infrastructure Security Agency to enable swift response and information sharing.

Rising Cyber Threats Targeting U.S. Ports

The Coast Guard’s rule arrives amid mounting cyber threats targeting the maritime sector, particularly from state-sponsored actors. A December 2024 report by DNV, a maritime technical organization, revealed that 31% of industry professionals experienced cyberattacks within the past year—almost double the frequency of incidents reported in the previous five years. Intelligence agencies and cybersecurity experts have consistently warned of sophisticated cyber campaigns originating from China, with malicious actors allegedly embedding themselves within U.S. critical infrastructure, including ports, potentially to disrupt operations during geopolitical conflicts.

A significant concern lies in the widespread use of Chinese-manufactured cranes and logistics software at U.S. ports. While Congress moved to ban Chinese-made logistics software in late 2023, ongoing reports suggest that ports remain heavily reliant on equipment produced in China. A joint congressional report from September 2024 highlighted the vulnerabilities of this dependency, calling for stronger measures to address risks posed by foreign-manufactured technology in maritime operations.

Investment in Cybersecurity Is Key of Maritime Infrastructure

While the Biden administration has committed $20 billion to enhance port infrastructure, cybersecurity has yet to become a core focus of these investments. The Coast Guard’s port security grant program currently does not prioritize cybersecurity projects, prompting calls for more targeted funding initiatives. Experts suggest that both the administration and Congress need to provide clearer guidance and additional financial incentives to help maritime operators meet the new cybersecurity standards.

Moreover, the Coast Guard faces challenges in its capacity to provide timely cyber threat intelligence and guidance. A shortage of civilian cyber advisors, who support captains of the port in mitigating cyber risks, underscores the need for increased funding and personnel. Experts recommend that the Coast Guard request additional resources in its upcoming budget to bolster its cybersecurity capabilities.

Although long-term investments are necessary to ensure sustained cybersecurity improvements, the Coast Guard’s new rule represents a pivotal first step in protecting U.S. maritime infrastructure from evolving threats. By enforcing these measures, the agency hopes to enhance the resilience of America’s ports and safeguard a vital sector of the economy.