The Biden Administration and the U.S. Coast Guard (USCG) have introduced new measures to reinforce the security of the nation's maritime critical infrastructure and advance cybersecurity in the maritime sector. These measures include the issuance of an Executive Order that strengthens the USCG's authority to directly address maritime cybersecurity threats, alongside the USCG's development of a proposed rule concerning maritime cybersecurity.
Executive Order Strengthening the USCG's Authority to Address Maritime Cybersecurity Threats
On February 21, 2024, President Biden signed an Executive Order strengthening the USCG's authority to directly address maritime cybersecurity threats. The Executive Order grants the USCG the express authority to respond to malicious cyber activity in the nation’s marine transportation system by requiring vessels and waterfront facilities to mitigate cyber conditions that may endanger the safety of other vessels, ports, or waterfront facilities. The Executive Order also institutes mandatory reporting of cyber incidents—and active cyber threats—endangering vessels, ports, or waterfront facilities. The Executive Order further authorizes the USCG to control the movement of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure and to inspect vessels and facilities that pose a threat to cybersecurity.
With this new authority, the USCG has already issued a Maritime Security Directive instructing owners and operators of certain critical port infrastructure to promptly address cybersecurity vulnerabilities, particularly those associated with ship-to-shore cranes produced by the People’s Republic of China.
USCG Proposed Rule on Maritime Cybersecurity
On February 21, 2024, the USCG also released a proposed rule that would update its maritime security regulations by establishing minimum cybersecurity requirements for U.S.-flagged vessels, Outer Continental Shelf facilities, and U.S. facilities subject to the Maritime Transportation Security Act. The proposed rule would require a number of cybersecurity measures, including cybersecurity planning, account security, device security, network segmentation, data security, training, incident response planning, drills and exercises, and cyber incident reporting. Regulated entities would also be required to identify a Cybersecurity Officer responsible for overseeing implementation of the new requirements. Notably, in developing the proposed rule, the USCG has leveraged common frameworks from the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).