DHS Inspector General: Coast Guard Shortcomings Hinder US Maritime Security

The Coast Guard is struggling to secure the US maritime supply chain thanks to inadequate staffing, training, authority, and cyber expertise.

A new report from the Department of Homeland Security's Office of Inspector General paints a picture of an industry reluctant to seek cybersecurity support, and a military unable to adequately provide it.

Coast Guard "Cyber Protection Teams" (CPTs) have offered free cybersecurity help to organizations in the Maritime Transportation System (MTS) since 2021, yet only 36% of qualifying organizations have taken them up on it. The private sector is "hesitant," the report says, despite the many security vulnerabilities CPT assessments typically uncover.

Part of the blame lies with the Coast Guard itself. The DHS Inspector General's Office's found that CPT inspections of marine facilities and vessels don't always account for "the full scope of potential cybersecurity threats. This occurred because Coast Guard does not have the authority or training to enforce private industry compliance with standard cybersecurity practices."

Plus, the service branch lacks staff with cyber expertise, according to the DHS IG.

Coast Guard Role in Private Sector Cybersecurity

Earlier this year, the Biden administration issued an executive order that, among other things, empowered the Coast Guard to take an even greater role in private sector security.

The military branch now has the authority to quarterback response efforts after any facilities, harbors, ports, or individual vessels are impacted by cyber incidents, including by inspecting or even controlling the movement of vessels which might otherwise threaten US infrastructure. It was also assigned the task of creating a set of minimum cybersecurity requirements for the industry.

"You don't see the Air Force directly taking on transportation [security], but it makes sense here in this case due to their [the Coast Guard's] sector expertise," says Itay Glick, operational technology expert and vice president of products at Opswat. "They already have relationships with the different groups — ships, ports, etc. — because of their day- to-day work, and adding that layer of cybersecurity actually makes sense."

In some ways, the Coast Guard has been quite productive so far. Cyber incidents reported to, and reviewed by, the Coast Guard have risen 111% in the past few years. Its vulnerability assessments have uncovered hundreds of incidents involving dozens of vulnerabilities, more than half of "critical" or "high" severity, meaning they could cause complete network, application, or system compromise.

In other ways, though, the service branch has not seemed up to the task. The DHS observed some CPT inspectors ignoring cybersecurity entirely, and found that they "expressed a limited understanding of how to address cybersecurity" thanks to little to no cybersecurity training. And even when vulnerabilities were found, the branch had insufficient means to force companies to comply with its recommendations for remediation.

Threats to Maritime

If it wasn't obvious enough in years prior, the world learned just how valuable and sensitive the MTS is from COVID and the Ever Given incident in the Suez Canal. Hackers learned it, too, and now cyber threats to the system are far greater than they ever were before.

A report from the Coast Guard Cyber Command last year found an 80% rise in reported ransomware incidents, with ransom demands tripling on average. Cyber disruptions to marine industries can come in many other forms as well, and cyber espionage — particularly from capable nation-state adversaries — is a persistent risk.

A failure to account for the kinds of vulnerabilities uncovered by plenty of CPT assessments already could, in the worst-case scenarios, lead to physical danger for crew members or marine life, and major disruptions to the global supply chain.

"Years ago, you saw [how] you couldn't bring new supplies into countries across the world. This is something that can happen again," Glick Warns, "and this is what we need to fear. If you don't have produce coming in, that might terribly impact the commercial industry here in the US."