Coast Guard workforce lacks maritime cyber expertise, watchdog says

A government oversight report out Tuesday said that major foreign adversaries like Russia and China pose a significant risk to the cybersecurity posture of the U.S. maritime ecosystem and noted that the Coast Guard does not have adequately educated personnel ready to tackle those threats.

The Coast Guard “has not fully addressed leading practices to ensure its cyber workforce has the competencies needed to address [maritime transportation systems] cybersecurity risks,” said the report from the U.S. Government Accountability Office. 

“Specifically, the Coast Guard has not fully developed competency requirements. In addition, the Coast Guard has not fully assessed and addressed competency gaps for its cyber workforce. Until it does, the Coast Guard will not have assurance it is effectively mitigating cybersecurity risks to the MTS,” GAO added.

The watchdog said that four officials in the service are responsible for addressing maritime cyber risks, though they are not directly named. The study involved interviews with Coast Guard officials from Cyber Command, Port and Facility Compliance and other key offices, along with site visits to a handful of major ports around the country.

Coast Guard officials told GAO that the maritime law enforcement agency has not addressed these workforce gaps because it was awaiting a rulemaking on minimum cybersecurity standards for maritime system owners and operators to be finalized. 

Those rules were formally finalized last month, and the Coast Guard said in responses to GAO that it would develop competency requirements for personnel with relevant cyber responsibilities by the end of the calendar year. The maritime law enforcement agency will also develop and implement new procedures to document maritime cybersecurity incidents by July.

Around a year ago, then-President Joe Biden signed an executive order that emboldened the Coast Guard to respond to cyber threats on the sea. It earmarked $20 billion toward port infrastructure over the next five years and also required seafaring vessels and their port facilities to shore up cyber defenses and comply with mandatory cybersecurity incident reporting rules.

A House GOP probe found that U.S. seaports are using Chinese-made technology that could enable espionage and sabotage. The year-long investigation flagged Shanghai Zhenhua Heavy Industries, a major crane manufacturer, for pressuring port operators to grant remote system access under the guise of equipment monitoring.

The report added that ZPMC’s partnership with Swiss firm ABB, which holds U.S. defense contracts, exacerbates those security risks. Investigators found modems in crane equipment that could be used to gather data, evade firewalls and disrupt port operations. While port technicians believed the modems were for diagnostics, they were not included in any purchase contracts, the investigation said.

The Federal Communications Commission recently approved an item focused on boosting the security of undersea internet cables that transmit nearly all of the world’s web traffic, amid recent allegations that foreign adversaries are targeting key routing cables for spying and sabotage purposes.