by MET Staff | Saturday, June 14, 2014
According to a new report by the U.S. Government Accountability
Office (GAO), the Department of Homeland Security (DHS), along with the U.S.
Coast Guard and FEMA, has taken limited actions to address cybersecurity in the
maritime port environment.
The Coast Guard has not yet conducted a full risk assessment
addressing cyber-related threats, consequences and vulnerabilities, despite
initiating several activities and strategies to improve security in specific
ports. Coast Guard officials promise such a risk assessment in the future;
however, they do not specifically address how that assessment will handle
cybersecurity.
The maritime security plans currently required by law do not
generally address possible cyber-threats, primarily because the
guidance issued for these plans does not include a requirement for cybersecurity.
According to officials, the next set of updated plans will include
cybersecurity requirements, and those plans are due out this year. However,
without a full risk assessment, any guidance introduced might not properly
address the risks to the maritime sector.
According to the GAO’s report, the Coast Guard has established a
government council to share information across government entities, but the
extent to which that council has shared information related to cybersecurity is
unclear. Additionally, a council for
exchanging information amongst non-federal stakeholders is not active, and
there has been no move to reestablish it. All of these factors put maritime stakeholders at a greater risk of
cyber-based threats, simply because they are not aware of, and therefore cannot
mitigate, such risks.
FEMA identified capabilities for enhancing cybersecurity as a
priority for the first time in fiscal year 2013, and the agency has also given
guidance for related proposals. FEMA, however, has not consulted subject matter
experts to give a multilevel review to those proposals, in part because the
agency downsized its expert panel for reviewing grants. In addition, because
the Coast Guard hasn’t assessed cybersecurity in a risk assessment,
FEMA and grant applicants cannot use such information to inform their
proposals, and are therefore limited in their ability to make sure that the
program is addressing such risks effectively.
Why this study?
The GAO performed this study to identify the extent to which
stakeholders have taken actions to address cybersecurity in the maritime
sector. The agency looked at
relevant regulations and laws, observed the operators at three United States
ports (selected based on their risk value), interviewed both federal and
non-federal officials, and analyzed federal cybersecurity policies and plans.
Findings/Recommendations
The GAO recommends that the DHS give the Coast Guard a directive
to do the following:
- 1. Assess cyber-related risks
- 2. Use such assessment to inform the maritime security guidance
- 3. Assess whether or not the sector coordinating council should be re-instituted
- 4. Develop processes to consult experts for help in reviewing grant proposals
- 5. Use risk assessment results to inform guidance
The DHS agrees with the GAO’s recommendation.