Proposed Cybersecurity Legislation Casts A Wide Net For U.S. Ports
By: Griffen J. Thorne and Sean B. Hoar
On November 7, 2017, Sens. Kamala Harris, D-Calif., and Dan Sullivan, R-Ark., introduced a bipartisan bill designed to strengthen cybersecurity measures in U.S. ports. The bill, S. 2083, is entitled “Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017.”
The bill comes in the wake of a ransomware attack in California that disabled the largest terminal in the Port of Los Angeles. The bill has bipartisan support — as well as support from a number of other port directors, and the Los Angeles Chamber of Commerce — each of whom has expressed the need to strengthen the cybersecurity of America’s ports. The bill is a companion to proposed legislation in the House of Representatives, H.R. 3101.
The bill has three sections. The first section is designed to implement new security protocols for maritime cybersecurity. The section requires the Secretary of Homeland Security to, within 120 days, develop and implement a cybersecurity risk assessment model which must be consistent with the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. This requirement follows an executive order requiring federal agency heads to adopt the framework for cybersecurity management. The framework is a risk management tool for assessing cybersecurity risks, protecting against attacks, and detecting intrusions as they occur.
The first section also requires the Secretary of Homeland Security to evaluate, every two years, the effectiveness of maritime cybersecurity measures, seek the participation of information-sharing organizations, and establish a system for voluntary reporting of maritime cybersecurity risks and incidents.
The second section of the bill is focused on port-specific issues and reporting. That section requires the Secretary of Homeland Security, in conjunction with the Commandant of the Coast Guard, to obtain information that would address port-specific cybersecurity risks, and also requires that any vessel, transportation, or facility security plan regulated by 46 U.S.C. § 70103 — which codifies various maritime transportation security plans — include cybersecurity mitigation plans.
The final section of the bill amends 46 U.S.C. §§ 70102 and 70103, pertaining to U.S. facility and vessel vulnerability assessments and maritime security plans, requiring the identification of weaknesses in cybersecurity and the prevention and management of, and response to, cybersecurity risks.