The Government Accountability Office (GAO) has issued a report examining the cybersecurity risks facing the Maritime Transportation System (MTS), the Coast Guard’s efforts to address these risks, and key recommendations for enhancing its oversight and strategic planning.
The Maritime Transportation System (MTS) is a vital sector of critical infrastructure, facilitating the movement of over $5.4 trillion in goods and services annually. As the lead agency overseeing risk management for this system, the U.S. Coast Guard plays a crucial role in safeguarding the MTS against all potential threats, including cybersecurity risks.
The James M. Inhofe National Defense Authorization Act for Fiscal Year 2023 mandates a review by the Government Accountability Office (GAO) of the cybersecurity risks facing the MTS, which encompasses vessels and facilities. This report addresses the following key areas:
- Cybersecurity risks to the MTS;
- The Coast Guard’s efforts to assist and oversee MTS owner and operator actions regarding these risks;
- Strategic planning to mitigate cybersecurity threats;
- The implementation of leading practices for ensuring a competent cybersecurity workforce.
The GAO conducted a comprehensive review that included analyzing federal and industry reports, federal statutes and regulations, and Coast Guard documentation from fiscal year 2019 through June 2024. In addition, interviews were conducted with stakeholders from both federal and non-federal sectors at four major ports, selected based on trade volume, geographic location, and other relevant factors.
The MTS faces escalating cybersecurity risks, including:
- Threat Actors: Cyber threats to the MTS are predominantly posed by state actors such as China, Iran, North Korea, Russia, and transnational criminal organizations.
- Vulnerabilities: Many MTS facilities and vessels increasingly rely on technology that is vulnerable to cyberattacks.
- Impacts: Federal and non-federal officials report that cyber incidents have already affected port operations, and the potential consequences of future attacks could be severe.
While the Coast Guard has developed a cybersecurity strategy to address MTS risks, it has not fully incorporated all of the key components necessary for an effective national strategy. The strategy addresses purpose, scope, and methodology but falls short in other critical areas. Ensuring that all key components are included in the strategy would better position the Coast Guard to allocate resources effectively and focus on mitigating the highest cybersecurity risks.
In response to these findings, the GAO has made five recommendations to the Coast Guard, including:
- Updating its system of record to provide easy access to comprehensive cybersecurity deficiency data.
- Ensuring that its cybersecurity strategy and plans align with all key characteristics of a national strategy.
- Analyzing, assessing, and addressing workforce competency gaps.
The Department of Homeland Security has agreed with the GAO’s recommendations.
