The Government Accountability Office (GAO) recently released a report assessing cybersecurity risks to the U.S. Maritime Transportation System (MTS) and the U.S. Coast Guard’s efforts to secure it. The MTS includes approximately 360 commercial sea and river ports, which are vulnerable to cyber threats, particularly from state-sponsored actors like China, Iran, North Korea, and Russia, as well as cybercriminal groups. The GAO identified several critical gaps in the Coast Guard’s cybersecurity approach and issued five key recommendations aimed at addressing these vulnerabilities and improving the security posture of MTS. These recommendations were made after reviewing data, regulations, and reports spanning from 2019 to June 2024, and after engaging with both federal and non-federal stakeholders at four ports.
One of the key recommendations from GAO is that the Coast Guard should enhance the accuracy of cybersecurity incident information. This includes ensuring that there is ready access to complete cyber deficiency data and that the cybersecurity plans are aligned with the national cybersecurity strategy. The Coast Guard’s current system of record does not provide complete or easy access to data on cybersecurity deficiencies identified during inspections of MTS facilities and vessels. Updating this system would help ensure better oversight and contribute to preventing future cyberattacks that could disrupt port operations.
Additionally, the GAO report revealed that the Coast Guard’s current cybersecurity strategy does not cover all essential elements for an effective national approach. For example, it lacks clear problem definitions, risk assessments, performance measures, and specific roles and responsibilities, which are all critical for an effective cybersecurity strategy. The report emphasized the need for the Coast Guard to improve coordination and ensure that its strategy is comprehensive enough to mitigate the cybersecurity risks facing the MTS. Addressing these gaps would help ensure that the Coast Guard is better prepared to respond to emerging threats.
Lastly, the GAO found that the Coast Guard has not adequately addressed the competency needs of its cybersecurity personnel, particularly those responsible for securing the MTS. The Coast Guard has not fully developed or assessed the competencies required for addressing cybersecurity risks within the MTS and has not ensured that its personnel have the necessary skills to handle these challenges effectively. The report urges the Coast Guard to assess and address these competency gaps, which would be critical for strengthening the overall cybersecurity framework of the MTS. The Department of Homeland Security (DHS) agreed with the GAO’s five recommendations, signaling a commitment to addressing these security concerns and improving the resilience of the maritime sector.
