President Biden on Wednesday signed an executive order creating new rules to bolster security at U.S. ports and committing $20 billion to replace Chinese-made cranes that U.S. officials say could be vulnerable to hacking, fraud and remote control.
The executive order empowers the U.S. Coast Guard to respond to cybersecurity incidents at ports and establishes a new set of security standards that port operators must follow to defend against digital attackers.
“Most owners and operators of critical infrastructure have a list of security standards they must comply with,” said Anne Neuberger, White House deputy national security adviser. “We want to make sure there are similar requirements for cyber attack, where a cyber attack can cause as much damage, if not more, than a storm or other physical threat.”
Nationwide, about 31 million jobs and $5.4 trillion in economic activity are tied to trade passing through ports, all of which could be disrupted by ransomware or another type of cyber attack, Neuberger said.
The ports of Los Angeles and Long Beach constitute the largest container port facility in the hemisphere, with 9.9 million and 9.1 million TEUs (twenty-foot equivalent units, the standard volume metric in shipping) respectively, in 2022. The San Pedro complex in Los Angeles handles 29% of all container-based trade in the US and nearly 20% of all port trade in the country.
That volume of cargo is loaded on and off ships by a forest of about 150 cranes, most of which are manufactured by a single company: Shanghai Zhenhua Heavy Industries Co., or ZPMC. The company claims it controls about 70% of the global crane market and 80% of the U.S. market, according to the Wall Street Journal.
Rear Adm. John Vann, who heads the U.S. Coast Guard's Cyber Command, confirmed that 80% figure to reporters, adding that the cranes' computerized control systems leave them vulnerable to attacks. Although the San Pedro port complex is owned and managed by public agencies, the terminals are leased to private companies, which purchase and operate their own cranes.
As part of the $20 billion investment in port infrastructure, the White House also announced that a U.S. subsidiary of Japanese industrial giant Mitsui is “planning to shift domestic manufacturing capacity for U.S. and Korean production onshore for the first time in 30 years,” pending the final decision on site and partner selection. The announcement did not include details of how these new cranes and the money to purchase them will reach private port terminal operators in San Pedro and beyond.
The executive order is part of the Biden administration's focus on protecting critical infrastructure such as power grids, ports and pipelines, most of which are controlled by networked software and are therefore vulnerable to attacks. There is no set of national standards regulating how operators should protect themselves against potential online attacks.
The threat continues to grow. Hostile activity in cyberspace – from espionage to installing malware to infect and disrupt a country's infrastructure – has become a hallmark of modern geopolitical rivalry.
For example, in 2021, the operator of the country's largest oil pipeline had to temporarily suspend operations after falling victim to a ransomware attack in which hackers held its data hostage in exchange for money. The company, Colonial Pipeline, paid $4.4 million to a Russia-based hacking group, although Justice Department officials later recovered much of the money.
Ports are also vulnerable. Last year in Australia, a cyberattack forced one of the country's largest port operators to suspend operations for three days.
The Port of Los Angeles was subject to approximately 754 million cyber intrusion threats in 2023, according to an article by its CEO, Gene Seroka, published this month. The port has been an industry leader in cybersecurity efforts for years: it established a dedicated Cyber Security Operations Center in 2014 and, in 2022, added the Cyber Resilience Center, which allows all companies and agencies cooperating at the port to coordinate their cybersecurity efforts.
Late last month, U.S. officials said they had disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure. Vann said this type of potential attack was a concern as officials pushed for new standards, but they are also concerned about the possibility of criminal activity.
Vann said Coast Guard cyber protection teams had “assessed cybersecurity or looked for threats” on nearly half of the Chinese-made cranes in the U.S. to date and will continue to monitor the current stock of cranes throughout the country.
The new rules, which will be subject to a public comment period, will be mandatory for any port operator and there will be penalties for non-compliance, although officials did not detail them. They require port operators to notify authorities when they have been victims of a cyber attack and give the Coast Guard, which regulates the country's ports, the ability to respond to cyber attacks and enforce the new rules.
The Associated Press contributed to this report.