Expiring cyber information-sharing law puts US maritime infrastructure at risk, experts warn


The impending expiration of a cornerstone cybersecurity law could leave U.S. maritime infrastructure vulnerable by cutting off port owners and operators from critical threat intelligence, federal experts warned Thursday.

The 2015 Cybersecurity Information Sharing Act lets private sector providers share cyber threat intelligence with government partners with key liability protections in place. It’s set to lapse Sept. 30 unless renewed by Congress, which will soon begin its August recess.

“So if you’re a crane operator, if you are a port authority or governing body, and you’re sharing cyber threat information … a lot of these [mechanisms] will be impacted,” said Emily Park, a cybersecurity staff member for Sen. Gary Peters, D-Mich., the ranking member on the Senate Homeland Security Committee. 

Park and other officials were speaking at a joint event on maritime cybersecurity run by the McCrary Institute and Booz Allen Hamilton. 

“We can expect, roughly, potentially, if this expires, maybe an 80% to 90% reduction in cyber information flows, like raw flows,” she added.

The U.S. military relies on 17 commercial ports for critical logistics and supply chain operations. Last year, a sprawling congressional probe found that numerous seaports around the U.S. contain technology originating from Chinese manufacturers that could enable espionage and sabotage.

Volt Typhoon, a prominent Beijing-backed espionage unit, has been found inside maritime platforms around the U.S. and its territories, including in Guam, which houses a key U.S. naval base close to Pacific allies like Japan and South Korea. The cyberspies also breached the Port of Houston in 2021, The Wall Street Journal previously reported.

U.S. cybersecurity and intelligence officials have assessed Volt Typhoon is embedding into critical infrastructure systems, ready to disrupt or disable them should the U.S. enter into military conflict with China. 

At the event, Steve Casapulla, acting chief strategy officer at the Cybersecurity and Infrastructure Security Agency, said the cyberdefense agency supports a clean re-extension of the law.

“Is it to merely disrupt a few cranes at a port? That could be one thing. But what about if it were all the ports?” said Casapulla. “What about if it were all cargo management systems so they don’t have to do anything physical?”

The Thursday discussion dovetailed with the release of a Booz Allen-McCrary report that said maritime operators need to implement better zero trust controls and mature the security of operational technology systems that often get connected to the internet. “Zero trust” is a security management term for an approach in which cyber practitioners never trust and always verify users that enter their organizations’ networks.

The report also said policymakers should incentivize port security improvements and promote the use of maturity benchmarks to help maritime managers determine how cybersecure their networks are.



