Via Teleconference
(February 20, 2024)
5:38 P.M. EST
MODERATOR: Good afternoon, everyone. And thank you for joining our background call to preview a series of actions that the Biden-Harris administration will announce tomorrow, Wednesday, February 21st.
For awareness, today’s call will now be held fully on the record. That means both the opening statements and Q&A all on record. And it will be attributable to Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technologies; Iranga Kahangama, Assistant Secretary for Cyber, Infrastructure, Risk, and Resilience at the Department of Homeland Security; and Rear Admiral John Vann, who is the Commander of Coast Guard Cyber Command.
One flag that today’s call will be embargoed until tomorrow, Wednesday, February 21st, at 5:00 a.m. Eastern.
I will now turn it over to Anne for opening remarks.
MS. NEUBERGER: Thank you so much, Sam. Good evening, everyone. Thank you for joining us this evening.
Right now, America’s ports employ 31 million Americans, contribute $5.4 trillion to our economy, and are the main domestic point of entry for cargo entering the United States.
The continuity of their operations has a clear and direct impact on the success of our country, our economy, and our national security. And that’s why the Biden-Harris administration is taking a series of actions to strengthen the cybersecurity of our nation’s ports to not just shore up our cyber defenses, but fortify our supply chains and deliver for the American people.
Tomorrow, we’ll be announcing a set of four actions.
First, President Biden will sign an executive order that will bolster the Department of Homeland Security’s authority to address maritime cyber threats. You see, most critical infrastructure owners and operators have a list of safety regulations they have to comply with, and we want to ensure that there are similar requirements for cyber, when a cyberattack can cause just as much, if not more, damage than a storm or another physical threat.
So this executive order will give the Coast Guard the authority to respond to malicious cyber activity by requiring maritime transportation vessels and facilities to shore up their cybersecurity and institute mandatory reporting of cyber incidents.
The Coast Guard will also issue a notice of proposed rulemaking to establish minimum cybersecurity requirements that meet international and industry-recognized standards to best manage cyber threats.
The administration is also excited to announce that we will invest over $20 billion into U.S. port infrastructure over the next five years through the President’s Investing in America agenda. As part of that, PACECO Corporation, a U.S.-based subsidiary of Mitsui E&S, is planning to onshore domestic manufacturing capacity for American and Korean production for the first time in 30 years, pending final site and partner selection.
Finally, the Coast Guard will announce a maritime security director, which Admiral Vann will outline in greater detail, regarding the security of ports related to these cranes.
Tomorrow’s actions are clear examples of the President’s work to invest in America to secure the country’s supply chain and strengthen cybersecurity of our nation’s critical infrastructure — priorities this administration is focused on relentlessly since taking office.
And before I turn it over, I’d like to begin just by recognizing individuals on the NSC, Caitlin Clarke and Jon Murphy, at DHS and at the Coast Guard, who have put in a great deal of work into this effort over the last number of months.
So now I’d like to turn it over to my colleague, Iranga Kahangama, to detail more the actions of DHS, and then over to the Coast Guard. Thank you.
MR. KAHANGAMA: Thank you, Anne. And thanks, everyone, for being here this evening.
Really to foot-stomp what Anne had mentioned, the department is really excited about the actions that we’re taking as a comprehensive whole-of-DHS approach to mitigating cyber threats to our critical infrastructure, particularly in the maritime sector and port infrastructure, which have downstream implications to our supply chains.
Specifically regarding the notice of proposed rulemaking on DHS regulations and minimum cybersecurity standards, we are excited to put this out for public comment. We believe it is an exemplar of our commitment to partnership in developing these regs and building off of lessons learned as part of the administration’s approach to instituting mandatory cybersecurity minimum standards.
The department worked closely with entities such as TSA, who have done some of this work through some of its emergency directives, and in close partnership and consultation with industry partners to ensure that the cybersecurity requirements are in line with expectations.
And so, we enthusiastically welcome public comment on these as we develop cybersecurity standards in line with the Biden-Harris administration’s approach to identifying and using mandatory regulations to improve critical infrastructure cybersecurity where we deem it most necessary.
Also in line with the department’s approach to harmonization, we are attempting to make sure that those rules and regulations align with other efforts that we’re taking underway, and are doing our best to align those with existing frameworks instituted by CISA and partners at NIST as well.
I just wanted to emphasize that the department also sees that the threat posed to critical infrastructure, particularly maritime and port infrastructure, is a whole-of-department approach, not only leveraging the Coast Guard’s authorities and announcements tomorrow, but as mentioned, the department’s newly announced Supply Chain Resilience Center last November as part of a White House rollout, but that this component is going to seek to bolster U.S. supply chain security, harness and maximize the department’s capabilities related to lawful trade and travel, and manage critical infrastructure security, leveraging its unique resources around the department.
In its inaugural effort, we have done things like convene with members of industry and government organizations to share information and guidance to advance supply chain resilience and hosting department-wide tabletop exercises to better understand what causes supply chain disruptions and provide recommendations and develop policy to leadership to mitigate impacts to our domestic supply chain.
The Supply Chain Resilience Center was also created as a recommendation from our Homeland Security Advisory Committee. And just as we are excited about the actions of the Coast Guard, we’re also looking forward to leveraging the Supply Chain Resilience Center to push forward port security and maritime security throughout the industry.
So, with that, I want to turn it over to Admiral Jay Vann to deep-dive on some of the specific Coast Guard actions.
Thank you.
ADMIRAL VANN: Thank you, Iranga. And thanks to everyone for joining us this evening. I’m going to jump right in.
My name is Rear Admiral Jay Vann, and I’m the Commander of the United States Coast Guard Cyber Command. Coast Guard Cyber is responsible for conducting cyberspace operations in support of the administration, DHS, DOD, and Coast Guard priorities.
I want to reemphasize the criticality of the Marine Transportation System that we seek to protect. I’ll refer to it as the MTS. This interconnected system within our transportation critical infrastructure is vital to national security and economic prosperity.
As was mentioned, America’s system of ports and waterways accounts for over $5.4 trillion of our nation’s annual economic activity, and our ports serve as a gateway for over 90 percent of all overseas trade.
The MTS enables critical national security sealift capabilities that enable the U.S. Armed Forces to project and maintain power around the globe. Any disruption to the MTS, whether man-made or natural, physical or in cyberspace, has the potential to cause cascading impacts to our domestic or global supply chains.
The executive order to be signed tomorrow ensures Coast Guard authorities are aligned with emerging cybersecurity threats and reflects the commitment of the administration, DHS, and the Coast Guard to safeguard maritime critical infrastructure.
The EO directly amends federal regulations and provides a Coast Guard captain of the port with clear authority to take action in the face of cyber threats. This includes controlling the movement of vessels that present a known or suspected cyber threat, requiring facilities to correct unsatisfactory cyber conditions that may endanger port safety and security, or inspection and search of vessels and waterfront facilities to include their cyber systems and networks.
The update also empowers the Commandant of the Coast Guard to prescribe measures to prevent, detect, assess, and remediate an actual or threatened cyber incident.
As we undertake measures to prevent cyber incidents, let me address a specific, acute MTS cyber vulnerability that was mentioned earlier.
The People’s Republic of China-manufactured ship-to-shore cranes make up the largest share of the global market and account for nearly 80 percent of cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations. These features potentially leave PRC-manufactured cranes vulnerable to exploitation.
On the heels of this executive order, the Coast Guard is issuing a Maritime Security, or MARSEC, Directive based on the prevalence of PRC-manufactured cranes in the U.S. and threat intelligence related to PRC’s interests in disrupting U.S. critical infrastructure.
The MARSEC Directive will impose a number of cybersecurity requirements on the owners and operators of PRC-manufactured cranes. The specific requirements are deemed sensitive security information and cannot be shared publicly. Our captains of the port around the country will be working directly with crane owners and operators to deliver the directive and verify compliance.
Finally, also as was mentioned, we’re announcing a notice of proposed rulemaking that will establish baseline cybersecurity requirements to protect the entire MTS from cyber threats. Those draft requirements are primarily based on the Cybersecurity and Infrastructure Security Agency’s cross-sector Cybersecurity Performance Goals, which the maritime industry should already be familiar with.
The proposed regulations would require a number of cybersecurity measures to be implemented by all regulated entities. The Coast Guard highly encourages MTS stakeholders to provide feedback and input during the period of public comment, which begins tomorrow. A federal register notice will outline the process for submitting comments through the federal decision-making portal, and the public comment period will be open until April 22nd of this year.
I look forward to your questions. Thank you.
MODERATOR: Thank you, everyone, for those remarks there at the top. If you have a question, please use the hand-raising feature. If you are on your cell, please use *6 and you should be able to raise your hand.
Our first question will go to Justin with Bloomberg.
Q Hey, guys. Thanks for doing this call. I was wondering if you could talk about the extent to which this is or isn’t a response to the notice that you guys — or the advisory you published earlier this month about Volt Typhoon and concerns that you have there.
MS. NEUBERGER: Thank you so much, Justin.
So, since the — really, since the beginning of administration, we’ve put a focus on securing critical infrastructure. Certainly critical infrastructure that also has ties to national security in terms of our ports from which our military deploys, from which our materiel deploys, as well as through which our economy operates are at the top of the list. So we’ve been working on this notice of proposed rulemaking and executive order for the last 18 months.
So while it certainly ties to particular concerns about Chinese cyber activity, we also have concerns regarding criminal activity.
One of Japan’s largest ports, the port of Nagoya, was disrupted by a criminal ransomware attack for several days. So, Chinese threats are one key threat that this executive order and notice of proposed rulemaking will help protect ports against, and certainly the focus on cranes and the risks, as Admiral John Vann talked about, of remote access to cranes and to their operations.
There’s a reason that we not only are issuing cybersecurity minimum requirements for ports, but also putting in place a maritime directive focused on cyber risk management for ship-to-shore cranes manufactured by China.
MODERATOR: Thank you. Our next question will go to Colleen with the AP.
Q Hi there. I wanted to ask about enforcement — enforcement of requirements for reporting a cyberattack and then also, potentially, you know, enforcement of the cybersecurity requirements that will be put into place.
Can you just talk a little bit about how it would work, how people would be — or, I guess, companies and governments would be encouraged to do, in particular cyberattack reporting, particularly because there’s such an unwillingness to come publicly when people are hit with a cyberattack?
MS. NEUBERGER: Colleen, that’s a great question. The core aspect we have here is ensuring that the regulatory agencies — in this case, the Coast Guard for ports — have the authority to directly require minimum cybersecurity requirements and require that reporting. And as a regulator, that can be enforced.
I’ll turn it over to Admiral Vann, if you’d like to elaborate on that.
ADMIRAL VANN: Yes. Thanks for the question, Colleen.
So, the notice of proposed rulemaking will not only include those requirements but enhanced definition of reporting requirements to include specific regulated facilities and vessels reporting to Coast Guard — Coast Guard sharing reports with CISA and other government agencies.
So, as far as enforcing reporting, is that really your question?
Q Yeah. I’m just wondering how you — you know, if you’re asking people to report when they have a cyberattack, how do you enforce that reporting.
MS. NEUBERGER: It’s a requirement rather than a request. The Coast Guard is the regulator for ports, and the executive order takes their existing physical authorities to set security rules for ports and extends that to the cybersecurity domain.
So, ports will be required to report that to the Coast Guard. As Admiral Vann noted, the Coast Guard can then share that with other entities, including CISA and the FBI.
So it’s a shift from requesting to requiring.
Q Got it. Thank you.
MS. NEUBERGER: Thank you, Colleen.
MODERATOR: Thank you both. Our next question will go to Sean with CNN.
Q Hey, thanks all. Just to follow up quickly on Colleen’s question: What’s the punishment for failure to report?
And then a second question for the Admiral about the cranes trying to track, other mentions of that concern in open source. I’m not seeing a ton. How many — roughly, how many cranes are out there that U.S. officials are concerned about? And is there any effort to sort of rip and replace, if you will, these machines? Or is it all a case of just trying to manage what’s already out there?
ADMIRAL VANN: Okay, thanks for the question, Sean. I’ll take the second part first.
There are over — by our count, over 200 PRC-manufactured cranes across U.S. ports and regulated facilities. Our Coast Guard cyber protection teams have assessed cybersecurity or hunted for threats, as of today, on 92 of those cranes.
And so, those assessments determine the cybersecurity posture, and the hunt missions actually look for malicious cyber activity on the cranes. And so, we’ve almost canvassed about 50 percent of the existing cranes.
I don’t have an answer for your rip and replace. I might refer that question to Deputy National Security Advisor Neuberger regarding other manufacturers and where we’re heading, as far as that goes.
As for punishments for failure to report, again, what will go out after the EO is signed tomorrow is a notice of proposed rulemaking. And so, after we receive public comment and input on the regulations, regulations will be finalized to include enforcement actions being defined.
MS. NEUBERGER: Thank you very much, Admiral Vann.
Sean, I’ll come in on the rip and replace question. At this point, we’re not exploring rip and replace for ports. What we are focused on is ensuring that all the investment in port infrastructure that I mentioned at the outset, that’s part of the Bipartisan Infrastructure Law, can go to buying trusted cranes and to bringing back manufacturing to the United States, given how important cranes are to port operations.
So our goal is focused that new investment is secure, and then the steps are being outlined here — minimum cybersecurity requirements, the Maritime Security Directive — being used to secure the existing infrastructure.
MODERATOR: Thank you. Our next question will go to Alex with GovExec.
Q Hi, thank you very much for taking my question. Very briefly, I heard the Admiral outline the specific forms of maritime critical infrastructure that the new executive order will apply to, but I did want to clarify that any new cybersecurity provisions and protocols pursuant to the executive action will not cover landing stations that govern undersea cables. Is that correct?
MS. NEUBERGER: Admiral Vann, do you want to speak to that?
ADMIRAL VANN: Alex, thanks for the question.
So what is in the executive order is an enhancement — an addendum, if you will — to the Magnuson Act, which surrounds the captain of the port’s authority to prevent and respond to cyber incidents. The specifics of what is covered by regulations are really what will be covered by the rulemaking process. And so that process, while it will be initiated immediately, will need to play out to its end to determine what is covered and what is not.
Q Okay, thank you very much.
MODERATOR: Thank you. Our next question will go to Christian with CyberScoop.
Q (Inaudible) the infrastructure bill, will there be new markers or, you know, you have to have (inaudible) or some kind of added security benefits in order to receive the funds or something along those lines? Thank you.
MS. NEUBERGER: Hi, Christian. Thank you. That’s exactly what will be in the notice of proposed rulemaking in terms of what the minimum cybersecurity requirements are for products — for technology products that are being used at ports.
MODERATOR: Thank you. We have time for one more question. We’ll go to David with Inside Cybersecurity.
David Jones, you should be able to unmute yourself. Hey, we see you’re unmuted, but we can’t hear you.
Okay, if you want to shoot me your e-mail — I mean, your question over e-mail — we’ll get back to you as soon as we can. And that goes for the rest of the folks. If you start writing your pieces and have any other questions, feel free to reach out and we’ll get back to you as soon as we can.
As a reminder — actually, sorry, I think Anne had one thing that she wanted to mention before we close the call.
Over to you, Anne.
MS. NEUBERGER: Thank you so much, Sam. I’d given a shout-out to some of the folks here at the White House who have worked on this initiative over the last 18 to 24 months, but I didn’t have a complete list. I want to make sure that I say that here, because as you can tell by the actions we’re rolling out tonight, it’s been a lot of work, both on the executive order, on the notice of proposed rulemaking, on the Maritime Security Directive, and working with trusted vendors around the world to see which would be interested in onshoring some crane capacity to ensure that new cranes that were purchased and deployed across our critical port infrastructure could be trusted.
So in addition to the names I mentioned, I want to thank Celina Ladyga, Robert Obayda, and William Hennigan here at the White House, and Rob Le Monde at DHS, and Captain Andy Meyers at the U.S. Coast Guard, for the partnership and hard work over the last number of months.
Thank you all for joining us this evening. We’re excited to roll this out, and appreciate your time.
MODERATOR: Okay. And thank you to all of our speakers. As a reminder, today’s call is embargoed until tomorrow, Wednesday, February 21st, at 5:00 a.m. Eastern. And everything here tonight was on record. Thanks.
6:02 P.M. EST