Biden executive order on port cybersecurity targets China-made cranes

The Biden administration is announcing a series of actions on Wednesday to strengthen the cybersecurity of U.S. ports, the main point of entry for trade, which employ 31 million people and generate over $5.4 trillion for the U.S. economy.

An executive order to be signed by President Biden will bolster maritime cybersecurity by making sure all critical port infrastructure that is owned and operated adheres to international and industry recognized safety regulations. In addition to port land infrastructure, the actions require reporting of maritime cyber attacks to Coast Guard Cyber Command. The Coast Guard, which helps to control the movement of vessels that could pose a threat to national security, will share reports with the Cybersecurity & Infrastructure Security Agency (CISA) and other government agencies covering specific regulated facilities and vessels.

A new maritime security director will also be announced.

“We are taking the cyber threat posed to critical infrastructure as a whole of department approach,” a senior administration official explained to CNBC in a briefing ahead of the formal announcement.

The Biden official said that the new Supply Chain Resilience Center, announced last November, will be included in efforts to enhance port security. In addition to the new rules and regulations, $20 billion will be used to strengthen U.S. port infrastructure through the Investing in America Agenda.

“With over $5.4 trillion in economic activity and over 90% of overseas trade moved through our ports, a cyberattack could cause a cascading impact to both our domestic and global supply chains,” the senior administration official said.

One area of focus in the new port security actions is equipment that moves cargo containers off of vessels, known as remote ship-to-shore cranes. Senior administration officials cited data that estimates 80 percent of the cranes moving trade at U.S. ports are made in China and use Chinese software, leading to concern that the cranes could be used in Chinese surveillance. There are over 200 of these cranes, which include sophisticated sensors that could track container information. The Coast Guard has evaluated 92 of more than 200 cranes.

These cranes have been a focus of debate among national security experts and port officials in recent years.

In early 2023, U.S. defense officials said they were worried that Chinese ship-to-shore crane manufacturer Shanghai Zhenhua Heavy Industries Co.  (ZPMC) could be used by Beijing as a possible spying tool, leading to more pressure on the administration from Capitol Hill. China said at the time that the concerns were “paranoia-driven.”

Over the long term, senior Biden administration officials said they would like to invest in the onshoring of port crane manufacturing.

In its 2022 “Made and Moved in America: Cranes and U.S. Port Equipment Port Equipment Reshoring Initiative” report, the American Association of Port Authorities stated that the most dominant manufacturers of these cranes are based in China, Japan, Austria, Finland, and Germany.

Senior administration officials say while China is one key threat covered by this executive order, criminal cybersecurity concerns are also a major factor, citing Japan’s Port of Nagoya, which in July of last year was disrupted after a ransomware attack.

The subject of maritime port security has been a priority ever since 9/11, when U.S. Customs and Border Protection started to develop antiterrorism programs to help secure trade bound for the United States. The Container Security Initiative (CSI) was created to ensure all containers that could pose a potential terrorism threat would be identified and inspected at the ports before they are placed on vessels bound for the United States.

The first seaport in the United States to establish a Cyber Security Operations Center (CSOC) was the Port of Los Angeles in 2014, with a dedicated cybersecurity team. The CSOC currently monitors the port’s own technology environment to prevent and detect cyber incidents. The port also became the first port to achieve ISO 27001 information security management certification in 2015.

In a 2023 report, the Department of Transportation Maritime Administration warned that U.S. ports are vulnerable to cyber attacks due to the multiple stakeholders involved in the operation of the port, with risks identified related to facility access, terminal headquarters, operational technology systems such as communication systems and cargo handling equipment, positioning, navigation, and timing services, which would impact vessel movements and complex logistics systems at port facilities, and sharing between ships and ports of network connections and USB storage devices, among other technology.

The House of Representatives has introduced port crane security legislation in the past, with the most recent the Port Crane Security and Inspection Act of 2023, proposed in May 2023. It would limit the use of foreign cranes and require CISA to inspect foreign cranes for potential security vulnerabilities. House Committee on Homeland Security Chairman Mark Green (R.-Tenn.) — who recently announced he will not run for re-election shortly after leading the impeachment proceedings against Biden Homeland Security Secretary Alejandro Mayorkas — said in a statement last year that it was “extremely worrisome” that approximately 80% of American port cranes use Chinese software manufactured by a Chinese company.

The AAPA, which lobbies on behalf of the nation’s major container ports, has said in the past there is no evidence to the support the claims about Chinese-manufactured crane cyber vulnerabilities, characterizing the comments as “sensational.”

Public comments begin Wednesday over the notice of the proposed rulemaking and will end April 22.