At 1:25 a.m. on March 26, the world watched aghast as Singapore-flagged vessel DALI blacked out while exiting a major American port. Her 150,000 tons collided with the Francis Scott Key Bridge with five times the force of the Apollo moon launch. The 1.6-mile bridge then collapsed into the river, blocking the channel, killing six people, and incurring massive salvage and repair costs. More importantly, economic and national security were caught in the crosshairs: Ships must divert to overcrowded ports on the Eastern seaboard, and the Navy lost access to its fastest and most capable resupply ships. The ominous question remains: What prevents a disaster of this magnitude (or worse) from recurring?
The FBI investigated terrorism. The Coast Guard and the National Transportation Safety Board (NTSB) seek causal factors to address safety. Globally, people are researching DALI’s record, its officers and flag state to assign blame. Cyberattacks have been little discussed. Why? U.S. ports, shipping companies and critical pipelines have repeatedly sustained cyberattacks, with increasing severity and consequences.
Though a cyberattack is not the locus of the DALI incident, the catastrophic failure of interconnected shipboard systems was. And while it may not have been caused by a cyberattack, this tragic incident illustrates what can result from a cyber failure. Networked industrial control systems are not unique to ships; integrated and sometimes autonomous systems on intermodal networks are pervasive in all transportation sectors. The U.S. Maritime Transportation System (MTS) is America’s lifeblood, generating $4.6 trillion annually — 100% of imported oil arrives by sea and 90% of all other commerce. The primary carriers of these goods are more than 8,000 foreign-flagged vessels calling on U.S. ports nearly 51,000 times per year. The U.S. fleet, by comparison, comprises only 178 merchant ships. Foreign-flagged vessels are overwhelmingly more likely to be the targets of cyberattacks or the delivery mechanisms for supply chain failures that ripple through the economy. As recently as March 2021, Panama-flagged M/V EVER GIVEN lost steering, running the massive vessel hard aground in the Suez Canal. It took days of 24/7 salvage efforts to free it and restore operations to a global chokepoint through which $10 billion in commerce passes each day.
Cybersecurity Standards
In recognition of these risks, the Coast Guard released a notice of proposed rulemaking (NPRM) on February 22nd to establish minimum cybersecurity standards governing maritime security. The rule is expansive in certain ways — requiring compliance with the National Institute of Standards and Technology (NIST) Cybersecurity Framework, directing cybersecurity training for personnel, mandating new reporting requirements and requiring the establishment of a cybersecurity officer (CySO) for each covered entity. The proposed rule covers U.S.-flagged cargo ships, tankers, passenger vessels and barges, as well as specific types of U.S. ports and maritime facilities. The NPRM is a giant step in the right direction.
However, the Coast Guard guts the NPRM’s impact by excluding foreign-flagged vessels entering U.S. ports, i.e. the 8,000 ships calling on U.S. ports 51,000 times a year. The proposal would exclude DALI from all cybersecurity requirements, even though it sailed through U.S. waters, killed six people, and destroyed major maritime infrastructure in its wake. The NPRM reads, “[C]yber regulations for foreign-flagged vessels under domestic law may create unintended consequences with the ongoing and future diplomatic efforts to address maritime cybersecurity in the international arena.” That is true. Application to foreign-flagged vessels carries risk and more work for the Coast Guard. Foreign vessels calling on U.S. ports will have to seek waivers, and port state control exams will include a cyber certification — likely done by a third party. These issues do not outweigh the need for a standard that stops maritime attacks and failures before they reach U.S. ports. Incentivizing IMO member states to follow America’s lead and standards will increase safety and security worldwide.
Such an approach is not without precedent. In May 2018, the European Union’s General Data Protection Regulation (GDPR) established extraterritorial jurisdiction over the handling of the personal data of European citizens. Data protection regulations modeled after GDPR are flourishing. Global companies who violate the regulation have been slammed — Ireland recently fined Meta €1.2 billion for violations. Today, data protection is indispensable to business worldwide. Yet, the actual administration of cybersecurity remains completely ad hoc.
The Coast Guard can and should set standards to protect the U.S. from cybersecurity threats and related catastrophic failure from all merchant ships calling on U.S. ports, irrespective of flag. All merchant vessels calling on U.S. ports need a foundational level of cybersecurity.
The U.S. appropriately awaits action by the International Maritime Organization (IMO) on many global safety initiatives to improve safety, but those can take years. Years make sense for the transition to electronic recordkeeping or ballast water treatment equipment, but time is the world’s enemy when it comes to cyber vulnerabilities. The Coast Guard has the ability and expertise to lead on these critical safety and security threats to the MTS through this regulation. It should drop the flag state restriction.
Michael McLaughlin co-wrote this article. He co-leads the Cybersecurity and Data Privacy Practice Group at the law firm of Buchanan Ingersoll & Rooney, PC.
Rear Admiral (Ret.) Melissa Bert