March 11, 2024 | C4ISRNET

Removing the Trojan Horse from America’s ports

The Greek legend of the Trojan horse is a tale of deception, a story children everywhere learn as youngsters. Yet America seems to have forgotten what befell Troy, and, consequently, has instead welcomed Trojan horses into ports around the country, according to Pentagon officials. The software embedded in Chinese-made cranes for loading and unloading cargo could possess clandestine abilities capable of providing the Chinese Communist Party with real-time visibility into port operations. Armed with this data, the CCP could track the movement of military equipment and commercial cargo, or, even worse, disrupt operations at major U.S. ports. This is a grave risk to national security and to the American economy.

Concerns about the security of America’s ports are not new. After Sept. 11, 2001, the federal government required port authorities and vessel operators to take steps to identify and mitigate physical threats and, eventually, cyber threats as well. But progress on the latter has stalled, at least in part because the U.S. Coast Guard – the federal agency tasked with working with private companies as the sector risk management agency for the maritime industry – lacks the authorities and resources to help the industry understand and remediate the threats posed by Chinese-made cranes.

Last year, Congress had the opportunity to strengthen these efforts by banning new foreign-made cranes and software at all U.S. ports. The legislation failed to gain enough support, and ultimately was left out of the annual defense authorization act. As a partial solution, however, Congress banned the Department of Defense, federally funded ports, and commercially operated strategic seaports from using Chinese-made logistics management software. The law also required an intelligence community assessment of threats posed by Chinese cranes, which now account for more than 80 percent of cranes in strategic ports.

Not waiting for the results of this report, last week, the Biden administration wisely issued an executive order granting the U.S. Coast Guard greater authority to respond to cyber risks to the nation’s maritime infrastructure. The Coast Guard can now require port operators and vessel owners to implement (as yet unspecified) security measures to “prevent, detect, assess, and remediate” active cyber threats.

To implement this, the Biden administration has tasked the Coast Guard with issuing a maritime security directive outlining risks posed by Chinese cranes and establishing minimum cybersecurity requirements for all maritime infrastructure. The Commander of Coast Guard Cyber Command noted that cyber protection teams have conducted threat assessments of, and looked for malicious cyber activity on, nearly 50 percent of the Chinese-made cranes used in U.S. ports. Their findings will help guide the new security directive.

The new executive order also empowers the Coast Guard’s captains of the port. These are federal maritime security coordinators who are responsible for ensuring the safety and security of designated ports. The executive order now clarifies their role to include the responsibility for inspecting the data, information, and digital systems of ports and vessels.

This increased authority enables the Coast Guard to conduct effective vulnerability assessments. The captains collaborate closely with the cyber protection team by sharing cyber threat intelligence, conducting joint risk assessments, and developing strategies for incident response. Improved insights into the current threat landscape could improve the internal Coast Guard partnerships.

In response to reporter questions, Biden administration officials deny that there will be requirements to remove Chinese cranes. Instead, the administration reaffirmed plans to mobilize $20 billion for U.S. port infrastructure over the next five years. It is not at all clear what percentage of this $20 billion will be used for explicit cybersecurity purposes. Instead, the White House pointed to an announcement by a U.S. subsidiary of the Japanese company Mitsui that the company will manufacture ship-to-shore cranes on U.S. soil, marking the first instance of domestic production in 30 years.

In addition to the steps the White House outlined, the Coast Guard should work with industry partners to utilize the Port Infrastructure Development Program and the Port Security Grant Program through the Bipartisan Infrastructure Investment and Jobs Act. These competitive grants are for modernization and resilience improvement, including for the digital systems and cybersecurity supporting port operations. Congress should ensure that a significant percentage of investments from these grants are allocated to cyber risk mitigation.

Meanwhile, the captains of the port will require exceptional cybersecurity talent to support their increased responsibilities. The Coast Guard employs civilian cyber advisors, who provide contextual information on cyber-related matters in designated ports. Working with the private sector, the Coast Guard could benefit from a workforce rotational program with portable credentialing. This could help build the pipeline of maritime-specific cybersecurity expertise.

While the Biden administration seems to be putting its money where its mouth is, the real test will be the president’s fiscal year 2025 budget, due later this month. The administration has granted the Coast Guard numerous new authorities and responsibilities to improve its support to port operators, but they are only half of the battle. The Coast Guard also needs the resources – namely, the money and the personnel – to execute the mission. Historically, the dollars have not followed the tasking; the 2025 budget will need to break that trend.

Strategies to reduce the vulnerability of this dependence on Chinese hardware and software are imperative. The Trojan horse is not just a fabled tale, but a real threat lurking within American ports.

Jiwon Ma is a Senior Policy Analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. Rear Adm. (Ret.) Mark Montgomery is CCTI’s senior director and also directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission, where he previously served as executive director.
