January 23, 2025 | Policy Brief
U.S. Coast Guard Issues Landmark Cybersecurity Rule to Protect Maritime Infrastructure
January 23, 2025 | Policy Brief
U.S. Coast Guard Issues Landmark Cybersecurity Rule to Protect Maritime Infrastructure
The U.S. Coast Guard issued a final rule on January 17 establishing minimum cybersecurity requirements for U.S.-flagged vessels and other regulated facilities. The landmark rule aims to strengthen the resilience of the critical maritime infrastructure against cyberattacks, though its success will hinge on whether infrastructure owners and the Coast Guard itself have adequate resources for effective implementation.
Minimum Requirements Include Cyber Hygiene and Incident Response and Reporting
The final rule — building on a proposed rule and an executive order both issued in February 2024 — requires regulated entities to develop and maintain cybersecurity plans. These plans must include cyber hygiene practices like passwords and access management as well as asset inventories, logging network activity, and data encryption.
Entities must also develop cyber incident response plans and designate cybersecurity officers responsible for implementing these plans, conducting annual audits, coordinating inspections and training, and mitigating cyber threats. Finally, the rule requires regulated entities to report cyber incidents to the National Response Center, the FBI, and the Cybersecurity and Infrastructure Security Agency, ensuring rapid notification and information sharing across relevant agencies.
America’s Ports Face an Evolving Cyber Threat From China
The final rule comes at a time of increasingly sophisticated cyber threats targeting the maritime transportation system. A December 2024 report by DNV, a leading maritime registrar and technical standards organization, revealed that 31 percent of maritime professionals reported at least one cyberattack in the past year — nearly double the rate reported in the previous five years. Meanwhile, government officials and cybersecurity firms alike have warned that malicious Chinese hackers burrowed deep into U.S. critical infrastructure — including transportation infrastructure — to be able to disrupt and disable operations at a time of Beijing’s choosing.
China’s cyber threats are particularly concerning given that 80 percent of strategic ports currently rely on Chinese-manufactured cranes. In December 2023, Congress began addressing the risks of using Chinese-made logistics software by banning their use, providing a temporary mitigation measure. Nine months later, however, a joint report by the House Select Committee on Strategic Competition Between the United States and the Chinese Communist Party and the House Homeland Security Committee warned that America’s ports are still “dangerously reliant on equipment and technology that has been produced, manufactured, assembled, or installed” in China.
Improved Maritime Cybersecurity Requires Investment
In February 2024, along with issuing the proposed rule and the executive order on maritime infrastructure security, the Biden administration announced plans to mobilize $20 billion for improving U.S. port infrastructure in the coming years. However, cybersecurity is a priority neither of this funding nor of the Coast Guard’s port security grant program. The Trump administration should clarify that cybersecurity projects can use these funding streams and work with Congress to develop new grant programs or financial incentives to help port operators make necessary cybersecurity investments.
Meanwhile, the Coast Guard’s ability to be a good sector risk management agency by providing timely cyber threat information and guidance to maritime infrastructure owners and operators will remain limited without increased funding and personnel. Civilian cyber advisors provide cybersecurity expertise to captains of the port, who serve as federal maritime security coordinators. However, too few captains have such advisors. In its next budget, the Coast Guard should request — and Congress should appropriate — funds to improve the Coast Guard’s ability to help the maritime industry mitigate cyber risk. While U.S. port infrastructure will require long-term cybersecurity investments, the final rule marks a critical first step in strengthening America’s ports against evolving cyber threats.
Jiwon Ma is a senior policy analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where Maria Riofrio is an intern. For more analysis from the authors and CCTI, please subscribe HERE. Follow Jiwon on X @jiwonma_92. Follow FDD on X @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focused on national security and foreign policy.