Wary of hackers, Biden orders new cybersecurity measures at U.S. ports

President Biden signed an executive order Wednesday that creates new rules to shore up security at American ports — and commits $20 billion to replace Chinese-made cranes that U.S. officials worry could be vulnerable to hacking and remote control.

The executive order empowers the U.S. Coast Guard to respond to cybersecurity incidents at ports, and lays out a new set of safety regulations that port operators must follow to fend off digital attackers.

“Most critical infrastructure owners and operators have a list of safety regulations they have to comply with,” said Anne Neuberger, deputy national security advisor at the White House. “We want to ensure that there are similar requirements for cyber, when a cyberattack can cause just as much, if not more, damage than a storm or another physical threat.”

Nationwide, roughly 31 million jobs and $5.4 trillion in economic activity are linked to trade that passes through ports, all of which could be disrupted by a ransomware or other type of cyberattack, Neuberger said.

The ports of Los Angeles and Long Beach constitute the largest container port facility in the hemisphere, handling 9.9 million and 9.1 million TEUs — twenty-foot equivalent units, the standard volume metric in ocean shipping — respectively, in 2022. The San Pedro complex in Los Angeles handles 29% of all container-based trade in the U.S., and nearly 20% of all U.S. seaport trade.

That volume of cargo is loaded on and off of ships by a forest of roughly 150 cranes, most of which are manufactured by one company: Shanghai Zhenhua Heavy Industries Co., or ZPMC. The company says that it controls around 70% of the global market for cranes, and 80% of the U.S. market, according to the Wall Street Journal.

Rear Adm. John Vann, who heads the U.S. Coast Guard’s Cyber Command, confirmed that 80% number to reporters, and added that their computerized control systems leave them vulnerable to attack. Although the San Pedro port complex is owned and administered by public agencies, the terminals are leased to private companies, which purchase and operate their own cranes.

As part of the $20-billion investment in port infrastructure, the White House also announced that a U.S. subsidiary of the Japanese industrial giant Mitsui is “planning to onshore domestic manufacturing capacity for American and Korean production for the first time in 30 years, pending final site and partner selection.” The announcement did not include details of how these new cranes and the money to buy them will reach private port terminal operators in San Pedro and beyond.

The executive order is part of the Biden administration’s focus on protecting critical infrastructure such as power grids, ports and pipelines, most of which are controlled by networked software and therefore vulnerable to hacks. There is no set of nationwide standards that govern how operators should protect against potential attacks online.

The threat continues to grow. Hostile activity in cyberspace — from spying to the planting of malware to infect and disrupt a country’s infrastructure — has become a hallmark of modern geopolitical rivalry.

For example, in 2021, the operator of the nation’s largest fuel pipeline had to temporarily halt operations after it fell victim to a ransomware attack in which hackers held its data hostage in exchange for money. The company, Colonial Pipeline, paid $4.4 million to a Russia-based hacker group, though Justice Department officials later recovered much of the money.

Ports too are vulnerable. In Australia last year, a cyberattack forced one of the country’s largest port operators to suspend operations for three days.

The Port of L.A. was subject to roughly 754 million cyber-intrusion threats in 2023, according to an article by its executive director, Gene Seroka, published this month. The port has been an industry leader in cybersecurity efforts for years, since establishing a dedicated Cyber Security Operations Center in 2014 and adding the Cyber Resilience Center to allow all the various companies and agencies cooperating at the port to coordinate their cybersecurity efforts in 2022.

Late last month, U.S. officials said they had disrupted a state-backed Chinese effort to plant malware that could be used to damage civilian infrastructure. Vann said this type of potential attack was a concern as officials pushed for new standards, but they are also worried about the possibility for criminal activity.

Vann said that Coast Guard cyber protection teams had “assessed cybersecurity or hunted for threats” on nearly half of the Chinese-manufactured cranes in the U.S. to date and will continue to monitor the current stock of cranes across the nation.

The new standards, which will be subject to a public comment period, will be required for any port operator and there will be penalties for failing to comply, though the officials did not outline them. They require port operators to notify authorities when they have been victims of a cyberattack, and give the Coast Guard, which regulates the nation’s ports, the ability to respond to cyberattacks and enforce the new rules.

The Associated Press contributed to this report.