Global Cybersecurity Threats to the Maritime Sector

by Holland & Knight LLP

Holland & Knight LLP


  • As cybersecurity risks to the nation's critical infrastructure – including those parts in the transportation and maritime sectors – continue to grow, the incoming Trump Administration has made it clear that cybersecurity is one of its top priorities.
  • The administration's new Cyber Review Team has been tasked with conducting an immediate review of all U.S. cyber defenses and vulnerabilities, including "vital" infrastructure in the transportation and maritime sectors. President-Elect Donald Trump also has publicly discussed focusing on a more offensive approach to cybersecurity around the world as well as a more proactive deterrence strategy.
  • To date, the maritime sector has not seen mandatory cybersecurity regulations come to the forefront, but it is expected that the international community will move in that direction in the near future.

Cybersecurity risks to the nation's critical infrastructure (CI) – defined as 16 CI sectors, including transportation and maritime – continue to grow exponentially. The incoming Trump Administration has made it clear that cybersecurity is a mainstream national, homeland and economic security priority. At the same time, President-Elect Donald Trump has included cybersecurity in his top 10 priorities as well as an action item in his administration's First 100 Days. He also has called for a "Cyber Review Team," which includes a core role for the U.S. Departments of Defense and Cyber Command as well as for law enforcement and the private sector.

The new Cyber Review Team has been tasked with conducting an immediate review of all U.S. cyber defenses and vulnerabilities, including "vital" infrastructure that includes the transportation and maritime sectors. The Cyber Review team will "provide specific recommendations for safeguarding different entities with best defense technologies tailored to the likely threats, and will [be] followed up regularly at various Federal agencies and departments."

Nation-states, non-state actors, hacktivists and organized crime represent the range of attackers against the maritime sector. Ports, port operators, vessel operators, shipping companies and others are faced with constant attacks that range from 21st century theft, to more critical risks to the sector as a whole. At the same time, the maritime sector is crucial to the movement of trade around the globe. A major cybersecurity attack could represent both the potential for injury and loss of life as well as physical damage to the maritime, shipping and port infrastructure. The devastation could be dramatic, carrying economic impacts potentially in the hundreds of billions of dollars.

The U.S. Department of Homeland Security (DHS) and U.S. Coast Guard (USCG) has been working for several years with the maritime sector to evaluate and work to mitigate risks to the sector. In 2015, the USCG issued a cybersecurity strategy and began working to identify best practices and voluntary measures designed to help the sector and focused on best practices identified in the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

At the same time, DHS continued to raise awareness about the risks, releasing a report in March 2016, "Consequences to Seaport Operations from Malicious Cyber Activity." Among the report's key findings: 1) "Unless cyber vulnerabilities are addressed, they will pose a significant risk to port facilities and aboard vessels within the Maritime Subsector." 2) "A cyber attack on networks at a port or aboard a ship could result in lost cargo, port disruptions, and physical and environmental damage depending on the systems affected. The impact to operations at a port, which could last for days or weeks, depends on the damage done to port networks and facilities." 3) "The impacts to critical infrastructure sectors depend on how a cyber attack affects a port, the level and length of disruption that occurs at the port, and the capability to divert shipments to other ports. " The report goes on to focus on the potential negative impact to key sectors such as "Critical Manufacturing, Commercial Facilities, Food and Agriculture, Energy, Chemical, and Transportation Systems. If more than one port is disrupted concurrently by a cyber attack, a greater impact to other sectors of critical infrastructure is likely to occur."

Potential Measures and Strategies

As cybersecurity attacks against the maritime sector continue to be substantiated, the global community has come together to discuss the threats to the industry. The international community has also been working through the International Maritime Organization (IMO) to discuss possible approaches to dealing with the challenge. In 2016, the IMO approved "Interim Guidelines on Maritime Cyber Risk Management," focusing on voluntary measures despite some calls by some nations to create mandatory measures.

President-Elect Trump has publicly discussed focusing on a more offensive approach to cybersecurity around the world as well as a more proactive deterrence strategy. He also has said he will direct the "Secretary of Defense and the Chairman of the Joint Chiefs of Staff to provide recommendations for enhancing U.S. Cyber Command." Additionally, Congress has become focused on concerns to supply chain systems and recently mandated a U.S. analysis of cybersecurity threats specifically for the maritime sector. Congress has expressed similar concerns for other key CI sectors and supply chain risks for the past four to five years. The 115th Congress has already kicked off a series of hearings looking at nation-state threats to the United States. At the same time, expect Congress to continue an activist oversight role on how the maritime sector is proactively managing its cybersecurity risk and what the appropriate role is for the U.S. DHS, State, Defense and other departments against ever-increasing global threats.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Holland & Knight LLP | Attorney Advertising

Written by:

Holland & Knight LLP

Holland & Knight LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.