[Congressional Record Volume 161, Number 183 (Wednesday, December 16, 2015)]
[House]
[Pages H9352-H9355]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
STRENGTHENING CYBERSECURITY INFORMATION SHARING AND COORDINATION IN OUR
PORTS ACT OF 2015
Mrs. MILLER of Michigan. Mr. Speaker, I move to suspend the rules
[[Page H9353]]
and pass the bill (H.R. 3878) to enhance cybersecurity information
sharing and coordination at ports in the United States, and for other
purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 3878
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Strengthening Cybersecurity
Information Sharing and Coordination in Our Ports Act of
2015''.
SEC. 2. IMPROVING CYBERSECURITY RISK ASSESSMENTS, INFORMATION
SHARING, AND COORDINATION.
The Secretary of Homeland Security shall--
(1) develop and implement a maritime cybersecurity risk
assessment model within 120 days after the date of the
enactment of this Act, consistent with the National Institute
of Standards and Technology Framework for Improving Critical
Infrastructure Cybersecurity and any update to that document
pursuant to Public Law 113-274, to evaluate current and
future cybersecurity risks (as that term is defined in the
second section 226 of the Homeland Security Act of 2002 (6
U.S.C. 148));
(2) evaluate, on a periodic basis but not less than once
every two years, the effectiveness of the cybersecurity risk
assessment model established under paragraph (1);
(3) seek to ensure participation of at least one
information sharing and analysis organization (as that term
is defined in section 212 of the Homeland Security Act of
2002 (6 U.S.C. 131)) representing the maritime community in
the National Cybersecurity and Communications Integration
Center, pursuant to subsection (d)(1)(B) of the second
section 226 of the Homeland Security Act of 2002 (6 U.S.C.
148);
(4) establish guidelines for voluntary reporting of
maritime-related cybersecurity risks and incidents (as such
terms are defined in the second section 226 of the Homeland
Security Act of 2002 (6 U.S.C. 148)) to the Center (as that
term is defined subsection (b) of the second section 226 of
the Homeland Security Act of 2002 (6 U.S.C. 148)), and other
appropriate Federal agencies; and
(5) request the National Maritime Security Advisory
Committee established under section 70112 of title 46, United
States Code, to report and make recommendations to the
Secretary on enhancing the sharing of information related to
cybersecurity risks and incidents between relevant Federal
agencies and State, local, and tribal governments and
consistent with the responsibilities of the Center (as that
term is defined subsection (b) of the second section 226 of
the Homeland Security Act of 2002 (6 U.S.C. 148)); relevant
public safety and emergency response agencies; relevant law
enforcement and security organizations; maritime industry;
port owners and operators; and terminal owners and operators.
SEC. 3. CYBERSECURITY ENHANCEMENTS TO MARITIME SECURITY
ACTIVITIES.
The Secretary of Homeland Security, acting through the
Commandant of the Coast Guard, shall direct--
(1) each Area Maritime Security Advisory Committee
established under section 70112 of title 46, United States
Code, to facilitate the sharing of cybersecurity risks and
incidents to address port-specific cybersecurity risks, which
may include the establishment of a working group of members
of Area Maritime Security Advisory Committees to address
port-specific cybersecurity vulnerabilities; and
(2) that any area maritime security plan and facility
security plan required under section 70103 of title 46,
United States Code approved after the development of the
cybersecurity risk assessment model required by paragraph (1)
of section 2 include a mitigation plan to prevent, manage,
and respond to cybersecurity risks.
SEC. 4. VULNERABILITY ASSESSMENTS AND SECURITY PLANS.
Title 46, United States Code, is amended--
(1) in section 70102(b)(1)(C), by inserting
``cybersecurity,'' after ``physical security,''; and
(2) in section 70103(c)(3)(C), by striking ``and'' after
the semicolon at the end of clause (iv), by redesignating
clause (v) as clause (vi), and by inserting after clause (iv)
the following:
``(v) prevention, management, and response to cybersecurity
risks; and''.
The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from
Michigan (Mrs. Miller) and the gentlewoman from California (Mrs.
Torres) each will control 20 minutes.
The Chair recognizes the gentlewoman from Michigan.
General Leave
Mrs. MILLER of Michigan. Mr. Speaker, I ask unanimous consent that
all Members have 5 legislative days within which to revise and extend
their remarks and include any extraneous materials on the bill under
consideration.
The SPEAKER pro tempore. Is there objection to the request of the
gentlewoman from Michigan?
There was no objection.
Mrs. MILLER of Michigan. Mr. Speaker, I yield myself such time as I
may consume.
Mr. Speaker, I rise in support of H.R. 3878, and I urge its passage.
Since the terrorist attacks of 9/11, the U.S. Congress has
appropriated $2.4 billion in port security grant funds to protect port
facilities against potential terror attacks. As a nation, we have done
a fairly good job of updating the physical security at ports, but the
U.S. Government has been very slow to ensure that our ports are secure
from cyber vulnerabilities.
For example, cybersecurity of our Nation's critical infrastructure
has been on the Government Accountability Office's High Risk List since
2003, yet we have not fully engaged on cybersecurity efforts at the
Nation's 360 seaports.
The threat of a cyber attack is real, and, when addressing the
protection of maritime critical infrastructure, we must clearly define
the roles and responsibilities for ensuring our Nation's ports are
protected.
Under the Maritime Transportation Security Act of 2002, the Coast
Guard is identified as the government agency responsible for ensuring
the physical security at our Nation's port infrastructure. This bill
makes it clear that the Coast Guard is also the primary agency
responsible for ensuring the maritime sector is prepared to prevent and
to respond to cybersecurity risk and vulnerability.
More than $1 trillion of goods--from cars, to oil, to corn, and
everything in between--move through our Nation's seaports each and
every year. Like many industries in America, port facilities and ship
operators are increasingly moving cargo through our ports using
automated industrial control systems.
While this automation certainly has a lot of benefits, such as
reducing the time that it takes to stock our shelves and lowering the
cost of doing business, it doesn't come without risks. These computer
systems are controlling machinery at port facilities to move containers
and fill tanks and onload and offload ships.
Terror groups, nation-states, criminal organizations, hackers, and
even disgruntled employees could breach these systems, with potentially
catastrophic results to the Nation's security and economy.
Breaches in the maritime domain are particularly concerning, not only
from an economic standpoint, but because the dangerous cargos, such as
liquefied natural gas and other dangerous cargos, that also pass
through our Nation's seaports are at risk.
Just as we have hardened physical security at our Nation's ports, we
need to do the same in virtual space to protect the systems critical to
the maritime transportation system against malicious actors. This bill
does just that, and it requires the Coast Guard to develop a
comprehensive cyber risk assessment specific to the vulnerabilities of
the maritime industry. It directs the Secretary of Homeland Security to
encourage participation with information sharing to better streamline
coordination at the national level.
H.R. 3878 is a bipartisan piece of legislation, introduced by my
colleague from California (Mrs. Torres), and I give her great credit
for this piece of legislation, working with so many Members on this. It
actually is the result of a hearing held by the Homeland Security
Subcommittee that I chaired back in October on the subject of
cybersecurity at our Nation's ports.
{time} 1230
The bill clarifies the Department of Homeland Security's role in
maritime cybersecurity as well as it ensures that port facilities work
with the Coast Guard to identify cyber risks and vulnerabilities and
share best practices across the industry. This is the first step, Mr.
Speaker, in protecting our ports from cyber threats, and I certainly
urge my colleagues to join this commonsense, bipartisan legislation.
Again, I want to thank the gentlewoman from California for her work
on this issue.
Mr. Speaker, I reserve the balance of my time.
Mrs. TORRES. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, I rise in support of H.R. 3878, the Strengthening
Cybersecurity Information Sharing and Coordination in Our Ports Act.
Mr. Speaker, I introduced H.R. 3878, the Strengthening Cybersecurity
Information Sharing and Coordination in
[[Page H9354]]
Our Ports Act, to ensure the Department of Homeland Security takes a
more proactive approach to address cybersecurity risks at our Nation's
ports and to improve cybersecurity information sharing and coordination
between public and private partners at maritime facilities.
The United States has approximately 360 commercial sea and river
ports which use cyber technology to move over $1 trillion worth of
cargo each year. The Ports of Los Angeles and Long Beach and other
ports in California account for almost 40 percent of the cargo entering
this country, and nearly 30 percent of the country's exports leave
through California ports.
The Port of Los Angeles is the number one port by container volume
and cargo value in the United States, seeing around $1.2 billion worth
of cargo each day. Each year, the Port of Long Beach handles more than
6.8 million 20-foot container units in cargo value at $180 billion and
is the second busiest port in the U.S. With so much economic activity
happening at our Nation's ports, protecting the cyber networks they
rely on is critical to our local and national economy.
This past October, the Subcommittee on Border and Maritime Security
on which I serve held a hearing focused on the threat of cyber attacks
at a port and how the Coast Guard is working with private and public
partners to protect maritime critical infrastructure against such
attacks. This is of particular interest to me because many of the goods
that enter through the Ports of Long Beach and Los Angeles come
directly to my district where the goods are redistributed throughout
the Nation. The hearing was called in response to a June 2014 GAO
report recommending the Department of Homeland Security take action to
strengthen cybersecurity at our Nation's ports.
Mr. Speaker, the report found that maritime Sector Coordinating
Councils are no longer active. These councils include port owners,
operators, and related private industry associations. This means that
today there is no one entity that coordinates information sharing
between the ports, the private sector, and government stakeholders.
At the October subcommittee hearing, we received testimony that
information sharing on cyber risks at ports should be stronger and that
some ports lack the resources to prevent, identify, and respond to
cyber attacks. To address these challenges, I introduced H.R. 3878,
which will require the Secretary of Homeland Security and the
Commandant of the U.S. Coast Guard to take several steps to enhance
cybersecurity at our ports.
Specifically, it requires the Secretary of Homeland Security to
establish guidelines for reporting cybersecurity risks, to develop and
implement a maritime cybersecurity risk model, and to make
recommendations on enhancing the sharing of cyber information. It also
requires the Coast Guard to direct Area Maritime Security Committees to
address cybersecurity risks. These measures will create an environment
where DHS, the Coast Guard, ports, and stakeholders work together to
enhance cybersecurity at our Nation's ports.
Mr. Speaker, I would like to thank Chairman McCaul and Subcommittee
Chairwoman Miller for their cooperation and the bipartisan nature of
the staff discussions on this bill. Mr. Speaker, I urge my colleagues
to support H.R. 3878.
I reserve the balance of my time.
Mrs. MILLER of Michigan. Mr. Speaker, I yield such time as he may
consume to the distinguished gentleman from New York (Mr. Donovan).
Mr. DONOVAN. Mr. Speaker, I rise today in support of H.R. 3878, the
Strengthening Cybersecurity Information Sharing and Coordination in Our
Ports Act of 2015.
This bill by my friend Representative Torres contains an amendment I
offered at committee, which makes an important change to the Maritime
Transportation Security Act of 2002.
More than $1.3 trillion worth of cargo travels through U.S. ports
each year, making them a truly critical part of our Nation's
infrastructure. Any disruption or slowdown of activity could have a
tremendous impact on the entire economy, costing billions of dollars
every day.
Ensuring the security of our maritime infrastructure is a complex
task and one that falls primarily on the United States Coast Guard.
However, while the Coast Guard has the history and the expertise to
provide physical security, its mission of ensuring that our maritime
infrastructure is safe from cyber threats is still evolving.
Currently, the Maritime Transportation Security Act of 2002 requires
vessels and port facilities to conduct vulnerability assessments and
develop security plans for physical security, access controls,
procedural security measures, and communication systems. My amendment
in committee added cybersecurity to that list. This addition will make
it crystal clear that the Coast Guard has the specific authority to
require maritime vessels and facilities to incorporate cybersecurity
into their assessments and plans.
The need for this change and the underlying legislation was
highlighted during a hearing before the Border and Maritime Security
Subcommittee on the topic of cybersecurity at our Nation's ports. In
that hearing, we heard how a range of actors--from narcotics
traffickers to terrorist organizations, and even nation-states--could
exploit cyber vulnerabilities at our ports for the purpose of smuggling
illicit materials or causing severe economic disruption. Mr. Speaker,
this legislation will ensure that we are better prepared to respond to
the growing cyber threat to our Nation's maritime infrastructure.
I thank Representative Torres for offering this legislation and for
accepting my amendment at committee.
Mr. Speaker, I urge my colleagues to support the bill.
Mrs. TORRES. Mr. Speaker, I yield 3 minutes to the gentleman from
California (Mr. Lowenthal).
(Mr. LOWENTHAL asked and was given permission to revise and extend
his remarks.)
Mr. LOWENTHAL. I thank the gentlewoman for yielding.
Mr. Speaker, I rise in support of H.R. 3878, the Strengthening
Cybersecurity Information Sharing and Coordination in Our Ports Act of
2015.
Mr. Speaker, in southern California, I represent the Port of Long
Beach, which is one of the busiest seaports in the country, is set to
handle more than 7 million containers this year, and accounts for
nearly 20 percent of all the loaded containers moving throughout our
Nation. It is a critical link for trade between our country and Asia
and is a linchpin for our national security and our national economy.
In other words, the security of the Port of Long Beach is not to be
treated lightly.
I am not a stranger to the critical nature of the port, but we are
now learning about emerging port-specific cyber threats. This body
recently took the first steps to fight off the growing threats to our
Nation's cybersecurity with a number of bills and hearings on this
topic. I am glad that out of those hearings, our attention now turns to
the cybersecurity of our critical infrastructure, including the
hundreds of cargo ports in this country.
As a result of H.R. 3878, we would see working groups forming at our
ports and coming together to address port-specific cybersecurity
vulnerabilities. These findings would be shared with appropriate
stakeholders, including Federal and local governments, port
authorities, terminal operators, as well as law enforcement, in an
effort to enhance cybersecurity situational awareness at the ports.
Mr. Speaker, I am confident that these working groups will continue
to find innovative solutions in response to this emerging threat.
Within the working groups, I hope that they will codify key definitions
and classification mechanisms and that they will come out of these
discussions to ensure the effectiveness of the group.
In closing, Mr. Speaker, I urge my colleagues to support this
important bill.
Mrs. MILLER of Michigan. Mr. Speaker, I reserve the balance of my
time.
Mrs. TORRES. Mr. Speaker, I yield 3 minutes to the gentlewoman from
California (Ms. Hahn).
Ms. HAHN. I thank my colleague, Congresswoman Torres, for introducing
this very important bill.
Mr. Speaker, as co-chair and cofounder of the Congressional PORTS
Caucus and also as a representative of the busiest port complex in the
Nation,
[[Page H9355]]
I have long advocated for much-needed cybersecurity at our Nation's
ports.
In 2013, a report by the Brookings Institution found that there is a
serious cybersecurity gap at many of our Nation's ports, putting them
at risk for an attack. A significant cyber attack at one of our major
ports could bring commerce in an entire region to a halt and send shock
waves throughout the national and global economies.
This is a problem that needs to be addressed, but unfortunately, we
do not have a clear picture of where cybersecurity vulnerabilities
exist at our ports.
Earlier this year, the House passed my amendment to instruct the
Department of Homeland Security to identify gaps in cybersecurity at
the Nation's 10 most at-risk ports and then to make recommendations for
how we can address these problems. I am pleased that that amendment has
been included in the omnibus that we will be voting on later this week.
Mr. Speaker, the bill we are talking about today expands on this
progress and is a great vehicle to identify cybersecurity problems at
our Nation's ports. I would like to commend my colleague Congresswoman
Torres for bringing this important issue to the floor.
Mr. Speaker, I urge all my colleagues to vote ``yes'' on this bill.
Mrs. MILLER of Michigan. Mr. Speaker, I have no further speakers. If
the gentlewoman from California is prepared to close, I will then close
for our side.
Mrs. TORRES. Mr. Speaker, I yield myself such time as I may consume.
Mr. Speaker, H.R. 3878 will enhance our understanding of cyber risks
at our ports and the countermeasures needed to mitigate them.
With the increased levels of technology at maritime facilities, all
public and private port stakeholders must share information and
coordinate efforts to make sure that our Nation's ports are protected
from cyber attacks.
Again, I appreciate the bipartisan cooperation on this legislation.
Mr. Speaker, I encourage my colleagues to support H.R. 3878.
Mr. Speaker, I yield back the balance of my time.
Mrs. MILLER of Michigan. Mr. Speaker, I simply, once again, urge my
colleagues to support H.R. 3878. It is a very good bill, and it is a
very important bill--again, in a bipartisan way--for the security of
our ports and the homeland security of our Nation as well.
Mr. Speaker, I yield back the balance of my time.
Ms. JACKSON LEE. Mr. Speaker, I speak in support of H.R. 3878, the
Strengthening Cybersecurity Information Sharing and Coordination in Our
Ports Act.
I thank Chairman McCaul and Ranking Member Thompson for their
bipartisan work and stewardship of the Committee on Homeland Security's
work, which includes H.R. 3878.
Congresswoman Torres should be commended for her hard work that led
to the introduction of the Strengthening Cybersecurity Information
Sharing and Coordination in Our Ports Act.
H.R. 3878, requires the Department of Homeland Security (DHS) to seek
to enhance cybersecurity situational awareness and information sharing
between maritime security stakeholders, the maritime industry, port
owners and operators, which include maritime terminal owners and
operators.
This bill requires DHS to:
consult with the Coast Guard to enhance participation by the Maritime
Information Sharing and Analysis Center in the National Cybersecurity
and Communications Integration Center; and
request that the National Maritime Security Advisory Committee report
and make recommendations to DHS on methods to enhance cybersecurity and
information sharing between stakeholders.
The bill also assures DHS leadership in port security by requiring
the agency's maritime security risk assessments to include
cybersecurity risks to ports and the maritime border of the United
States.
Ports serve as America's gateway to the global economy. The nation's
economic prosperity rests on the ability of containerized and bulk
cargo arriving unimpeded at U.S. ports to support the rapid delivery
system that underpins the manufacturing and retail sectors.
My service in the House of Representatives has focused on making sure
that our nation is secure and prosperous.
A central component of national security is the ability of our
International Ports to move goods into and out of the country.
The Port of Houston is critical infrastructure:
According to the Department of Commerce in 2012, Texas exports
totaled $265 billion.
The Port of Houston is a 25-mile-long complex of diversified public
and private facilities located just a few hours' sailing time from the
Gulf of Mexico.
In 2012 ship channel-related businesses contributed 1,026,820 jobs
and generated more than $178.5 billion in statewide economic impact.
In 2014, the Port of Houston was ranked among U.S. ports as the 1st
in foreign tonnage; largest Texas port with 46 percent of market share
by tonnage and 95 percent market share in containers by total TEUS in
2014; largest Gulf Coast container port, handling 67 percent of U.S.
Gulf Coast container traffic in 2014; and 2nd ranked U.S. port in terms
of total foreign cargo value.
The Government Accountability Office (GAO), reports that this port,
and its waterways, and vessels are part of an economic engine handling
more than $700 billion in merchandise annually.
A Maritime Cyber-RISKS report published in 2014 outlined examples of
cybersecurity vulnerabilities that are specific to ports.
The Cyberattacks examined included:
Theft of money by deceiving a company into transferring large amounts
of funds to a bank account owned by criminals;
In 2013, the FBI issued a warning to maritime companies warning them
of a fraud committed against several companies using a man-in-the-
middle cyberattack that resulted in $1.65 million in losses.
In this attack an impersonation occurs when the email address of a
trusted party is co-opted or taken over by an unknown 3rd party.
The trusted 3rd party makes a request to change banking information
that should be used to provide payment for legitimate services provided
an established business relationship.
The legitimate business is not aware of the request to change bank
payment information.
When the payment is sent, thieves receive it and quickly close the
account so that the funds cannot be retrieved.
Another malicious attack that does not involve theft of funds can
occur if the location of cargo information is deleted by a cyber-
attacker.
According to CyberKeel this type of attack happened to a shipping
company in 2011.
In this attack data related to rates, loading, cargo number, date and
place were corrupted.
This cyberattack meant that no one at the port could identify where
containers were, whether they loaded, nor identify which containers
were on ships.
Cyberattack that targeted technology used by companies who are taking
receipt of cargo at port locations.
The Firmware software code on handheld scanning technology that reads
barcodes on containers was corrupted by malware.
When the scanners were plugged into the company's network the
corrupted code started a series of automated cyberattacks that searched
the company's network for financial information.
After finding the information, a connection was established with a
computer in China.
Cyberattack at the Port of Antwerp was run by a drug smuggling ring.
In this attack the cyber criminals were able to gain control of the
port terminal system that allowed them to release containers to their
own trucks without the knowledge of port authorities.
This attack is particularly chilling when considering our efforts to
protect against weapons of mass destruction in the form of biological,
nuclear and chemical weapons from being brought into the country
undetected.
This type of attack also has implications for persons entering the
country undetected.
The same attack carried out against port worker automated
identification systems would open the door on a host of domestic
security issues.
Our nation has thousands of miles of coastlines, lakes, and rivers
and hundreds of ports that provide opportunities for legitimate travel,
trade, and recreation.
At the same time, these waterways offer opportunities for terrorists
and their instruments, and drug smugglers to enter our country.
Cybersecurity at ports must be national priority, for this reason, I
ask my colleagues to join me in voting in favor of H.R. 3878.
The SPEAKER pro tempore (Mr. Donovan). The question is on the motion
offered by the gentlewoman from Michigan (Mrs. Miller) that the House
suspend the rules and pass the bill, H.R. 3878, as amended.
The question was taken; and (two-thirds being in the affirmative) the
rules were suspended and the bill, as amended, was passed.
A motion to reconsider was laid on the table.
____________________