U.S. commerce “would grind to a halt in a matter of days” in the aftermath of a crippling cyberattack that the nation’s ports — including Baltimore — are ill-prepared for, according to a new Brookings Institution report.
But port officials here and elsewhere dispute the assessment written by Coast Guard Cmdr. Joseph Kramek, who spent a year as a Brookings fellow looking at cybersecurity at six of the nation’s busiest waterfronts.
The study concluded that failure to bolster defenses against hackers could lead to disruption of the computer networks used to move goods, fuel and food from ships to the marketplace.
“Shelves at grocery stores and gas tanks at service stations would run empty,” the study said. A halt in “energy supplies would likely send not just a ripple but a shock wave through the U.S. and even global economy.”
In addition to Baltimore, Kramek examined California’s ports in Los Angeles and Long Beach, Houston and Beaumont in Texas, and Vicksburg on the Mississippi River.
But Baltimore port officials and their West Coast counterparts in Long Beach disputed some of Kramek’s findings, which were released last week by Brookings.
Port of Baltimore spokesman Richard Scher called the 50-page study “misleading and factually incorrect.”
Kramek concluded that “the cybersecurity culture is not high” at the Maryland Port Administration, which oversees the port of Baltimore. He said port officials have not conducted a threat assessment or developed a response plan. Further, he said, port officials had not applied for federal grants to carry out a cybersecurity project.
Kramek wrote that a successful attack on the computer systems of Baltimore’s port or its tenants “would quickly disrupt cargo operations and slowly ripple out to impact the one-third of the U.S. population that resides within an overnight drive” of the port.
The port, ranked 12th in cargo tonnage in the nation, has been unsuccessfully attacked by hackers, but because the facility’s computer system is part of the Maryland Department of Transportation network, the target was unclear, the study said. Attempts to break into the port’s wireless network were blamed on crew members aboard visiting ships trying to access free WiFi.
Scher said the port and the MDOT take cybersecurity seriously, as evidenced by the ability to fend off such attempts. The port and the MDOT work with the FBI Baltimore Cyber Crime Unit and a liaison with the National Security Agency at Fort Meade to ensure the integrity of the computer network, he said.
“We have the highest level of security available and a thorough response plan. MPA is very comfortable with what’s being done,” he said.
Port officials were on their guard when speaking with Kramek, Scher said.
“Cybersecurity is a very, very sensitive topic,” Scher said. “A lot of issues we did not divulge because this wasn’t an official Coast Guard inspection. The MPA was very cautious with him. He did not need to know, in-depth, any MPA cybersecurity information or background.”
In footnotes, Kramek said he had “an in-person port visit, tour and interview” on Jan. 7 with David Espie, head of port security; John Cumberledge, head of information and technology; and an unnamed representative from Ports America Chesapeake, which operates the Seagirt Marine Terminal.
A Brookings spokeswoman said that before interviewing port officials, Kramek identified himself as a Brookings Federal Executive Fellow and as a Coast Guard officer on leave. In addition, port officials requested and received a written agenda and Kramek’s resume before the meeting.
“There was no room for confusion about who he was or the nature of the research he was conducting,” spokeswoman Gail Chalef wrote in an email.
She said Brookings has hosted Coast Guard officers for more than a decade as part of its Federal Executive Fellow program.
“As per our usual practice … Kramek’s study was vetted and reviewed by a group of policy and cybersecurity experts, as well as presented at a public conference of his military officer peers,” Chalef wrote.
The Washington-based think tank did not make Kramek available for comment.
Kramek’s conclusion urged Congress to put the Coast Guard in charge of enforcing port cybersecurity standards and argued that the Department of Homeland Security should steer more money to enhance cybersecurity at ports.
In February, President Barack Obama issued an executive order requiring federal agencies, including the Coast Guard, to work with industry partners to secure critical infrastructure from cyberattacks. Cybersecurity gained more attention this year following a New York Times report that linked sophisticated hacking attacks to China’s army.
Scher said port officials made clear to Kramek that computer security is handled by the MDOT, but that to the best of their knowledge, Kramek never followed up with staff there.
Contrary to the study’s assertion that the port spent more than $7 million on security enhancements, Scher said more than $12 million was spent on thermal imaging devices, an extensive camera network and a mobile sonar detection unit. Recently, the port opened a new visitor access control center on Broening Highway.
In addition, the report said the port uses radio frequency identification tags to monitor truck traffic entering and leaving the port.
“We do not have RFID. We have other systems in place,” Scher said.
In 2012, the Coast Guard gave the port’s physical defenses its highest security rating for the fifth consecutive year, Scher noted.
The ports of Los Angeles and Long Beach — the country’s largest and second-largest, respectively — also have taken defensive steps. Los Angeles used a $1.6 million grant to protect its computer networks from hackers, and Long Beach spent $35 million to build a secure communications infrastructure.
But neither has done all it should, Kramek wrote.
Los Angeles “has not conducted a cybersecurity vulnerability assessment, nor does it have a cyber incident response plan,” the report said. Long Beach has no written cybersecurity directive or response plan.
John Holmes, a former Coast Guard officer who is deputy director for operations at Los Angeles port, called Kramek’s conclusions “relatively accurate” and said authorities take cyberthreats seriously and are conducting a vulnerability assessment.
Long Beach port officials disputed some of the study’s claims and conclusions.
“We have the latest cyber security technologies,” spokesman Art Wong wrote in an email. “We patch all of our systems on a regular basis. We continuously train our users on cyber security best practices.”