Sunday, July 12, 2020

S 4023 Introduced – Maritime Cybersecurity

Last month Sen Markey (D,MA) introduced S 4023, the Enhancing Maritime Cybersecurity Act of 2020. The bill would require that the DHS Cybersecurity and Infrastructure Security Agency (CISA) ensure the availability of a resource, or a consolidated series of resources, to assist maritime operators in identifying, detecting, protecting against, responding to, and recovering from cyber incidents. No funding is authorized by this bill.

Definitions


Section 2(a) of the bill provides the definition of key terms used in the legislation. It takes the definition of the term ‘cyber incident’ from the Presidential Policy Directive #41 (July 26th, 2016). That document defines the term as:

“An event occurring on or conducted through a computer network that actually or imminently jeopardizes the integrity, confidentiality, or availability of computers, information or communications systems or networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon. For purposes of this directive, a cyber incident may include a vulnerability in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.”

Cybersecurity Resources


Section 2(b) of the bill would require CISA, in consultation with the Maritime Administration and the Coast Guard, to make available cybersecurity resources designed “to assist maritime operators in identifying, detecting, protecting against, responding to, and recovering from cyber incidents” {§2(b)(1)}. The cybersecurity resources would be based upon the NIST Cybersecurity Framework and the IMO “Guidelines on Maritime Cyber Risk Management”. The resources directive includes a mandate for CISA to “establish a structured cybersecurity assessment and development program” {§2(b)(2)(C)}.

Cyber Coordinator


Section 2(c) would require the DOT’s Maritime Administration to “designate an office as a ‘cyber coordinator’”. That office would be responsible for:

• Coordinating with the CISA and the Coast Guard on cybersecurity activities for the commercial maritime sector and cyber incidents that affect maritime operators,
• Ensuring that maritime operators are aware of available secure methods of notifying the United States Government of cyber incidents,
• Notifying the CISA and the Coast Guard of unaddressed cyber incidents that affect maritime operators,
• Ensuring that maritime operators have access to educational resources, conducting outreach, and ensuring awareness on fundamental principles and best practices in cybersecurity for maritime systems, including the cyber resource developed under this section.

Moving Forward


Markey is a member of the Senate Commerce, Science, and Transportation Committee to which this bill was assigned for consideration. Markey is the Ranking Member of the Security Subcommittee. This should mean that he would have enough influence to see this bill considered in Committee. Unfortunately, this is a COVID-19 reduced election year where minor bills like this are unlikely to receive consideration.

I see nothing in this bill that would engender serious opposition to the bill, especially since no monies are authorized.

Commentary


With no cosponsors associated with the bill, this looks like another stone in Markey’s cybersecurity house that will not be going anywhere. It will help to establish Markey as a cybersecurity legislator but will do nothing to see actual cybersecurity law or policy affected.

If this bill were to advance, there are a couple of changes that I would like to see included in the bill. First, I would like to see §2(c) changed from designating an existing office as ‘cybersecurity coordinator’ to establishing an Office of Maritime Cybersecurity. That Office would work closely with the Coast Guard’s Cyber Command on maritime cyber incident investigations. It would also be responsible for sharing anonymized information about cybersecurity incidents with maritime operators. Finally, the Office would be responsible for working with the United States Merchant Marine Academy and six State Maritime Academies to ensure that cybersecurity education is an integral part of the academic program at the academies.
