(The Cipher Brief)

Ten Years After the Safe Port Act, Are America's Ports Secure?

Transportation soldiers and civilian harbormasters move cargo containers onto awaiting vessels in a training exercise at Joint Base Langley-Eustis

Photo by Spc. Cal Turner/U.S. Army

by Henry H. Willis

April 6, 2016

In 2006, Congress passed the Safe Port Act to help ensure that maritime transportation infrastructure was effectively secured from the threat of terrorism. Today, 10 years since the enactment of the law, are U.S. ports safe? This is a complex issue with an equally complex answer.

The established security measures implemented through public and private sector cooperation have improved port security while maintaining port efficiency. Still, many of the threats that motivated the Safe Port Act remain, and new dangers have emerged, including cyber threats.

America's ports remain a vital driver of its economy. Each year, more than 60 thousand vessels make calls on U.S. ports, moving about 50 percent of America's imports and about 40 percent of its exports (by value). Ferries transport more than 300 million passengers, and the cruise-ship industry contributes almost $40 billion to the U.S. economy.

The economic importance and visibility of ports make port infrastructure and operations attractive terrorism targets. The potential vulnerability of these targets further increases maritime terrorism risk. The efficiency and speed of maritime shipping itself could be used by terrorists to move operatives or weapons. Attacks on both vessels and the port infrastructure used to move cargo and commodities could damage the U.S. economy by disrupting trade and commerce. Attacks on cruise ships or ferries, such as the 2004 bombing of SuperFerry 14 in Manila, the hijacking of the Achille Lauro in 1985, or the hijacking of a Turkish passenger ferry in 1996, could affect countless victims and spawn fear and terror.

Security measures implemented over the past 10 years respond to an array of threats. Port and vessel security inspection authorities have increased the number of guards, gates, and cameras monitoring ports. The Port Security Grant Program has helped develop and sustain prevention, preparedness, and response capabilities around ports. The Transportation Worker Identification Card program has increased the screening of those with access to critical port infrastructure. Regulations and programs to collect and screen cargo manifests and participation with shippers through the Customs-Trade Partnership Against Terrorism have increased transparency into the supply chain and made it easier to identify suspicious shipments. Installation of radiation detectors at U.S. ports and collaborations with foreign partners through the Container Security Initiative have increased the ability of authorities to detect illicit movement of radiological materials. Together, these programs established a system to secure ports that matches the complexity of the system of infrastructure, vessels, cargo, shippers, and people that they were designed to protect.

While many of the security challenges that were recognized in 2006 appear to have been met, new potential threats have emerged from the cyber environment. The pervasiveness of information and communications technology has fully penetrated maritime and port infrastructure. The efficiency of logistics systems rests on technologies that track the flow of shipments and pass transactions among manufacturers, carriers, and shippers. Vessel navigation is guided by the global positioning system. Automated control systems are used widely across port infrastructure, for example in vessel navigation, natural gas and oil loading and unloading, and in the electric grid upon which ports depend.

These same technologies that drive efficiency in maritime transportation also increase the system's vulnerability. Each of these systems could be exploited to disrupt port operations or damage port infrastructure. Data systems could be compromised so that the integrity of manifests cannot be trusted. Navigation systems could be attacked, increasing risks of vessel collisions. Control systems could be hacked to damage critical infrastructure. Yet the risk from these vulnerabilities is not well understood. Which groups or people might attempt to exploit cyber vulnerabilities and have the capability to do so? What existing protection and redundancies mitigate these vulnerabilities? Who will respond if a cyberattack on port infrastructure occurs? What response capabilities are required? Is America prepared?

This increased threat environment has been recognized, and efforts are underway to better understand it and to craft new security responses. For example, the U.S. Coast Guard Cyber Strategy outlines the service's objectives to defend cyberspace, enable operations, and protect infrastructure in the maritime environment. Key among the objectives laid out in the strategy are understanding and promoting awareness of cyber risks; improving information sharing about threats and vulnerabilities to maritime operations; and reducing the risks that threaten port infrastructure and operations.

The advances in port security since 2006 were made possible through public and private collaboration as new security measures became part of doing business in the maritime environment. The security measures increased costs, but cooperation between the public and private sector helped offset these costs, while balancing the need for efficiency and security. Addressing cyber risks will require the same attention to balancing port efficiency and security that has been used since 2006. As the United States confronts cyber threats in the maritime domain, it must mobilize the public and private organizations engaged in port operations to understand these new risks and to work together to ensure U.S. ports remain efficient and secure.

Henry H. Willis is director of the Homeland Security and Defense Center at the nonprofit, nonpartisan RAND Corporation and a professor at the Pardee RAND Graduate School.

This commentary originally appeared on The Cipher Brief on April 6, 2016. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.