Port of Baltimore is vulnerable to cyber attack, Brookings study says

Port officials dispute report, saying author misled them before interview

July 05, 2013|By Candy Thomson, The Baltimore Sun

U.S. commerce "would grind to a halt in a matter of days" in the aftermath of a crippling cyberattack that the nation's ports — including Baltimore — are ill-prepared for, according to a new Brookings Institution report.

But port officials here and elsewhere dispute the assessment written by Coast Guard Cmdr. Joseph Kramek, who spent a year as a Brookings fellow looking at cybersecurity at six of the nation's busiest waterfronts.

The study concluded that failure to bolster defenses against hackers could lead to disruption of the computer networks used to move goods, fuel and food from ships to the marketplace.

"Shelves at grocery stores and gas tanks at service stations would run empty," the study said. A halt in "energy supplies would likely send not just a ripple but a shock wave through the U.S. and even global economy."

In addition to Baltimore, Kramek examined California's ports in Los Angeles and Long Beach, Houston and Beaumont in Texas, and Vicksburg on the Mississippi River.

But Baltimore port officials and their West Coast counterparts in Long Beach disputed some of Kramek's findings, which were released last week by Brookings.

Port of Baltimore spokesman Richard Scher called the 50-page study "misleading and factually incorrect."

Kramek concluded that "the cybersecurity culture is not high" at the Maryland Port Administration, which oversees the port of Baltimore. He said port officials have not conducted a threat assessment or developed a response plan. Further, he said, port officials had not applied for federal grants to carry out a cybersecurity project.

Kramek wrote that a successful attack on the computer systems of Baltimore's port or its tenants "would quickly disrupt cargo operations and slowly ripple out to impact the one-third of the U.S. population that resides within an overnight drive" of the port.

The port, ranked 12th in cargo tonnage in the nation, has been unsuccessfully attacked by hackers, but because the facility's computer system is part of the Maryland Department of Transportation network, the target was unclear, the study said. Attempts to break into the port's wireless network were blamed on crew members aboard visiting ships trying to access free WiFi.

Scher said the port and the MDOT take cybersecurity seriously, as evidenced by the ability to fend off such attempts. The port and the MDOT work with the FBI Baltimore Cyber Crime Unit and a liaison with the National Security Agency at Fort Meade to ensure the integrity of the computer network, he said.

"We have the highest level of security available and a thorough response plan. MPA is very comfortable with what's being done," he said.

Port officials were on their guard when speaking with Kramek, Scher said.

"Cybersecurity is a very, very sensitive topic," Scher said. "A lot of issues we did not divulge because this wasn't an official Coast Guard inspection. The MPA was very cautious with him. He did not need to know, in-depth, any MPA cybersecurity information or background."

In footnotes, Kramek said he had "an in-person port visit, tour and interview" on Jan. 7 with David Espie, head of port security; John Cumberledge, head of information and technology; and an unnamed representative from Ports America Chesapeake, which operates the Seagirt Marine Terminal.

A Brookings spokeswoman said that before interviewing port officials, Kramek identified himself as a Brookings Federal Executive Fellow and as a Coast Guard officer on leave. In addition, port officials requested and received a written agenda and Kramek's resume before the meeting.

"There was no room for confusion about who he was or the nature of the research he was conducting," spokeswoman Gail Chalef wrote in an email.

She said Brookings has hosted Coast Guard officers for more than a decade as part of its Federal Executive Fellow program.

"As per our usual practice ... Kramek's study was vetted and reviewed by a group of policy and cybersecurity experts, as well as presented at a public conference of his military officer peers," Chalef wrote.

The Washington-based think tank did not make Kramek available for comment.

Kramek's conclusion urged Congress to put the Coast Guard in charge of enforcing port cybersecurity standards and argued that the Department of Homeland Security should steer more money to enhance cybersecurity at ports.

In February, President Barack Obama issued an executive order requiring federal agencies, including the Coast Guard, to work with industry partners to secure critical infrastructure from cyberattacks. Cybersecurity gained more attention this year following a New York Times report that linked sophisticated hacking attacks to China's army.

Scher said port officials made clear to Kramek that computer security is handled by the MDOT, but that to the best of their knowledge, Kramek never followed up with staff there.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.