Ports must prepare now for ‘forever war’ with cyber threats, including infrastructure targeting from China
Vulnerable ports must prepare for a “forever war” with malicious cyber actors who see the sector, with its frequently outdated systems supporting critical civilian and military operations, as ripe for attack, experts said Thursday at an event urging immediate action to better secure maritime infrastructure.
The McCrary Institute for Cyber and Critical Infrastructure Security, which runs Threat Beat, and Booz Allen hosted the discussion to launch the report “Anchored in Zero Trust: Taking Action to Create Resilient U.S. Port Infrastructure” and spotlight its findings and recommendations.
McCrary Institute Director Frank Cilluffo said that few security challenges are “more burning, front and center, than our ports – to both our economy and our national security.”
Dave Forbes, director of cyber-physical defense at Booz Allen, said the goal of the report’s release is to raise awareness of port security, stimulate discussion about mitigations and get critical information to as many stakeholders as possible. “Adversaries are already inside of our port infrastructure,” he said, as Chinese-manufactured cranes, coupled with outdated operational technology (OT) and legacy IT systems, continue to raise concerns about readiness at ports.
Volt Typhoon is a campaign by China-sponsored cyber actors to “pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States,” according to a CISA assessment.
Forbes noted that Volt Typhoon underscores how cyber threats are “one continuous battlespace” and why a zero-trust framework should be a “fundamental shift” in the protection of OT environments.
Booz Allen Executive Vice President Brad Medairy, a McCrary Institute senior fellow, said the past few years have been “defined by continued escalation” from China, with Volt Typhoon “one of the most significant cyber events I’ve seen” – crossing the line from hacking for espionage to being poised to inflict harm on critical systems.
“China’s using cyber capabilities to shape, influence and exert power in this forever war in cyberspace, and it’s not going to go away,” he said. Along with vulnerabilities in OT environments that can be exploited by threat actors, many in the sector “aren’t fully resourced to protect and defend their environment” and may not even have a chief cybersecurity engineer.
Medairy stressed that “a well-resourced adversary can and will be in your environment,” so the sector needs to adjust its mentality to “we are going to be breached” – with a focus on resilience, recovery and hunting down those responsible. While there is “no one single silver bullet” for implementing zero-trust principles, the five pillars as defined by CISA’s Zero Trust Maturity Model – identity, devices, networks, applications/workloads and data – help pinpoint an organization’s risks and controls with a focus on resiliency and deterrence.
“You want to convince them that today is not the day,” Medairy said of increasingly skilled hackers.
There are 22 strategic seaports deemed critical to military readiness in the United States, and 17 of these are commercial ports – further highlighting the national security risk posed by weak maritime cyber hygiene.
“We should not accept the fact that the PRC is pre-positioning in our critical infrastructure and attacking telecommunications,” Medairy said, emphasizing the importance of having a plan “so that we can buy down this risk.”
“We have been a victim too long and we have to get out of that mindset,” Cilluffo said, adding that OT has also been the “stepchild of the cyber community for too long” despite its essential role in critical functions. Medairy characterized OT as “where the physical world meets the digital world” and pointed to the 2021 cyberattack on Colonial Pipeline as a prime example of the broad impacts of breaches on physical systems.
“When we talk about APTs [Advanced Persistent Threat Actors] ‘p’ is one of the most profound for me,” Medairy said. “Nation-state adversaries are persistent. Just because we found them doesn’t mean they’re going to stop.”
Steve Casapulla, acting chief strategy officer at the Cybersecurity and Infrastructure Security Agency, called port security “an issue very near and dear to my heart” given his background as a licensed merchant mariner.
“We still don’t actually know what the result of that is going to be,” Casapulla said of the Volt Typhoon campaign. “They are in those systems.” While assessing what the end goal of the campaign may be, officials have to mitigate the threat – which could hit port infrastructure from cranes to cargo management systems. “They can just shut down a database and limit our ability to track cargo that moves on and off of ships, effectively shutting down the ports and the entire transportation system that way.”
“Those are the kind of second-, third-order effects that I also worry about,” Casapulla added.
To help counter these threats, he advocated deepening relationships across government, discussing resources and assistance for organizations that want to upgrade their infrastructure, and starting from the ground up with basic cyber hygiene.
“Ports and the maritime sector are reliant on the other sectors, so it’s critical we have those relationships as well,” Casapulla said. “So if power goes out at a port, we don’t have issues all over.”
Emily Park from the Senate Homeland Security and Governmental Affairs Committee staff stressed that Congress needs to renew the Cybersecurity Information Sharing Act of 2015 with limited working days on lawmakers’ calendars before its Sept. 30 sunset.
“If you’re not a little concerned about that upcoming expiration date, you should be,” she said, noting that there are “lots of champions for this in Congress” along with “a lot of naysayers, too.”
An expiration of CISA 2015 would be expected to cause “significant impact” across all critical infrastructure sectors, Park said, with an expected “80 to 90% reduction in cyber information flows.” And “that doesn’t say anything about the break in trust that will occur as well,” she added.
Park also highlighted a congressional push to get the Pentagon to “ensure that phishing-resistant authentication, which includes hardware-based public key infrastructure, is used by all personnel of the DoD,” as the Senate version of the 2026 defense policy bill states. Park characterized the Defense Department as having room for improvement in its ports security responsibilities with CISA and the U.S. Coast Guard, which have been doing a “great job.”
“Now is definitely the time to shine for agencies,” she added, acknowledging challenges posed by departures at CISA and uncertainty in the federal workforce.
Sam Stevens, former chief of the U.S. Coast Guard Intelligence Division who previously served as captain of the port and commander of Coast Guard Sector Virginia, said that being on the ground in a port “where the rubber meets the road” brings home the complexity of the environment that must be defended.
Port security includes planning and preparing for attacks, detecting and responding to incidents, and investigating and attributing them – all while encouraging cooperation in a naturally competitive industry and navigating foundational regulations, he said.
“I’d like to see it turn from not just ‘my port’ to our nation’s ports in terms of trust and information” in which “industry competitors see themselves as one holistic system,” Stevens said.