More than a year after reporting that the Department of Homeland Security (DHS) has taken limited steps in addressing cyber security risk in the maritime domain, a Government Accountability Office (GAO) official said Oct. 8 that needed enhancements are still lacking.

While DHS concurred with a recommendation in the June 2014 report that the Coast Guard should work with maritime stakeholders on re-establishing a national level sector coordinating council to facilitate the sharing and coordination of security-related information, so far no action has been taken, Gregory Wilshusen, director of Information Security Issues at GAO, told the House Homeland Security Subcommittee on Border and Maritime Security. “The absence of a national-level sector coordinating council increases that risk that critical infrastructure owners and operators will be unable to effectively share information concerning cyber threats and strategies to mitigate risks arising from them.”

Rep. Candice Miller (R-Mich.), chairman of the subcommittee, said in her opening comments that “Despite the fact the GAO has placed cyber security of our nation’s critical infrastructure on the ‘High Risk’ list since 2003, the Coast Guard, and DHS as a whole, have been slow to fully engage on cyber security efforts at the nation’s 360 seaports.”

Wilshusen also said that recommendations to address cyber security risks through the Port Security Grant Program managed by the Federal Emergency Management Agency (FEMA) haven’t been acted on. FEMA officials have told GAO that they have consulted with the Coast Guard on “high-dollar value cyber projects” at ports, he said, but the agency “did not provide written procedures at either the national level or the port area level for ensuring that grant reviews are informed by the appropriate level of cyber security expertise.” FEMA will provide guidance as part of the 2016 Port Security Grant Program, he added.

Jonathan Sawicki, security improvement program manager for the Ports of Brownsville and Harlingen in Texas, said one of the most important things the Coast Guard is doing in the cyber security area for ports is bringing together various stakeholders “in one room” to “facilitate the conversation.” He said the private terminals within ports have plenty of security experts but it is “difficult” to bring them together “to air their own strategies because they all compete.”