The US Government Accountability Office (GAO) has raised concerns about cybersecurity risks in the maritime transportation system (MTS), identifying key vulnerabilities and deficiencies in the US Coast Guard’s oversight.

In a report published last week, the GAO highlighted threats from China, Iran, North Korea, Russia, and transnational criminal organizations, while also pointing to gaps in cybersecurity incident tracking and workforce competency.

The GAO recommended that the Coast Guard improve its case management system to provide complete data on cybersecurity deficiencies, ensure its cyber strategy aligns with national security goals, and address workforce competency gaps. The Department of Homeland Security (DHS) concurred with these recommendations and outlined steps for implementation.

Among the findings, the report criticized the Coast Guard for not maintaining reliable records of cybersecurity incidents affecting the MTS. Without accurate data, the agency struggles to track vulnerabilities and develop effective mitigation strategies. The GAO also found that cybersecurity planning efforts lacked key elements necessary for a robust national strategy.

“To assess the reliability of Coast Guard’s data on cybersecurity incidents impacting the MTS from July 2019 through May 2024, we compared the data to the definition that the Coast Guard uses for a cybersecurity incident. We determined that Coast Guard’s data were not sufficiently reliable for our purposes of describing the number of reported cybersecurity incidents impacting the MTS.” the report explained.

Additionally, the report emphasized the need for workforce improvements. The GAO urged the Coast Guard to assess competency gaps in its cyber workforce and implement necessary training. The DHS acknowledged these shortcomings and committed to developing a framework to address them.

As cyber threats to critical infrastructure grow, the GAO stressed that strengthening the Coast Guard’s cybersecurity oversight is essential to safeguarding US ports and waterways. The implementation of its recommendations will be closely monitored in the coming years, with the Coast Guard’s updated cybersecurity requirements set to take effect in July 2025.