Executives and staff at the agency responsible for protecting the health of the U.S. domestic maritime industry are vulnerable to cyber hacking that could cause the agency “serious public embarrassment,” a government watchdog has found.
A report made public today (July 26) by the U.S. Department of Transportation Inspector General (DOT OIG) revealed that “malicious attackers” could have obtained records and stolen the identities of 13 executives and staff who recently joined the U.S. Maritime Administration (MarAd), potentially costing the agency $103 million in credit monitoring fees.
The report outlines how OIG auditors were able to gain unauthorized access to MarAd’s network, in part because the agency did not have a government-recommended alert system able to detect intruders. “We also gained access to records containing PII [personally identifiable information],” the report states. “While DOT policy requires the use of encryption to protect sensitive data, these records and other data we obtained were not encrypted.”
The OIG report notes that a DOT official could not explain why employees did not encrypt sensitive information given that the information security awareness training they received included a section on the protection of sensitive information. “This official also could not explain why administrators had not applied least privilege controls to the MarAd service account we accessed,” according to the report.
“The same official acknowledged that users were not following DOT policy and security awareness training to adequately protect passwords. The official informed us that [DOT’s Office of the Secretary] is transitioning to the use of personal identification verification cards for network and facility access. MarAd’s lack of adherence to DOT policy on encryption, use of least privilege, protection of PII, and password storage creates a risk for unauthorized access to MarAd” and other information, the report affirmed.
The report concluded that the agency, which is part of DOT and connected to the entire DOT information technology network, has “serious vulnerabilities that create a risk that hacking attempts against the network will succeed. Furthermore, once compromised, MarAd’s information can provide access to interconnected networks.”
The DOT IG outlined 19 recommendations for the agency, which included developing a training program on security awareness, with a focus on phishing attacks for those who provided credentials during the IG’s phishing test.
Officials from MarAd were not immediately available to comment. In a response included in the report dated July 1, DOT’s chief information officer and MarAd stated they concurred with the 19 recommendations and had already addressed several of them. MarAd said all recommendations would be addressed by September 2020.
In addition to dealing with domestic waterborne transportation, MarAd is also involved with the U.S. shipbuilding industry, port and vessel operations, and national security.
While there was no indication that MarAd’s vulnerability extends beyond its internal IT systems and into outside systems with which it interacts, the increasing use of digital technology is making cyber protection a top priority at U.S. ports, such as the Port of Los Angeles. The U.S. Coast Guard in May issued a marine safety bulletin warning of email phishing and malware attacks against commercial vessels.