U.S. ports are strategic infrastructure upon which the nation’s economic stability and military readiness depend, yet they remain highly exposed to an attack that could grind billions of dollars in trade activity or defense operations to a halt. In fact, adversaries have already infiltrated U.S. port infrastructure, and the path forward must be one that adopts “zero trust” principles, according to experts.
“It changes the way we think about cyberdefense, so we are here assuming breach.”
The report, titled “Anchored in Zero Trust: Taking Action to Create Resilient U.S. Port Infrastructure,” outlines the current exposure to risk and offers policy recommendations and operator best practices to secure the ports.
Ports Exposed
The roughly 360 ports in the United States handle more than 40 percent of goods entering or leaving the country, valued at about $2.1 trillion.The zero trust approach assumes that systems are already breached, building in continuous verification rather than defending systems at the perimeter.
The McCrary Institute–Booz Allen Hamilton report notes cases in which U.S. ports have already been subject to disruptive cyberactivity, including a Volt Typhoon hack of the Port of Houston in 2021.
Lawmakers have sounded the alarm over the fact that a single Chinese company, Shanghai Zhenhua Heavy Industries Co., currently dominates the ship-to-shore cranes market, accounting for 80 percent of those used in U.S. ports.
A U.S. Coast Guard review of 90 foreign-made cranes found that they posed no unique vulnerabilities, although the cranes had the same security weaknesses that often plague such technology systems. These networks can often have poor password policies, unpatched systems, or unnecessary connections to other systems.
The Coast Guard already requires owners and operators of Chinese-made ship-to-shore cranes to eliminate crane connections to the internet and take other risk management actions.
The report recommended an approach wherein port operators ensure that systems can run even when disconnected from networks. It also recommended that systems be segmented as much as possible, with strict identity security for all user accounts and automated services, clear visibility into all critical data flow, encryption of sensitive information, and active threat analyses.
The cybersecurity of today extends far beyond the digital space. The disclosure of Volt Typhoon, a Chinese communist regime-backed cybercampaign that has infiltrated U.S. critical infrastructure systems and is pre-positioned to cause disruption, revealed a significant escalation in Chinese state-sponsored cyberactivity—from espionage and IP theft to a potential willingness to cause widespread physical damage.
Brad Medairy, executive vice president for national security at Booz Allen Hamilton, said that as the United States becomes a bigger cybertarget, there should be a shift in approach to provide deterrence.
“Our national attack surface is continuing to expand, our risk posture continues to get bigger,” Medairy said at the July 31 event. “We should not accept the fact that the [Chinese regime] is pre-positioning capabilities in our critical infrastructure that could cause us harm. We shouldn’t accept that the [Chinese regime] is attacking our telecommunication infrastructure, our defense industrial base.”
McCrary Institute Director Frank Cilluffo agreed.
“We have been a victim for too long, and we’ve got to get out of that mindset,” he said.







