Cyberattacks Are 'Not a Matter of If, but When,' CBP Official Says

In fiscal year 2022, there were three cyberattacks directed at trade partners, according to Shari McCann, director of CBP’s Commercial Operations, Revenue and Entry office. In FY 2023, that number rose to 11 (see 2307250028); in FY 2024, just ended on Sept. 30, that total was 18.

“You can see how it's growing. And I think that highlights that, unfortunately, it's not a matter of if, but when,” McCann said during a panel on cybersecurity downtime. “Our intent and hope is that we all collectively can be better prepared.”

Phishing for email passwords is one common entryway for a cyberattack, panelists said. But AI-generated automation to enhance malicious attacks is also on the horizon, according to McCann.

When a cyberattack hits a broker, “everything is shut off,” from access to ACE and CTPAT to losing the ability to approve statements for clients, said panelist Geoffrey Powell, CEO of C.H. Powell Company.

To facilitate broker operations following a cyberattack, brokers need to ensure that their interconnection security agreements with CBP are up-to-date, according to Powell. Brokers should also have entry numbers outside of the system so that brokers can do regular entry scale and provide supporting documents, he said.

Communication between a broker and its clients during and after a cyber-related event is also key so that clients can stay informed about the status of their shipments, including when they have been cleared.

“If we've been attacked, we're thinking about getting our system back up again. Communication becomes secondary, but it can't, so we recommend making sure that you've got contacts of all your employees outside of the system -- personal email addresses, cell phone numbers or this type of thing -- and make sure that that communication chain is there so they're aware of what's going on in case customers are contacting them," Powell said.

Powell recommended establishing business continuity plans and developing policies for cyber-related activities such as assigning passwords and performing data backup. Technology vendors and insurance companies can also aid by looking at a broker’s systems for vulnerabilities.

“If CBP's system ever got impacted by a cyberattack, it goes right to DHS. It goes right to the president type of thing. It is that critical. So, [CBP] cannot be working with any broker if there's a chance” that the broker’s cybersecurity breach will impact government systems, Powell said. He added that CBP itself is cyberattacked roughly 111 million times a day.

To resume normal operations, it's key that brokers share information with CBP, according to Brad Slutsky, director of the division for cargo security and control with CBP’s Office of Field Operations.

Providing data “helps us make the decisions, because then what we could do with the approval for downtime is, we usually approve it in increments of time. So, it could be a month of time or for a second period, based on what we know at that point," Slutsky said. "As soon as we have that information, we're able to check off those boxes and look into our own internal databases and how things are interacting. As the operators, we can make that decision to approve the downtime.”

As a broker and CBP work toward restoring a downed broker system, CBP determines on a case-by-case basis whether it can authorize enforcement discretion. This means that CBP can opt not to issue liquidated damages for late file transactions or payments.

Different CBP offices work together to deal with cybersecurity incidents, Slutsky continued. In each incident, CBP looks at all the different connections the affected company may have with CBP to ensure that there’s not a wider impact.

“It is very necessary for us to involve other offices in CBP, specifically our security operations center out of the Office of Information Technology,” Slutsky said. Slutsky's role entails interacting with the ports of entry, approving downtime procedures and helping to facilitate the movement of cargo during any outages.

CBP has put out guidance that calls for the agency to review actions, and the agency will “continue to work with the brokers after the incident and assist in bolstering a cybersecurity posture,” according to Slutsky.

That guidance, which was published this past spring (see 2403130041), is a broker cybersecurity incident procedures document and is available on CBP’s cybersecurity resiliency page, according to McCann. The document, which McCann described as a “living document,” details procedures following a cybersecurity event pertaining to the cargo release manifest, cargo release liquidation and final liquidation.

The Commercial Customs Operations Advisory Committee has also been working with CBP on the guidance, identifying where items need clarifications, McCann said. Those clarifications are in the works now and will be on CBP’s cybersecurity resiliency webpage as an FAQ.

“One good thing that has come to fruition within CBP and jointly with our trade partnerships is when these events occur, we do have daily -- and even more, if necessary -- conference calls with our systems folks and our operational folks, with whichever member of the trade is impacted,” Slutsky said. “We also realize that when you have a cybersecurity incident, it's sensitive information, so we work through a lot of those items as well, talking through the impact to the ports of entry and how your communications are going with your clients.”

CBP and Homeland Security Investigations also have a partnership with the trade community involving 14 partners so far: six brokers, one carrier and seven vendors. The partnership aims to add “an additional level of cyber defense for all the goods that are covered,” McCann said. This partnership will help HSI develop scalability so that CBP and HSI can learn how to get information to a party before any impacts take place (see 2404170007).

The partnership has “been successful in thwarting the impacts of some of these brewing cyberattacks, and so we want to grow that potential as well,” McCann said.

McCann reminded the trade community to input a cybersecurity point of contact into the ACE portal account so that CBP can connect with the appropriate person while in the throes of a cyberattack (see 2407230031).

CBP also has a security operations center that operates “24/7,” according to Slutsky. He urged brokers to contact CBP so that CBP can assess the damage.

“Please don't be shy. [In] a lot of cyber incidents, you are the victim,” Slutsky said. “As soon as you know something might have happened, [CBP’s security operations] will go in. They'll look at the avenues into CBP systems. They could look at what the impact is to, whether it's the CTPAT portal, the ACE portal, looking at what is their impact to CBP. They may unplug access. We've done that in a few cases, and it's for the integrity of our systems, or it might be for them to do an initial review and make sure that there's no higher risk than just an account being compromised. So each situation has been different.”

Meanwhile, if CBP were to encounter a cyberattack on its systems, it would treat it like any other disruption, like one stemming from an extreme weather event or a software upgrade, according to Slutsky.

“Our security operations center ... has a robust response there,” Slutsky said. Rather, CBP’s concern would be its ability to segment out high-risk cargo, particularly as it is crossing the border or exiting a seaport terminal, he continued.

But “even if ACE is down, if we still have data that we receive, we might be able to operate off of that through a slowdown,” Slutsky said.