Appropriate or Overreaching? The Coast Guard’s New Maritime Cybersecurity Rule

Author: Michael Goltra
Publish Date: 10.15.2025

Last year, an unauthorized actor infiltrated the Port of Seattle’s computer system and encrypted access to much of the port’s data.[1] This ransomware attack halted all port operations and exposed partners and travelers to leaks of personal and sensitive information.[2] This incident is just one of the exponentially growing number of cyberattacks in the maritime industry, ranging from data interception to full system crashes, sometimes causing millions of dollars in losses.[3]

In response, regulators are finding new ways to enhance cybersecurity across all aspects of the maritime sector.[4] One initiative is the Coast Guard’s recently finalized Cybersecurity in the Marine Transportation System (the “Rule”), which represents the most comprehensive U.S. effort to date.[5] Issued under the authority of the Maritime Transportation Security Act of 2002 (MTSA), the Rule reflects the Coast Guard’s attempt to enhance security measures in maritime cyberspace.[6] Yet, despite its ambition, the Rule may be an overextension of the Coast Guard’s authority.[7]

Effective July 16, 2025, the Rule requires U.S.-flagged vessels, port facilities, and offshore platforms to: (1) designate a Cybersecurity Officer, (2) maintain detailed cybersecurity plans, (3) conduct cyber-incident drills and exercises, and (4) implement up-to-date cybersecurity measures such as penetration testing and vendor vulnerability reporting.[8]

Though comprehensive in scope, the Rule has drawn criticism since its proposal in 2024.[9] Industry stakeholders claim the Rule is overly burdensome and duplicative of existing standards.[10] Recent Supreme Court decisions also call into question the Coast Guard’s authority to enforce the Rule. Under the “major questions doctrine,” if an agency takes action on an issue of vast economic or political significance, it cannot rely on vague or general statutory authority but must instead point to explicit authorization from Congress.[12] The opinions in West Virginia v. EPA and Loper Bright v. Raimondo show a trend of closer scrutiny for agency rules.[13] Put in practice, if a player in the maritime industry challenges the Coast Guard’s Rule in court, it could argue that the MTSA does not clearly grant the Coast Guard authority to regulate cybersecurity in such detail.[14]

Undoubtedly, maritime , but the question is: Does the Coast Guard have the authority to chart the course by stretching an older statute to tackle modern threats, or should Congress step in to provide explicit authority to set strict maritime cybersecurity measures?[15] As is the case with most cybersecurity issues, the answer may not arise until after another unauthorized actor infiltrates a critical maritime computer network.[16]



[1] Syed Rakin Rahman, Port of Seattle Shares Details of a Cyberattack, Port Technology International (Sept. 19, 2024), https://www.porttechnology.org/news/port-of-seattle-shares-details-of-a-cyberattack/.
[2] Id.
[3] Maersk Fights Against ‘Petya’ Cyber Attack Damage, Port Technology International (June 19, 2017), https://www.porttechnology.org/news/maersk_fights_shipping_backlog_caused_by_petya_cyber_attack/.
[4] Dr. Brian McNamara, An Empirical Analysis of Public Comments for “Cybersecurity in the Marine Transportation System”, 49 Tul. Mar. L.J. 85, 86 (2025).
[5] Cybersecurity in the Marine Transportation System, 90 FR 6298-01 (Jan. 17, 2025).
[6] McNamara, supra note 4.
[7] Id. at 87.
[8] 33 C.F.R. §§ 104.105(a), 105.105(a), 106.105(a) (2025).
[9] McNamara, supra note 4, at 100-03.
[10] Id. at 102.
[11] Id. at 92.
[12] Id. at 95.
[13] W. Virginia v. Env’t Prot. Agency, 597 U.S. 697, 142 S. Ct. 2587, 213 L. Ed. 2d 896 (2022); Loper Bright Enters. v. Raimondo, 603 U.S. 369, 144 S. Ct. 2244, 219 L. Ed. 2d 832 (2024).
[14] Id. at 96.
[15] See generally McNamara, supra note 4.
[16] Id.
