Bodhisattwa Majumder*
In the 21st Century, the COVID pandemic has not only affected human life, but the time of the pandemic has also witnessed a cohort of cyber-crimes against vessels which has led to loss of economy. Maritime law consists of a multi-billion-dollar industry which involves transport of cargo through vessels operated digitally in most of the cases. The huge volume of cargo transported globally makes it one of the most sought-after areas of cyber-attacks. Taking the example of India, according to the Ministry of Shipping, around 95% of the Cargo (Volume) is transported through sea. These cargos are transported by Vessels which use digital mechanisms for navigation and communication, which makes it vulnerable to cybercrimes such as ‘digital piracy’. This article strives to provide an interconnection between the two spheres of Cyber Space and Maritime law.
What is Cyberspace and How is it Threatened
The word Cyber space was coined first used by William Gibson in his story book named “Burning Chrome”[1]. Cyberspace comprises a virtual world run by electronic devices which cannot be touched seen or felt by the senses. Collins English Dictionary[2] defines it as:
“A domain characterized by the use of electronic and electromagnetic spectrum to store, modify, and exchange data via networked systems and associated infrastructures or the electronic medium of computer networks, in which online communication takes place.”
Cyberspace can be used interchangeably with “internet” which is basically a digital word which exists in the cyber space via physically located servers.[3] In order to run a virtual space, huge amount of data needs to be stored, modified and exchanged between users, and this is where the attacks take place. Cyber attacks are basically theft of data or modification of it for own personal benefit. The motive behind a cyber attack is manifold ranging from economic benefit to threatening national security or mere recognition among peers.[4]
The cyber-attacks are classified into two major categories, they can be either targeted or untargeted. The targeted attacks are termed so as they are the objectives behind creation of cyber threatening agents and it was an intended cybercrime. The second category being untargeted, consists of malware attacks which are not aimed specifically however due to interaction of the vessels interface with these floated malwares result into loss of cyber privacy.
Evolution of Digitisation in Maritime Trade
Gone are the ancient times which involved navigation using star tracking, sextant, water compass or magnetic compass. Nowadays every vessel has modern digital equipments to assist the vessel in navigation and communication.[5] The vessels use RADARs for detecting surrounding objects which are submerged or floating to avoid a possible collisions and other destruction to the vessel. To obtain a broader range than Radar, ships use Automatic Radar Plotting Aid (ARPA) to obtain the positions of nearby located ships and chart the vessel safely avoiding collisions. Further, nowadays most of the vessels are automated with an auto-driving mode enabled.[6] This is done to provide the operator of the vessel to undertake other aspects of his job and seek assistance through the bridge navigational equipment. However, the most vulnerable equipment to cybercrime has been ECDIS, which is Electronic Chart Display Information System which provides a paperless navigation of a vessel.
Apart from navigation, technology has occupied space in various equipments used in a voyage such as tracking cargo containers, equipment checks, tracking route, communicate with the port and other authorities.
Maritime Law and Cybercrimes
Maritime Law is the body of law which governs the trade and marine commerce on the seas and other navigable waters. The history of mankind stands incomplete sans the commerce through the sea and every country which engages in marine commerce has, in its national legal system, incorporated a specialised branch of law called as Maritime Law. Likewise, India has a magnificent maritime history and tradition for several decades, which existed even before ascending of the European maritime laws. Maritime law regulates the shipping, salvage, docks, injuries, piracy, permissible fishing limits, crew employment issues, property damage, pollution on seas, the arrest of ships, trade and commerce on sea. In addition to the above, maritime law also regulates the enforcement of contracts and awarding damages to parties who have suffered some form of loss at the hands of a contracting party. In the era of globalization, maritime transportation has been the spine of universal exchange having more than eighty per cent of the stock transportation done by the ocean. Maritime commercial trade is one of the most international industry. The jurisdictions often overlap when the parties namely the vessel, the shipowner, master, cargo and crew are from different countries, transiting different waters and carrying out commercial activity in other country’s judicial boundaries. As a result, huge number of legislations from multiple jurisdictions come into picture.
The maritime voyages are vulnerable to cyber-attacks and hence they face cyber threats in more than one fronts being navigation, cargo and propulsion. An outdated software lacking proper anti-malware systems induce risk of cyberattacks. Further cyber-attacks also occur due to use of public network by the crew for personal communication or ecommerce. In many cases malwares were also transmitted by plugging storage devices into the operational mainframe.[7]The attacks consisted[8] of snooping on schedules, injecting malicious softwares, tampering with ECDIS systems, changing ship positions, tracking navigational charts, and triggering system alerts. Various groups from Nigeria were also spotted in carrying false emails compromising the dealings. It has been also seen that there have been organising hacking attacks by criminal syndicates which used cyber-attacks to meddle with the navigation system and later hold it for ransom or kidnap the crew. There have been also instances when the high valued cargoes were stolen for resale and smuggling.[9]
Recent Developments in Cyberspace Crimes (Shipping)[10]
- MAERSK: In the year 2017, Maersk was attacked by a malware named Notpetya which was an untargeted attacl. The attack was not specifically directed to Maersk however it had huge impact on the company and as a result the operations were disrupted. The operating terminal was also a victim as a result a total loss of 300 million US dollars was inflicted.
- COSCO: COSCO, a shipping line company was also attacked which had resulted in complete breakdown of their internet connection across the offices spread in the United States of America. The devastation lasted five long days and only after that the emergency systems were plugged in by COSCO. However, this contingency plan was only possible because COSCO was aware of the incident with Maersk and had taken sufficient precautionary measures.
- AUSTAL: Later the same year as COSCO, Austal was attacked. It was a Australian ferry shipbuilder which also indulged in defenceship making. The attackers were allegedly Iranian by origin. The attack resulted in loss of internal data which was later traded and offered on the dark web. This was an attempt to extort money in exchange of the stolen data.
How can Cyber-attacks be Prevented by Shipowners?
According to the study conducted by Plymouth University, these threats can be easily mitigated against such dangers by updating security systems, improving ship design and providing better training for crews. Professor Kevin Jones in this study states:
“In an increasingly connected and technologically dependent world, new areas of vulnerability are emerging. However, this dependency increases the vessel’s presence in the cyber domain, increasing its chances of being targeted and offering new vectors for such attacks. Longer term, there needs to be a fundamentally different approach to security of the entire maritime infrastructure meaning there is great need for specific cyber security research programmes focused on the maritime sector.”
The basic problem therefore lies is the lack of awareness by the crew members of the ship. Often it is found that the attacks are untargeted and is due to accidental breaches by the crew members. The victims of the attacks are not limited to shipowners but also the cargo owners and the port authorities, however the shipowners mostly face the burnt. The shipowners must be updated and aware of the technology used in their operations and IT. Certain restrictions need to be placed towards the crew regarding the use of personal communication devices and storage devices with locational features. Often it happens that mistakenly by clicking on malwares or trackers the crew invites a cohort of viruses and other potential threats. Further, in order to have a smooth operation the shipowner can have occasional ‘cyber penetration tests’ to keep the navigation devices updated.
The following guidelines were provided by Riviera in their website[11] which can be referred by the shipowners:
- EU general data protection regulation (GDPR) 25 May 2018.
- IMO – Resolution MSC.428(98) – from January 2021 cyber security will be included in the ISM Code.
- TMSA 3 – cyber security was added to tanker management and assessment in January 2018; EU directive on the security of networks and information systems (NIS Directive) from May 2018.
- EU privacy rule (PECR) of individuals’ traffic and location data.
- Rightship added cyber security to inspection checklist.
- BIMCO – guidelines based on International Association of Classification Societies.
Conclusion
According to Lord Mustill, “the law and practice of shipping law have been so closely intertwined, there can surely be no other branch of commerce where practical people know so much of law, so much of practice”.
In the maritime world, a voyage is called an adventure because we do not know whether the ship will come back home safely after the voyage. Sea is a wonderful place to be in and sometimes can be unforgiving. Things worse can happen when ship is in stress be it a fire or explosion or a cyber piracy attack. As various parties are involved to minimize the loss and it is a matter of question whether the claim can be covered by insurance and if so by which insurance, every party needs to take due care to avoid every possible mishaps.
As shipping trade has become a global phenomenon, technology is a boon which can also result into a bane in case sufficient precautionary steps are not taken by the shipowner, port authorities and the cargo owners. In this age of internet, the maritime industry cannot be expected to be left behind and hence technology has become an integral part of the day to day operations. Starting from navigation to tracking to loading to port communication to cargo management, technology has indeed occupied an essential place in the maritime industry. The involvement of technology has also opened the doors to the outside world to infringe upon it the cyberspace and extort money from the parties involved. This is achieved mainly by targeted and untargeted attacks by the pirates to distort the communication and cut the ship off the grid. In order to prevent such attacks its imminent that the shipping industry needs to keep itself updated and aware with the latest developments in the arena. It needs to adhere every possible measure to have digital privacy and safeguard their information. Further, due diligence must be taken in order to prevent accidental leaks by the crew or the cargo owners. While the technological developments in the recent times have been phenomenal, and most of the transactions are performed online using cryptic networks, VPNs, blockchains, there is still a long way to go.
About the Author
Bodhisattwa Majumder is a Final year student at National Law University Mumbai with a keen interest in Maritime Law. He is the Co-Founder/managing editor of the Arbitration & Corporate Law Review (ACLR). He can be reached at bodhisattwa@mnlumumbai.edu.in.
[1] Gibson, William, ‘No Maps of these Territories’ Documentary 2000.
[2] Collins English Dictionary-Computer and Unabridged, Harper Collins Publisher, 2003.
[3]Dr. J.P. Mishra “An Introduction to Cyber Law”, Central Law Publications, 2nd Edition, 2014.
[4] David Satola& Henry L. Judy, Towards a Dynamic Approach to Enhancing International Cooperation and Collaboration in Cybersecurity Legal Frameworks: Reflections on the Proceedings of the Workshop on Cybersecurity Legal Issues at the 2010 United Nations Internet Governance Forum, 37 William Mitchell Law Review, 1748-1749 (2011).
[5]History of Navigation, Weems & Plath, Available at http://www.weems-plath.com/About/History-of-Navigation.html.
[6] Rishi Mondal, Enhancing safety of navigation by incorporation of additional data by automatic identification system, The Maritime Commons: Digital Repository of the World Maritime University (2018), Available at https://commons.wmu.se/cgi/viewcontent.cgi?article=1625&context=all_dissertations.
[7]Martine Safety Information Bulletin, DCO,Available at https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_004_19.pdf.
[8]Cyberattack lands ship in hot water, Naked Securtity, Available at https://nakedsecurity.sophos.com/2019/07/11/cybersecurity-attack-lands-ship-in-hot-water/.
[9] David Rider, Maritime Meets Cyber Security, Marine Insight, Available at https://www.maritime-executive.com/blog/maritime-meets-cyber-security.
[10] Walter hannerman, Key takeaways from 3 recent cyber attacks in shipping, Duolog, Available at https://www.dualog.com/blog/key-takeaways-from-3-recent-cyber-attacks-in-shipping.
[11] Elissa Cassi, Owners can prevent cyber attacks on container shipping, Riviera, Available on https://www.rivieramm.com/opinion/opinion/owners-can-prevent-cyber-attacks-on-container-shipping-24023.
Centre for Maritime Law 