Cyber attacks: Downside of the digital revolution
Digitalisation has created immense openings for our industry. Unfortunately, it has done much the same for criminals, nasty governments and bored teenagers too
Existing IMO guidelines are good. A robust internationally agreed legal cybersecurity framework with mandatory standards would be better, while marine insurance buyers need to know what they are getting for their money
YOU don’t have to read history books or the dystopian fiction of Orwell and Koestler to know that revolutions tend to come with built-in downsides. The digital revolution on which shipping has embarked during the past decade is no exception.
The advances in navigation systems, communication networks and automated cargo management systems have truly been immense. On the white-collar side of the industry, from compliance and fleet optimisation to marine underwriting, digitalisation has been a game changer.
Unfortunately, the new avenues open to sophisticated cyber criminals targeting shipping seem every bit as extensive as the potential for those trying to turn an honest buck.
To make matters worse, governments — including unsavoury regimes with a direct self-interest in making sanctions implementation as difficult as they can — have joined the ranks of the wrong ’uns.
Threats that simply did not exist 10 years ago now pose huge risks to the safety and security of maritime operations. These include ransomware and distributed denial of service attacks, cross-site scripting, malware, data breaches and common or garden phishing.
Among the unpleasant consequences are navigation failures, loss of cargo, collisions, cargo theft, total losses and large fines in the event of proven laxity. And all of this is before we get to reputational damage.
Things may well get worse before they get better, or not get better at all. It doesn’t require a hyperactive imagination to conjecture a cyber attack on port facilities that would screw up the entire global supply chain.
Victims already range from marquee names such as Maersk, Cosco, CMA CGM, MSC, Clarksons, DNV, the Tokyo MOU and the International Maritime Organization itself down to individual ports and software houses. Given the generalised reluctance to discuss these matters publicly, the list is undoubtedly far longer.
Shipping’s vulnerability on the cyber front remains elevated, according to a recent survey conducted by Lloyd’s List. One shipping company in five told us they had suffered an attack in the previous three years.
It should not take a rerun of the devastating NotPetya attack of 2017 to convince owners of the necessity to raise our game all round. And if not now, when?
The IMO has published comprehensive guidelines, calling on shipping companies to implement cyber security measures as part of their safety management systems. Thank you, Albert Embankment.
But given where we are right now, that probably isn’t enough. The logical next step is for governments and regulatory bodies to devise a robust legal framework for cybersecurity and to ensure universal compliance with international standards.
One obvious line of defence is marine insurance. Cyber attacks are a risk, and where there is a risk, underwriters are in the business of pricing it and covering it.
But nothing in life is simple. Insurers themselves are divided as to whether marine cyber cover is best written in the marine book, the political risks book or a bespoke cyber book.
On top of that, the lack of historical data makes it difficult for them to build the right actuarial models, which has meant a tendency towards overpricing.
Since the end of March, Lloyd’s has stipulated all standalone cyber attack policies must include an exclusion for state-backed attacks, including those mounted by security and intelligence services.
Lloyd’s contends this move will add to clarity; others believe it will have the opposite effect, leaving a situation in which insureds do not and cannot know exactly what they are buying.
First there is the difficulty of attribution; cyber attackers do not leave calling cards, and it is usually impossible definitively to establish whether a perpetrator is a secret service agent, a blackmailer or a bored teenager in a back bedroom in Wolverhampton.
Then there is the grey area of defining which entities deserve to be designated as “states”. As Orwell might have put it, some governments are more recognised than others.
Moreover, exclusion clauses are always open to interpretation, and are often challenged in the courts. Few other than lawyers will relish the prospect of yet more costly claims litigation.
Broker Marsh and insurer Munich Re have suggested an alternative wording, arguing that the attribution of cyber operations to a sovereign state should not automatically trigger exclusion. That looks to us a fair-minded compromise.
No revolution is ever perfect, but the digital revolution has so far proved smoother than most. The prospects for artificial intelligence suggest that we are only at the beginning of a process that could yet prove more transformative than 1789 or 1917.
There will always be bad actors who seek to pervert such progress for their own ends. But they cannot be allowed to get in the way.