Maritime cyber policy in spotlight after Maersk attack
Cyber polices such as those outlined by Thomas at CMA (above) could take on heightened urgency. Credit: Chris Preovolos
A cyber attack against the world’s largest container ship operator could have the effect of fast-tracking US cyber policy.
IT systems were struck on 27 June at multiple sites within Maersk, the USD36 billion Danish conglomerate whose subsidiaries include Maersk Line and box terminal operator APM Terminals, which were part of an international attack hitting large companies and government organisations across Europe, Russia, and the United States.
Media reports noted that while it was unclear initially who was behind the attack, it resembled the ‘WannaCry’ attacks in May that took over computer networks and then demanded a digital ransom before giving back control.
“We continue to assess the situation,” Maersk said in a statement issued shortly after the incident occurred. “The safety of our employees, our operations, and customers’ business is our top priority. We will update when we have more information.”
One cyber-security expert predicted that even with backup systems in place, the outages will be costly for Maersk in both downtime as well as bringing systems back online.
But such a high-profile attack against a major ship operator is not only affecting supply chains but could also change how regulators proceed with policy, including potential new regulations aimed at guarding against maritime cyber attacks.
“I think the attack on Maersk is a wake-up call for both vessels and the port community,” Norma Krayem, a senior policy adviser at Holland & Knight who co-chairs the law firm’s cyber-security and privacy team, told Fairplay.
“We’ve seen cyber attacks in the maritime sector over the past few years, but for one to hit one of the largest container shipping companies in the world, it needs to bring crystal-clear focus to everyone what the risk is.”
The focus so far has been in the form of voluntary guidelines from the shipping industry and regulators in an attempt to hold off on costly and complicated new regulations. In early 2016, five associations representing cargo and passenger vessel operators jointly published cyber guidelines to help shipowners prevent catastrophes resulting from cyber incidents.
Last November, the International Maritime Organization’s Maritime Safety Committee (MSC) agreed to delay a decision on whether to make their set of guidelines mandatory.
That decision was approved earlier this month at MSC 98, when the committee also adopted a resolution encouraging flag states to address cyber risks in vessel safety management systems “no later than the first annual verification of the company’s Document of Compliance” after 1 January 2021.
US regulators have been just as hesitant to take a hard-line stance on cyber rules, in part because of the rapidly changing methods by which cyber attacks are carried out. Paul Thomas, the US Coast Guard’s Assistant Commandant for Prevention Policy, told attendees at the Connecticut Maritime Association’s annual conference in Stamford, Connecticut, in March that his agency would be rolling out cyber-security policy guidance that would focus first on high-risk shipping terminals.
That policy has yet to be published. In the meantime, the US Congress and President Donald Trump made cyber security within the maritime sector a priority.
Congress passed a trillion-dollar government spending bill signed by Trump on 5 May that includes a provision requiring the US Department of Homeland Security, along with the US Director of National Intelligence, to submit a report on cyber-security threats against US maritime shipping, including “entities conducting significant operations” at seaports.
The provision requires that the US Coast Guard provide a status report on efforts “to include cyber-security concerns in the National Response Framework, Emergency Support Functions, or both, relating to the shipping or ports of the United States”.
A week later, Trump signed an executive order directing agency chiefs to provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget within 90 days, including the amount of money requested to carry out mitigation measures.
The Maersk cyber attack is likely to place more urgency on such maritime policy being considered on every level, Krayem believes.
“This is going to expedite what the coastguard is doing, whether it’s policy, standards, or guidance, and will certainly underscore the importance and seriousness of what the federal government will expect of the private sector,” she said. “It’s not just about the commercial impact that a cyber attack has on a company like Maersk, but the larger national security and economic considerations that go with that.”
Contact John Gallagher at email@example.com and follow him on Twitter:@JohnAGallagher1