Op-Ed: The geopolitics of maritime cybersecurity

Credit: Pixabay

By Professor Basil Germond, Chair in International Security, Lancaster University 

The maritime sector, like other sectors of the economy and society, is targeted by cyber criminals seeking personal and commercial data (e.g., recent Capita data breach). But what is the specificity of the maritime sector that makes it particularly at risk and an important area for policy interventions?

Three interrelated factors are at play: 1) there are sector-specific vulnerabilities; 2) maritime operations and undersea infrastructures represent targets for criminals but also for state (or state-sponsored) actors, and 3) attacks on the maritime sector and infrastructures can have critical impacts on the functioning of states and societies.

1. Why is the maritime sector vulnerable and a potential target for state or state-sponsored actors?

Shipping operations are reliant on connectivity and automation, and thus on cyber/space-based technologies and systems, to a greater extent than operations in many (but not all) other sectors. This includes operating ships (e.g., navigation, propulsion and communication) but also the transportation business itself (e.g., cargo tracking system, ports operations). This dependence makes the sector particularly vulnerable as a target for criminals but also hostile state actors.

The reliance of the sector on cyber and automated technologies (including remote management systems for undersea cables) coupled with the fact that criminals and hostile states have access to disruptive technologies, some being relatively cheap and easy to obtain, grant the latter with asymmetrical opportunities to disrupt the global supply chain and communication networks.

In other words, the cyber-physical dimension of maritime security has larger implications than cyber criminality alone. It has a key geopolitical component. For instance, ports are part of the critical national infrastructure, so any disruption is de facto problematic. Ports constitute valuable targets for terrorists or hostile states wishing to harm national interests.

Additionally, the global cyber infrastructure is extremely dependent on undersea cables. NATO is concerned by Russia’s systematic mapping of undersea infrastructures around Europe. And threats might not be limited to kinetic attacks. Critical undersea and offshore infrastructures are also at risk of cyber-attacks. Communication cables can be sabotaged, hampered and there is a risk of espionage of communication including sensitive financial/commercial data as well as classified/defense intelligence. The fact that most undersea infrastructures are located outside the jurisdiction of sovereign states renders risks mitigation considerably more complex.

2. What is the geopolitical dimension of maritime cybersecurity?

In an era of global competition and geopolitical tensions, the risk of the maritime sector being targeted is high. The unexpected closure of the Suez Canal as a result of a maritime accident in 2021, as well as the shortage of maritime labor resulting from the COVID-19 pandemic, although limited in time, demonstrated how quickly our critical supply chain can be disrupted, exposing its vulnerability. Cyber-attacks that immobilize ships, even for a few days, would have multiplicative effects on the global economy and finance, with societal and geopolitical consequences. Disruptions resulting from attacks on undersea infrastructures will have similar effects.

Protecting the civilian maritime sector and infrastructures is key to the security and stability of the liberal world order. Indeed, the global supply chain is critical to the stability of the global maritime order, especially in the wake of rising disruptions of the rules-based international order by agents of authoritarianism. And support and leadership over the civilian maritime sector is crucial.

Since last year, the corporate maritime sector has been a key stakeholder of the Western-led sanctions against Russia contributing to their effectiveness, even at a cost. For example, all the major shipping companies but the Chinese ones have ceased operations to and from Russia. Port authorities contribute to implementing the ban on Russian owned/operated/flagged ships. This has been instrumental, although often overlooked, in isolating Russia from the global grid. This significant collective effort has come at a cost to shipping companies while declining trade with Russia and the ban on Russian ships has somewhat affected business in western ports.

3. The UK’s approach:

The UK Government emphasizes the importance of public-private partnerships (PPP), especially for information and intelligence sharing, technological innovation and co-developing relevant regulations and guidance, such as the Cyber Security Code of Practice for Ships. In other words, “the onus is on industry to protect themselves and ensure resilience to cyber threats across the supply chain”. This is an approach that fits with the specificities of the maritime domain, threats, and sector.

But it relies on smooth intelligence sharing mechanisms as well as a coordinated needs analysis for regulations, technical expertise, and operations, requiring a multi-stakeholder and highly coordinated approach. For instance, the 2022 National Strategy for Maritime Security highlights the positive role played by the National Centre for Cyber Security (NCSC) in facilitating information sharing, the reporting of cyber incidents, and early warning. Similarly, the UK Government recently emphasised the importance of adopting a multinational approach to maritime cyber security, which relies on cooperation with like-minded, maritime-oriented partners.

4. Policy recommendations

Since at least 2014, we have recommended to increase resilience via educating stakeholders throughout the maritime sector and the value chain with industry’s needs at the centre. This is a priority that has been widely endorsed across the sector and government. But what are the next steps?

a) Adopting a holistic approach to maritime cyber security: The maritime sector is critical to states’ defence and thus at risk of being targeted by state or state-sponsored hostile actors for whom profit is not the main driver. Consequently, the maritime sector needs to develop a new mindset that reflects the integration of cybersecurity and cyber defense/geopolitics. This requires a holistic approach to cyber maritime risk management that integrates economic, organizational, technical, and military considerations. Such an approach will account for, anticipate, and address the geopolitical dimensions of maritime cyber security by better contextualizing threats and solutions.

b) Harnessing the power of science: The British Council for Science and Technology advocated the need to harness the synergies between science/innovation and national security. The UK should capitalize on its dual scientific and maritime power (including its influence over the corporate maritime sector) to explore ways to foster science-security dialogues with like-minded states and within international organizations. The industry’s ability to secure their operations and systems (via readiness and resilience) depends on innovation and efficient transnational cooperation. This requires robust political commitment and international leadership, even more in a period of geopolitical uncertainties.

c) PPP as a benefit multiplier: To be successful and sustainable in the long-term, cyber-maritime PPPs should act as benefit multipliers. Governmental actors should benefit from improved maritime domain awareness (MDA), early warning and intervention capacities via close links to industry whose main added value is to contribute with information on ships movement and situational awareness. For example, a successful return on investment can be evaluated in light of allies’ ability to address maritime security threats to critical national infrastructures more efficiently as a result of joint investments and efforts by the public and private sectors towards innovation and good governance at sea.