Soft cybernetics laws make port facilities soft cyber targets


Posted on May 4, 2021 at 2:33 PM by


[By CDR Michael C. Petta]

It is widely recognized that cybersecurity vulnerabilities make the shipping system an easy target. For example, about 10 years ago, a European Union study revealed “inadequate preparation for cyber risks” in the maritime sector. In 2013, a US presidential decree announced that cyber threats continue to grow as one of the most serious security challenges for critical infrastructure, such as port facilities. A few years later, an International Maritime Organization (IMO) resolution recognized the “urgent need” to address maritime cyberthreats.

Just days after this IMO resolution, Maersk, the global shipping company, suffered a major cyberattack, leading its chairman to admit in an interview that the shipping industry had been naïve about cybersecurity and needed a “Radical improvement”.

Despite widespread recognition of these vulnerabilities, international port cybersecurity laws remain flexible, unenforceable and discretionary. The international community should take steps to toughen these laws and therefore toughen the targets.

Soft targets

The term “soft target” is used in the areas of law enforcement, force protection, national defense and industrial security. Its definition has subtle varieties depending on the source. In the United States, a Department of Homeland Security soft target security plan states that soft targets include “locations that are easily accessible to large numbers of people and have limited security or protection measures in place. , making them vulnerable to attacks ”.

Some easy targets, like a small town wastewater treatment plant, may seem obvious. Other easy targets, such as international port facilities, might be less obvious. Indeed, the infrastructure of port facilities benefits from global security measures, in particular those established in the International Code for the Security of Ships and Port Facilities (ISPS). Nevertheless, despite the advantages of the ISPS Code, cybersecurity remains the soft underbelly of port facilities.

That soft belly should be a cause for action as soft targets are easy targets. As one criminologist writes, “Terrorists usually attack where their opponents are weakest. As such, terrorists focus on soft sites. The United Nations Security Council observes the same trend, stating in a recent analysis note that soft targets “have long been the preferred targets of terrorist attacks”.

A disruption of the Marine Transportation System (MTS) due to an attack on a soft target could have far-reaching effects. The recent grounding of the container ship Never given underlines the criticality and fragility of this world trading system. It is estimated that this disruption of shipping traffic alone blocked $ 9 billion in global trade a day. The effects of a cybersecurity-induced MTS disruption would extend beyond the economy. People’s lives and livelihoods depend on the gasoline, building materials, food and heating fuel provided by MTS. The current pandemic underscores this point.

Flexible law

Port facilities remain easy targets for cyber attacks because the ISPS code, the regime implemented to protect international port facilities, contains a “soft law”. There are many academic debates on the meaning of the term soft law. Professor Dinah Shelton’s 2008 article Soft Law is recommended for those looking to further explore this area of ​​international law. For the sake of efficiency, this article takes the view that soft law is recommendable and hard law is compulsory. Or, as a more succinct military leader might say, respect for soft law is “desired but not required”.

The ISPS code was established by IMO member states to protect maritime and port infrastructure around the world. Entered into force in 2004, the ISPS Code is a comprehensive safety regime and a component of the International Convention for the Safety of Life at Sea (SOLAS). Although the ISPS code is part of a binding convention, only the first of its two segments, Part A, is mandatory. Part B is recommended.

Part A of the ISPS Code requires each facility to develop a Facility Security Plan (FSP). The FSP is the basis on which the preventive measures of an installation are based. Part A also calls on FSPs to address specific security issues, such as measures to limit the entry of weapons, control access to facilities, protect restricted areas and protect cargo. These Part A physical security obligations are clear and certain.

What is also clear in Part A is the absence of any cybersecurity requirement. It is not mandatory to develop a separate cybersecurity plan. There is no directive that requires cybersecurity to be addressed in the already mandated FSP. In fact, the only reference to cyber in the entire ISPS Code is in Part B, the Recommended Part. Specifically, there are four provisions in Part B, each dealing with security assessments, that state facilities should consider “radio and telecommunications equipment, including computer systems and networks” when making vulnerability assessment.

Being in Part B, these four provisions are discretionary. These “cyber” provisions are not only discretionary, they are also vague. Certainly, some may wonder whether the expression “radio and telecommunications equipment, including computer systems and networks” is synonymous with the term cyber. In 2015, Canada raised this specific point in MSC 95/4/2, a submission to the IMO’s Maritime Safety Committee (MSC). In its submission, Canada proposed to amend the ISPS Code to clarify the vague sentence. In MSC 95/22, the MSC decided that an amendment to the ISPS Code was not warranted at the time.

Being both vague and discretionary, the “computer systems and networks” language of the ISPS Code is an unenforceable soft law. This attenuated law adapts to an environment in which cybersecurity is only subsisting and port facilities remain vulnerable to cyber attacks. It’s time to consider a different approach.

Harden the law, harden the targets

Given the severe impacts of cyber disruption on STD, relying on unenforceable soft law may not be the right approach. The international community can do more to toughen the law, and there is a useful model in the United States.

Passed in 2018, the Maritime Security Improvement Act (MSIA), codified in 46 USC § 70103 (c) (3) (C) (v), expressly requires that FSPs “include provisions to detect, respond to and recover from risks of cybersecurity. . “It is important to note that this national law prohibits port facilities from operating in the United States without an FSP that supports such cybersecurity measures.

This US mandate is tough law, both clear and enforceable. To significantly address known cybersecurity vulnerabilities in port facilities around the world, IMO member states should collaborate and amend Part A of the ISPS Code to include a similar mandate. By toughening the law in this way, Member States can establish a coherent and uniform enforcement framework and thus start to strengthen port facilities against cyber attacks.

Commander Michael C. Petta, USCG, is Deputy Director of Maritime Operations and Professor of International Law at the Stockton Center for International Law at the US Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the US Coast Guard, Department of Homeland Security, US Navy, Naval War College, or Department of Defense.

This article is courtesy of CIMSEC and is reproduced here in abridged form. It can be found in its original form here.

The opinions expressed here are those of the author and not necessarily those of The Maritime Executive.


Comments are closed.