
Defending the Cyber Sea: Legal Challenges Ahead

VA Greiman

Boston University
Boston, Massachusetts, United States

Email: ggreiman@bu.edu

Abstract: New technologies are creating a massive concern for the shipping industry as cyberattacks
on board ships and in ports continue to rise. More than 90% of world trade is carried by the
shipping industry; and, as of 2018, there are more than 53,000 merchant ships sailing the cyber
seas. At the same time, these systems are very vulnerable to cyberattacks. Through empirical
research, this paper explores the global maritime cybersecurity legal landscape and advances
recommendations for policy and legal frameworks essential to ensure safety and security on the
cyber sea.

Keywords: Maritime Security, Admiralty Law, Cybersecurity, Cyberattack, Shipping Regulations

Introduction
Both the British government’s recent call for serious consequences after Iran’s seizure of a British
tanker in the Gulf and the United States’ call for a multilateral coalition in the Hormuz Strait have
heightened continuing concerns about the safety of the world’s waters (Kirkpatrick & Castle 2019).
As highlighted in the United States’ National Plan for Maritime Domain Awareness, there are few
areas of greater strategic importance than the maritime domain (White House 2005b). Covering
more than 70% of the surface of the planet, the oceans are global pathways that sustain the United
States’ national prosperity and are vital to its national security. Distinct from other domains (such
as land, air, and space), the maritime domain provides an expansive pathway through the global
commons (White House 2005b). A maritime strategy is essential for global security (for example,
economic, physical, and social) as the maritime industry is roughly 20 years behind equivalent
sectors in terms of cybersecurity (Belmont 2016). Chertoff (2008) has highlighted that not only
governments are responsible for cybersecurity issues; individuals, organizations, and institutions
are also responsible in the way they use the Internet and operate systems based on information and
communication technology.

President Trump, in the implementation of his National Cyber Strategy, underscores the importance
of improving the maritime cybersecurity domain (White House 2018). Priority actions under
the national maritime strategy include (1) clarification of the maritime cybersecurity roles and
responsibilities; (2) promotion of enhanced mechanisms and standards for international coordination
and information sharing; and (3) acceleration of the development of next-generation cyber-resilient
maritime infrastructure (p. 10).

Journal of Information Warfare (2020) 19.3: 68-82 68


ISSN 1445-3312 Print/ISSN 1445-3347 Online

The United Nations Conference on Trade and Development (UNCTAD) describes the vast network
of the maritime industry as consisting of cargo ships, crude oil tanks, chemical tankers, container
ships, passenger ships, insurance companies, offshore and onshore operators, port operators,
national and international authorities, and military forces that must work together to monitor potential
threats, to prevent maritime cyberattacks, and to manage the impacts of attacks when they
occur (UNCTAD 2018).

Technological advances in the shipping industry, such as autonomous ships, drones, robotics, various
blockchain applications, and deep level machine learning, hold considerable promise for the
supply side of shipping. However, there is still uncertainty within the maritime industry regarding
possible safety, security, and cybersecurity incidents, as well as concern about the diminishing
role of seafarers, mostly from the developing world (UNCTAD 2018). The Strategic Plan for the
International Maritime Organization (IMO) adopted in December 2017 recognizes the need to integrate
new and emerging technologies into the regulatory framework for shipping (IMO 2017a).
The evolution of the Belt and Road Initiative in the South China Sea also bears major implications
for the shipping and maritime trade, as does the European Union General Data Protection Regulations
(GDPR 2016), which governs cybersecurity and privacy rights in the European Union.

According to the UK Government, the shipping industry expects widespread adoption of autonomous
container vessels over the next few years (Lloyd’s 2017). The first such vessel, the Yara
Birkeland, operated by Norway-based chemical producer Yara International ASA, is scheduled to
operate autonomously in 2020. There is also an increasing demand for cutting-edge technology for
unmanned boats and submarines, part of a growing £100 billion global industry (World Maritime
News 2018). This paper explores the existing maritime strategies, policies, standards, laws, and
regulations to ensure maritime security and seeks to identify those areas in which the law has failed
to meet the demands of a new order advancing in cyberspace.

Maritime Security Law


Maritime law, also commonly known as Admiralty law, has evolved over many centuries. There
is presently an abundance of major laws and regulations at the international level which include
treaties, customary laws, and general principles of law that seek to regulate the world’s seaports,
oceans, satellite, and communication systems. International rules governing the use of the oceans
and seas are known as the Law of the Sea. Disputes over the use of the sea are generally held at the
International Tribunal for the Law of the Sea. As of June 2020, 29 cases have been heard by the
tribunal with one of the longest decisions being rendered in the dispute between the Philippines
and China concerning certain sovereignty issues, also known as the South China Sea Arbitration.
On 12 July 2016, the tribunal ruled in favour of the Philippines. It clarified that it would not “rule
on any question of sovereignty over land territory and would not delimit any maritime boundary
between the Parties” (2016). The tribunal also ruled that China has “no historical rights” based on
the “nine-dash line” map. China has rejected the ruling, as has Taiwan (International Tribunal on
the Law of the Sea 2016).

Maritime security law has been developing for centuries, but it is still ineffective in terms of the
difficult terrains and the impact of cyberattacks on the high seas. There is minimal cooperation
between nations to combat piracy, and each country is responsible for enforcing the law in its
territorial waters. Pirates have a good understanding of their operational environment. They usually
elude maritime officials by crossing national sea boundaries and exploiting vulnerabilities due to
lack of information sharing and international cooperation. In dealing with maritime sovereignty,
the Malaysian Maritime Enforcement Center stated: ‘“[u]nder no circumstances would we intrude
into each other’s territory. If we chase a ship and it runs into the other side, we let the authorities
there handle it’” (qtd. in Valencia 2003). As a result of such policies, penalizing maritime criminals
is quite difficult. It requires arrest authority unlimited by national boundaries and the willingness
of authorities to enforce law in the maritime domain (Eski 2011).

According to Gilmore and Black (1975), “The fifteenth century, when global voyages started and
Venice became a maritime power, gave rise to what is known as the Law Merchant, and it is to that
law that the roots of modern shipping law can be traced back”. Since then, the law has continued
developing on local levels; in fact, there were no international conventions to cover that area of
law until the early twentieth century when international conventions were introduced to cover different
aspects of marine activities; these include the Unification of Certain Rules of Law relating
to Bills of Lading, Brussels, 1924 [The Hague Rules] and its Visby amendment of 1968, as well as
the Safety of Life at Sea Convention [SOLAS] adopted in 1974. Also, International Organizations
concerned with the maritime industry, such as the International Maritime Organization (IMO), the
Committee Maritime International (CMI), and the United Nations Commission on International
Trade Law (UNCITRAL), now do their best to ensure that the laws governing the maritime industry
are kept up to date with the needs of the industry (UN 2018).

After September 11, 2001, a new law was enacted, The Maritime Transportation Security Act
(MTSA) of 2002. The Act creates a consistent security protocol for all the nations’ ports to better
identify and deter threats, but it does not address new technologies specific to cyber threats in the
maritime industry. Other countries and the EU have implemented similar laws and regulations on
enhancing ship and port-facility security.

Maritime transportation treaties


Bilateral and trilateral treaties can serve as a mechanism for countering piracy and for advancing
each country’s maritime interests. For instance, in 2016 three Southeast Asian countries—the
Philippines, Indonesia, and Malaysia—reached an agreement for trilateral maritime cooperation
to launch joint sea patrols in regional waters to deal with the rising number of kidnappings and
pirate attacks (Sapiie 2016). In 2008, a treaty on maritime transport between the European Community
and its member states and the government of the People’s Republic of China was signed to
improve the conditions under which maritime cargo transport operations are carried out to ensure
free access to cargoes and non-discriminatory treatment (EU 2008).

Importantly, according to the U.S. Department of Transportation Maritime Administration, the
U.S. conducts bilateral maritime agreements only in rare instances where circumstances warrant
such action and usually to ensure maritime transportation safety and equal access to each country’s
national-flag carriers. The few U.S. maritime agreements currently in effect are with Brazil, China,
Korea, and Russia (U.S. Department of Transportation Maritime Administration 2019). However,
the U.S. monitors bilateral maritime and trade agreements between other countries to ensure that
they do not impair U.S. market access. Efforts such as the Paris Call for Trust and Security in Cyberspace,
supported by 67 nations and numerous corporations and organizations as of 14 October
2019, are notable but lack the enforcement mechanisms needed to ensure compliance (Ministère
de l’Europe et des affaires étrangères 2018). In the current environment of accusations and counter
accusations, the prospect of a negotiation leading to a bilateral and international treaty on cybersecurity
has been called for as a viable policy option in addressing the need for a dialogue between
the U.S. and the Russian Federation (Papp 2019).

The lack of a legal framework addressing the problems of maritime security is expected to become
more acute as the maritime sector continues to explore artificial intelligence, automation, and other
emerging technologies, with the goal of deploying vessels that can roam the world’s oceans without
human crews (Rundle 2019).

Liability of ship owners


Information systems have become indispensable to the competitiveness of ports, facilitating communication
and decision making for enhancement of the visibility, efficiency, reliability, and security
in seaport operations under various conditions (Heilig & Voss 2017). Shipowners’ liability
for the dangers lurking in the high seas under general maritime law, including the doctrine of seaworthiness,
dates back to a time in which vessels operated in near total isolation at sea (Robertson,
Friedell & Sturley 2015; Foley 1967). Under the law, a vessel and its equipment must be reasonably
fit for their intended purpose. To avoid liability, this may require a vessel to be fitted with adequate
cyber defense systems. In June 2017, the International Maritime Organization (IMO) passed
a resolution that will now require flag states to ensure that cyber risks are appropriately addressed
in safety management systems (IMO Resolution 2017). The questions remain: what is appropriate
safety management, and how will it be enforced?

In June 2017, the world’s largest container shipping business (A.P. Moller Maersk) was the victim
of a cyberattack caused by the NotPetya ransomware, which forced it to halt operations at 76 port
terminals around the world, costing a reported $200-300 million (Greenberg 2018; HM Government
2019). Zero-day ransomware WannaCry has caused world-wide catastrophe, from knocking
U.K. National Health Service hospitals offline to shutting down a Honda Motor Company in Japan
(Chen & Bridges 2017). The WannaCry Ransomware Attack, Equifax, and NotPetya provide valuable
lessons that the maritime industry should begin to focus on in preparation for potential threats
and cyberattacks (Srinivasan, Pitcher & Goldberg 2019).

To address these global attacks, in 2017, the IMO amended two of its general security management
codes to explicitly include cybersecurity. The International Ship and Port Facility Security Code
(ISPS) and International Security Management Code (ISM) detail how port and ship operators
should conduct risk-management processes. Importantly, this is the start of a more holistic approach
to maritime cybersecurity regulation. The IMO also enacted Guidelines on Maritime Cyber
Risk Management in 2017 that called for the development of guidelines that included national and
international standards, best practices, and the implementation of risk-control processes and measures
as well as contingency planning (IMO 2017b).

National and International Maritime Strategies, Policies, and Frameworks


Though national cyber security strategies continue to be developed that focus on a diversity of
industries including telecommunications, energy, oil and gas, and transportation, by 2018 the global
implementation of robust maritime cybersecurity policy was essentially non-existent (Tam &
Jones 2018). Moreover, the key findings of a 2011 study on maritime cybersecurity by the European
Network and Information Security Agency (ENISA) include (1) a low awareness and focus on
maritime cybersecurity (p. 9); (2) complexity of the maritime ICT environment (p. 10); (3) fragmented
maritime governance context (p. 12); and (4) the absence of mechanisms in the member
states to consistently identify and/or to report cybersecurity incidents specific within the maritime
sector (p. 13). As a direct consequence, the effects of a potential cyberattack targeting maritime
information and communication technology (ICT) systems could bring even more harm than in
other sectors due to the probable poor coordination of the response and due to efficiency issues.

Until relatively recently, the phrase ‘maritime cyber security’ was not recognized globally. According
to ENISA, at present there is no common definition of ‘cybersecurity’ shared among the
various nations at the EU or at international levels. Not all nation states approach the establishment
of a national cyber strategy in the same way, and whether the disruption of a nation’s critical infrastructure
is state directed is not always clear. The growing number and intensity of cyberattacks in
the maritime realm require a closer look at national cybersecurity strategies and policies that focus
on the risks of cyberattacks at sea and in the numerous seaports across the globe. Contrasting the
maritime security strategies, frameworks, and policies of countries selected for this study reveals
a wide variety of approaches to maritime strategic planning for cybersecurity. Table 1, below,
references the priorities for maritime security established by each of the selected countries and
organizations.

Country/Organization: Denmark
Priorities:
• Increased focus on maritime sector
• Security of Danish waters
• Security of Danish Ships
• National Coordination
Source: Danish Cyber and Information Security Strategy 2019-2022; Danish Maritime Cyber Security Unit 2019

Country/Organization: New Zealand
Priorities:
• International Engagement
• Environmental Protection
• Seafarer competency standards, vessel and equipment standards, and safe operating practices
Source: Strategy for Maritime: New Zealand’s International Engagement, 2018 to 2023, January 2018; New Zealand Defence Capability Plan 2019

Country/Organization: Spain
Priorities:
• Foster International Cooperation
• Specialized Maritime Security Committee
• Public-Private Collaboration
• Awareness Raising
• Resilience – Resist and Recover
Source: National Maritime Security Strategy 2013

Country/Organization: United States
Priorities:
• Promotion of enhanced mechanisms for international coordination and information sharing
• Global Maritime Intelligence Integration
• Development of next-generation cyber-resilient maritime infrastructure
• Maritime Domain Awareness
• Secure Maritime Supply Chain
• Operational Threat Response
• Infrastructure Recovery
• Maritime Commerce Security
Source: National Cyber Strategy of the United States of America 2018, The National Strategy for Maritime Security and the Eight Strategic Plans 2005

Country/Organization: United Kingdom
Priorities:
• Fusion of Government Agencies
• Strategic Threat Assessment
• Maritime Border Enforcement
• Strengthen Overseas Network
• Risk Management Framework
• Promotion of Good Cybersecurity Practice for Ships
• Supply Chain Risk
• Resilience
Source: HM Government, Maritime 2050: Navigating the Future, Department of Transport, London, January 2019; 2016-2021 National Cyber Security Strategy; Code of Practice Cyber Security for Ships 2017, UK Department for Transport

Country/Organization: European Network and Information Security Agency (ENISA)
Priorities:
• European Maritime Policies
• National Maritime Regulatory Frameworks
• National and International Cooperation Mechanisms
• Member Information Exchange Platforms
Source: Analysis of Cyber Security Aspects in the Maritime Sector 2011, 2016 Network and Information Security Directive (NIS)

Country/Organization: North Atlantic Treaty Organization (NATO)
Priorities:
• Deterrence and collective defense
• Crisis management
• Cooperative security: outreach through partnerships, dialogue, and cooperation
• Maritime security
Source: NATO Alliance Maritime Strategy

Table 1: National and international cyber maritime strategies

Maritime Cybersecurity Priorities


As shown in Table 1, there are important priorities presented by each country’s strategy, and there
are important lessons that can be learned for adoption by other countries. For example, the UK
government considers maritime cyberattacks as a significant threat, which can cost companies
millions of pounds. Under a 2018 directive, the UK government has announced that organizations
working in critical services like energy, transport, water, and health can be fined up to £17 million
if they fail to demonstrate that their cybersecurity systems are equipped against attacks (UK 2018).
In New Zealand, the recent focus has been on international engagement, where the goal is to influence
international decision making and to enhance New Zealand’s reputation as a responsible
maritime partner. Moreover, “New Zealand’s involvement in international engagement provides
an opportunity to enhance efficiencies, simplify regulatory requirements and reduce costs for the
New Zealand maritime industry and the Government” (NZ 2018). Denmark, in its maritime strategy,
places high priority on security of its water and its ships and national coordination (Denmark
2019), while Spain focuses on public-private partnerships to enhance its domestic programs (Spain
2013). On the international level, Spain has entered into cooperative maritime agreements with
other countries, including the engagement of the Angolan and Spanish navies to deepen cooperation;
to ensure the patrol of the coasts of Guinean Gulf; and to combat piracy, illegal trade, and
smuggling, among other crimes.

The European Union maritime strategy


Weaknesses in cybersecurity governance abound in the public and private sectors across the EU
as well as at the international level. This impairs the global community’s ability to respond to and
to limit cyberattacks, which undermines a coherent EU-wide approach. The challenge is thus to
strengthen cybersecurity governance (European Court of Auditors [ECA] 2019). For companies
doing business in the European Union (EU), which covers a large part of the maritime industry,
the Network and Information Security Directive (NIS) covering network and information security
came into force in May 2018. Thus, cooperation between public authorities and the private sector
is essential for strengthening overall levels of cybersecurity.

In its 2017 assessment of the EU 2013 Cybersecurity Strategy, the European Commission (EC)
found that information exchange between private stakeholders and between public and private
sectors was “not yet optimal” due to a “lack of trusted reporting mechanisms and incentives to
share” (EC 2017). A challenge for the EC is encouraging candidate countries to adopt the same
standards as member states, for example, in such areas as cyber-related legislation or the protection
of critical infrastructure.

Since 2013, the threat landscape has rapidly evolved; so, by 2017, the cybersecurity context in
which the 2013 strategy had been created was substantially different. The “Internet of Things revolution”
has become a fact with fifty billion new devices expected to be connected to the Internet
by 2020 (Evans 2011).

By 2019 a substantial change was needed in the EU. Thus, the Cybersecurity Act (Regulation (EU)
2019/881 17 April 2019) was published in the Official Journal of the EU on 7 June 2019 and entered
into force on 27 June 2019. The Cybersecurity Act has two main objectives: (i) strengthening
the mandate of the EU cybersecurity watchdog, ENISA, to support EU Member States with tackling
cybersecurity threats and attacks; and (ii) establishing an EU-wide cybersecurity certification
framework (“Framework”) in which ENISA will play a key role.

In November 2019, in accordance with the Cybersecurity Act, ENISA (in collaboration with several
EU ports) issued a report for CIOs and CISOs of entities involved in the port ecosystem. The
report lists the main threats posing risks to the ports and describes key cyber-attack scenarios that
could impact them (ENISA 2019). This approach allowed the identification of security measures
that ports shall put in place to better protect themselves from cyberattack.

The U.S. national maritime strategy


In December 2004, President George W. Bush directed the Secretaries of the Department of Defense
and Homeland Security to lead the federal effort to develop a comprehensive National Strategy
for Maritime Security, to better integrate and synchronize the existing department-level strategies
and to ensure their effective and efficient implementation (White House 2005a). The Maritime
Commerce Security Plan is one of eight plans developed in support of the National Strategy for
Maritime Security. In addition to drawing on the expertise of federal agencies, this plan also reflects
the insight and concerns of public and private stakeholders. In August of 2015, the Department
of Defense (DoD) published its Asia-Pacific Maritime Security Strategy, which has generated
attention both among U.S. allies and partners in the region, as well as on Capitol Hill.

Local law enforcement, the United States Coast Guard, and the United States Navy all have a role
in providing maritime security in waters subject to U.S. jurisdiction (USCG 2009). Other members
of the joint force contribute to the national effort, especially air, space, and cyberspace assets. At
the intelligence level, a whole-of-government approach has been adopted (White House 2005c).
The National Maritime Intelligence-Integration Office (NMIO) serves as the principal advisor to
the Director of National Intelligence (DNI) on maritime issues and is the unified maritime voice
of the United States Intelligence Community. In December 2016, NMIO was formally designated
the National Intelligence Manager (NIM) for Maritime by the DNI. NMIO collaborates with the
Global Maritime Community of Interest (GMCOI) consisting of federal, state, territorial, tribal,
industry, and academia to provide ‘whole-of-government’ solutions to maritime information sharing
challenges.

Preserving national security through sea power


While the Russian navy is growing its capabilities, it is challenging NATO at sea and beyond with
the build-up of Anti-Access/Area Denial (A2/AD) networks from the High North to the Mediterranean
(NATO Review 2018). This is coupled with a significant increase in the size, quality, capabilities,
and operational activities of Russian maritime forces. Russia’s actions were in focus at the
NATO Summit in Warsaw in July 2016 when Allied leaders clearly stated that “Russians’ recent
activities and policies have reduced stability and security, increased unpredictability, and changed
the security environment” (NATO Review 2018). Russia is not alone. Other rising powers, such as
China and Iran, have boosted their maritime engagement, not only through commercial activities,
but also through the increasing reach of their maritime forces (Thiele 2018). As noted by experts
on the South China Sea, China’s maritime claims matter “because by expanding peacetime presence
and control over these claimed waters, China can improve its chances of preventing other
states from threatening its vital ‘sea lines of communication’ (SLOCs) and, conversely, enable
China to disrupt others’ SLOCs in the event of a military conflict” (Martinson 2018).

Recommendations
The recommendations below are based on an analysis of the literature, government reports, country
strategies, maritime laws, and regulatory regimes, as well as semi-structured interviews with
key experts in the industry. The purpose of these recommendations is twofold: first, to open the
discussion on the various gaps in the law and regulation of maritime security and, secondly, to
determine the next steps for policy makers and governments to consider while formulating new
strategies, standards, and practices that will lead to improved policy and thus more developed
maritime cyber legal systems.

Legal reform and accountability


Maritime laws date back centuries, yet little has been done to address the changing needs of a
fast-evolving and disruptive technological environment. Accountability for property damage and
personal injury lies within a complex system of maritime law. Recently, the U.S. government
and the maritime industry have made good progress towards addressing cybersecurity issues in
the maritime domain; however, the next steps include the development of laws and regulations
that focus specifically on the unique attributes of cybersecurity on vessels and within maritime
facilities. The National Institute of Standards and Technology (NIST) Framework (2017) and the
Baltic International and Maritime Council (BIMCO) (2016) guidelines are good starting points,
but do not go far enough to ensure actual compliance, as they are voluntary regimens that require a
commitment from the numerous companies and ship owners operating in the maritime domain. To
enhance cybersecurity, the requirements promulgated under the Maritime Transportation Security
Act (MTSA) should include cyber risk management criteria, planned response to cyber-attacks,
and mandated education programs and testing. If the MTSA cannot be amended to mandate cybersecurity
protocols, then new legislation should be created to specifically require implementation of
cybersecurity programs that address cybersecurity incidents, response, and accountability.

Maritime cyber treaty frameworks


The speed at which new technologies and threats emerge far outpaces the design and implementation
of EU legislation (European Court of Auditors [ECA] 2019, p. 18). New legal frameworks
are required to address the unique aspects of these new technologies in a universal way. Prospects
for the development of bilateral, trilateral, and multilateral maritime cybersecurity treaties may
seem light years away; however, these may be the most important aspects of securing the maritime
domain. Treaties have been used effectively to encourage cooperation among member states,
to reduce conflict, and to expand world trade, but the support of the international community is
needed to combat a massive potential for economic and physical harm at sea through maritime cyberattacks.
An international treaty on maritime cybersecurity would go a long way toward helping
countries collaborate on identifying and reducing the potential for maritime cybercrime as was
accomplished through the 2004 Cybercrime Convention. Also known as the Budapest Convention,
it was the first international treaty seeking to address Internet and computer crime by harmonizing
national laws, improving investigative techniques, and increasing cooperation among nations.
Though bilateral investment treaties are currently being used in the maritime industry to promote
safety and trade development, there is a need now for expansion of these treaties to increase cooperation
among states in securing ships and ports from potential vulnerabilities in the form of
possible cyberattacks.

Whole-of-government approach
Maritime security is best achieved by blending public and private maritime security activities on
a global scale into an integrated effort that addresses all maritime threats. In the U.S., the National
Strategy for Maritime Security aligns all federal government maritime security programs and
initiatives into a comprehensive and cohesive national effort involving appropriate federal, state,
local, and private sector entities. While the plans address different aspects of maritime security,
they are mutually linked and reinforce each other (White House 2005a). One of the most important
of the plans is the Global Maritime Intelligence Integration Plan (White House 2005c) which
rests upon the development of a collaborative interagency and international maritime intelligence
enterprise that supports the intelligence and information needs of the Global Maritime Community
of Interest (GMCOI). Though efforts to provide a ‘whole-of-government approach’ have advanced
over the past decade, there remains an absence of a cohesive whole in practice with greater involvement
needed on the part of the private sector, the owner and operator of most of the world’s
technology, to provide a more integrated approach directly with the maritime industry.

Multi-stakeholder approach
There has been a call to action both within the United States and the European Union for a more
comprehensive, robust approach to maritime cybersecurity—a holistic approach that requires more
integration of policies, strategies, and standards at the highest levels of government. This involves
enhanced information sharing, collaboration, and mutual assistance at the international level, and
development of stronger public-private partnerships among government, the military, industry,
and the cyber community. Doing this, however, will require developing consensus on changes that
are needed in the maritime industry to combat the rising threat of cyberattacks and potential catastrophic
loss. The 9/11 Commission in the United States is one example of a high priority approach
that ultimately resulted in the implementation of the federal government’s National Strategy for
Maritime Security (White House 2005a) and its National Plan for Maritime Domain Awareness
(White House 2005b). A multi-stakeholder-influenced governance or advisory board would afford
the opportunity to more smoothly make fundamental turns in the future in defining its goals and
priorities. Thus, several problems could be avoided, including the self-defeating morass of long
term large public initiatives that fail to address the unique dangers lurking in the maritime industry
involving control over a country’s waters, potential attacks on the navigation ability of a country’s
military, and the development of control systems to make sure that preventative measures are be-
ing used by the maritime industry at large.

Stronger partnerships and enhanced awareness


The maritime cyber threat environment of the 21st century requires broader scope and a more
comprehensive vision. Decision superiority is enabled by ensuring global maritime information
dominance through the collection, integration and dissemination of information and intelligence,
as well as the development of knowledge. This means “we must look beyond traditional surveillance
of ports, waterways, and oceans, and continuously adapt to new challenges and opportunities
so that preemptive or interdiction actions may be taken as early as possible” (The White House
2005b, p. 2). This requires stronger partnerships and information sharing of security plans, cyber
risk, and cyber mitigation with all components of the maritime sector (including government
agencies, port facilities, ship owners and operators) and the technical community that supports
maritime infrastructure.

The importance of instant and efficient feedback regarding cyberattacks is evident in the
literature, government reports, and discussions within the maritime industry in general. Such feedback
is necessary to reduce the risk of repeat attacks by ensuring that lessons are immediately learned
and that preventative practices are adopted by all within the industry. The speed of response will
increase with improved data and communications, supported by a wide zone of networked
autonomous systems and sensors (Lloyd’s Register 2015). Education, training, and feedback are critical
to address these technological advances and the required evolution of process. These can begin to
improve the current state of cyber readiness and help the maritime community (and those that
support the maritime industry) achieve a better understanding of the scope and scale of cyber-related
incidents in their sector. Education, training, and feedback can also contribute to improving the
ability to detect, protect, prevent, prosecute, and recover from incidents.

Conclusion
This paper has reviewed the evolution of maritime law and its application to the changing
environment of the cyber sea to find useful frameworks for governments in developing national strategies
and policies for maritime cybersecurity. As the emphasis on maritime cyber strategies at the
national level continues to grow, there remains an urgent need for transformation in government and
industry approaches from a historical focus on shippers’ liability in maritime law to a more holistic
approach that incorporates the entire multi-stakeholder community. A major rethinking of the
maritime domain is essential to avoid these new threats to the world’s ports, facilities, and vessels and
to foster greater multilateral cooperation and smoother sailing conditions in the cyber sea.

References
Belmont, KB 2016, Maritime cybersecurity: Cyber cases in the maritime environment, American
Association of Port Authorities (AAPA), 21 July, viewed 9 July 2020,
<http://aapa.files.cmsplus.com/SeminarPresentations/2016Seminars/2016SecurityIT/K.%20Belmont%20-%20AAPA%20Maritime%20Cybersecurity%20FINAL.pdf>.

Baltic and International Maritime Council (BIMCO) 2016, Guidelines on cyber security onboard
ships, Version 2.0, International Chamber of Shipping, BIMCO, CLIA, ICS, INTERCARGO,
INTERTANKO, OCIMF, and IUMI, Bagsvaerd, DK.

Chen, Q & Bridges, RA 2017, ‘Automated behavioral analysis of malware: A case study of
WannaCry Ransomware’, Proceedings of the 16th IEEE International Conference on Machine Learning
and Applications, pp. 454-60.

Chertoff, M 2008, ‘The cybersecurity challenge’, Regulation & Governance, vol. 2, no. 4, pp.
480-4.

Denmark 2019, Danish Cyber and Information Security Strategy 2019-2022; Danish Maritime
Cyber Security Unit.

Eski, Y 2011, ‘Port of call: Towards a criminology of port security’, Criminology & Criminal
Justice, vol. 11, no. 5, pp. 415-31.

European Commission 2017, Assessment of the EU 2013 Cybersecurity Strategy, Commission
staff working document, 13 September, Brussels, BE.

European Court of Auditors (ECA) 2019, Challenges to effective EU cyber security policy,
Briefing Paper, European Union, LU.

European Network and Information Security Agency (ENISA) 2011, Analysis of cyber security
aspects in the maritime sector, European Union Agency for Cybersecurity, Athens, GR.

ENISA 2019, Port cybersecurity in the maritime sector, European Union Agency for
Cybersecurity, 24 November, Athens, GR.

European Union (EU) 2008, Agreement on maritime transport between the European community
and its Member States, of the one part, and the government of the People’s Republic of China, of
the other part, 21 February.

European Union 2016, General Data Protection Regulation (GDPR), Regulation (EU) 2016/679
of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC, OJ 2016 L 119/1.

European Union National Information Security (NIS) 2016, Directive 2016/1148 of the European
Parliament and of the Council of 6 July 2016 concerning measures for a high common level of
security of network and information systems across the Union, OJ L 194, 19.7.2016, pp. 1-30.

European Union 2019, Cybersecurity Act Regulation (EU) 2019/881 of the European Parliament
and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity)
and on information and communications technology cybersecurity certification, and repealing
Regulation (EU) No 526/2013.

Evans, D 2011, ‘The Internet of Things, how the next evolution of the Internet is changing
everything’, Cisco Internet Business Solutions Group (IBSG), San Jose, CA, US.

Foley, RK 1967, ‘A survey of the maritime doctrine of seaworthiness’, 46 Oregon Law Review,
vol. 369.

Gilmore, G & Black, CL 1975, The Law of Admiralty, 2nd edn., The Foundation Press, Inc, New
York, NY, US, pp. 1-50.

Greenberg, A 2018, ‘The untold story of NotPetya, the most devastating cyberattack in history’,
Wired, 22 August, viewed 28 June 2020,
<https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/>.

Heilig, L & Voss, S 2017, ‘Information systems in seaports: A categorization and overview’,
Information Technology and Management, vol. 18, no. 3, pp. 179-201.

HM Government 2019, Maritime 2050: Navigating the future, Department for Transport, London,
UK.

International Maritime Organization (IMO) 2017a, Strategic Plan for the International Maritime
Organization, December, London, UK.

——2017b, Guidelines on Maritime Cyber Risk Management (MCRM), 5 July, London, UK.

International Maritime Organization (IMO) Resolution, 2017, Maritime cyber risk management in
safety management systems, Annex 10 Resolution, msc.428(98), 16 June, London, UK.

International Tribunal on the Law of the Sea (ITLOS) 2016, Philippines v. China (PCA case
number 2013–19, also known as the South China Sea Arbitration Award), 12 July.

Kirkpatrick, DD & Castle, C 2019, ‘UK warns Iran of “serious consequences” for seizing oil
tanker’, New York Times, 20 June.

Lloyd’s 2017, The top risks in shipping today, 12 September, London, UK.

Lloyd’s Register 2015, Global marine technology trends 2030, Collaborative project between
Lloyd’s, Qinetiq, and University of Southampton, London, UK.

Maritime Transportation Security Act (MTSA) 2002, Pub. L. No. 107-295, 116 Stat. 2064 (An Act
To amend the Merchant Marine Act, 1936, to establish a program to ensure greater security for
United States seaports, and for other purposes).

Martinson, RD 2018, ‘Echelon defense: The role of sea power in Chinese maritime dispute
strategy’, U.S. Naval War College: China Maritime Studies, no. 15, Naval War College Press, Newport,
RI, US.

Ministère de l’Europe et des affaires étrangères 2018, Paris Call for Trust and Security in
Cyberspace, France Diplomacy, 12 November, viewed 28 June 2020,
<https://www.diplomatie.gouv.fr/en/french-foreign-policy/united-nations/alliance-for-multilateralism-63158/article/paris-call-for-trust-and-security-in-cyberspace>.

NATO Review 2018, VOSTOK 2018: Ten years of Russian strategic exercises and warfare
preparation, The North Atlantic Treaty Organization, 20 December, Brussels, BE.

National Institute for Standards and Technology (NIST) 2017, Framework for Improving Critical
Infrastructure Cybersecurity, Version 1.1, 10 January.

New Zealand Strategy for Maritime: New Zealand’s International Engagement, 2018 to 2023,
January 2018.

Papp, RG 2019, ‘Kennan Cable no. 41: A cyber treaty with Russia’, The Woodrow Wilson Center
for International Scholars, 29 March, Washington, DC, US.

Robertson, DW, Friedell, SF & Sturley, MF 2015, Admiralty and maritime law in the United
States: Cases and materials, 3rd edn, Carolina Academic Press, Durham, NC, US, pp. 276-7.

Rundle, J 2019, ‘Maritime cyber rules coming in 2021 are outdated, critics say’, The Wall Street
Journal, 18 July.

Sapiie, MA 2016, ‘Indonesia to start joint sea patrols with Malaysia, Philippines’, The Jakarta
Post, 2 August.

Spain 2013, National Maritime Security Strategy 2013, Spanish Security Council, 5 December.

Srinivasan, S, Pitcher, Q & Goldberg, JS 2019, ‘Data breach at Equifax’, Harvard Business School
Case Collection, October 2017, revised April 2019, Harvard Business School Publishing, Boston,
MA, US.

Tam, K & Jones, KD 2018, ‘Maritime cybersecurity policy: The scope and impact of evolving
technology on international shipping’, Journal of Cyber Policy, vol. 3, no. 2, pp. 147-64.

Thiele, RD 2018, ‘Game changer – Cyber security in the naval domain’, no. 530, The Institute for
Strategic, Political, Security and Economic Consultancy (ISPSW), Berlin, DE.

United Kingdom 2018, The Network and Information Systems Regulations 2018, no. 506,
Electronic Communication.

United Nations Conference on Trade and Development (UNCTAD) 2018, Review of Maritime
Transport, United Nations, Geneva, CH.

United Nations (UN) 2018, Report of the United Nations Commission on International Trade Law
(UNCITRAL), 51st session, 25 June-13 July 2018, General Assembly 73rd session, Supplement No.
17, United Nations, Geneva, CH.

United States Coast Guard (USCG) 2009, Model Maritime Service Code, US Coast Guard
Headquarters, Washington, DC, US.

US Department of Defense (USDoD) 2015, Asia-Pacific Maritime Security Strategy, The
Pentagon, Washington, DC, US.

US Department of Transportation Maritime Administration (MARAD) 2019, International
Agreements 2019, viewed 19 October 2019,
<https://www.maritime.dot.gov/economic-security/international-agreements>.

Valencia, MJ 2003, ‘Regime building in the East China Sea’, Ocean Development and
International Law Journal, vol. 34, no. 1, pp. 189-208.

The White House 2005a, National Strategy for Maritime Security (NMS), The Executive Office of
the President, Washington, DC, US.

——2005b, National Plan to Achieve Maritime Domain Awareness for the National Strategy for
Maritime Security, The Executive Office of the President, Washington, DC, US, p. 1.

——2005c, Global Maritime Intelligence Integration Plan, The Executive Office of the President,
Washington, DC, US.

——2018, National Cyber Strategy for the United States of America, Executive Office of the
President, Washington, DC, US.

World Maritime News (WMN) 2018, ‘UK’s autonomous shipping industry gets a boost’, World
Maritime News, 8 October, Schiedam, NL.


Authors

Pascal Ahr is a Bachelor of Science student of Electrical and Computer Engineering in Embedded
Systems at the University of Kaiserslautern, Germany. He works as a research assistant at German
Research Center for Artificial Intelligence and researches in the field of Hardware Physical Layer
Security. The main focus of his work is the Static Random-Access Memory—Physical Unclonable
Function and its usage in security applications.

Simon Duque Antón is a Researcher and PhD Candidate at the German Research Center for
Artificial Intelligence (DFKI) working in the Intelligent Networks research group. He received his
diploma in the field of Computer Science with a specialization in embedded systems in 2015. His
main research interests are machine learning and its application to the field of industrial
IT-security. He also lectures about Information Security at the University of Kaiserslautern.

Daniel Fraunholz has been a Senior Security Researcher at the German Research Center for
Artificial Intelligence (DFKI) since 2015. Born in Stuttgart, Germany, in 1992, he received his PhD
in Information Security in 2019. His major research interests are network security and intrusion
detection.

Prof. Virginia Greiman is an internationally recognized scholar and expert in the fields of
National Cyber Security and Cyber Law and Regulation. She serves as Assistant Professor at Boston
University Metropolitan College and is a member of the Boston University Law Faculty. She has also
held academic appointments at Harvard University Law School and Harvard Kennedy School of
Government. Her teaching and research focus on megaproject strategies and governance, cyber law and
international law, national security strategies, cyber warfare and surveillance, global cybercrime
and enforcement, privacy law and big data, and corporate innovation and competitiveness. She
served in the United States Department of Justice and as an international legal consultant for the
U.S. Department of State in Eastern and Central Europe. She has served as an advisor to numerous
international and national organizations including The United States Air Force Institute of
Technology Center for Cyberspace Research, the United States Agency for International Development,
the National Aeronautics and Space Administration (NASA), the World Bank, and the United Nations
Economic and Social Council (ECOSOC). Professor Greiman has held executive and advisory positions
with several of the world’s largest megaprojects in the United States, Europe, Africa, and
Southeast Asia, including Boston’s $15 billion-dollar Big Dig Project, London’s Crossrail Project,
India’s Megaproject Initiatives and Smart Cities Program, Taiwan and Southeast Asia National
Science Parks, as well as the U.S. Nuclear Power Industry and Development in the South China Sea.


Reproduced with permission of copyright owner. Further reproduction
prohibited without permission.
