Legislative Efforts in the Wake of Maritime Cyberattacks

In June the maritime industry experienced what many consider a particularly insidious form of cyber attack known as GPS Spoofing, where global positioning system data is subtly manipulated to the point of grave inaccuracy. According to the U.S. Maritime Administration, at least 20 ships in the Black Sea were affected. While at sea, these ships erroneously reported positions at an airport 32 kilometers inland. Although the event resulted in minimal fallout, recent events like this one, coupled with the ransomware attack on a global shipping giant, have triggered concern over the maritime industry’s growing susceptibility to cyber attacks.

The specter of potentially crippling attacks against shipping has caused legislators to scramble to find ways to improve cybersecurity at ports and along the supply chain, which contributes to much of the high-tech security issues onboard ships. Most notably, in May, Congress passed the Intelligence Authorization Act for Fiscal Year 2017, which requires the Department of Homeland Security to report on cybersecurity threats to U.S. maritime concerns and entities conducting operations in U.S. seaports. Later this summer, on August 1, Senators Mark Warner, Cory Gardner, Ron Wyden and Steve Daines introduced the bipartisan “Internet-of-Things” (IOT) Cybersecurity Improvement Act of 2017, S. 1691, aimed at establishing minimum security requirements for federal procurements of connected or “smart” devices.

This momentum is continuing through the fall, particularly with the introduction of HR 3101, Strengthening Cybersecurity Information Sharing and Coordination in Our Ports Act of 2017,3 which Representative Norma Torres drafted in response to the Petya ransomware attack. HR 3101 would further encourage information sharing and the broader public-private partnership that the Cybersecurity Act of 2015, passed by overwhelming margins, first promoted. 4 Specifically, the Secretary of Homeland Security would be tasked with ensuring the participation of at least one information sharing and analysis organization that represents the maritime community in the National Cybersecurity and Communications Integration Center (NCCIC). The Secretary of Homeland Security also would need to establish guidelines for voluntary reporting of maritime-related cybersecurity risks and incidents to the NCCIC. Additionally, the proposed legislation would require the Coast Guard to direct Area Maritime Security Advisory Committees to “facilitate the sharing of cybersecurity risks and incidents to address port-specific risks.”

The Cybersecurity Act of 2015 first facilitated public/private information sharing by providing limited liability protection and an information sharing “portal” through the Department of Homeland Security’s NCCIC. However, what has become increasingly apparent since then is that what is shared, and how quickly it is shared, is as important as the fact of sharing information itself. Information must be real-time and actionable if it is to be helpful. Everyone sharing the same malware may not be as helpful as people sharing novel techniques to counter the malware, for example. Indeed, too much sharing can obscure the truly important bits of information. Therefore, any legislation should find ways to incentivize or encourage high-value and timely information sharing.

HR 3101 also wisely highlights the urgent need for maritime entities to have a robust, proactive maritime cybersecurity plan that includes risk-based prevention, mitigation, response and recovery strategies. While the need for such planning should be increasingly apparent by now, for many it may not be, and congressional leadership encouraging this critical step is vital. As Representative Torres said as her bill advanced from the House Homeland Security Committee on September 7: “It was shocking to learn how little coordination there is between port landlords and tenants when it comes to addressing cyber threats and how little has been done at the federal level to mitigate these risks.”

Failure to plan equates to planning to fail, so all efforts to highlight the need for proactive, holistic, risk-based and well-practiced plans should be welcome. That said, what is needed is not just one-and-done cyber planning, but a continuous practice of planning, assessing, and re-planning, particularly as threats continue to evolve and new high-tech capabilities on ships present new vulnerabilities.

The full House has just passed Rep. Torres’ bill, but it still needs to be taken up and approved by the Senate, as well as signed by the President. In the absence of legislation, other parts of the federal government are moving forward with urgency. Following its December 2016 addition of cybersecurity to the list of “security” items that are covered by the 2002 Maritime Transportation Security Act (MTSA), the Coast Guard, on July 15, announced a request for public comment to its Navigation and Vessel Inspection Circular (NVIC) to “begin to lay out a series of policies and procedures” to mitigate the growing cybersecurity risks while ensuring the continued operational capability of the Maritime Transportation System.”

Essentially, the NVIC would clarify the existing requirements under the 2002 MTSA to incorporate an analysis of computer and cyber risks, and it would set forth guidance for addressing those risks. Additionally, this NVIC would provide guidance on incorporating cybersecurity risks into an effective Facility Security Assessment (FSA), as well as provide additional best practices for policies and procedures that could reduce cyber risk to operators of maritime facilities. 

At the same time, the International Maritime Organization (IMO), a specialized United Nations agency, has started incorporating cyber risk management into its guidelines. By 2021, some of these guidelines will require full compliance. In the meantime, in July of this year, BIMCO, a Denmark-based international shipping organization, produced its version 2.0 of “The Guidelines on Cyber Security Onboard Ships,” which are “aligned with the IMO guidelines and provide practical recommendations on maritime cyber risk management covering both cybersecurity and cyber safety.” 

Certain industries are also moving swiftly to promote cybersecurity. For example, the Oil Companies International Marine Forum (OCIMF) has, for the first time, included cybersecurity guidelines in the Third Edition of the Tanker Management and Self Assessment: A Best Practice Guide 2017 (TMSA 3). TMSA 3 requires any entity wishing to ship oil to certify that it is cyber secure and to ensure that proper cyber policies and procedures are in place to prevent, mitigate, and respond to cyber events. Those entities that choose not to certify compliance, or fail to establish the requisite policies and procedures, will lose out on significant business.

Ultimately, HR 3101 is a strong step in the right direction. With ships growing ever more reliant on technology—even to the point of transitioning to autonomous vessels—the time for cybersecurity to be front and center is now. If HR 3101 does not pass into law, it nonetheless keeps up the drumbeat for what is urgently needed. If it does continue to work its way through the legislative process, there hopefully will be opportunities to improve it, particularly by incentivizing more high-value and timely information sharing, as well as by encouraging greater proactive and continuous cybersecurity planning. 

Michael Bahar is the former Minority Staff Director and General Counsel of the U.S. House of Representatives Permanent Select Committee on Intelligence. Bahar currently serves as a partner at Eversheds Sutherland (US) where he leads the Cybersecurity and Privacy team.

Brittany Cambre, an associate with Eversheds Sutherland (US)'s Litigation Practice Group, focuses her practice on complex business litigation. She counsels clients in a wide array of issues including commercial business disputes and business torts, insurance defense, professional liability, and cybersecurity and data protection. Prior to joining Eversheds Sutherland (US), Brittany worked with the American Cancer Society’s Office of Corporation Counsel.