Cyber attacks threaten sea traffic, ports & offshore rigs

The rapid increase in cyberattacks on the maritime industry during the global pandemic has highlighted the inadequacies of the existing international legal framework and the urgent need for comprehensive and innovative international maritime cybersecurity laws.

• No cyber-specific laws govern international maritime industry
• Cybercrimes increased during pandemic
• They pose complex international legal problems for prevention and prosecution

In a study published in Marine Policy, QUT maritime security law expert Associate Professor Saiful Karim analysed the threats to maritime cybersecurity and called for a specific, international, enforceable legal regime to deal with these threats.

“Ports, ships, maritime supply chain and major offshore infrastructures including oil and gas installations are vulnerable to cyberattacks. The international maritime industry relies on cyber systems for all aspects of operation and management and may face cyberattacks from so called activists, terrorists, and transnational cybercriminals,” Dr Karim said.

“Both cybercrime and cyberterrorism create complex international legal problems for prevention and prosecution.”

Dr Karim said the International Maritime Organisation (IMO) was the main global forum for regulatory development to ensure maritime cybersecurity and it had an instrumental role to play for development of fit-for-purpose international law to combat maritime cybercrime and cyberterrorism.

“Despite adopting a non-legally binding guidelines and a quasi-legally binding resolution on cybersecurity, the IMO falls substantially short in the development of specific and binding cybersecurity regulations,” he said.

“Nevertheless, some provisions of the International Convention for the Safety of Life at Sea (SOLAS Convention), the Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation (SUA Convention), the Convention on Facilitation of International Maritime Traffic (FAL Convention) and the related codes and protocols are relevant for ensuing cybersecurity of ships, ports and offshore infrastructures.

“For instance, the 2005 amendment of the SUA Convention, while not directly addressing cyberterrorism, is useful, such as its criminalisation of using a ship to perpetrate maritime violence.

“Despite their relevance for maritime cybersecurity, none of the IMO conventions comprehensively deal with cybersecurity.

“An urgent legal reform is needed because the legal response is far slower than fast technological innovation, use and abuse.”

Dr Karim said enforcement of international maritime cybersecurity regulations was another urgent challenge because no universal enforcement jurisdiction for maritime cybercrime and cyberterrorism existed.

“Therefore, prosecution of maritime cybercriminals and cyberterrorists is difficult,” he said.

“Two potential legal avenues for prevention of maritime cybercrime are found in the UN Convention on Law of the Sea (UNCLOS), which puts a general obligation on the flag states to take actions to safeguard their ships’ safety, and in doing so “is required to conform to generally accepted international regulations.” (UNCLOS, Article 94).

"The UNCLOS mainly refers to the IMO legal instruments as the ‘generally accepted international regulations’.

"The UNCLOS and customary international law also recognise the coastal states’ right to enact and enforce national laws for maritime safety and security, but this power is limited regarding foreign ships.

“Therefore, an international legal architecture requiring uniform maritime cybersecurity standards and deterrent punishment for perpetrators of maritime cybersecurity crimes is of paramount importance for effective action against cyberterrorism and cybercrime.”