Safety and transparency go hand in hand. Without masters being clear and open in their communication with the crew, accidents are more liable to happen, and without seafarers sharing near misses, the same mistakes will continue to be made and serious safety issues cannot be resolved. Furthermore, accident reports being shared via organisations such as the UK’s Marine Accident Investigation Branch (MAIB) and similar global agencies allow us to collectively learn as an industry and serve as a way to raise standards and develop best practices.
However, there remains a reticence in the industry to open up about some of the biggest safety and security issues it faces today. It recently came to light that in February 2017, a container vessel was hacked and lost control of its navigation system for 10 hours. This kind of cyber attack brings home the reality that ships have vulnerabilities that hackers can exploit, yet it fell to an industry source who wanted to remain anonymous to make the event known to the wider shipping community. The fact that they did not want their identity shared reveals fears of retribution for sharing such information. Yet without this whistle-blower we would be none the wiser about the attack and less alert to the risks it revealed.
Part of the reticence undoubtedly comes from companies’ fears over reputational damage and loss of earnings. This is understandable with revelations that the Maersk cyber attack led to a USD300 million loss in profits, while Clarksons’ announcement of its cyber breach led to a 2% dip in its shares. These fears, however, must be put away in order to truly combat the problem. Other industries, including the aerospace and utilities sectors, have been sharing cyber-attack information internally for years without huge financial losses occurring. Instead, it helps to build awareness of and resilience to a previously unknown threat. Revealing information about an attack can alert others to specific dangers and prompt them to fix similar gaps in their cyber security.
This approach should run right through the chain, from crew reporting if they accidentally opened up a dangerous file or got drawn into a salacious digital ransom situation, to masters telling the shipowners about a potential problem in the fleet, to shipowners sharing that information with their entire fleet, onshore staff, and other shipowners. This should all be done without fear of retribution – being open and honest should be met with reward instead of punishment, as it will help to create a stronger, safer, and more resilient shipping industry. In the meantime, anonymous reporting services such as the CSO Alliance’s Maritime Cyber Crime reporting portal offer a safe space to do so.
Change is coming whether we like it or not and burying our heads in the sand is not an option. Ships will continue to become more digitally connected as the operational benefits of smart shipping outweigh the risks. Shipping must decide whether it wants to be the strongest or weakest link in the global supply chain when it comes to cyber security – and it may not be a choice for long.
Norma Krayem, senior policy adviser and co-chair of the cyber security and privacy team at international maritime law firm Holland & Knight, told Safety At Sea that if ships decided not to comply with the proposed Strengthened Cybersecurity Information Sharing and Coordination in Our Ports Act 2017