Posted: April 18th, 2024

Public-Private Partnerships for Cyber Maritime Security

Public-Private Partnerships for Cyber Maritime Security

1.2. Purpose of the Study
The purpose of this study is to examine the growing concern of cyber threats targeting the maritime sector. In recent years, there has been a steady increase in cyber incidents involving both merchant and warships. Incidents range from the hacking of a shipping company’s enterprise network to significant and widespread disruption of world maritime transportation systems. The consequences of these incidents have varied from intellectual property theft with unknown long-term economic impact, to impairment of a company’s commercial interests with the costs of damage still undetermined, and in the case of GPS interference with bridge and navigation systems, instances of damage to the environment. It is hoped that the research will serve as a reference for those with little understanding of the cyber threat to maritime, while providing insight and guidance for those already well versed in the issues. It is expected that the findings from this research will serve as guide on the nature of the cyber threats and defence, and following on, the appropriate changes to methods of regulatory compliance regarding shipping company security, and laws concerning an act of war in the Information space with certain recommendations.
1.3. Scope and Limitations
2. Second, we will identify the potential economic effects of a cyber attack on US infrastructure and how it impacts related industries. An in-depth examination of specific cyber attacks and their effects is beyond the scope of this project and it would be largely speculative as attribution can be difficult. Instead, we want to understand the opportunity cost of not having adequate cyber defense measures in place. We will initially focus on major publicized attacks against government targets in the past decade given the availability of information, however the Google-China cyber attacks and Operation Aurora serve as an interesting case study given recent news of indictment of five members of the Chinese military. These attacks have noticeably affected the US-China relationship and have implications for various industries. This is an area where industry analysis and qualitative opinion can be useful in gauging how certain cyber events have affected business in related sectors. Sectors affected by cyber attacks on government infrastructure will be more difficult to define given the wide reach of government IT systems, however focus will be placed on Defense, IT, and various technical services.
1. First, we examine the costs and benefits of cybersecurity and of employing cybersecurity experts in the IT sector as a whole. Our decision to study the IT sector rather than specific industries such as health or finance is intentional. We realize that various industries are interconnected in both the physical and virtual worlds, and that an attack aimed at one industry may have implications for another. However, the IT sector is the front line for cyber defense and it stands to reason that organizations which engage IT services are more likely to be affected by cyber threats. If the goal of the study is to prove that cybersecurity is a smart investment, we must show that there is a demand for cyber defense and potential for economic gain in the industry that provides these services. This will require a comprehensive analysis of the IT industry contextualized against the economic climate of the past several years. Additionally, this study will seek to understand how the US government’s changing cybersecurity policies have affected private sector IT spending and job markets.
The objective of this research is to analyze the economic implications of “Public-Private Partnerships for Cyber and Maritime Security” and present them from the perspectives of both industry and government. Because PPPs involve numerous stakeholders and their implications vary widely, this project scopes and limits its investigative framework.
2. The Importance of Cyber Maritime Security
The maritime sector is home to countless international companies, operating in tight financial quarters. As such, they often outsource work to third-party IT companies, which poses another risk – who has access to what and from where. A report from a former Director of British Intelligence highlighted the fact that “80% of cyber-attacks could be prevented by implementing standard security measures and raising awareness” (IFS10). These measures are not only limited to security software and training but also through the maintenance of a properly functioning security system that allows for detection and prevention of any unauthorized access to the network or changes to security data. With the risk of such attacks crippling a company, it is important to encourage both ship owners and IT companies to act now in improving security. It is far easier to implement security measures from the beginning than to deal with the cost and damage of being a victim of a cyber-attack. Cognitive security industries can also favor by offering deals specific to the maritime industry, as the technology at present is often deemed too costly to implement.
Cyber security is often seen by governments, businesses, and others as a technical issue. They resort to deploying IT professionals to look after security issues and wait for things to go wrong before acting. The Naval Dome provides the most effective firewall that can be provided, allowing maritime companies to have total protection. The shipping industry needs to act now, implementing the right way of handling security to keep businesses, crews, and our environment safe from the growing risk of cyber-attacks. Build understanding and awareness of cyber security risks. The ship owner must be made aware that an unsecured network could result in a cyber-attack, which could lead to large financial and reputational damage regardless of what ISPS code procedures have been put in place. This awareness will provide the ability to make well-informed decisions to improve cyber security and take steps towards its protection.
The importance of cyber maritime security
2.1. Understanding the Maritime Sector
The maritime sector is crucial to national and global economies and is central to maintaining world trade. The maritime sector is a complex entity with a multitude of different actors and interests including ports, shipping companies, offshore oil and gas, and fishing as well as the associated government departments and organizations. The maritime industry is a complex web of organizations and relationships. Most shipping companies do not own the ships on which their goods are transported. Many ships are ‘flag of convenience’, registered in one country, owned by a company in another, and crewed by personnel from a third state. The ships themselves are often part of a larger shipping ‘project’ where a charterer contracts the ship, or space on the ship, for a specific voyage or time period from the shipowner. The chain goes on. This diversity of ownership and transnational structure means there is no simple ‘maritime industry’, rather a collection of dynamic and evolving networks of organizations and economic activity. This complexity has implications for the management and security of the cyber environment. Globalization of industry has led to increased reliance on information systems and Information and Communication Technology (ICT) to conduct business and support operations. The shipping industry is no exception and has become heavily reliant upon automation and digital technology to coordinate and track the movement of ships and cargo. Shore-based systems control ship movement and cargo loading. Electronic charts and digital navigational aids have reduced the reliance on traditional paper-based methods and the Automatic Identification System (AIS) is an open-source tracking system used by ships worldwide to identify and locate other vessels. All of these systems are supported by computer software and hardware and an interconnected web of networks both onshore and at sea. The implementation of these technologies has brought significant increases in efficiency and safety to the industry. Digital navigation has made it easier to manage the increasing volume and density of shipping and greatly reduced the incidence of collisions and groundings. AIS has enhanced collision avoidance and safety at sea by improving situational awareness of vessel movement and has been effective in combating piracy and smuggling. Shore-side systems have improved the overall management of shipping operations and offer the potential for further efficiency gains through integration with other transport and supply chain systems. However, these technologies have also given rise to new vulnerabilities in an industry whose critical infrastructure and logistical operations are conducted at sea and often in regions with limited rule of law. The next sections of this report will explore these vulnerabilities and examine how the cyber threat is realized in the context of the maritime industry.
2.2. Cyber Threats in the Maritime Industry
As the maritime industry is increasingly incorporating digital technologies and implementing cyber systems shipboard and ashore, the industry becomes more and more exposed to cyber attacks. There are several categories of cyber threats that are particularly relevant to the maritime sector due to the unique characteristics of the industry. These include, but are not limited to, state-sponsored threats; insider threats from disgruntled employees; the increasing interconnectivity of terminal, port, and ship systems with the outside world; and the global nature of the industry.
The US Maritime Administration (MARAD) has identified several types of cyber incidents including attempts to deny access to or degrade, destroy, or manipulate information on a website or information system; attempts to access a website, information system, or data without permission; attempts to access, and in some cases alter, business information such as proprietary information of trade and manufacturing; and attempts to access or, in some cases, take control of systems controlling machinery or equipment. Cyber threats can directly impact the safety and security of persons, the marine environment, or assets critical to the operations of the maritime sector. This can have detrimental effects on commerce and the economy.
2.3. Consequences of Cyber Attacks in the Maritime Sector
A cyber attack in the maritime industry can have wide-ranging consequences. At its lowest level, a cyber attack can cause the loss of proprietary information. When information is the target, the main purpose is to gain a competitive advantage in the market. If hackers take private information about new designs or projects, they can sell that information to other companies or use it to their advantage and undermine the victim company. Information is most often stolen, having a major financial impact on a company. The estimated annual loss to U.S. companies due to the loss of proprietary information is 59 billion dollars. When hackers obtain this information, there is a low probability of them getting caught and an even lower probability of the information being recovered. An investigation may end without attributing the identity of the hackers due to an absence of solid evidence. Also, due to the lack of solid evidence, international convictions are rare. Cyber attacks can also disable engines or navigation systems, rendering the ship uncontrollable. This often results in the ship running aground or colliding with another ship. The worst-case scenario is a ship collision that causes a major oil spill. An example of a collision caused by system failure was the incident involving the American submarine USS Greenville. During a routine surfacing maneuver, the submarine shot to the surface and collided with a Japanese fishing vessel. This incident occurred because the location of the surfacing drill was changed and the crew never adjusted their unfamiliar control system. Another example involves a Singapore-registered oil tanker that veered off course and ran aground because the navigation officer was unfamiliar with the new ECDIS system. Oil spills cause significant damage to the environment and can have long-standing effects on human health. In a 2003 convention, the International Maritime Organization estimated that “oil spills account for only 12% of the oil entering the seas each year. The rest is a result of drainage from land and waste dumping.”
3. Government-Private Collaboration in Cyber Defense
In the realm of cyber defense, the effectiveness of collaboration between government and private industry has been a topic of much debate in terms of how best to utilize resources and balance the needs of both parties. One potential method of collaboration is through public-private partnerships. In the international relations literature, these partnerships have a broad definition and are generally classified as an arrangement where the state and the private sector share the risks and costs in order to achieve a common goal. In the realm of cyber defense, these partnerships have been ongoing in various forms through defense industrial based research and development, outsourcing, and more recently information sharing on cyber threats. Posen and Ross argue that such partnerships are a feasible and cost efficient way for states to achieve security as they are able to capitalize on private sector resources, technology, and expertise. Relying on the military to grow organically and expand into the technology sector to achieve capability is costly and often inefficient. With the rate of technological change, it is difficult for the state to keep up. By adopting capabilities developed in the private sector, the state can achieve a force multiplier in its security endeavors. This is especially true for small states or states faced with budget constraints and opportunity costs in security expenditure. The cost effectiveness lies in the fact that the state need not fully absorb the costs of private sector innovation and the goal is achieved through risk and burden sharing. He and Nye also note that public-private cooperation can leverage global strengths in a global security environment. As the internet and cyberspace is a globally interdependent entity, states to improve security must cooperate and share information in an interconnected manner. A top-down isolationist approach may harm international cooperation and negatively impact the state’s security posture. Global public-private partnerships can help build a cooperative security community and set norms for cybersecurity while sharing costs and risks.
3.1. Overview of Public-Private Partnerships
A public-private partnership (PPP) is a business agreement between a government and private companies to complete a project and provide a public service. The partnership features increased levels of private sector finance and expertise, which are used to improve public services and public sector finance management. In the area of cybersecurity, government and private sector collaboration is necessary (as discussed in 2.2), and a PPP in cybersecurity would involve a government and/or its relevant agencies or private sector organizations. In the delivery of a public service to protect the nation, a cybersecurity PPP aims to develop a clearer understanding of how to secure specific private sector markets that provide services which are crucial to the functionality of the public sector and the country. Cybersecurity PPPs are intended to increase situational awareness to the private sector, reduce the level of vulnerabilities to cyber threats within private sector IT systems, and effectively respond to cyber attacks on the private sector that have the potential to greatly impact nations and sap government resources. A cybersecurity PPP will seek to achieve these goals to ensure the public sector and the nation as a whole are better protected from both real and potential cyber attacks on many facets of the public service. On these PPP initiatives, the private sector is only contracted to provide services and/or resources on the delivery of a public service, so there is no transfer in ownership. It is important to note that the escalation of private sector outsourcing contracts to deliver public service initiatives has efficiency and cost-saving benefits in the long term on top of what is already achievable with a PPP.
3.2. Benefits of Collaboration in Cyber Security
The most significant benefit may be that the establishment of collaborative methods in cybersecurity between the public and private sectors during this critical time will set the stage for continued cooperation in the event of a large-scale cyber incident or an act of cyber terrorism. As an increasing number of cyber incidents have been occurring with potentially catastrophic effects, it is critical that the public and private sectors be prepared to effectively address such an incident both in terms of mitigation and establishing a clear chain of command with well-defined public sector roles. Failure to effectively meet these various challenges could result in the further loss of public trust and potentially the insourcing of critical industries to nationalize their security efforts.
By sharing information between the public and private sectors and jointly using the resources at their disposal, an environment is created wherein organizations from both sectors can align their respective business and security processes. This will also allow the private sector to gain a better understanding of the various security concerns and responsibilities that the government faces. This understanding will help to reshape the perception held by many of their government counterparts as to the seriousness with which the private sector regards security, moving them away from the current view that the private sector is generally unwilling to invest significant time and resources towards security efforts. This increased understanding will lead to the development of additional collaborative methods and will provide valuable incentives to organizations within the private sector. Such changes will ultimately lead to the identification and protection of critical assets, reduced information vulnerabilities, and the decreased probability of successful attacks against the public and private infrastructure.
3.3. Challenges and Barriers to Collaboration
Initially, it is a problem of language and understanding. In some cases, military elements of a national government may wish to collaborate with private companies on national security issues. However, the methodology and process used to implement security and defense may be very different from what the private sector is used to or will accept. Largely, this comes down to the different priorities of a government compared to that of a private company. Each party involved may be puzzled by the actions of the other, since they may seem illogical when viewed from a different perspective. This can lead to frustration on both sides and cause the partnership to fall apart. An understanding of the other party’s perspective is crucial, and it may take some time to develop this.
In most situations, the road to a solution is not always easy to navigate. When a government entity seeks to collaborate with the private sector, there may be many barriers that need to be addressed. Identifying what these barriers are is an important step to being able to effectively create and implement solutions. Many of these barriers can be very different depending on the specific location and governance of the government in question. A detailed analysis of the barriers for a specific government would require its own research project; however, a general list of some common barriers is helpful to governments and organizations as a starting point.
4. Strengthening Cyber Defenses in the Maritime Sector
The maritime sector is at increased risk for cyber attacks, and given its importance to global trade, there is a critical need to strengthen the cyber defenses of this industry. Most ownership and control of cargo and passenger vessels is by entities in the private sector, and these companies are the most knowledgeable about the cyber systems on their vessels and what cargo and systems are most critical to protect. This creates a situation where the private sector has the primary knowledge and capability to improve cyber security in the maritime environment, yet many private entities lack a clear understanding of the specific cyber threats to their sector and their business, and can be unsure about how to best apply their resources to reduce the risk of a successful cyber attack. Conversely, the public sector has a clearer understanding of the specific threats to the maritime sector, but has limited ability to directly improve cyber security on most privately owned vessels and may not have a full understanding of the most effective measures the private sector can take to reduce risk. Similar to the advice from the GAO and National Research Council to the aviation sector, the best way to address these issues is through a partnership between the public and private sectors. This will allow sharing of information on specific threats to the maritime environment, and the best methods for the private sector to mitigate these threats. It will also allow the public sector to support the private sector in improving cyber security in ways the government views as most critical.
4.1. Strategies for Effective Public-Private Partnerships
The most crucial issues, however, are the minimization of free-rider behavior and risk distribution. Free-rider behavior is a direct result of differing motives and conflicting interests and essentially refers to situations where one partner reaps the benefits of the other’s security investment without actually contributing any of its own resources. This is not an uncommon occurrence as in many cases the private sector partner cannot fully justify security spending to shareholders without there having been a serious security breach, thus it is often reluctant to make a substantial investment in security measures. An at-risk free-rider might only contribute to token measures, knowing that in case of a serious attack, it would still have the government entity to fall back upon.
Moreover, the formation of a joint committee has proven an effective tactic in other sectors as it acts as a coordinating body for the partners, providing a tangible framework through which issues can be addressed in an efficient and considered manner. The implementation of policy incentives and organizational culture change has also been cited as a valuable strategy as such tools can serve to align the interests and desired outcomes of the partnership. This can be important because the motives of public and private sector actors often differ and generally it is easier for private organizations to focus on security prevention measures that produce no immediate ROI. Policy incentives can serve to align these motives by providing regulatory measures that influence the actions of private organizations, while culture changes can be fostered through government integration within partnering corporate entities.
Strategies for the establishment and implementation of effective PPPs vary slightly depending upon the specific factor being considered, however there are some fundamental principles that generally hold true. Determining the exact type of arrangement is a key first step. In the realm of cyber security, it has been argued that an open, contractual partnership is most suitable because it provides businesses and their governmental counterparts with a clear understanding of the partnership mission, as well as the responsibility, liability, and intellectual property considerations associated with the alliance. An open arrangement often results in information sharing and mutual capability development, both of which are highly relevant for the improvement of cyber security.
4.2. Case Studies of Successful Collaborations
Canadian Marine Administration with DRDC and other Canadian Public Organisations
The Canadian marine administration has been involved in a multi-year project with Defence Research and Development Canada (DRDC) and other organisations such as Public Safety Canada and CSEC, aimed at strengthening the resilience of the marine transportation system to all hazards. Cyber security has been identified as a key area following an informed expert opinion workshop which took place on 28-29th of September, 2011 and most notably a tabletop cyber security exercise held on 5-6th of June, 2012. With observations and evidence indicating a growing reliance in the use of communication and information technologies within the marine sector, which pose vulnerabilities to cyber-attacks. And as a result, these activities have helped to identify key stakeholders, assess vulnerabilities, interdependencies, critical systems and data deterrence capacities and develop a research program to resolve issues with most notable outcomes to date, being the draft of the CSSD framework for resilience and a detailed report on cyber security threats to the marine transportation system. Both of which may be downloaded from the CSSD website.
US Department of Homeland Security (DHS) with Maersk and other port stakeholders
US port operator, Maersk and other stakeholders participated in a cyber security exercise on 24th Feb, 2010, simulating a cyber-attack on infrastructure used within the Port of Los Angeles/Long Beach. The exercise was organised by the Information Sharing and Analysis Centre (ISCA) and funded by the DHS, which involved participation from 43 companies and focussed on teamwork, communication and decision making processes during a cyber security incident. The port stakeholders formed a sector coordination committee, which Maersk took a leading role in and the results from the exercise have since helped influence decisions on Maersk’s cyber security strategy.
Asian Shipping Company (ASC) with Singapore government
The ASC has always maintained the practice of sharing cyber threat intelligence with the Infocomm Development Authority of Singapore (IDA), which benefits both parties. This collaboration came to a head during the planning phase for a new building, when the IDA offered to provide assistance to ASC in conducting a security threat and vulnerability assessment on the newly developed ICS networks, to which ASC agreed. The IDA did so by using a contractor which was well-versed in ICS networks and its subsequent findings were presented to the ASC in a detailed report, which included identified vulnerabilities and recommendations for rectification. The results from the assessment allowed ASC to undergo targeted changes to the network, in order to enhance security and IDA has pledged to continue its assistance to ASC, in cyber security related issues.
4.3. Recommendations for Future Partnerships
The most important overall lesson is that the potential for a win-win is there, but it is by no means automatic and several initiatives have failed to deliver real benefits for both sides. Recognizing the specific business and security objectives of the partner private company and how these align with the political and security objectives of the home country is an important preparatory step. Coming at this from a slightly different angle, the initiative should be driven by a clear and specific problem to be tackled; it should avoid vaguely defined partnerships for the sake of partnership. A cooperative project between a single company and a single government agency may tend to be less ambitious but easier to manage, and if successful, will provide a convincing demonstration and a platform to build upon. A hub and spoke model involving one leading company engaged on several fronts with one country could also be an efficient way to aggregate several small initiatives. Step change in security posture can be achieved through the development of a new technology or business process. A disruptive innovation of this sort can be a potent enabler for change in the maritime sector, but a research and development project carries higher risk and may fail to mature into a deployable solution. So it may be preferable to focus innovation initiatives on industry sectors that are already eager to embrace new technology. High-level trust and teamwork are cross-cutting success factors for partnerships in any sector. But it can be precarious in multi-level, multi-issue multinational initiatives, and in the maritime sector, it may be compromised by a long history of competition between friendly states. So those looking to enter into high-level security dialogue should weigh the potential benefits against the risk of diplomatic fallout from failure. A mix of military and civilian maritime activity and blurred lines between friend and foe in the threat environment add to the complexity and may call for specific confidence-building measures between the sector and a national security apparatus. Such initiatives have been rare, but when taken in a very specific context, they have yielded results. And finally, successful partnership calls for skilled managers who understand both sides, as a general shortage of such people has been a limiting factor for PPPs in the security sector.
In examining different forms of collaboration and reviewing evidence of their success, the study’s authors are able to derive several recommendations for future public-private cyber maritime security partnerships. These would help both sides to avoid common pitfalls and to fully exploit the potential synergies identified here. Causes of success can be abstracted from the case studies. These are assembled into specific and practical advice for company and government managers in the form of ten key success factors. These can be used to guide the implementation of individual joint initiatives and as criteria to help in the selection of potential partners and projects.