Posted: March 26th, 2024

The Role of Public-Private Partnerships in Enhancing Cybersecurity Resilience for Maritime Operations in the Region

The Role of Public-Private Partnerships in Enhancing Cybersecurity Resilience for Maritime Operations in the Region
1. Introduction
In recent years, maritime operations in the region have evolved into extensive and complex systems, driven by technological advancement and the pursuit of economic efficiency and security. Shipping, trade, and port operations are no longer disconnected segments but are intertwined into a sophisticated network reliant on seamless and timely information exchange. The maritime sector’s heavy reliance on technology and information systems has made it vulnerable to cyber incidents that can cause detrimental effects. The frequency of such incidents is rising and growing in sophistication, targeted at state or organizational level with the intentions of espionage, intellectual property theft, or disruption of operations. In 2013, the Port of Antwerp co-funded an academic research study due to concerns of espionage in a new container terminal automation system. Although the research provided clarity of the incident and preventative measures, these results are not shared amongst neighboring competitors or other port stakeholders due to sensitive nature. The most damaging cyber incidents yield physical consequences provided they are connected to the cyber layer of a system. An instance would be the 2007 cyber attack on Estonian government networks and internet infrastructure which paralyzed many of the e-government services and caused widespread disarray. Cyber incidents have the potential to disrupt or disable maritime operations and critical infrastructure, economically impacting nations and propagating into international disputes.
Cyber security comprises resilience and measures to protect a networked information system from impairment or theft of network services whether offline or online. Resilience is the ability of a system to prepare for and adapt to changing conditions in order to survive and continue operations in the event of a disturbance. Generally, traditional security measures in the form of antivirus software and firewalls protect from theft and online attacks but may impair network services if they block suspicious activity. This form of security has been proven inadequate against modern-day case studies. The new ISPS Code maritime security regulations state that security plans shall ensure the availability of information in the event of a security threat. This extends to cyber incidents although no specific guidelines or best practices are provided. Given the complexity of modern-day maritime operations, information system interconnectivity, and the influence from public sector coercion and international regulations, it can be said that cyber security is of utmost importance and a key point for the prosperity of the modern era.
1.1 Background of Maritime Operations
Sea trade has been in existence for thousands of years, moving large quantities of goods from one place to another, across the sea. Maritime trade involves several different activities, this could be fishing, cargo transportation, passenger travel and leisure activities like sailing. The International Maritime Organisation (IMO) has an estimated calculation that the total amount of trade is usually done via maritime resources is composed of a staggering 80%. The figure below shows that in 2014, the amount of goods transported is estimated to be over 10 billion tonnes. In order to complete these tasks, various types of vessels are used to facilitate the different types of maritime activities. The diversity of the vessel functions range from simple fishing boats, to sophisticated cargo ships and passenger liners, with the newest addition being offshore vessels which are used to facilitate the offshore activities of the oil and gas industry. All these vessels use some form of onboard electronic equipment. ECDIS (Electronic chart display and information system) is a good example, which is now mandatory on all vessels following a phase-in implementation starting in 2012 and is planned to be completed in 2018. All these technological advancements have greatly improved the safety and efficiency of maritime tasks. However, at the same time, these have led to increased dependency on automation and connectivity between different systems. This means that there is now an increased vulnerability to cyber incidents that could have detrimental impacts on the safety, environmental, economic and reputational aspects of the maritime sector. Cyber incidents can be caused by intentional malicious acts or through the use of inadequate cyber security and prevention methods which can still have the same consequences as an intentional act.
1.2 Importance of Cybersecurity Resilience
Only achieving these necessary capacities can nations hope to realize a truly effective approach to maritime security. Such porous and connected systems present a big challenge for cyber security, and an area that’s often overlooked, undervalued, and misunderstood. Conventional wisdom holds that the threat to information systems and information-dependent processes arises generally from the theft, corruption, loss and/or unavailability of knowledge, information, or data. For shipping and port operations, the computerized systems that manage cargo and monitor and administer traffic are the core of the operation. Loss of integrity or availability to those systems might have a catastrophic effect with regards to safety, economic vitality, and the health of the environment. In recent years, with growing recognition of the deep interdependence between safety and security in world shipping, attention is shifting to the threat of deliberate cyber attacks against information systems, with the intent of disrupting or disabling core functions that are linked to the safety and security of the people, the cargoes, and the protection of the marine environment. Consideration of this threat has led to a growing realization of the safety and security implications of its interdependence on an information dependent, automatic, and autonomous technologies. Only by understanding the character of the threat and the way it attacks the very systems that are its lifeblood, can the sector build effective defenses and mitigation strategies. A recent report by Denmark’s Ministry of Business and Growth articulated this well, in stating the rationale for public-private cooperation on cyber security. Cyber threats aren’t any less important than the safety and security in the physical world. But the character of the threats is different, and it’s a requirement to involve the private sector in maintaining cyber security, for they’re those owning and operating the critical information systems. Denmark has acknowledged this and is proactive in building global public-private partnerships within the cyber security field. Of course not all cyber threats are really complex or sophisticated, and it’s at the opposite end of the spectrum within the developing world, where the IMO and member states mustn’t overlook the opportunities for capacity building to enhance awareness and basic skills on cyber security.
1.3 Significance of Public-Private Partnerships
In the current complex economic environment, governments around the world are confronting decreased defense budgets and an acknowledgment that the development of future capabilities will be characteristically joint, yet they continue to struggle with institutional and cultural barriers to fully joint and combined acquisition programs. These barriers are driven by the historically national approach to defense and the resulting industrial dependencies which are often intrinsically linked to national security. The defense industrial base in many nations has a conglomeration of state-owned and privately held companies, for example BAE Systems is a publicly traded company in the UK, but is often viewed as a national champion for defense in Britain. Because of the crossover between the defense base and national economic viability, most governments are reluctant to form international partnerships for security, and many defense MNCs have a significant portion of their revenue that is linked to national defense in spite of increasing amounts of privatization in defense support services. Thus there exists a complex web between the public and private sectors and both national and international interests in defense. This is important to recognize because the U.S. is not alone in its struggle to maintain security with shrinking resources, thus lessons learned in this research can be applicable to many countries who are looking to enhance capabilities through smart partnerships in an era of fiscal austerity.
2. Understanding Cybersecurity Resilience
Cybersecurity resilience in contemporary context is the ability to prepare for, respond to, and recover from cyber-attacks. It is an approach of defending against powerful cyber-attacks, ensuring probable damage is minimized, and recovery is feasible. The concept of cyber resilience is not only limited to information assurance and security but rather focuses on the ability to absorb an attack and to continue operation or quickly recover to an effective state. It includes the ability to withstand and rapidly recover from deliberate attacks, accidents, or naturally occurring threats that may compromise the assets and operation of an enterprise. Cyber resiliency includes assured data protection, immediately available mission-critical information and functions, the ability to continue to operate in a degraded state while progressing towards full operational capability, effective reconstitution of the software, hardware, and data, and finally security for the infrastructure during all the aforementioned processes. Cybersecurity resilience shares the same goal as resilience in general: to achieve and maintain an acceptable level of operational risk within an organization, despite the presence of threats. Resilience can be considered the ability to align security with business continuity and is a systematic and measured approach to achieving an effective security posture. As such, resilience can provide an approach to security which is flexible, cost-effective, and risk-based. This is particularly important within maritime security where cost and risk management are critical factors.
2.1 Definition and Scope
In the simplest terms, resilience is the ability of a system to withstand and recover from stress or shocks. The Center for Internet Security (CIS) defines cyber security resilience as the ability to maintain an acceptable level of security despite having been exposed to a cyber security event. The resilience approach counters both the prevention and reaction approaches to cyber security by putting in place a set of measures to ensure that an organization can identify any form of security breach and then take action to minimize the damage and recover to a more trusted state. This is a proactive approach as its primary focus is to reduce the time between a security breach occurring and it being identified. This is something that currently takes on average 205 days (M-Trends 2015: A View from the Front Lines of the Security War, Mandiant). This is becoming an increasingly popular approach. The UK government had announced in 2013 that they are investing £650 million into building resilience to cyber attacks and other countries have taken similar steps. This aims to directly reduce the impact of security breaches as a study has shown that data breaches in the US public sector led to a loss of $202 per capita. This would have been significantly less if the state of cyber security resilience was higher. It is highly likely that the size and impact of cyber breaches will increase, thus making cyber security resilience a critical area. There are an array of tools and methods to measure cyber security resilience including a framework by Dasaklis, P., Kotzanikolaou, P., & Pantziou, G., 2014. As this field develops, it may be seen as a mandatory requirement for organizations. Today, it is recommended as best practice. This approach to cyber security has a close relationship with systems engineering and system security as demonstrated in figure 1. This has been highlighted by recent cyber security incidents, most notably the 2010 Stuxnet worm which was a highly targeted attack on certain industrial systems. This therapeutic aiming to cause the maximum damage from a long-term covert position. The incident demonstrated a lack of sufficient security testing and oversight of the maintenance of these SCADA systems, showing that many current IT security approaches are still insufficient for industrially focused cyber attacks. This suggests that the identification of an acceptable secure state and methods to transition to it are imperative in ensuring resilience in these systems. This shows that cyber security resilience is a concept applicable to all forms of computer systems and at some point may become the sole aim of a security strategy.
2.2 Key Components of Cybersecurity Resilience
The next component is the ability/institution to ‘prevent’, which signifies a strong desire to influence the opposite of what we are trying to prevent, showing proactivity and determination. This is expressed through the demonstrated capacity to take actions aimed at eradicating the occurrence and reoccurrence of specific threats (in our case, cyber-related) or change. This is an important component as there is no point having a strategy if it’s not going to prevent an unwanted outcome. Reaction-based learning and improvement for better future preventive action is a less effective strategy.
Next, preparedness is the state of being ready and the process to achieve readiness for a specific threat or change, usually through the development of arrangements and acquisition of the resources needed to carry out an effective response to the change. This aspect is crucial because it ensures that an organization can still protect its assets and information even when there’s a change of threat or attack towards the organization.
The key components of cybersecurity resilience, as defined by the Council of European Union, can help to guide the way. Each of the key components offers a clear understanding of the outcome in terms of the desired state of cyber resilience. Firstly, awareness is the cognitive state of knowing about and understanding various aspects of cybersecurity. This component is important because awareness will influence human behavior and ultimately how an organization or society prepares and prevents from the risk of cyber attack or threat.
2.3 Challenges in Achieving Cybersecurity Resilience
The existence of cybersecurity resilience is an elementary variable in the determination of the ability of an organization or system to continue the delivery of products and services and maintain the functionality of supporting systems when faced with a cyber event. It is a space in which the public and private sectors make essential contributions to sustain a broad range of activities to protect the safety, the prosperity, and the way of life of citizens. It means understanding totally the range of challenges that might affect the security and safety are pivotal in developing an approach to resilience. As discussed in section 1.2, the range of cyber events is very broad and so too are the challenges ranged against achieving resilience. The safety and security of citizens and the protection of property and function are as much at risk in the cyber domain as they are in the traditional domain, which means there is possible overlap with the challenges this has created potential for cascading effects into the traditional domain. This creates a significant problem for decision makers in assessing the acceptable level of risk in functioning an event and understanding whether it is more beneficial to defend against the event or prepare proactive and reactive strategies to bounce back from its consequences. A challenge exists to balance out the implementation of security measures with preserving the open and efficient characteristics of the systems and organizations that are being protected, and in some cases, there are no measures to improve the security of a particular asset or system. In general, the rapid evolution and spread of technology and the cyber domain itself often means that the challenges are always shifting and adapting, and so too must strategies to achieve resilience.
3. Public-Private Partnerships in Maritime Operations
The private sector possesses considerable knowledge and resources, particularly in technology, that would benefit the public sector in efforts to enhance cybersecurity. However, even in the wake of serious and sustained cyber attacks on critical infrastructure, the private sector is often not inclined to actively engage government on cybersecurity issues, largely due to concerns about liability, the potential negative impact on business interests (e.g. costly security mandates or loss of international customers), and a lack of faith in government’s own cybersecurity capabilities. This is particularly true in the maritime domain, where the commercial aspects of the shipping industry often take precedence over safety and security concerns. Public-private partnerships are a means to overcome these obstacles, and more effectively leverage private sector resources in addressing cybersecurity issues in the maritime domain. While the term “public-private partnership” can be quite broad and encompass many different types of interaction between the sectors, for the purposes of this paper a public-private partnership is defined as a cooperative venture between the public and private sectors, built on the expertise of each partner, that best meets the needs of the society. Public-private partnerships have been successful in improving cybersecurity resilience for critical infrastructure in other domains, and may also be relevant in the maritime domain.
3.1 Overview of Public-Private Partnerships
A public-private partnership generally denotes an arrangement between government and private sector actors, with a common goal to provide some good or service, through a division of responsibilities and sharing of resources, risks, and results. Though there are a myriad of reasons why public agencies seek to engage in partnerships with private firms, they are generally undertaken because of some form of market failure or government failure in the provision of a good or service. Commonly cited reasons for market failure include the inability to produce a good or service at competitive prices, and the inability to induce private firms to take on socially desirable projects that do not have a direct revenue stream. An example of the former would be a public contract to build a bridge when there are no private firms that offer the service at a competitive cost. An example of the latter might be a project to conduct medical research to cure a rare disease. High costs and uncertain results often deter private firms from investing resources into a socially desirable project that is not likely to yield a marketable product in the end.
Although the concept of public-private partnerships has been documented since the early 20th century, it has only been taken seriously within the past quarter century as a viable solution for service delivery. As austerity measures have forced government agencies to stretch dollars further, and a more informed consumer base has required a higher level of service, the public sector has sought alternative means to provide many of the goods and services that citizens have come to demand. Public-private partnerships have risen to the occasion and through a series of trial and error attempts have emerged as a credible means of solving some of the problems affecting the provision of public goods. While public-private partnerships are not a catch-all solution for improving service delivery with fewer resources, they provide a starting point for upcoming generations of public administrators to begin thinking structurally about improving various methods of service delivery.
3.2 Benefits of Public-Private Partnerships in Enhancing Cybersecurity Resilience
The main advantage of public-private partnerships is that they can encourage free information sharing among the partners. This is important in the cyber defense context where information on the evolving threat is key to adapting defenses. Public organizations may have access to intelligence on the nature of the threat facing the industry but be unwilling to share this with private companies due to the classified nature of the information. By forming a partnership with a specific remit, the public body can share this information with those in the private sector who have the relevant responsibility within the partnership, thus circumventing the security dilemma. A partnership can also incentivize information sharing by utilizing agreements to share specific resources or expertise tied to a precedent of information sharing from a partner. An example of this kind of approach can be seen in the UK ISAAC project whereby specific cyber threat intelligence was tied to the agreement to access said intelligence and information from the industry.
Partnerships can also be a vehicle to leverage industry-led initiatives into public sector support. This is significant in an era of austerity where support for specific security measures may be low. The US NIPP highlights that critical infrastructure protection in the post 9/11 security environment has emphasized risk management and the need for public-private sector collaboration on identifying and protecting the highest priority assets and systems. Although NIPP was criticized for industry bias, public-private collaboration led to an initiative where maritime stakeholders identified cybersecurity as a relevant threat. This culminated in a maritime industry-led effort to comply with international and ISPS code security standards by developing the US Maritime Transportation Security Act (MTSA), which requires certain security assessments and plans from vessel and port facility operators that access US waters.
3.3 Successful Examples of Public-Private Partnerships in the Maritime Industry
The culture of maritime is entrenched with a mentality of self-reliance and that cooperation with competitors is less favorable than going it alone. A recent keynote address by Deep Water Point Partner Ken Slaght emphasized that the magnitude and impact of cyber threats within the maritime industry means that companies can no longer battle to-be attacks individually. The creation of information sharing networks and collaboration with industry-wide subject matter experts is paramount. Public entities play a significant role in the provision of such experts and networks. A prime example is the recently launched European Union Maritime Information Sharing Analysis Centre (MISA). An extension of the EU SECI Centre for Policing and Customs Cooperation, MISA aims to increase information sharing and coordination in the fight against threats to the maritime sector. It provides a platform for experts to address industry needs. This type of venture is highly complementary to a P3, and the involvement of the EU or other public entities would essentially be the outsourcing of expertise and services.
Public-private partnerships exist in the maritime industry. There are many reasons for the private sector to take cybersecurity seriously. The most obvious reason is the cost of being connected. With cost savings in the shipping industry at the forefront of this initiative, the annual State of Maritime Cyber Security Report demonstrated the growing understanding of the importance of cybersecurity. It highlighted that 89% of ship owners and managers now believe that it is as important as the physical security of vessels. High-profile attacks, well-publicized regulation changes, and increased industry awareness have driven an increase in resources being dedicated to cybersecurity. This has resulted in private companies educating themselves on the risks, repercussions, and costs associated with a cyber attack. In turn, this has improved the quality of their IT systems. A well-educated customer is essential for the success of any P3. Reducing the risk of a cyber attack and subsequent operational disruption will result in cost savings and is now an integral part of any potential value proposition. As more private companies begin to understand the importance of cybersecurity, many are turning to the developing insurance market, which can provide comprehensive cover. This negates the need for self-insurance, which at present is too much of a risk. It also provides a potential new market for the insurance industry.
4. Strategies for Strengthening Public-Private Partnerships
Interviewees suggested that the best way for public and private entities to come together and share information on cyber issues would be the establishment of a neutral and central organization. This organization would facilitate information sharing and best practice advice and be governed by a board consisting of industry experts and members of relevant government bodies. Funding for this organization would come from both a collaboration of private and public entities and a government grant. An organization of this type would give equal benefits to both its private and public members. Public members would gain insight into the issues affecting the private sector and the possible economic implications. The private sector would benefit from the advice of public sector cybersecurity experts and would be able to influence government policy on new cyber threat regulations that could affect the industry.
In the maritime sector, various trusts and information sharing agreements already exist, such as the Maritime Information Sharing and Analysis Centre (MISAC) and the Regional Cooperation Agreement on Combating Piracy and Armed Robbery against Ships in Asia (ReCAAP). However, due to the sensitivities surrounding the issue of cybersecurity, these agreements focus solely on physical security issues. MISAC is, in fact, moving towards establishing a new pact specifically for cybersecurity.
Public-private partnerships that involve the sharing of information and knowledge required to improve cybersecurity have the potential to revolutionize the collective cyber resilience of an industry sector. Establishing trust and collaboration is the first critical step. Without this, the sharing of information is unlikely to occur due to the sensitivity of cyber attack data and a potential lack of trust in partners’ abilities to protect the information.
4.1 Establishing Trust and Collaboration
Trust is built through relationships and relationships are built through time spent working together. Whether in joint ventures, information sharing arrangements, or joint policy and planning work, all of which involve shared risk and shared win or lose outcomes, the more time public and private sector entities spend together in these endeavors, the more they will develop trust. This was highlighted by the effectiveness of existing public-private sector forums which helped in the development of trusted relationships and communications channels between entities from both sectors. These relationships helped in providing a better understanding of respective sector-specific cultures, constraints, and operational contexts, and sharing ideas and intelligence on possible threats to and vulnerabilities of critical infrastructure. Such an understanding is necessary in order to move from a place where the private sector mostly waits for government to tell it what to do on security, to a more proactive posture where these sectors can address security threats in shared risk and shared win or lose environments. In a similar vein, a report from New Zealand noted that gaining a better understanding of private sector motivations, decision-making processes, and mindsets is important for government entities seeking to effectively engage with the private sector on critical infrastructure security issues. This is critical as mistrust is often based on misunderstanding and stereotyping of the “other”, and likely decreases as common ground and common understanding is developed.
Cyber security threats change the national security environment and are becoming more sophisticated in nature. In order to deal with these threats, maintaining the trust and collaboration between the public and private sector is essential. Establishing such trust and sustaining the spirit of collaboration both between these sectors as well as the individual entities within them is the foundation on which effective protection of critical infrastructures.
4.2 Sharing Information and Best Practices
A possible future scenario for this level of research could be war gaming exercises, where the discussed vulnerabilities are exploited in a controlled simulation. Development of such a detailed knowledge sharing environment will ooze best practices at all levels of research and collaboration. Stepping back to the present, these best practices will be observed from the research and creation of new tools to protect or analyze the vulnerabilities of infrastructure and operations.
For establishing a successful PPP to enhance cybersecurity resilience in the maritime sphere, it is imperative to have data sharing and information exchange among public and private partners and stakeholders. A multifaceted information sharing environment must be created which engages sponsors, researchers, and participants. A start-up prototype for this could be a data sharing program specifically targeting cybersecurity-related incidents, threats, and vulnerabilities to maritime infrastructure and operations. This can branch into further research on cyber threats affecting vessel and port infrastructure and operations, providing a clear view of the type of threats faced and the possible vulnerabilities that need to be protected.
4.3 Developing Joint Response and Recovery Plans
An essential stage of PPPs in cyber security is the development of joint response and recovery plans to fight against cyber attacks on maritime operations. The dynamic and complex nature of the maritime sector, with the different types of organizations involved (public, private, local, and international), makes it difficult to grasp how an attack might come and what form it might take. Joint response and recovery plans ensure that all parties involved in a partnership understand what the other is going to do when under attack. They can also serve to assist a third party joining the partnership to understand what is expected of them and what they can expect, facilitating the easier integration of new members into the partnership. Development of these plans can be expected to form closer links between partnering organizations, as they prepare to assist one another and weather the storm together, making it less likely for a party to draw out of a partnership when trouble strikes.
The process of making these plans has many different layers and no clear start or finish. One obvious part was outlined by an interviewee from a security provider firm as he explained that their company’s attack scenarios were used as a playing board to strategize which steps to take as a partnership when under attack. These sorts of tabletop exercises have been used by various military and government bodies to simulate non-cyber related warfare and strategize the best courses of action. These and other plan development methods may benefit from the wealth of public sector security and intelligence experience in the hope to adapt and tailor them to effective cyber attack scenarios.
4.4 Investing in Cybersecurity Training and Education
The National Cybersecurity Workforce Framework provides a blueprint to secure the diverse environment of the maritime sector. This framework provides a common taxonomy and lexicon for describing jobs and workers in information security, as well as a workforce development methodology to build a strong workforce to manage cyber risk. This framework provides a guide for those at all stages of their career on skill requirements, training and development, as well as current and potential job progression. Adhering to this framework will greatly improve the job of managing cyber risk in the maritime sector, and help align efforts in doing so, making PPPs more effective as well.
Effective strategies in attaining the desired level of cybersecurity are crucial to the protection of the maritime sector against a cyber attack. These strategies are also important in gaining and maintaining the momentum necessary to manage cybersecurity as a constantly evolving risk. Investment in strategies fostering resilience through continued learning as well as creating a culture of risk management can pay large dividends in the future of cybersecurity for the maritime sector. Jointly developing public and private research and development programs fostering academic research as well as internships and work study programs for college and graduate students can help create a cadre of future maritime cybersecurity professionals. This kind of program can help educate future maritime professionals on the importance of managing cyber risk, and give them the tools to do so effectively.