Posted: February 29th, 2024
Cybersecurity and International Maritime Law: Analyzing the adequacy of existing legal frameworks to address cyber threats in the maritime domain.
2. Cyber Threats in the Maritime Domain
A. Introduction
– Definitions of cyber threats: cyber-attack, cyber-war, cyber-terrorism, cyber-crime.
– The cyber security triad.
– Legal issues:
– Distinction between civilian and military targets and attacks.
– Lawful countermeasures to cyber attacks.
– Consequences.
– Analysis of the risks that cyber threats pose against the maritime domain.
B. The Nature of Cyber Threats to the Maritime Domain
– Use of the sea and the ‘chokepoint’.
– Reliance on electronic systems and global information and digital infrastructure.
– Networks and power of weapons: physical and psychological effects.
– Anonymous attacks and non-state actor involvement.
C. The Corfu Channel Case Revisited
– Comparison of the nature of cyber threats to the use of force by the UK.
– Identification of the responsible state or party.
– Security Council resolutions and their effectiveness.
– Jurisdiction and the applicability of the use of force and self-defense.
D. The Existing Legal Order and Cyber Threats to the Maritime Domain
– The UN Charter and customary jus ad bellum.
– The law of naval warfare and the 1994 San Remo Manual.
– LOAC and its reliance on the principle of distinction and proportionality.
– Martens clause: provisions for unforeseen development of technology.
E. Conclusion
– Reiteration of the threat cyber attacks pose to the maritime domain.
– The need for a pre-emptive and coherent framework to ward off any cyber threat.
– Call for further examination of the laws of warfare and their applicability to cyber attacks, based on the understanding that cyber warfare is warfare in a new and undeveloped domain.
3. Existing Legal Frameworks
Primary to the original UNCLOS doctrine, another agreement was made in 2000 by the United Nations called the “Electronic Communication Agreement,” which aimed to update certain parts of the Convention. Full ratification has yet to happen; however, the agreement has been in place for the past 17 years. Article 6 of this agreement outlines the use of electronic means to communicate and transfer data between each country’s territory. Although it was just an agreement to update another agreement about the original agreement, it shows that states are beginning to understand the importance of electronic communication and data transfer. This can be related to the Law of the Sea as it has around the same meaning, although the original agreement did not account for information systems.
Recently, there have been many steps to address this problem, including the International Maritime Organisation’s (IMO) Assembly Resolution (A.1045(27)), adopted on 7 December 2011, on “Maritime Cyber Risk Management,” and more recently, in October 2017, the IMO’s Maritime Safety Committee (MSC) adopted Resolution MSC.428(98) on “Maritime Cyber Risk Management in Safety Management.” It was agreed that the objective is to enhance the security of cyber systems and their use in the maritime industry, which should include the protection of systems, assets, data, and personal information relating to safety or the environment, from security breaches causing the compromise, corruption, or loss of availability of data.
The general principles of international law continue to apply at sea, as well as the more specific rules set out in this Convention. Part V of the Convention provides an exhaustive and important detailed analysis of the subject. Cybersecurity has been an issue for a very long time in the maritime industry as it is important for vessels to have secure access to the internet and networks on board.
4. Adequacy of Legal Frameworks
Cyber attacks are a relatively new tool that can be used against merchant ships, and their effectiveness would be severely damaging to the shipping operations affected. The legal implications of such attacks, however, are still not fully understood. The potential for non-state actors to influence changes in international law regarding cyber attacks also cannot be ignored. Customary international law on the matter may develop from decisions made by port states after a cyber attack on a ship within their jurisdiction. Additionally, while the 1982 UNCLOS is regarded as the primary body of law for the shipping industry, the ITLOS and the ICJ will likely have cases presented before them regarding cyber attacks. Furthermore, the International Maritime Organisation is presently focused on increasing cyber security in the maritime sector. Development of new laws and amendments to current legislation is a real possibility.
2. Current Legal Frameworks in the Maritime Domain
Whilst UNCLOS provides a useful base to work from, it is considerably lacking in provisions specifically dealing with the issue of cyber threats in the maritime domain, even though a serious cyber incident could present a threat to ships and to crew life and safety, and pose a risk to the marine environment. Measures such as the International Ship and Port Facility Security Code should be commended for taking early steps to address cyber risks by including cyber security under the requirements for ship security assessments. However, it is clear that more work is needed to move closer towards a comprehensive, internationally agreed set of rules and practices specifically focusing on this issue.
International conventions and treaties form the backbone of initiatives to counter maritime crime and provide legal backing for enforcement activities by providing an international regime aimed at cooperation between different governments and an agreed legal framework. The United Nations Convention on the Law of the Sea (UNCLOS) is a comprehensive treaty which sets out the regime of law and order in the world’s oceans and seas, establishing rules governing all uses of the oceans and their resources.
2.1. International Conventions and Treaties
As is the case with deficiencies found in specific legislation, most notably UNCLOS, there appear to be few, if any, specific cybersecurity-related guidelines within current international conventions and treaties. However, research in this area is relatively new and is currently gaining momentum. For instance, there has been recent investigative work into the relevance of the International Telecommunication Union (ITU) treaty structure with regard to securing global ICT networks and the protection of critical information infrastructures. As the maritime domain becomes more reliant on the usage of IT networks and systems, the relevance of such treaty systems may become more prevalent. Additionally, ITU involvement may impact the development of e-navigation technologies, and it is well recognized that improved e-navigation systems will ultimately increase the risk of cyber incidents without proper preventative measures in place. Although no cybersecurity-specific conventions or treaties exist, the Law of the Sea will require an in-depth analysis and the reconsideration of treaty structures if cybersecurity is to be ensured in the future. Without any changes to current conventions and treaties, it may be difficult to ensure cybersecurity in the maritime domain at a global level.
2.2. National Legislations
National legislation plays a crucial role in the implementation of treaty obligations and the promotion of state security at grassroots level. The discussion of national legislation focuses broadly on the legal requirements envisaged under the convention and critically analyses whether prevailing legislation in the US and UK conforms with the convention requirements. Due to the binding nature of conventions and treaties, only US and UK legislation has been considered, on the premise that both states, being leading maritime nations, are parties to the convention. The specific legislation adopted by civilian and military mariners in the respective states has not been addressed due to its sheer magnitude. The relevance of national legislation to the present cybersecurity threat lies mainly in ascertaining whether the ratifying states have clearly integrated the convention requirements. Hence, this chapter commences with a brief narration of the history of legislation in the global maritime domain.
2.3. Industry Initiatives
Phase 1 of the IMO’s cyber security development is expected to be these guidelines in January 2021. This will be mandatory for all IMO member states. However, it will only apply to ships that are subject to the ISPS code. The guidelines are a direct modification of the ISPS code, so it is likely that in the future they will be expanded to become a convention independent of the ISPS code. Although this is also a high-level document, it is significant as it is the first time the ISPS code has been modified since its introduction. It also shows that cyber security is now a very serious issue in the maritime industry and will continue to be in the foreseeable future.
BIMCO was the first industry body to address the issue of cyber security in shipping when, in 2016, they published the “Guidelines on Cyber Security onboard ships”. These guidelines are split into two sections. The first section provides high-level information about managing security, with the second section providing the actual guidelines on how to manage it. Although the guidelines are extensive and cover a number of different areas of cyber security, they are primarily aimed at a ship’s senior management. This was a key move as most of the data breaches that have occurred in recent years have been a result of a lack of oversight and poor management of IT systems. So, by educating and providing guidance to senior management, the security of the whole vessel can be improved.
As the only way of effectively combating cyber threats is through preventative measures, a number of leading industry bodies have developed guidelines and recommendations for shipping companies. The most significant industry initiatives can be found in the guidelines of BIMCO, the International Maritime Organisation, and the International Association of Classification Societies. All of these are recommendations, not regulations, although compliance with such rules may eventually become necessary as the best practice for cyber security in the shipping industry becomes more solidified.
Since the turn of the century, the maritime industry has become more and more reliant on technology. Revolutionary changes in the way processes are conducted and vessels are operated have seen many positive developments in terms of efficiency and safety. However, this increased reliance on technology has its downfalls. The interconnectivity of computer systems and the global scale of the shipping industry make it an attractive target for cyber criminals.
3. Cyber Threats in the Maritime Domain
On the threat side, modern ships are essentially floating networks with a range of integrated systems to aid in the operation of the vessel. Information transfer is vital to the operation of the vessel, and as such, technology has been widely adopted. Global maritime communications rely heavily upon satellite systems and electronic data transfer. Advanced navigation and propulsion systems are now used in all sectors of the industry. These systems are generally highly integrated and often rely on commercial off-the-shelf computer systems for the display of data to the end user. The most advanced of these systems are capable of dynamic positioning, where the vessel is held in a fixed position or within a very confined area solely through the control of its propellers and thrusters. This is employed in ultra-deepwater drilling operations, offshore construction, and in some cruise ship operations. Any failure of these systems that resulted in the loss of position could have catastrophic consequences. In respect of automated systems for machinery and propulsion, remote maintenance and monitoring of equipment has become common as it reduces the requirements for qualified personnel in situ and brings economic savings. These systems are now moving towards remote operation, where critical machinery could be controlled by an onshore operator. The progression towards increased autonomy of vessel systems will greatly increase the threat from cyber-attacks in the future.
3.1. Types of Cyber Threats
Data theft will often target information that the company in question clearly does not want to be in the wrong hands. This highly sensitive data can be national security data or personal identification data concerning a company’s workers. By contrast to these types of data attacks, it is equally possible that leaked information can lead to damage or cause embarrassment to a company.
Another form of attack would be to manipulate information in specific systems; this form of attack can cause serious damage to operations, considering that navigational information is highly reliant on correct data, from GPS location data to up-to-date weather information. A data falsification attack can lead to various unexpected situations which could jeopardize safety. In a scenario where an error due to manipulated information was found to be the cause of an accident, it would be difficult to identify that a cyber-attack was the root of the problem. Altering data can take many forms, the simplest being access to data by malware or viruses. This may, for example, occur when a contractor supplies software or hardware to a company with data storage, retrieval, or processing specifications.
In terms of categorizing the types of threats that could be posed against vessel operations in the maritime industry, there are varying forms of cyber-attacks that could affect different parts of the system. An attack can be carried out by methods that aim to disrupt equipment and operations; an example would be a denial-of-service (DoS) attack. A DoS attack can be performed by hindering network data, preventing specific network resources from being available to users. This could greatly affect the use of information provided by AIS, ECDIS, and other navigational systems, thus hindering the efficiency of monitoring vessel positions and other traffic situations.
As technology keeps evolving, so does the nature of the cyber threats posed against firms and corporations all over the world. These threats can range from simple technical problems to a full-scale cyber-attack. In the maritime industry, the integration of IT systems and operational technologies is newly implemented yet indispensable to supporting more efficient and effective transport work. Because these technologies consist of interconnected IT and operational technology systems, it is argued that the risk of facing cyber threats whilst conducting operations is more of a concern than in the past.
3.2. Potential Impacts on Maritime Operations
Cyber threats may potentially have a variety of impacts on maritime operations. These may include minor incidents that cause brief disruptions to itineraries, cargo operations, and port services, or major incidents that result in extended periods in port for troubleshooting and repair, damage to the company or the ship’s reputation, or the loss of proprietary data or control of the ship or its systems. The most significant potential impact is on the safety of life at sea and the protection of the marine environment – the primary goals of the international regulatory regime. Cyber incidents may result in hazardous situations with negative effects on personnel, the environment, and the assets of coastal states and the wider international community. The current increase in automation and remote control may heighten these threats.
At the present time, it is difficult to determine the likelihood or extent of such impacts as a result of the lack of reporting and information sharing on incidents of a non-traditional safety or security nature for competitive and other reasons. These factors are also likely to impact the effectiveness of any future regulation, as regulation is generally reactive and responsive to incidents or crises. However, this topic is worth further study and analysis in order to engage the industry, which remains largely unaware of the cyber threat, and convince them of the imperative of instituting preventative measures.
4. Evaluating the Adequacy of Existing Legal Frameworks
4.1.2 The SUA Convention and the 2005 Protocols
A Brief Overview of the Legal Instrument: The 2005 Protocols to the Convention for the Suppression of Unlawful Acts Against the Safety of Maritime Navigation (SUA) established a comprehensive set of measures to deal with unlawful acts against the safety of maritime navigation. Both the 2005 Protocols and the original SUA Convention include provisions specifically aimed at addressing cybersecurity.
4.1.1 SOLAS, chapter XI-2 and the ISPS Code
A Brief Overview of the Legal Instrument: The International Ship and Port Facility Security Code (ISPS Code) and the accompanying SOLAS chapter XI-2 represent a comprehensive set of measures intended to enhance the security of ships and port facilities against both terrorist and cybernetic threats.
Evaluation as to Effectiveness at Addressing Cyber Threats: The ITU’s manual judges that whilst the ISPS Code and SOLAS XI-2 do go some way to addressing cyber threats against ships and port facilities, they do not take into specific account the enhanced technologies of modern cybersecurity and therefore their measures may be seen as insufficient and outdated.
The ITU’s Maritime Cybersecurity Manual provides a comprehensive overview of existing legal instruments and conventions that it identifies as intended to address cyber threats in the maritime domain, as a means of determining the adequacy of the existing legal framework. An extract from this manual is taken where each legal instrument or convention is summarised before an evaluation is made as to the effectiveness of that instrument in addressing cyber threats.
4.1. Effectiveness in Addressing Cyber Threats
Finally, enforcement of law is a method of control in which a punishing action is taken against a party who has failed to abide by rules, and while traditional forms of enforcement such as sanctions or the use of force are well understood, measures such as diplomacy and conflict mediation can also be forms of enforcement used to prevent an undesired action from taking place.
Customary and treaty-based law is developed in a bottom-up approach in that it is created by and for the states and entities it pertains to, and it is these parties that must consent to accept a rule of law that will disadvantage them for the greater good of it becoming an effective control. This means that there will always be some parties that seek to avoid the law and its establishment of control by creating rules that will be in their own self-interest and that there is no uniform global interest in many issues.
Control on a global scale is known as hegemony and is the highest level of control in that it grants the controlling entity the ability to exercise power over others and to do so without fearing interference from those others. This is significant as it has a direct correlation with establishing or denying control through one entity’s ability to act without interference from others and set the standard for global behavior in a particular issue. Hegemony is rarely achieved in international law.
The existing framework’s ability to combat cyber threats rests on its capability to establish control. An essential quality for existing law in effectively combating cyber threats is its ability to establish control that will deny the adversary the ability to partake in an act that is considered illegal. Control is a concept in international law that can be defined through a variety of legal methods, which restrict an actor’s freedom of choice in a given scenario. This can range from physical occupation of an area, to preventing access to resources or benefits, to preventing engagement in a particular act. Without control, a law is merely a statement of a desired norm or principle and lacks the ability to ensure security for its addressed issue.
In general, effects of state practice are more easily observed in the creation of new customary law, but these can produce changes in treaty law as states may draft new agreements in attempts to formalize or change the direction of existing practices. Regardless, a treaty must be ratified by the parties involved to enter into force. From this, we can see that the nature of international law makes effective changes difficult to produce and slow to materialize. This is significant due to the fact that the technology driving the expansion of the interconnectivity of shipping systems may be constantly changing and evolving into new forms that could present new threats. Customary law may have no relevance to new practices, and treaty-based law may not be able to adapt rapidly enough to reform or create new agreements to effectively combat emerging threats.
Existing legal frameworks serve as the primary means of addressing cyber threats in the maritime sector, and as such, their ability to effectively do so is critical. When exploring their effectiveness, an understanding of how international law works is required. International law is created through a process of state practice, which is seen as evidence of customary law, as well as by the codification of state practice through treaties or international agreements. Customary international law and the law embodied in treaties and agreements are legally equal, but given the current nature of treaty-based law, it is more limited in what can be assessed since it is largely undeveloped or non-existent in some areas.
4.2. Compliance and Enforcement Challenges
Within the existing legal frameworks, are the aspirational words and clauses relating to cyber security and (re-)assurances of the commitment of (member) states to UNCLOS obligations sufficient to contain and discourage the threat of cyber attacks in the maritime domain? This is highly questionable. Even if one were to assume commitment and active representation in treaty negotiations, the majority of cyber attacks will be launched by non-state actors without any chain of attribution leading to a responsible state entity. Compliance with existing law and agreed international norms is not a viable strategy for deterring such attacks even where the will to comply is present. The low-risk/high-reward nature of cyber attacks creates a situation where it is rational for entities to breach their international obligations but with no genuine prospect of sanction or retaliation. Indeed, the possible unlawful nature of a cyber attack could act as an incentive for certain actors as it provides plausible deniability and no formal definable act of aggression. The example of the Estonia/Russia cyber war in 2007 has shown that even a publicly acknowledged state-to-state attack might not elicit much of a response. The lack of any real enforcement of the existing laws concerning cyber and any sort of cyber-specific treaty or regime means that in effect, maritime cyber attackers in the current day can be reasonably certain of impunity.
4.3. Potential Areas for Improvement
As the uniformity and coverage of legislation remains a key concern, more can also be done to foster cooperation between States in addressing threats to the maritime industry and developing legislation which is compatible and complementary on an international scale. This may involve the sharing of information and tactical cyber-security intelligence between States, or joint projects between international bodies and private industry on the development of new security protocols and practices. An example in the military sphere is the NATO Smart Defence initiative, and parallel strategies employed in the civilian sector may serve to strengthen the collective ability of States to deter and detect cyber threats against the industry.
To pre-empt such incidents and avoid the shortcomings discussed in section 4.1, what is required is a proactive approach which involves assessing the extent of risk to the maritime industry and, where appropriate, developing new protocols to address the identified threats. This process may seek to leverage existing IMO Conventions and traditional security practices, and indeed recent amendments to the ISPS Code, to make them more relevant in the context of cyber-security; however, it may also necessitate the creation of entirely new legislation. This approach reflects the tack taken by the US in setting out the CGA.
So where to next? In parallel with the nature of cyber threats and the constantly evolving technology and tactics used by malicious actors, the means by which to improve legal frameworks, specifically in the maritime law context, is a dynamic and ongoing process. It is not unusual for the effectiveness of law to only be truly realised in the event of dispute, and the case law that derives from instances of maritime cyber-attack or dispute involving resultant damage will in itself be a powerful catalyst for the development of focused legislation.