Soft Cyber Laws Make Port Facilities Soft Cyber Targets
[By CDR Michael C. Petta]
There is widespread recognition that cybersecurity vulnerabilities make the maritime transportation system a soft target. For example, about 10 years ago, a European Union study found “inadequate preparedness regarding cyber risks” in the maritime sector. In 2013, a U.S. Presidential Executive Order announced that cyber threats continue to grow as one of the most serious security challenges for critical infrastructure, such as port facilities. A few years later, an International Maritime Organization (IMO) resolution acknowledged the “urgent need” to address maritime cyber threats.
Just a few days after that IMO resolution, Maersk, the global shipping company, suffered a major cyberattack, leading its chairman to admit in an interview that the maritime industry had been naïve with cybersecurity and needs “radical improvement.”
Despite the widespread recognition of these vulnerabilities, international port cybersecurity laws remain soft—unenforceable and discretionary. The international community should take steps to harden these laws and therefore harden the targets.
The term “soft target” is used in law enforcement, force protection, national defense, and industrial security. Its definition has subtle varieties depending on the source. In the United States, a Department of Homeland Security soft target security plan states that soft targets include “locations that are easily accessible to large numbers of people and that have limited security or protective measures in place making them vulnerable to attack.”
Some soft targets, like a small town’s water treatment plant, might seem obvious. Other soft targets, such as international port facilities, might be less obvious. This is because port facility infrastructure benefits from global security measures, particularly those established in the International Ship and Port Facility Security (ISPS) Code. Nevertheless, despite the ISPS Code’s benefits, cybersecurity remains the soft underbelly of port facilities.
This soft underbelly should be cause for action because soft targets are easy targets. As one criminologist writes, “terrorists generally attack where their opponents are weakest. As such, terrorists focus on soft sites.” The United Nations Security Council observes the same trend, stating in a recent analytical brief that soft targets “have long been preferred targets of terrorist attacks.”
A disruption to the maritime transportation system (MTS) due to an attack on a soft target could have far-reaching effects. The recent grounding of the container ship Ever Given underscores the criticality and fragility of this global trade system. This single disruption to vessel traffic is estimated to have held up $9 billion in global trade per day. The effects of a cyber-induced MTS disruption would go beyond economics. People’s lives and livelihoods depend on the gasoline, building materials, food, and heating fuel the MTS delivers. The ongoing pandemic underscores this point.
Port facilities remain soft targets for cyberattacks because the ISPS Code, the regime implemented to protect international port facilities, contains “soft law.” Much scholarly debate exists on the meaning of the term soft law. Professor Dinah Shelton’s 2008 article Soft Law is recommended to those looking to more fully explore this area of international law. For efficiency’s sake, this article adopts the view that soft law is recommendatory and hard law is mandatory. Or, as a more succinct military leader might say, compliance with soft law is “desired but not required.”
The ISPS Code was established by member states of the IMO to protect shipping and port infrastructure around the world. Put into effect in 2004, the ISPS Code is a comprehensive security regime and a component of the International Convention for the Safety of Life at Sea (SOLAS). Although the ISPS Code is part of a binding convention, only the first of its two segments, Part A, is mandatory. Part B is recommendatory.
Part A of the ISPS Code mandates that each facility develop a Facility Security Plan (FSP). The FSP is the foundation upon which a facility’s preventative measures are built. Part A also directs FSPs to address particular security matters, such as measures to limit the entry of weapons, control facility access, protect restricted areas, and safeguard cargo. These physical security obligations in Part A are clear and certain.
What is also clear in Part A is its lack of any cybersecurity requirement. There is no mandate that a separate Cybersecurity Plan be developed. There is no directive that requires cybersecurity to be addressed in the already mandated FSP. In fact, the only reference to cyber in the whole ISPS Code is in Part B, the recommendatory portion. Specifically, there are four Part B provisions, each dealing with security assessments, that state facilities should consider “radio and telecommunications equipment, including computer systems and networks” when assessing vulnerabilities.
Being in Part B, these four provisions are discretionary. These “cyber” provisions are not only discretionary, they are also vague. Certainly, some may question whether the phrase “radio and telecommunications equipment, including computer systems and networks” is synonymous with the term cyber. In 2015, Canada raised this exact point in MSC 95/4/2, a submission to the IMO’s Maritime Safety Committee (MSC). In its submission, Canada proposed amending the ISPS Code to clarify the vague phrase. In MSC 95/22, the MSC decided that an amendment to the ISPS Code was not warranted at the time.
Being both vague and discretionary, the ISPS Code’s “computer systems and networks” language is unenforceable soft law. This attenuated law accommodates an environment in which cybersecurity merely subsists and port facilities remain vulnerable to cyberattacks. It is time to consider a different approach.
Harden the Law, Harden the Targets
Considering the serious impacts of a cyber disruption to the MTS, relying on unenforceable soft law may not be the right approach. The international community can do more to harden the law, and there is a useful model in the United States.
Enacted in 2018, the Maritime Security Improvement Act (MSIA), codified at 46 U.S.C. § 70103(c)(3)(C)(v), expressly requires FSPs to “include provisions for detecting, responding to, and recovering from cybersecurity risks.” Importantly, this domestic law prohibits port facilities from operating in the United States without an FSP that addresses such cybersecurity measures.
This U.S. mandate is a hard law, both clear and enforceable. To meaningfully address known cybersecurity vulnerabilities across the world’s port facilities, the member states of the IMO should collaborate and amend Part A of the ISPS Code to include a similar mandate. By hardening the law in this way, member states can establish a consistent, uniform enforcement framework and thus begin to harden port facilities against cyberattacks.
Commander Michael C. Petta, USCG, serves as Associate Director for Maritime Operations and professor of international law in the Stockton Center for International Law at the U.S. Naval War College. The views presented are those of the author and do not necessarily reflect the policy or position of the U.S. Coast Guard, the Department of Homeland Security, the U.S. Navy, the Naval War College, or the Department of Defense.
This article appears courtesy of CIMSEC and is reproduced here in an abbreviated form. It may be found in its original form here.
The opinions expressed herein are the author's and not necessarily those of The Maritime Executive.