SAFETY4SEA: Your organization has been shortlisted for the 2018 SAFETY4SEA Awards in the ‘Initiative’ category alongside a number of other distinguished nominees. What is the background and the key drivers behind this nomination/shortlisting?
Mark Sutcliffe: The digital revolution has brought about a significant level of change in the way the maritime market works over a very short period. Huge benefits have been achieved in efficiency and cost savings, but also unfortunately new threats to the maritime community have emerged along with digitalization. Cyber-attacks are cheaper to perpetrate than piracy, theft or kidnapping, and they bring in greater rewards with little risk. The maritime community is not immune, neither is it as prepared to deal with immensely well-funded and resourced international criminals and even some State actors. Our industry needed one worldwide point to report cyber crime to, and so we sat down with Airbus, who have over 600 employees in their cyber division, to work on a solution - we crafted the Maritime Cyber Alliance (MCA).
S4S: How has your initiative influenced the industry’s landscape? What are the key areas of attention?
M.S.: We note US Department of Homeland Security and US Coast Guard policy letter dated 14 December 2016 gives guidance for reporting cyber security incidents on maritime transportation in the US. And even though the EU and some Asian Flags also have reporting requirements and places to report incidents, shipping operates worldwide and many Flags do not have their own incident reporting mechanisms. CIRM, the equipment manufacturers association, are drafting a code of practice to report and share information on cyber vulnerabilities. We are encouraging the same process throughout the whole maritime industry. We have received our first cybercrime reports direct from ships, so a proof of concept, which recognitions from shortlisting in your awards will help boost.
Finally, the interactive nature of the platform will come to the fore as we build functionality, listening to member needs to deliver a range of new features: sharing ideas through cyber chatter among members, creating groups for developing best practice as well as news, reviews and cyber lessons learned shared in the community. This builds an effective support tool for the hard pressed Company Information Security Officers, which can be enhanced with more features that they collectively need. For example, an online conference facility and cyber threat alerts by text and email.
S4S: Do you have any new projects on the pipeline and/or plans, related with your safety performance that you would like to share with the industry?
M.S.: We are working on a PFSO Alliance which will deliver security process efficiencies between Port PFSOs and Ship Owners’ CSOs and their crews, so that we work as one on the issue of reporting and combatting crime in ports, anchorages and at sea. The Company Information Security Officers (CISO)of Ports, Ship Owners and the wider maritime supply chain will be served through the Maritime Cyber Alliance, with a focus on encouraging the reporting of all cyber crime, sharing the lessons learned and helping to shape best practice. All the communities are based on one technology, with shared management and intelligence team: CSOs in CSO Alliance, PFSOs in PFSO Alliance, CISOs in the Maritime Cyber Alliance.
S4S: If you could change one thing about the shipping industry, what would it be and why?
M.S.: The shipping industry has a culture of not wanting to share their crime incidents for fear of ruining company reputations and/or not wanting to give a competitive edge to its competitors, hence the culture of keeping it in house. This needs to change to prioritise the safety of all seafarers.
Early reporting enables alerts to be sent out so steps can be taken to reduce the propagation rate of malware or secure networks.
We therefore encourage anonymous reporting. We split the reported information to servers in different countries using an anonymizing reporting centre. This enables heavily encrypted data of the crime report and the identity of the reporter to be split and distributed between 3 servers in different legal entities in 3 different jurisdictions and with different legal and privacy systems. The original data, including the ID of the reporter, is then destroyed after the data is split.
We have as inception partners leading Flag State (Marshall Islands), Class (DNVGL), P&I (North P&I), War Risk (DNK) and Hull Insurance (Norwegian Hull Club) and we are talking to other industry supporters as we mobilise the industry behind CSO Alliance, which has been trading for five years, and includes the new Maritime Cyber Alliance.
If we all report physical and cyber crime in real time we can get ahead of the highly organised and well resourced Maritime and Cyber Criminals. It is within our grasp, it is our focus and we believe by providing the leadership, sharing and supporting this crime reporting culture change we can make a tangible difference.
S4S: What is your key message for enhancing the safety culture ashore and onboard?
M.S.: Even for the Flags that currently require reporting of incidents, the end result to date has been very poor, and the real volume of reported incidents remains unknown. There are many reasons for this: victims fear for company reputation, the possible risk of Insurance premium increases, ships considered un-seaworthy and thus insurance claims refused, possible reprisals for the individual reporting the event or simply because it might cause administrative delays and a reporting burden on already overworked crew.
It is recognized by all that there is a lack of data on cybercrime available, for ship owners and operators, ports, insurers, flag states and classification societies, to be able to assess the level of threats and risks, mitigate attacks, improve overall safety, and be able to take remedial action. This will significantly improve safety ashore and at sea as we rapidly develop, update and share best practice. To be effective in combatting crime, timely and verified information needs to be available in a single worldwide platform. In short, 'Security though Community’.
You may cast your vote for CSO Alliance at 2018 SAFETY4SEA Awards dedicated webpage till 7th of September 2018!
The views presented hereabove are only those of the author and not necessarily those of SAFETY4SEA and are for information sharing and discussion purposes only.