This research paper explores how to develop a Geopolitical Strategy in Maritime Cyber Security. The purpose is to give indications to shipowners whether national cyber security strategies can present a risk for their business in a context of geopolitical instability.
The paper was written by Aude Chocard during her internship with BIMCO’s Regulatory Department. Her work was supervised by BIMCO's Chief Safety & Security Officer Jakob Larsen.
The paper elaborates on the following key findings:
Digitalisation is transforming the shipping industry on a global level. Modern ships have become interconnected, and maritime stakeholders use complex technologies that involve multiple third parties from all around the world. From then on, external vendors are in control of IT systems used on board and on shore. A shipping company will rely on their services, which creates dependencies with the vendors.
Therefore, those IT systems can present geopolitical cyber vulnerabilities. Existing cyber security weaknesses because of systems that are not adequately secure, are more likely to be exploited in a tense geopolitical context. Cyber security threats arise when hackers have the capability but also the intent to intentionally harm the company's business, whether the company is targeted or indirectly affected through its suppliers.
This framework will give an overview of the status of international relations in the maritime sector and help to assess cyber geopolitical risks. Considering the technological competition between China and the US, it is essential to consider their national strategies, resources and allies. Companies from distinct countries that operate together can imply rivalries and opposite requirements at a higher level. There is a possibility that governments and proxy groups take advantage of commercial relations in their own interests and leverage data from critical digital elements. Following their own jurisdictions on software, cloud storage or AI, States could also threaten to suspend the provision of digital services to achieve geopolitical ambitions. Dependencies and hostile intents increase the likelihood of a cyber geopolitical event will occur.
To anticipate cyber-attacks and geopolitical conflicts, a shipping company should establish its profile based on commercial and geographical characteristics but also by identifying the jurisdictions they follow. Then, the company needs to check compliance with its vendors, diversify the suppliers to avoid dependencies, and identify the people responsible for maintaining its systems. Assessing the risk also goes through a risk acceptance profile to determine the extent to which a risk is acceptable and if cyber security policies are considered as sufficient.
Contact Us
