The United States Coast Guard (USCG) recently published its Cyber Strategy in response to what it perceives is one of the most serious threats to US economic and national security interests. Certainly, the USCG is not alone in this cause. Acting on calls from various maritime sectors, the International Maritime Organization has also recognized the threat to global maritime safety and commerce and is expected to review industry recommended guidelines at MSC 96 in May 2016.
The USCG Cyber Strategy may, however, be a major catalyst in forging a new standard of care. Relying heavily on its core operating concept of “Prevention and Response,” the USCG Cyber Strategy emanates from, and perhaps plugs holes in, the Maritime Transportation Security Act of 2002 (MTSA) enacted following 9/11. MTSA grants the USCG broad jurisdiction and authority over any “incident resulting in a significant loss of life, environmental damage, transportation system disruption, or economic disruption in a particular area.” The USCG’s position is that MTSA provides it with the authority to develop and implement a Cyber Strategy – in effect directing the formulation of best practices, or a new standard of care, for an organisation in managing cyber risks.
Together with MTSA, the USCG’s Cyber Strategy looks and feels similar to the “Prevention and Response” functions associated with the Oil Pollution Act of 1990 (OPA ‘90). For example, the Strategy obligates the USCG to collaborate with industry on cyber issues using Area Maritime Security Committees to provide recommendations for Area Maritime Security Plans (AMSP) and the National Maritime Transportation Plan (MTSP). OPA ‘90 established Harbor Safety Committees to help develop Area Contingency Plans and the National Contingency Plan. USCG officials charged with implementing the Strategy propose an organisation undertaking a “risk based assessment” in tandem with “performance standards” – terms all too familiar to those who recall OPA ‘90 rulemakings. USCG implementers also suggest that “exercises” might serve as a means to identify procedures necessary to respond to a cyber event for inclusion into an existing security, natural disaster, or environmental response plan.
They suggest that organisations designate responsible individuals and a team of specialists to assess cyber vulnerabilities and, if necessary, to respond to an incident. OPA ‘90 also involves requirements for drills and exercises, the implementation of Vessel (and Facility) Response Plans, and the designation of Qualified Individuals (which led to the creation of Spill Management Teams (SMTs) and Oil Spill Response Organizations (OSROs)).
While similarities to OPA ‘90 may exist, there are, at least for now, significant differences. First, the Cyber Strategy is just that: a strategy. It does not have the force of law – yet. The USCG, however, may soon formulate a Navigation and Vessel Inspection Circular (NVIC) offering “guidance” as to how cyber risk management fits into MTSA. Noncompliance with a NVIC is not a violation of law in itself, but it is often viewed as conduct below the accepted or expected standard of care. The Third Circuit recently opined that the lack of firewalls and other cyber security measures may be an unfair business practice by a hotel chain in violation of the Federal Trade Commission Act (FTCA), siding with the Federal Trade Commission even though the FTCA does not specifically require such measures. The Court acknowledged the agency’s interpretation of its authority under that statute. Thus, while MTSA itself is rather generic and does not specifically address cyber threats, non-compliance with a cyber-focused NVIC could serve as a basis for imposing civil or perhaps even criminal penalties, in addition to the liabilities or losses incurred from the underlying event.
At this juncture, it is clear that the USCG views cyber risk “prevention” and “response” as operational responsibilities of a shipping company’s management, not the responsibility of its IT department. Shipping companies will be expected to establish a reasonably viable cyber risk management programme, one that includes continuous assessment, coordinated planning, investment, benchmarking, training, and possibly risk transference (e.g. cyber insurance). Just as OPA ‘90 received focused attention on “prevention” and “response,” commercial maritime interests would now be best served to:
- assess and mitigate their potential cyber vulnerabilities related to network access and data protection (prevention); and
- consider and plan how to respond to a cyber event which might precipitate or run concurrent with a safety, security or environmental incident (response).
Whilst at present there is no requirement to adopt the suggested approach, it is likely that the US authorities will, in the foreseeable future, require cyber risks and security to be managed on ships trading to the US. Given the interconnected nature of modern technology, this means that shipping company systems that interface with a vessel will need to be secure.
The proposed strategy at least has the virtue of following the structure of OPA ‘90, which is well understood by ship owners. It may also be of use to those Members who are concerned about cyber risks by providing them with a ready-made framework for managing these risks.
Article contributors: Destinee Finnin (Clyde & Co), Joshua Quaye (Clyde & Co) and Max Bobys (HudsonAnalytix)
First published by North P&I Club online and in Signals