On 7 November 2017 LKA’s Erik Klinkhamer and David van Bemmel attended a very interesting, on-topic yet diverse seminar hosted by VHT in Bremen. The theme of the seminar was cyber risks in shipping, nowadays a much-discussed topic in transportation but seemingly still a lightly taken subject in transport law. The seminar – and developments in the market – give food for thought.
Here’s the news: cyber hacks WILL be among the casualty causes in the near future and WILL potentially affect the seaworthiness and cargoworthiness of vessels.
First of all, unmanned vessels are beyond the drawing board; they shall sail the seas within the coming years. The Norwegian shipping IT firm Kongsberg Maritime has developed an actual test plan. Rolls-Royce is likewise investing in autonomous shipping and has set its sights on national implementation of robotic shipping before planning to accommodate long-range vessels. These are just two examples of the supercool and hands-on utilization of technology in bids to raise efficiency in logistics, with the added side effects of lowering costs and providing cleaner transport.
Although the vessel of the future is probably rather more sexy than the present bunker-fueled and live-manned vessels at sea as you read, the cyber threat has been recognized to potentially affect the less sexy sort as well.
Maritime organizations and stakeholders have implemented a number of schemes in order to raise awareness and to push interests to adapt risk management frameworks. IMO’s Maritime Safety Committee’s last on topic resolution was adopted on 16 June 2017. This resolution serves to include adequate cyber risk management to the ISM Code as per 1 January 2021, which adequate rules are laid down in IMO’s 5 July 2017 Guidelines on Maritime Cyber Risk Management. Stakeholders such as BIMCO, INTERTANKO and IUMI have issued their own Guidelines on cyber security onboard ships next to raising awareness in blogs, newsletters and hosting seminars.
‘Alteration of Risk’
The threats are real: in 2015 Kaspersky (an anti-virus and cyber security provider) branded the maritime sector as ‘easy meat’, identifying threats in relation to freight rate influencing, container theft and smuggling. During VHT’s seminar a representative of the German Naval forces mentioned investigations into GPS influencing. Both parties hold piracy of both manned and future unmanned vessels to be real threats.
Whereas many of the abovementioned initiatives seek to alleviate cyber threats, real initiatives towards handling casualties as a result of cybercrime are not apparent as of yet. And this is exactly the point: when do ‘we’ come to realize that only parallel initiatives to undertake to tackle lack of knowledge and legal certainty can create the safety net necessary to deal with the problem?
We shall have to look for answers rather sooner than later. Just opening one standard work on carrier’s liability brings up many issues that are all mere examples but very apt to difference in argumentation and as of yet insufficiently outlined in a legal context. To name a few issues:
- in 2008 it was argued that the period to exercise due diligence ought to cover the vessel’s voyage itself. IMO’s Guidelines’ implementation into the ISM Code should have that effect. The ISM Code regards ship operators first and foremost. And even though the abovementioned 16 June 2017 Resolution broadens the regarded parties, the Resolution aims at the organizations at stake and not primarily at cyber targeted vessels. In a legal spectrum where the carriers are hardly ever owners/operators, I fail to see how the carrier can safeguard the cyber security of a vessel against its contractual counterparty. This WILL be a problem in jurisdictions where seaworthiness of the vessel is an absolute warranty re cargo interests.
Yes, yes, arguments are abundant, but an answer there is not;
- the concept of what is seaworthiness itself ought to be revised. Whereas the most simplified concept of seaworthiness is that the ‘boat shall float’ (alright, there’s a bit more to that...), it is unthinkable that a vessel that can be made fully inanimate can be considered to be seaworthy. Or it’d be a legal tragedy.
I am aware that vessel systems can still be operated manually. But one does wonder about ‘leaks’ aboard vessels in view of cyber threats;
- does not the concept of cargoworthiness relate to the above revision of the concept of seaworthiness? I imagine e.g. affected stability systems, affected pump systems and the earlier mentioned GPS hacks bring the two concepts back together. Semantics, yes, but also real threats to legal positions;
and, an interesting one
- should liability of interests for cyber affected vessels be exonerated in the relevant conventions? Can it be? Or are we facing such substantial and unforeseeable expansion and alteration of risk that there is no real undertaking that would prevent a cyber risk from affecting a vessel? What we know of cyber security now, is that every security can be hacked.
Catch all clause? Doubt the effectiveness. Piracy, terrorism? That’ll be a forgotten argument soon. Act of Cyber?!
The problem is apparent in both the Hague-Visby Rules and the not yet implemented Rotterdam Rules. I feel – at least in my jurisdiction – that the rather slow legislative process in the Netherlands ought to have provided chances to at least discuss amendments or supplements to exoneration grounds.
And, outside of the scope of the abovementioned book:
- how do we look at limitation of liability? Do cyber risks alter the ancient maxim that one only ought to lose that what he has trusted to the sea?
I feel that the adoption of the 1996 protocol to the LLMC (Convention on limitation of liability for maritime claims, London 1976) in 2012 could have been a great kick-off event to at least start research into the breadth of art. 4 LLMC on barring limitation of liability as a result of personal act or omission of any one of the limitation entitled parties.
It is not a question of whether cyber risks shall affect us, but rather when and where they shall occur. And there’s a constant risk alteration at stake. In the midst of a tech revolution no one can truly identify the risk potential, which makes it nearly impossible to estimate both the real threat and the threats involved for the legal actors.
Next to adaptations to the ISM Code, we need adaptations to legal carrier-shipper frameworks that both provide a certain – high – duty of care for the cyber security of the vessel itself towards cargo interests, but also protects carriage interests when a vessel is directly targeted.
As a Rotterdam advocaat I am not afraid to admit it. I do not mind a good Lawyer’s Paradise now and then. But Paradise should not be built on a minefield. Or be overgrown by thick bush. This is why we need to be agile: we as a professional group need to study the phenomenon, learn from it, adapt our ideas to it and embrace it as a more and more common phenomenon within the ‘ordinary’ range of risks to legal actors. The market needs that knowledge and legal certainty.
Whereas my firm and I cannot yet provide the legal certainty, I understand the above criticism imposes some responsibilities on the criticaster. I have therefore sought and found the adequate advisors with non-commercial research and professional IT backgrounds that are willing to discuss with us on topic and are available to assist for advisory purposes.
Best contact your preferred Dutch lawyer to discuss, contest or rebut!
 N.J. Margetson, The System of liability of articles III and IV of the Hague (Visby) Rules, Zutphen: Uitgeverij Paris 2008