COVID-19 digitization in maritime: understanding cyber risks

Jun 2021

Digitization is reshaping the maritime industry which is under increasing pressure to transform. Technology is more common as it offers improvements and carves out early adapters as more competitive. COVID-19 hastens digitization and creates new digital opportunity structures which increase cyber risks. Cyber attacks, which can cripple critical systems and services at significant cost, motivate stakeholders to engage with these risks. This paper reviews current events and introduces an exercise where participants at a NATO Centre of Excellency were shown scenarios involving maritime cyber incidents and evaluated on cyber risk perception. Our findings lend insight on how to assess group cyber risk perception—and how this impacts response. They highlight the need to plan for cyberspace operations and ground cyber risks as an intricate governing factor in maritime.


WMU Journal of Maritime Affairs (2021) 20:193–214
https://doi.org/10.1007/s13437-021-00235-1

Kristen Kuhn (1) · Salih Bicakci (2) · Siraj Ahmed Shaikh (1, 3)

(1) Systems Security Group, Institute for Future Transport and Cities, Coventry University, Coventry, UK
(2) Department of International Relations, Kadir Has University, Istanbul, Turkey
(3) Security, Risks Management and Conflict, Research Group, Universidad Nebrija, Madrid, Spain

Received: 2 December 2020 / Accepted: 8 April 2021 / Published online: 22 June 2021
© World Maritime University 2021

Keywords: Cyber risk perception · Decision-making · Maritime security

1 Introduction

In October 2020, the International Maritime Organisation (IMO) tweeted: “The interruption of service was caused by a cyber attack against our IT systems” (International Maritime Organisation 2020). This attack had serious implications, coming at a time when the IMO was under intense scrutiny, working to bring attention to the global crew crisis, and—ironically—asking its members to enforce IMO 2021, a resolution requiring ship owners to invest in cybersecurity (Konrad 2020). The IMO was the second major shipping organization to be hit by a cyber attack that week, and the fifth high-profile attack in 2020 (Twining 2020a). It came 3 days after shipping giant CMA CGM reported a ransomware attack (Shen and Baker 2020). The logistics company Toll Group was also hit by two distinct ransomware attacks, in January and in May 2020 (Reynolds 2020). Mediterranean Shipping Company (MSC) suffered a malware attack at its Geneva headquarters in April (Twining 2020b). Lallie et al. (2020) suggest the surge in attacks this year is a result of the mass disruption worldwide caused by the pandemic, while Pandey et al. (2020) point to increased reliance on digital services due to COVID-19.

The global COVID-19 lockdown of 2020 disrupted the world economy. It led to a rapid uptake of digital communications and trade that will have a lasting impact, and which comes with an increase in cyber risk. This is no more vivid than in the maritime sector, where the global shipping industry relies heavily (and increasingly) on technologies that do not ship vulnerability-free.

Understanding maritime cyber risk is a challenge because it is a complex and evolving risk that affects trade, geopolitics, and security. We explore cyber risk and, in particular, why cyber risk perception is a key factor but also a difficult one to grasp. This is done using a game-based method, which includes a structured, scenario-driven exercise through which we assess participant response to three hypothetical cyber incidents. We draw insights on cyberawareness and implications for practice from a pre-exercise survey, scored exercise responses and post-exercise discussion.
In June 2020, the North Atlantic Treaty Organization (NATO) issued a statement (North Atlantic Treaty Organization 2020) condemning cyber attacks inflicted amidst the ongoing global health pandemic. NATO, an intergovernmental military alliance that extends to the maritime domain, must address COVID-19 and its cybersecurity significance. Yet, some argue its members lack a shared situational awareness on cyber threats (Lété and Pernik 2017), which may hinder collective response. This has much to do with risk perception. In this context, our research is motivated by the question: How can cyber risk perception be assessed effectively? Further, do work experience and cybersecurity expertise affect incident response?

To address these questions we developed a cybersecurity decision-making exercise which was conducted at a March 2020 NATO training course at the Centre of Excellence Defence against Terrorism (COE-DAT). Using scenarios that range over maritime cyber incidents, we examine the cyber risk perception of 68 participants from 29 states. This group had significant military/public sector experience and varied cybersecurity expertise. Effective assessment of cyber risk perception was done by calibrating risk in a group setting. Results indicate that as incident impact rose, group response favored private sector responsibility and visibility, but not urgency or directness. From this, we explore collective risk perception—tendencies which characterize NATO security culture. We then discuss implications for practice and interpret findings in the context of COVID-19. Our approach demonstrates collective risk perception is a key aspect of proactive decision-making, and can be not only measured, but improved significantly through iterative learning.

1.1 Our contribution

This exercise is a capacity building tool for maritime organizations, trialled successfully in a small setting.
It fosters preparation for the secure use of cyberspace in the maritime environment. Further, it addresses a key disconnect in crisis response, by sharpening technological skills and decision-making, when “NATO table-top exercises at the political strategic level are not sufficiently linked to the technical cyber level” (Lété and Pernik 2017). We offer insights into how such exercises can build capacity and the need for joint response. While the exercise was delivered at a training course at COE-DAT as a tool to raise awareness, it also led to insights on how to assess the cyber risk perception of a group—and how these perceptions impact the nature of response. The findings presented in this paper were processed from a pre-exercise survey, scored exercise responses, and a post-exercise discussion.

The rest of this paper is organized as follows: Section 2 investigates COVID-19 and its implications for maritime cybersecurity, and explores maritime cyber risk. Section 3 introduces NATO as a case study and presents the Center of Excellence Defence against Terrorism (COE-DAT). Section 4 details our methodology which includes the development of a structured, scenario-driven exercise through which we explore cyber risk perc (...truncated)


This is a preview of a remote PDF: https://link.springer.com/content/pdf/10.1007/s13437-021-00235-1.pdf
Article home page: https://link.springer.com/article/10.1007/s13437-021-00235-1

Kuhn, Kristen, Bicakci, Salih, Shaikh, Siraj Ahmed. COVID-19 digitization in maritime: understanding cyber risks, 2021, pp. 193-214, Volume 20, Issue 2, DOI: 10.1007/s13437-021-00235-1