What could be worse than being a captain out on the open sea worrying about pirates?
Being a captain having to worry about pirates waiting around the next bend—or pirates far away, but about to launch a cyberattack! Former journalist David Rider, based in the U.K., knows about both. In 2009, he helped set up a maritime security company, and he began writing and editing articles on piracy. That evolved into intelligence analysis, which in turn led to cyber and information security. This is his main focus now, though he did help the authorities capture a dozen pirates last year by passing along a tip from an old source in Somalia, along with key information he dug up on the pirates. The lessons he has for lawyers everywhere are the importance of the EU’s General Data Protection Regulation (GDPR), which takes effect on May 25, and the value of alliances—within industries and with the government—in mitigating cyber risks. He says that those alliances are “where the U.K. is currently ahead of the game.”
Legal BlackBook: What is the CSO Alliance, and how and when did you get involved?
David Rider: CSO Alliance was created in 2013 by two men in the shipping industry. One was a chief security officer who had enjoyed meeting up with his peer group at events and conferences, and realized how valuable this was. There was no real forum for CSOs to meet and swap ideas and best practices. As a result, the CSO Alliance was born. I joined them later that year as intelligence consultant and content editor for the website. The site itself is a very secure online platform for crime reporting, with group areas for members to discuss topics relevant to their specific sector with other CSOs in that same area. My job is to maintain the site’s content and ensure that all crime reports are verified. We want to make sure that we don’t conflate problems and that we present only the best information available.
LBB: And that has led to a second alliance, hasn’t it?
DR: The Maritime Cyber Alliance is a joint project between Airbus, CSO Alliance and our technology partner, Wididi. The venture with Airbus is a natural affiliation between transport industries that have much in common. The platform is still in its pilot stage at present, but offers an anonymous cyber crime reporting system and specific Airbus tools, such as the ORION malware checker. We’re also running an e-learning GDPR Awareness Course, in partnership with Templar Executives, a U.K. infosec specialist. Our hope is that we can educate the shipping industry and offer a clear guide to GDPR. My job is to keep the site’s content up to date and make sure that new incident alerts are sent out when needed. We’ve already had one anonymous report from a vessel at sea, which was effectively paralyzed for several hours following a malware infection. We’ve also received reports from ship brokers regarding attempted email fraud and reports from P&I clubs [protection and indemnity mutual insurance associations] regarding fraud attempts against their members.
LBB: The EU’s Network and Information Systems (NIS) Directive is going to take effect in May. Very briefly, what is it, and is there any comparably robust regulation in the U.S. or elsewhere?
DR: I’m not sure of any legislative parallels in the U.S. Essentially, the NIS Directive is a huge, daunting piece of legislation that aims to mitigate risk management and incident reporting across two types of business: critical infrastructure (which has a very wide definition here) and digital service providers, an almost deliberately vague term that encompasses everything from online marketplaces to search engines. Hopefully, the legislation will work as planned and ensure that companies report incidents in a much more timely manner than we’ve seen in recent months and years. Then incidents such as NotPetya won’t happen on the same scale, because more companies will be made aware of it sooner.
LBB: What is the importance of alliances? Do they really mitigate cyber risks?
DR: The CSO Alliance motto is “security through community,” and we believe that it works. It’s interesting to see it in action. We’ve held workshops around the world over the last couple of years, and when you see two or three people all realize that they’ve been subjected to the same attack vector or crime, and then you offer a simple solution, such as timely information sharing, the light bulbs above heads all go on. In the cyber field, it absolutely works. Making members aware of any given threat or malicious campaign means that we simply reduce the risk of it spreading and causing more damage. You only need to look at the costs that [container shipping company] Maersk absorbed last year to get an idea of how useful and valuable that is.
LBB: What about regulations? In addition to the NIS Directive, the GDPR will also take effect in May. Do they really make us safer?
DR: If you know anything at all about data protection, then you know you’ll never be truly safe, short of never going online and throwing away your cellphone. We’ve all left digital footprints behind us. GDPR will hopefully go some way to closing a few doors and loopholes. However, anyone watching the news in the last month will appreciate what a massive task that is, as well as just how much metadata we all leave behind us. GDPR is also a massive hoop to jump through. If you don’t think it applies to you or your company, check again. And then again. The fines for noncompliance are eye-watering, and GDPR affects so many different business types, it’s simply not worth sticking your head in the sand. Anyone with a marketing mailing list will need to take a long, hard look at whether they’re going to be affected.
LBB: You wrote an article in which you conjured up a captain’s worst nightmare: You’re at sea, and all of a sudden you’re not in control of your own vessel. You’re being steered into port—and into the waiting arms of a band of pirates. Has a cyberattack like this ever happened?
DR: That’s a very interesting question. I’ve seen no conclusive report to that effect, although a cellphone network provider suggested in a report that it had happened a couple of years ago. I did an awful lot of digging, given my involvement in counterpiracy, and came up blank. I’d have to ask why pirates would do it, when they’re perfectly capable of taking a vessel themselves at sea, and just what sort of logistics they’d require to secure a port and transport for any cargo they wanted to steal. It’s a curious claim. However, we recently received a report from a vessel that was hit by a malware attack at sea as a result of poor bring-your-own-device (BYOD) security. The vessel lost all navigational control and had to drop anchor to reboot its systems. The estimated financial loss of that delay was $40,000. Who needs pirates?!
LBB: What have been the cyber events that have gotten the attention of your industry?
DR: Without a doubt, the biggest was the Maersk incident. I think the shipping industry as a whole had been happy to regard cybersecurity as someone else’s problem—until that happened. Then the industry began to appreciate just how many other systems and knock-on effects there were. And the cost to mitigate it, as much as $300 million, should be enough to make most boardrooms break out into a sweat.
LBB: Are there special vulnerabilities that set your industry apart from others?
DR: I think it’s the same as other, non-high-tech sectors. Legacy systems and outdated, underpatched software are an issue, certainly, but awareness training is the key. Shipping is an incredibly time-sensitive industry, where the smallest delay can have a huge financial impact. Seeing terminals and ports close because of NotPetya last year had a sobering effect, I think.
LBB: What steps does your alliance advise companies to take to protect themselves?
DR: Patch. Train. Patch again. The main problems are older computer operating systems and a lack of investment from companies that didn’t realize what risks they were taking. That’s changing now, as GDPR and NIS heave into view, and companies appreciate that they can’t afford to cut corners. Key to everything, though, is staff training and awareness. So much cyber crime comes via the head office, from CEO fraud, phishing and malware. Having good systems in place to check those—both physical and software—means that firms are far more resilient.
LBB: Let’s talk about the lawyers. What role do in-house lawyers at maritime companies play in this area?
DR: Lawyers are going to be absolutely crucial in the coming months as the new legislation comes into force. There’s still a huge knowledge gap, which can really only be filled by skilled lawyers who have grasped the magnitude of the issues facing commercial operators. I think we’ve traditionally seen a situation where CISOs [chief information security officers] and CSOs have made the board aware of a threat, but it’s only when counsel agree that it’s taken seriously. I think a lot of lawyers are going to be kept very busy this summer.
LBB: Do you think they’re playing active roles at their companies? Are their companies using them effectively?
DR: That’s hard for me to say. The lawyers I know in the infosec space are very diligent, but there’s an element of “we told you so” as well. They’ve warned about the dangers for a long time, and now those dangers are more apparent. A company lawyer is often only listened to when things go badly wrong, I suspect. Now, the tide is turning, and their advice is being taken on board by the management teams.
LBB: Are there lawyers involved in this work at the Alliance?
DR: We don’t have in-house counsel at the Alliance, but we do have access to the excellent legal team at Airbus, who work hand in hand with Airbus Cyber to deliver solutions. So far, we haven’t had to trouble them!
LBB: What are the big legal issues in cybersecurity right now?
DR: It’s definitely the impact of GDPR, simply because it asks so many questions about how personal data is used, stored and given out.
LBB: What do you see in your crystal ball as far as legal issues are concerned?
DR: Well, once the current legislation is in place, I expect we’ll see cases challenging data use and compliance. I’d advise lawyers to keep a very close eye on the current investigations into Facebook, Cambridge Analytica and associated companies. Using personal data for areas other than those agreed to by the user is going to become an even bigger minefield in the coming months.
LBB: What can lawyers from other countries and industries learn from the experience of the U.K.’s maritime industry?
DR: I think the main thing would be that keeping the C-Suite and the board informed of the latest major incidents and possible ramifications for their business is key. Where the U.K. is currently ahead of the game is in linking government and the security agencies together with industry. We’re seeing some good initiatives emerge from the recently formed National Cyber Security Centre, set up by GCHQ [Government Communications Headquarters, the British intelligence and security agency]. They’re working with industry to ensure resilience where needed, and they have worked with the U.K.’s Department of Transport, which covers the maritime sector, to reinforce best practices. Lawyers elsewhere can do similar things with law enforcement agencies in their sectors, making sure that company policies are aligned with the government and best practices so that all these risks are reduced.