Seminar by Zaid HamzahCEO, Asia Law Exchange www.asialaw.exchange

Associate Director, Cyber Defence Academy www.cyberdefence.academy

Email: zaid@alxlaw.comMobile: +65-93705982 (whatsapp preferred)

24 June 20191

Outline1 Overview

Hacking demo (by www.antihack.me)2 Changing Strategic Context3 Nature of Autonomous Shipping

▪ Automation▪ Big data analytics & AI

4 Cybersecurity Challenges5 International law on cyber conflicts6 Q&A

2

Video by Massterly

https://www.youtube.com/watch?v=EF_wc1OmooE

3

Issues: National Security (risk-based) Perspectives

1. What is the role of international law when nation states carry out cyber attacks in maritime conflicts?

2. Are existing norms adequate to deal with potential cyber military conflicts at sea involving nation states?

3. What kind of regulatory framework needs to evolve at the national jurisdiction pecific levels to help create a trusted and resilient international regime that can prevent maritime cyber conflicts?

4. How should international maritime law evolve to deal with increasing geo-strategic cyber risks?

5. How can regional organisations, such as ASEAN, and international bodies, like IMO, ITU prepare for the future of autonomous shipping?

4

Other Legal Issues (not for today…..)

•UNCLOS & other International Maritime Law

Note

Seaworthiness and Cyberthreats• Issue: Is a vessel ridden with viruses seaworthy?• Legal liability for spoofing or jamming•Downstream liability

5

Source: https://www.rolls-royce.com/6

IMO: 4 degrees of autonomy:Degree one: Ship with automated processes and decision support:

Seafarers are on board to operate and control shipboard systems and

functions. Some operations may be automated and at times be

unsupervised but with seafarers on board ready to take control.

Degree two: Remotely controlled ship with seafarers on board:

The ship is controlled and operated from another location. Seafarers are

available on board to take control and to operate the shipboard systems

and functions.

Degree three: Remotely controlled ship without seafarers on board:

The ship is controlled and operated from another location. There are no

seafarers on board.

Degree four: Fully autonomous ship: The operating system of the ship is

able to make decisions and determine actions by itself. 7

8

9

Rolls-Royce teams up with Google on AI-driven ship awareness

10

Big Data & Predictive AnalyticsArtificial Intelligence• Machine Learning• Deep Learning

Source: https://www.rolls-royce.com/

11

12

https://www.oneseaecosystem.net/one-sea-autonomous-maritime-ecosystem-introduced-roadmaps-autonomous-shipping/

Photo credit: Rolls Royce

Cybersecurity13

Cybercrime, Cyberterrorism

& CyberwarInternational law

National Law

International Relations & Diplomacy

14

Perpetrators

1. Criminal organizations

2. Pirates

3. Terrorists

4. Rival commercial entities

5. Nation states & other political actors

6. Insiders (corrupt employees, rogue employees)

7. Hacktivists

15

Systems at risk1. Systems on board vessel (communication, navigation,

loading)

2. Navigation data in the cloud

3. Systems at ports

4. Computer systems of maritime entities (on shore)

5. Laptops (work & personal)

6. Smart phones

7. USB keys

16

Motivations

1. Political motivations

2. Financial crime gains

3. Hacktivism to push an agenda

4. Employee grouses

17

Cyber Attacks in Maritime Scenario

1. E-Navigation• GPS, AIS, ECDIS

2. Spoofing • False information sent

3. Jamming• Block GPS signals

18

19

Cyber war &

International Law

20

Cyber Defence & Cyber Offensive Postures

Types of International Law

2 basic types of international law:

a) “Treaty Law”: formal agreements among states to be legally bound

b) “Customary International Law”: general & consistent practice followed out of a sense of obligation

Cyber Attacks and Cyber Warfare

1. Well-established body of international law regulating armed

response to physical/kinetic military attacks against states

2. Also a well established body of law regulating kinetic military

attacks once conflict is underway

3. To what extent, if any, do those rules apply to cyber attacks?

– May a state respond to cyber-attacks with military force?

– Must cyber-attacks comply with rules of distinction,

proportionality, etc.?

23

Challenges

1. Attribution

2. Burden of proof

3. Digital evidence 1. Fragile

4. Legal basis under international law

24

Cyber Readiness

1. Understand cyber threats

2. Assess risks of cyber threats

3. Reduce/Mitigate the risks1. Cybersecurity Audit

2. Penetration Testing

3. Physical Security Assessments

4. Develop contingency plans to respond to cybersecurity incidents

KEY REQUIREMENT

1. Establish Governance, Risk & Compliance Framework• Be secure, vigilant & resilient

• Balance people, process & technology

2. Readiness Program esp stress testing

25

Q & A

26