Africa can’t risk a major maritime cyber attack

First published by ISS Today

Cyber attacks against African maritime infrastructure threaten the continent’s recovery from Covid-19 and its long-term development and security aspirations. According to maritime cyber defence company Naval Dome, 310 incidents affecting maritime industries were recorded worldwide in 2019, a huge jump from 120 in 2018 and 50 in 2017. No data is available yet for this year, but the figure is expected to reach 500 incidents in 2020.

The spectre of attacks that might disrupt and disable critical maritime infrastructure exists against a backdrop of rapid digitalisation as ports and shipping companies increasingly rely on new information and communication technologies. While this improves efficiency, it also exposes them to cyber threats.

About 90% of Africa’s trade is seaborne, making the continent dependent on well run ports and shipping, and effective protection of its maritime resources. Digitalisation will make African infrastructure a high-risk target and the impact of cyber attacks could be severe.

A recent Institute for Security Studies (ISS) report examines how cyber security is fast becoming an integral part of Africa’s maritime security needs. This new area must receive greater attention and collective action from African states, the ISS argues.

Cyber security is not the work of one country alone, which gives the African Union (AU) a leading role in facilitating maritime security capabilities in its member states. The AU made a positive start in 2014 when it adopted the Convention on Cyber Security and Personal Data Protection (the Malabo Convention). The continental body also included cyber security as a flagship project in its Agenda 2063 plan.

These efforts won’t however be enough to protect Africa from the kinds of maritime cyber attacks recently reported in other parts of the world. A notable incident occurred on 30 September when the information technology systems of the International Maritime Organisation (IMO) were targeted. The IMO’s website was shut down for two days but fortunately, no severe damage was reported.

The attack is highly symbolic, as it comes mere months before an important IMO resolution enters into force on 1 January 2021. The MSC.428(98) resolution is the first attempt to create minimal international standards for states and the shipping industry around maritime cyber security. The resolution emphasises standardisation and a holistic and collective approach.

According to the 2019 maritime cyber security survey conducted by Safety at Sea and international shipping association BIMCO (the Baltic and International Maritime Council), most incidents involve phishing and malware, not a targeted hacker attack. These incidents most often affected information technology system function or caused corporate data or financial losses, but didn’t disrupt the vessel control systems.

The nature of the maritime cyber environment gives rise to some troubling scenarios. There are concerns that hackers may work with criminals or pirates to mislead a radar display or undermine a ship’s navigational system to hijack the vessel. These have so far proven to be worst-case hypotheticals.

A recent study by Cambridge University’s Centre for Risk Studies suggests that a coordinated cyber attack on Asia-Pacific ports, if it were to occur, could cause over US$110-billion in damages. The widespread reverberations of such an incident would seriously disrupt international trade. The report emphasises that the global economic system remains largely unprepared for such events, which are likely to increase in probability.

A similar incident actually occurred in 2017, with global repercussions. Maersk, the world’s largest container ship and supply vessel operator, suffered approximately US$300-million in damages. It had to halt operations at 17 of its 76 terminals worldwide. The global scope of the impact – much of it collateral – is reinforced by the fact that Maersk was not the intended target of the cyber attack.

A similar incident targeting or collaterally affecting African ports would be devastating, especially as the continent struggles with Covid-19 and related socio-economic recovery policies. As Africa undergoes a digital transition, a major disruptive maritime cyber attack is arguably becoming just a matter of time.

The interconnected nature of economies and infrastructure means states cannot pursue cyber security in isolation. The Southern African Development Community, the Economic Community of West African States and the Common Market for Eastern and Southern Africa have policies that define the scope, nature and parameters of cyber-related risks. African states should pursue a collective approach through these regional economic communities.

African countries also need to catch up with global awareness and mitigation efforts. Only eight states have ratified the Malabo Convention since 2014 and many lack the legislation to provide cyber security. The AU’s role in raising awareness is central. Maritime cyber security should also be integrated into the African Peace and Security Architecture roadmap, and be included in the review process of the 2050 Africa’s Integrated Maritime Strategy.

African states have the advantage of being able to prepare for the inevitable. This is no grounds for complacency though, as the failure to prepare and plan can seriously undermine Africa’s development aspirations. DM

Denys Reva is a Research Officer, Peace Operations and Peacebuilding, ISS Pretoria.