By: Malach Goldberg
With an estimated 80% of the world’s goods being transported by ship, valued at more than fourteen trillion U.S. dollars as of 2019, the global maritime shipping industry is a crucial component of the global economy. One of the world’s oldest industries, maritime shipping has historically been slow to adapt to new technology, but recent years have seen massive technological advances. However, technological innovation has outpaced enacted legislation and could jeopardize maritime national security. One major area of concern is Maritime Autonomous Surface Ships (MASS), which are vessels that operate with minimal or no human intervention. Recently, the United States of America amended its regulations through Executive Order 14116 to safeguard conventional vessels and the water facilities of the United States, but did not directly address MASS. Rather, the Executive Order laid the groundwork for responding to unspecified cyber incidents and for how Captains of the Port should act in response. Similarly, the United States Coast Guard is proposing updates to its regulations that would establish minimum cybersecurity requirements for U.S.-flagged vessels. While there are references to the liabilities of autonomous maritime vessel technology, there are no specifics on how the cyber threats faced by MASS can be disrupted. On an international level, the United Nations’ (U.N.’s) International Maritime Organization (IMO) is responsible for drafting regulatory frameworks with global input; however, the U.N. lacks enforcement powers. The national security threats posed by this gap in governance are immense, as interactions between MASS and conventional ships remain unregulated, creating potential dangers for all parties involved.
The heightened risk that MASS face stems directly from their underlying purpose—to automate the industry by removing the need for human crews onboard to navigate the ships safely from port to port. As autonomous shipping relies heavily on information technology systems to maintain a communication link from ship to shore, potential cyber-attacks look to exploit that link by any means available. These concerns are not unique to MASS as autonomous road vehicles share many similar concerns. The United States House of Representatives introduced H.R.3711 – SELF DRIVE Act in 2021, which requires manufacturers to develop written cybersecurity plans before offering vehicles for sale and requires certifications by the Department of Transportation. Since this bill lived and died in the 117th Congress, a hearing was held by the Energy and Commerce Committee in July 2023 to introduce a new draft of the SELF DRIVE Act to the 118th Congress. Additionally, the Department of Commerce’s Bureau of Industry and Security (BIS) published an advance notice of proposed rulemaking (ANPRM) which looks to regulate production of information and communications technology and services that are subject to jurisdiction of foreign governments, including the autonomous capabilities of connected vehicles. The BIS ANPRM focused on the novel national security threats that may be posed by foreign government influence during the development and manufacturing process of connected vehicles.
While the SELF DRIVE Act can be used as inspiration for what MASS legislation could include, there is a need for stronger oversight components given the economic impact and scope of MASS. While regulations do not specifically cover the use of MASS, current regulations for conventional ships can be applied, to an extent. The Convention on the International Regulations for Preventing Collisions at Sea, 1972 (COLREGs) and the International Convention for the Safety of Life at Sea (SOLAS), 1974 are IMO conventions that regulate the safe operation of conventional ships. While there are notable differences in the operation of MASS compared to conventional ships, clauses that regulate the carriage of cargo and traffic separation in harbors still apply.
In September 2022, the IMO established a Joint Working Group (JWG), comprised of the legal, facilitation, and maritime safety committees. The JWG has met three times since its founding, with the third session having taken place in May 2024. During that session, a road map was finalized with the adoption of stronger regulation, a mandatory MASS code, projected to be finalized in July 2030, with an entry into force taking place in January 2032. In addition to creating a road map for implementation, the JWG reached a consensus on several key principles regarding MASS. At the core of these principles is having a human master responsible for a MASS with the ability to intervene if necessary, regardless of the degree of autonomy. Noticeably absent from the core principles were specific guidelines addressing MASS’ heightened susceptibility to cyber-attacks compared to conventional ships. While nations such as France have begun discussions of cybersecurity protocols aboard MASS, a robust risk analysis with global input is needed before a mandatory code for MASS is implemented.
Notably, the JWG failed to consider how MASS vulnerabilities could be exploited by terrorists and pirates. While MASS would likely decrease human loss by limiting the availability of kidnapping and hostage victims, hijackings could increase. This increase stems from having no human presence onboard and the technological vulnerabilities of maintaining a remote connection. Depending on the pirates’ or terrorists’ motivation, hijacking a MASS could lead to economic catastrophe. For example, terrorists wanting to cause economic havoc could utilize a MASS that they have taken control of to block major shipping routes, causing an effect similar to when the Ever Given got stuck in the Suez Canal. To put that scenario in context, the blocking of the Suez Canal cost the global economy approximately $416 million for every hour the ship was stuck. Similarly, the Dali cargo ship closed the Port of Baltimore after crashing into the support pillar of the Francis Scott Key Bridge, resulting in its collapse and a notable impact on the U.S. economy. While this incident was believed to be caused by electrical malfunctions aboard the conventional ship, terrorists could wreak similar havoc by hijacking technology aboard MASS.
While MASS are still in the development and testing phases, it is crucial for enforceable laws to be in place to govern their operation before they are put into major use. Since the flag state of a vessel is primarily responsible for enforcing compliance with rules and regulations of the sea under IMO conventions, there must be a global consensus on what it will take to secure the seas with regard to MASS. For example, the IMO could require that the flag state of each vessel be in continuous communication with MASS flying its flag. That is why the IMO will need to address these national security concerns when drafting the mandatory code in the early 2030s to mitigate cybersecurity risks and keep the seas safe. The IMO will therefore need to draft national security-focused legislation that ensures MASS are an asset to global trade, rather than a liability.