CSO Alliance: Shipping industry needs culture change on crime reporting
26/07/18 https://safety4sea.com/cm-cso-alliance-shipping-industry-needs-culture-c...
While the voting procedure for the 2018 SAFETY4SEA Awards is open, Mark Sutcliffe Managing Director of CSO Alliance explains the motivation behind this project which has been shortlisted for the Initiative’ category alongside a number of other distinguished nominees. As explained, the CSO Alliance aims to encourage anonymous reporting of any physical and cyber crime concerning maritime industry in real time; in this context, CSO Alliance cooperates with industry stakeholders to jointly mobilize the industry towards a cultural change on crime reporting. Mr. Sutcliffe notes that the reporting of incidents has been very poor so far due to many reasons. By enabling 'Security though Community’, there is room for improvement in safety ashore; thus CSO Alliance provides a platform for data reporting and sharing.
SAFETY4SEA: Your organization has been shortlisted for the 2018 SAFETY4SEA Awards in the ‘Initiative’ category alongside a number of other distinguished nominees. What is the background and the key drivers behind this nomination/shortlisting?
Mark Sutcliffe: The digital revolution has brought about a significant level of change in the way the maritime market works over a very short period. Huge benefits have been achieved in efficiency and cost savings, but also unfortunately new threats to the maritime community have emerged along with digitalization. Cyber-attacks are cheaper to perpetrate than piracy, theft or kidnapping, and they bring in greater rewards with little risk. The maritime community is not immune, neither is it prepared to deal with immensely well-funded and resourced international criminals and even some State actors. Our industry needs one point to report cyber crime and so we sat down with Airbus, who have over 600 employees in their cyber division to work on a solution - we crafted the Maritime Cyber Alliance (MCA).
S4S: How has your initiative influenced industry’s landscape? What are the key areas of attention?
M.S.: We note that the recently published US Department of Homeland Security and US Coast Guard policy letter dated 14 December 2016 gives guidance for reporting cybersecurity incidents on maritime transportation in the US. And even though the EU and some Asian Flags also have reporting requirements and places to report incidents, shipping operates worldwide and many Flags do not have their own incident reporting mechanisms. CIRM the equipment manufacturers have draft documentation to report all crime to MCA and we are rolling this out through industry, we have received our first cyber crimes direct from ships, so a proof of concept, which recognitions from shortlisting in your awards will help boost.
Finally it is the interactive nature of the platform as we build functionality listening to member needs as we deliver a range of features: Sharing ideas through cyber chatter, creating groups for developing best practice as well as news, reviews and cyber lesson learned shared in the community. This builds an effective support tool for the hard pressed Company Information Security Officers, which can be enhanced with more features that they collectively need, for example on line conference facility and cyber alerts by text and email.
S4S: Do you have any new projects on the pipeline and/or plans, related with your safety performance that you would like to share with the industry?
M.S.: We are working on a PFSO Alliance which will deliver security process efficiencies between Port PFSOs and Ship Owners’ CSOs and their crews, so that we work as one in the issue of reporting and combatting crime.We have plans which we prefer to keep off the market at the moment for a Superyacht Alliance targeted at the 6500 yachts of 24m+ who require a carefully blended delivery security (CSOA) cyber (MCA) ports and marinas (PFSOA) and finally an anonymous safety incident reporting portal as many safety incidents go unreported. We will then operate four key communities based on one technology and management and intelligence team in one world: CSOs - CSO Alliance; PFSOs - PFSO Alliance; CISOs - Maritime Cyber Alliance; Yacht Captains - Superyacht Alliance.
S4S: If you could change one thing about the shipping industry, what would it be and why?
M.S.: The shipping industry has a culture of not wanting to share their crime incidents in fear of ruining company reputation and/or not wanting to give a competitive edge to its competitors, hence the culture of keeping it in house. This needs to change to encourage the safety of all seafarers.
We therefore encourage anonymous reporting. We split the reported information to servers in different countries using an anonymizing reporting Centre. This enables heavily encrypted data of the crime report and the identity of the reporter to be split and distributed between 3 servers in different legal entities in 3 different jurisdictions and with different legal and privacy systems. The original data including ID of who reported the incident is then destroyed on receipt, but after the data is split.
We have leading Flag (Marhsall Island), Class (DNVGL), P&I (North P&I), War Risk (DNK) and Hull Insurance (Norwegian Hull Club) and we are talking to other industry supporters as we mobilise the industry behind CSO Alliance and which has been trading for five years, and the new Maritime Cyber Alliance.
If we all report physical and cyber crime in real time we can get ahead of the highly organised and well resourced Maritime and Cyber Criminals, it is within our grasp, it is our focus and we beleive with leadership , sharing and support form you this crime reporting culture change
S4S: What is your key message for enhancing safety culture ashore and onboard?
M.S.: Even for the Flags that currently require reporting of incidents, the end result to date has been very poor, and the real volume of reported incidents remains woefully unknown. There are many reasons for this: victims fear for company reputation, the possible risk of Insurance premium increases, ships considered un-seaworthy and thus insurance claims refused, possible reprisals for the individual reporting the event or simply because it might cause administrative delays and a reporting burden on already overworked crew.
It is recognized by all that there is a lack of data on cybercrime available, for ship owners and operators, ports, insurers, flag states and classification societies, to be able to assess the level of threats and risks, mitigate attacks, improve overall safety, and be able to take remedial action. This will significantly improve safety ashore and at sea as we rapidly develop, update and share best practice. To be effective in combatting crime, timely and verified information needs to be available in a single worldwide platform. In short, 'Security though Community’.