Maritime cybersecurity: All at sea

Nate Jones, prompted by Cyberspace Solarium’s op-ed gives a comprehensive overview of cybersecurity concerns in the maritime sector. There is certainly a lot to be concerned about. The U.S. Government’s December 2020 National Maritime Cybersecurity Strategy is a 36-page document. After the appendices, intro, and summaries are removed, it comes down to just eight pages of content. The Atlantic Council, however, has provided a report that fills in this gap.

The maritime sector should not be the only thing we are concerned with. Sultan Meghji cites the alarming state of industrial security as demonstrated by a Rockwell Automation ICS system that identified a vulnerability that is “10 of 10”.

Sometimes software rot can serve a useful purpose. Maury Shenk tells us about decay in Russia’s SORM – a site-blocking system that may be buckling under the weight of the Ukraine invasion. Three New York Times reporters should know better than to tell me a bogus SORM story. Aaron Krolik, Paul Mozur, and Adam Satariano should all be ashamed for making a lengthy story alleging that Nokia sold Russia’s telecom equipment that allows wiretaps. Nokia couldn’t do any other because wiretap capabilities are required by Western governments. Russian companies carried out SORM and other abuses. These three or three Russian companies are what I think they were after poring over a lot of leaked documents. Reporters couldn’t believe there wasn’t one.

Nate and me note that Treasury has begun listing companies it considers to be part of an international sanctions evasion network, creating a new list of secondary targets. We also puzzle over the surprising pushback on proposals to impose  sanctions on Kaspersky, If the WSJ is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn’t that reason enough to sanction them out of Western networks?

Sultan and Maury reminded us that cryptocurrency regulation is extremely popular with many, including Senator Elizabeth Warren (EU Parliament) and others. Although Sultan doubts that widespread regulation will ever be possible, he is not averse to the idea. Sultan is more optimistic about Apple’s potential to disrupt the whole fintech industry by embracing financial services with passion. It’s nearly impossible for financial service companies to have a friendly relationship with the government. Apple might need to change what it has been doing in America for the past decade.

Nate and me explore the complexity of Brian Krebs’s story about hackers who exploited the system that online services use to provide subscribers information to police in times of emergency.

Ubiquiti has filed a defamation case against Krebs. Krebs relied upon a whistleblower who was later revealed to be the perp and Krebs failed to correct it when it became obvious. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint – the lack of any allegation that the company told Krebs that he’d been misled and asked for a retraction. Without this, it is difficult to claim that Krebs was negligent, let alone malicious, in reporting claims made by an allegedly well-informed insider.

Maury closes the episode by bringing us up-to-speed on the U.K. (still in its early stages) online harms bill. He also explains why Britain allowed the Chinese affiliate to purchase the largest U.K. chip foundry. Sultan discovers many interesting insights from a CNN article about the Great Conti leak.

Finally, I have my concerns about Mark Unkenholz’s indictment for leaking classified information. I had the pleasure of knowing him while he was in government. The prosecutors will have to prove that Unkenholz made something other than the standard disclosures. It is impossible to do commercial outreach like Unkenholz did without coming across tech companies with no security clearances, but lots of capability that are highly valued by the intelligence agency. Either you give these companies’ uncoordinated executives enough classified information to help you understand your needs or you don’t get any assistance. Prosecutors can’t simply say that someone gave classified information to them without a clearance. They should put him in prison.

Get the full 401 episode (mp3)

The Cyberlaw Podcast can be subscribed via iTunes, Google Play Spotify Pocket Casts and Google Play. The Cyberlaw Podcast invites your feedback. Make sure you engage @stewartbakerFollow us on Twitter. Send your questions, comments, and suggestions for topics or interviewees to You will receive a Cyberlaw Podcast mug if you suggest a guest!