Global AI Governance

The IMO has recently completed a regulatory scoping exercise to identify legal barriers and gaps hindering the safe development of remote-controlled, autonomous or semi-autonomous surface ships.³ The issuance of a circular precluding the operation of autonomous ships in international waters pending the entry into force of an international regulatory framework was considered but did not receive sufficient support.⁴ Instead, member states and international organizations were invited to submit proposals for interim guidelines for autonomous shipping trials,⁵ and a year later, in June 2019, such interim guidelines were adopted.

The IMO’s Media Centre provides an overview of its activities related to autonomous shipping on a dedicated page, including a list of the main treaties considered in the regulatory scoping exercise.

An example of a relevant provision is Regulation 19 of the widely ratified International Convention for the Safety of Life at Sea (SOLAS):⁶

Regulation 19 Use of the automatic pilot

(a)

In areas of high traffic density, in conditions of restricted visibility and in all other hazardous navigational situations where the automatic pilot is used, it shall be possible to establish human control of the ship’s steering immediately.

(b)

In circumstances as above, it shall be possible for the officer of the watch to have available without delay the services of a qualified helmsman who shall be ready at all times to take over steering control.

(c)

The change-over from automatic to manual steering and vice versa shall be made by or under the supervision of a responsible officer.

Pending the widespread commercial deployment of autonomous ships, perhaps the largest robotics-related threat to global security from civilian vessels is as a means of transport for terrorist drone swarms carrying explosives or biological, chemical, or radioactive (‘dirty’) bombs, given that many large cities are situated along coasts or rivers.

In this context it is worth mentioning that the international maritime security regime was considerably strengthened after the 9/11 terrorist attacks.

A series of amendments to the annex of SOLAS were adopted at a diplomatic conference on maritime security in 2002 including a new chapter XI-2 ‘Special Measures to Enhance Maritime Security’,⁷ which refers to the International Ship and Port Facility Security Code adopted at the same conference.⁸

Similar to the aviation domain, the 1988 Convention for the Suppression of Unlawful Acts against the Safety of Maritime Navigation was overhauled to criminalize additional terrorist acts as well as the transport on board a ship of certain dangerous materials, such as biological, chemical or nuclear weapons or their precursor materials (art 3bis), or of a fugitive of a treaty crime (art 3ter), and introduced detailed cooperation and enforcement mechanisms, including ship-boarding and inspection procedures (art 8bis).⁹ Note, however, that while the original convention has 166 parties representing 95% of gross tonnage of the world’s merchant fleet, the 2005 amending protocol has only reached 52 contracting parties to date constituting approx. 40% of world tonnage.¹⁰

In 2017 the IMO issued recommendatory guidelines on maritime cyber risk management¹¹ complementary to its existing safety and security management regime. The definition of maritime cyber risk is set out in Annex para. 1.1:

For the purpose of these Guidelines, maritime cyber risk refers to a measure of the extent to which a technology asset is threatened by a potential circumstance or event, which may result in shipping-related operational, safety or security failures as a consequence of information or systems being corrupted, lost or compromised.

Examples of maritime shipping systems at risk are given in para. 2.1.1:

Vulnerable systems could include, but are not limited to:

.1

Bridge systems;

.2

Cargo handling and management systems;

.3

Propulsion and machinery management and power control systems;

.4

Access control systems;

.5

Passenger servicing and management systems;

.6

Passenger facing public networks;

.7

Administrative and crew welfare systems; and

.8

Communication systems.

The Guidelines are limited to high-level recommendations due to the wide variety of circumstances:

Recognizing that no two organizations in the shipping industry are the same, these Guidelines are expressed in broad terms in order to have a widespread application. Ships with limited cyber-related systems may find a simple application of these Guidelines to be sufficient; however, ships with complex cyber-related systems may require a greater level of care and should seek additional resources through reputable industry and Government partners.

The main elements of cyber risk management outlined in the Guidelines are the following:

3.5 These Guidelines present the functional elements that support effective cyber risk management. These functional elements are not sequential – all should be concurrent and continuous in practice and should be incorporated appropriately in a risk management framework:

.1 Identify:

Define personnel roles and responsibilities for cyber risk management and identify the systems, assets, data and capabilities that, when disrupted, pose risks to ship operations.

.2 Protect:

Implement risk control processes and measures, and contingency planning to protect against a cyber-event and ensure continuity of shipping operations.

.3 Detect:

Develop and implement activities necessary to detect a cyber-event in a timely manner.

.4 Respond:

Develop and implement activities and plans to provide resilience and to restore systems necessary for shipping operations or services impaired due to a cyber-event.

.5 Recover:

Identify measures to back-up and restore cyber systems necessary for shipping operations impacted by a cyber-event.

As for best practices for implementation of cyber risk management, three examples of relevant standards/guidelines are provided:

For detailed guidance on cyber risk management, users of these Guidelines should also refer to Member Governments’ and Flag Administrations’ requirements, as well as relevant international and industry standards and best practices.

4.2 Additional guidance and standards may include, but are not limited to:¹

.1

The Guidelines on Cyber Security Onboard Ships produced and supported by BIMCO, CLIA, ICS, INTERCARGO, INTERTANKO, OCIMF and IUMI.

.2

ISO/IEC 27001 standard on Information technology – Security techniques – Information security management systems – Requirements. Published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

.3

United States National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the NIST Framework).

Care is taken to avoid explicit endorsement of these three external standards:

.¹ The additional guidance and standards are listed as a non-exhaustive reference to further detailed information for users of these Guidelines. The referenced guidance and standards have not been issued by the Organization and their use remains at the discretion of individual users of these Guidelines.

The information security management system of the IMO itself is certified to ISO/IEC 27001 according to its privacy policy.