Historically, maritime fraud has generally been a low-tech business built more on simple deception, or failing that, brute force. But that is all changing as Matt Miller writes, the game is changing fast and cyber crime represents the dark side of the highly computerized supply chain. It was the stuff of a blockbuster film. It was also the shipping world’s worst nightmare: Drug smugglers hacked into computers at the port of Antwerp. They gained control of security codes, enabling their drivers to heist whole containers, where millions of dollars of drugs were hidden among bananas and timber. The elaborate scheme lasted two years. It unraveled in 2013, only after a legitimate driver unwittingly drove off the port with one of the containers. The smugglers attacked the truck, AK-47s blazing. Think of maritime fraud and decidedly low-tech images usually come to mind: Cargo pilfered, bills of lading forged, bunker fuel diverted, ships hijacked or purposely sunk. As Christian Ott, vice president head of claims for the Danish marine insurer Skuld wrote in a white paper on the subject: “Fraud in commerce is as ancient as commerce itself.” However, maritime security experts warn that the game is changing and fast. Cyber fraud looms large. Just as technology has transformed transport and logistics, its dark side threatens ships, shippers and their agents. “The system has become extremely efficient. And all these technologies save money,” says Capt. David Moskoff, a professor of marine transportation at the United States Merchant Marine Academy (USMMA). “The problem is that every time you make one of these [technological] breakthroughs, you open up a new window of vulnerability.” What’s more, the experts say, the growing use of intermediaries in shipping presents further challenges. “An email is started with the manifest. Then it goes to freight forwarders, to brokers, to three truck lines,” says Laura Hains, a Tampa-based maritime security specialist who heads Hammerhead Security Solutions LLC and former US Customs and Border Protection supervisor. “Now, everything is electronic. That opens a lot more doors. [But] the more technology, the more possibility of those doors being broken into.” Just how much damage cybercrime has already been inflicted on the industry is impossible to determine. Cyber security firms such as Kaspersky Lab say they don’t track the sector specifically. Many crimes go unreported or undetected. “A lot more money is being lost than people realize,” says Moskoff, [speaking for himself and not in any official or governmental capacity]. “Due to the competitive nature of business, a lot of this may not be getting publicized.” A study last year by the Center for Strategic and International Studies estimated cybercrimes cost the global economy a staggering $400 billion annually. We tend to think of these crimes in terms of hacked credit cards, stolen bank accounts or pilfered identities. But as the Antwerp incident dramatically demonstrated, cybercriminals can target the delivery system of goods as well. “This kind of surreptitious entry relates to the global supply chain,” says James Giermanski, a specialist on container security and a former FBI agent. Warns David Dickman, a lawyer with Venable LLP specializing in marine safety and port security: “A lot of entities, including the Federal government, are not prepared for what’s going on.” In the most frightening scenario imaginable, terrorists target American ports. This has the potential of bringing the nation’s commerce to its knees. “If something were to happen to two of our ports, say Los Angeles and Savannah, within six weeks, this country would be in havoc,” says Hains. In fact, there have been cyber attacks on, for example, two oilrigs that successfully disrupted production. So far, though, the “bad guys” appear far more interested in assaulting the supply chain through cyberspace to make money. “It seems like all of the sudden, we’re seeing it all over the place, with shippers, buyers, freight forwarders,” says Andy Robins, vice president customer service for WCA, the network of almost 6,000 independent freight forwarders. That fraud can take many forms. One of the most common is a modern variation on an old scam: Forged or tampered documents. Fraudsters can hack into documents generated and moved electronically, change instructions, and then weasel payments out of shippers and their agents. According to Robins, the sums involved aren’t large enough – in the neighborhood of $20,000 to $30,000 a hit – to trigger particular concern among harried clerks moving funds “all over the place,” often under intense pressure to keep goods flowing. Robins describes a hacker who has successfully convinced freight forwarders through what appears to be legitimate correspondence that money be remitted to a different bank account than originally detailed. Because the new bank is in London, the request didn’t raise alarm bells with accountants, until the money went missing. WCA has documented six hacks by the same fraudster, resulting in a total loss of $150,000. The dangers of cyber fraud are amplified with complex transportation routes, transshipments and numerous intermediaries. “In a global supply chain, there are so many players with independent input,” says Giermanski. Not only can all these players compromise overall security, he explains, but they can increase the possibility that counterparties just don’t know everyone they’re dealing with. This opens up the possibility of bogus agents electronically inserting themselves into the chain. Mistrust can be amplified to the point where even claims of cyber attacks are dismissed as excuses not to pay. “We tell our members, if there’s an issue, pick up the telephone and talk to the boss,” Robins says. Security can be extraordinarily lax. Hains cites a recent inspection she did on a shipping agent. Not only did the person entrusted with a protected password give that information to a colleague, the colleague posted the password on the side of her computer. Addressing cyber security means spending money and that can be a hard sell, especially in today’s hyper-competitive environment, with profits razor thin. “If you have to build another cost into billing because of cyber security, it’s going to eat into that small profit margin and you’re not going to do it,” says Hains. Shippers and freight forwarders also are often unaware of all the risks unless they themselves have been attacked. Those that are scammed are often too embarrassed to speak out. Some don’t address the issue because they just don’t have a good handle on what’s going on. Others rely on the security protocols of their counterparties for protection. “It really comes down to how much risk you think there is versus the cost,” says Dickman. According to Giermanski, some major corporations are beginning to investigate better cyber security systems and press for their implementation. However, there’s almost a fatalistic sense of helplessness among smaller freight forwarding operations. Dickman cites the recent major data breaches at Target, Sony and Anthem Health. “If those kind of major entities are having problems, how can two or three person operations deal with the same kinds of issues?” he asks. “To do even a basic cyber vulnerability study entails costs and expenditures.” Moskoff is particularly concerned about the vulnerabilities of relying on GPS technology for tracking cargo. While GPS has proved invaluable for knowing everything from a container’s position in a yard or ship, to temperature and humidity, it also opens up the possibility that criminals can “jam” or “spoof” the signal, aiding in cargo theft or diversion. Moskoff cites two incidents last summer in which thieves hijacked trucks carrying high-value cargo. The hijackers carried GPS jamming devices in an attempt to thwart tracking of the stolen trailers. In one of these cases, the thieves stole more than $2 million worth of pharmaceuticals, including potent painkillers that could have been easily sold on the street. Police thwarted the theft because the trailer had a sophisticated, multi-layered GPS system including a hidden device the thieves failed to detect. Containers, themselves, are notoriously vulnerable to attack and the GPS tracking system does little to stop thieves. “There are, we think, at least five ways to open a container without disturbing the seal,” said Pottengal Mukundan, Director, International Maritime Bureau, in a speech last year. Authorities have yet to dictate through more secure procedures. “Right now there is no government-approved container security system,” Giermanski says. There are no security standards and pretty much everything is voluntary. “The only requirement is you lock [container] doors.” The Antwerp incident graphically demonstrated not only the dangers of cyber attacks, but also the resourcefulness and persistence of the perpetrators. The drug smuggling ring began by sending malware to shipping companies. That was discovered and IT technicians built a computer firewall to prevent further attacks. The drug smugglers then broke into the shipping offices, installing devices on the computers that monitored keystrokes and grabbed images from computer screens. They also planted sophisticated hardware inside hard drive cases and power strips. That enabled them to remotely control the computers, just like in the movies.