March 4, 2025

Navigating Legal Frontiers: Combating Cyber Piracy in the 21st Century

Written By: Yashawardhana

I. Introduction

Piracy has been a longstanding threat to maritime trade, evolving from physical attacks on merchant vessels to sophisticated cyberattacks on shipping infrastructure. The Indian Ocean, historically a critical maritime corridor, has witnessed both traditional piracy and its digital counterpart. While naval efforts have mitigated physical threats, cyber piracy remains an emerging challenge with far-reaching implications.

 

Modern maritime operations rely on digital technology, making them vulnerable to cyberattacks. From hacking into the Automatic Identification System[i] (AIS) to GPS spoofing and ransomware attacks on shipping companies, cyber piracy disrupts trade and compromises security. The Indian Ocean region, home to major maritime players such as India, Sri Lanka, and Indonesia, is particularly susceptible. Cybercriminals—often state-backed or linked to criminal syndicates—exploit digital vulnerabilities for economic gain or geopolitical leverage. Given the region’s importance to global commerce, securing its digital infrastructure is as crucial as protecting its physical waters.

 

II. Legal Challenges in Addressing Maritime Cyber Piracy

International maritime law primarily deals with physical piracy. The United Nations Convention on the Law of the Sea (UNCLOS) defines piracy under Article 101[ii] as “any illegal acts of violence or detention committed for private ends on the high seas.” This definition, however, does not encompass cyberattacks, making it difficult to prosecute digital piracy under existing legal frameworks. The International Maritime Organization (IMO) has taken steps to address cybersecurity threats through various guidelines. IMO Resolution MSC.428(98) (2017)[iii] mandates shipowners to incorporate cybersecurity risk management into safety management systems. The International Ship and Port Facility Security (ISPS) Code (2004)[iv] provides security protocols but lacks specificity on cyber threats. The Budapest Convention on Cybercrime (2001)[v] provides a broad legal framework for prosecuting cybercriminals but lacks maritime-specific provisions. Without clear international legal instruments addressing cyber piracy, prosecution remains difficult, leaving digital vulnerabilities in maritime trade exposed.

 

India has recognized the cyber threat to its maritime sector and has initiated several legal mechanisms to address it. The Information Technology Act, 2000 (IT Act) is the primary cyber law in India; it penalizes hacking under Section 66[vi], identity theft under Section 66C[vii], and cyber terrorism under Section 66F[viii]. However, it does not have specific provisions related to maritime cyber piracy. Section 61[ix] and Section 316[x] of the Bharatiya Nyaya Sanhita (BNS), 2023, which deal with criminal conspiracy and cheating, can be applied to cyber piracy cases.

 

The Admiralty (Jurisdiction and Settlement of Maritime Claims) Act, 2017[xi] primarily deals with physical maritime disputes but could potentially be extended to cover digital maritime breaches through judicial interpretation. The National Cyber Security Policy, 2013[xii] provides a framework for cybersecurity but lacks maritime-specific provisions. There is currently no direct legal provision in Indian law that criminalizes cyber piracy in the maritime domain, creating a gap that could be exploited by attackers.

 

While there are no landmark cases directly addressing maritime cyber piracy, some precedents in related cybercrime cases in India offer insights. The case of Shreya Singhal v. Union of India (2015)[xiii] struck down Section 66A of the IT Act, clarifying that laws on cyber threats need to be precise and narrowly defined. Anvar P.V. v. P.K. Basheer (2014)[xiv] established the importance of electronic evidence, which could be relevant for prosecuting cyber pirates. Sony Sambandam v. State of Tamil Nadu (2020)[xv] highlighted liability in cyber fraud cases, potentially relevant for shipping companies seeking damages.

 

III. Analysis of the Situation: Strengthening Cybersecurity in the Indian Ocean

The complexity of cyber threats in the maritime industry has grown with the adoption of smart shipping and automated logistics. Some of the most concerning cyber threats include GPS spoofing[xvi], AIS manipulation, ransomware attacks, and cyberattacks on ports. Ships rely on GPS and AIS for navigation, and cyber pirates can manipulate these systems, leading vessels off-course or disguising pirate vessels as legitimate ones. In 2019, Iranian tankers were suspected of using AIS spoofing to evade U.S. sanctions. Ransomware attacks on shipping companies have also demonstrated the financial risks involved. In 2017, Maersk, the world’s largest shipping company, was hit by the NotPetya[xvii] ransomware, disrupting operations and causing losses of $300 million. Indian ports have not been immune either. In 2021[xviii], Jawaharlal Nehru Port Trust (JNPT) faced a cyberattack that disrupted cargo handling. Given the economic impact of such incidents, cyber piracy is not just a technical issue but a national security concern. A disrupted maritime supply chain can affect energy imports, trade, and even military logistics.

 

The Indian Ocean region is particularly susceptible to these threats due to its high volume of trade and strategic importance. It is critical for countries, especially India, to recognize that cyber piracy is more than just a criminal issue; it is a real geopolitical menace. The rise of state-sponsored cyber warfare has added another dimension to this threat. For instance, cyberattacks on maritime networks could be used as a tool of economic coercion or as a prelude to military action. While major naval powers such as the United States and China have invested heavily in cyber defence for their maritime infrastructure, Indian Ocean nations must urgently develop similar capabilities. This necessitates drafting better laws that directly address maritime cyber piracy. Amending existing laws, such as the IT Act and the Admiralty Act, to include provisions on cyber threats at sea would be a significant step forward. Regional cooperation among Indian Ocean Rim Association (IORA) member states could also lead to a more coordinated approach to cybersecurity, including intelligence sharing and joint cyber patrols.

 

India and other Indian Ocean nations must update their legal frameworks to address cyber piracy effectively. Some proposed reforms include amending the IT Act to introduce specific provisions for maritime cyber piracy, with penalties proportionate to the economic and security damage caused. Indian courts should recognize cyber piracy as part of maritime law, allowing affected parties to seek redress under the Admiralty Jurisdiction. Regional legal cooperation should also be established through organizations like IORA and BIMSTEC to handle cross-border cyber piracy cases. Cybersecurity in maritime infrastructure must be enhanced through AI-based threat detection, blockchain for cargo tracking, and ethical hacking audits. International collaboration is also essential. India, through its Indo-Pacific strategy, has been increasing maritime cooperation. The QUAD’s Indo-Pacific Cybersecurity Initiative can help in intelligence sharing on maritime cyber threats. The Information Fusion Centre – Indian Ocean Region (IFC-IOR), based in Gurugram, can be expanded to focus more on cyber threats. Joint naval exercises such as MILAN and Malabar should incorporate cybersecurity training to prepare for potential digital threats in maritime operations.

 

IV. Conclusion

The shift from traditional piracy to cyber piracy presents new challenges for maritime security in the Indian Ocean. While existing laws and frameworks provide some protection, there is an urgent need for more robust legal provisions, regional cooperation, and advanced technological measures. As trade and geopolitics become increasingly digitized, securing maritime cyber infrastructure is no longer an option—it is a necessity. The Indian Ocean, a historical theatre of naval dominance, must now also become a leader in cybersecurity, ensuring that the region remains both economically vibrant and digitally secure.

 

Ultimately, the fight against cyber piracy is not just about protecting ships and ports—it is about securing the global economy. The Indian Ocean must transition from being a vulnerable digital battleground to a leader in maritime cybersecurity. Only then can it maintain its status as a thriving hub of global commerce in the digital age.

 

Endnotes:

[i] Global Fishing Watch. “What is AIS?” Global Fishing Watch. Last modified September 22, 2020. https://globalfishingwatch.org/faqs/what-is-ais/.

[ii] United Nations. United Nations Convention on the Law of the Sea. Article 101. December 10, 1982. https://www.un.org/depts/los/convention_agreements/texts/unclos/unclos_e.pdf.

[iii] International Maritime Organization. Resolution MSC.428(98). May 15, 2017. https://wwwcdn.imo.org/localresources/en/OurWork/Security/Documents/Resolution%20MSC.428(98).pdf.

[iv] International Maritime Organization. “SOLAS XI-2 ISPS Code.” International Maritime Organization. Accessed February 3, 2025. https://www.imo.org/en/OurWork/Security/Pages/SOLAS-XI-2%20ISPS%20Code.aspx.

[v] Council of Europe. “The Budapest Convention.” Council of Europe. Accessed February 3, 2025. https://www.coe.int/en/web/cybercrime/the-budapest-convention.

[vi] Government of India. Information Technology Act, 2000. Section 66. Last updated December 2020. https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.

[vii] Government of India. Information Technology Act, 2000. Section 66C. Last updated December 2020. https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.

[viii] Government of India. Information Technology Act, 2000. Section 66F. Last updated December 2020. https://www.indiacode.nic.in/bitstream/123456789/13116/1/it_act_2000_updated.pdf.

[ix] Ministry of Home Affairs, Government of India. The Indian Penal Code, 1860. Section 61. Last modified April 1, 2024. https://www.mha.gov.in/sites/default/files/250883_english_01042024.pdf.

[x] Ministry of Home Affairs, Government of India. The Indian Penal Code, 1860. Section 316. Last modified April 1, 2024. https://www.mha.gov.in/sites/default/files/250883_english_01042024.pdf.

[xi] Government of India. The Admiralty (Jurisdiction and Settlement of Maritime Claims) Act, 2017. Act No. 2 of 2017. Last updated 2017. https://www.indiacode.nic.in/bitstream/123456789/2631/1/A2017-2.pdf.

[xii] Ministry of Electronics and Information Technology, Government of India. National Cyber Security Policy, 2013. July 2013. https://www.meity.gov.in/writereaddata/files/downloads/National_cyber_security_policy-2013%281%29.pdf.

[xiii] Shreya Singhal v. Union of India, (2015) 5 SCC 1 (India).

[xiv] Anvar P.V. v. P.K. Basheer, (2014) 10 SCC 473 (India).

[xv] Sony Sambandam v. State of Tamil Nadu, (2020) 9 SCC 461 (India).

[xvi] U.S. Department of Justice. “Justice Department Announces Terrorism and Sanctions Evasion Charges and Seizures Linked to International Cybercriminal Activity.” Last modified January 15, 2021. https://www.justice.gov/opa/pr/justice-department-announces-terrorism-and-sanctions-evasion-charges-and-seizures-linked.

[xvii] “Throwback Attack: How NotPetya Accidentally Took Down Global Shipping Giant Maersk.” Last modified July 13, 2017. https://www.controleng.com/throwback-attack-how-notpetya-accidentally-took-down-global-shipping-giant-maersk/.

[xviii] “Cyberattack Prompts System Outage at JNPT Container Terminal.” Last modified November 23, 2020. https://www.porttechnology.org/news/cyberattack-prompts-system-outage-at-jnpt-container-terminal/.

 
