Introduction

In the contemporary era characterised by rapid digitalisation, the shipping industry faces an unprecedented spectrum of cybersecurity threats. Traditional approaches to cyber counterintelligence have proven inadequate, necessitating a proactive stance from stakeholders to counteract the evolving strategies of cyber adversaries. As cyberattacks become increasingly sophisticated, targeting critical infrastructure and sensitive data, organisations within the shipping industry are increasingly vulnerable to disruptions and financial losses. Recognising the imperative to strengthen defences against such threats, industry participants are adopting innovative strategies that leverage competitive intelligence (CI) to enhance their cyber counterintelligence capabilities. CI emerges as an essential tool in this context, facilitating the anticipation, mitigation, and neutralisation of cyber threats. This paper aims to elucidate the role of CI in augmenting offensive cyber counterintelligence (OCCI) strategies within the shipping industry. By providing a comprehensive review of the literature on CI and OCCI, it presents businesses with a strategic, tactical, and operational framework to more effectively address complex cyber threats. Through an analysis of conceptual frameworks and theoretical foundations, the paper clarifies the fundamental principles and contemporary significance of CI in business contexts. Finally, it proposes that the integration of these insights can enhance the strategic capabilities of businesses in the shipping industry.

Competitive intelligence

Competitive intelligence definitions

Competitive intelligence stands as a linchpin in contemporary business strategy, intricately interwoven with the dynamic and multifaceted macro business environment. Its roots can be traced back to military intelligence practices, where it initially served as a strategic tool for gaining advantage (Franco et al., 2011, pp. 1–3; Greene, 1966, pp. 1–25). Over time, CI has evolved into a legal framework extensively utilised by businesses to gather, process, and analyse qualitative data pertaining to specific industries and their competitive dynamics (Carvalho, 2021). This systematic approach enables organisations to glean profound insights into competitor behaviours, customer preferences, and broader market trends, facilitating astute decision-making processes crucial for sustaining competitiveness and achieving strategic goals (Dabrowski, 2018, pp. 1–8).

Initially, scholarly discourse surrounding CI has produced a plethora of definitions, reflecting its multifaceted nature and strategic significance within organisational contexts. Sawka (1996) defines CI as the acquisition of knowledge and foresight regarding the external operational environment, underscoring its pivotal role in shaping decision-making processes and furnishing a comprehensive understanding of the business landscape. Calof (1997) elaborates on this, characterising CI as the timely dissemination of fact-based data pivotal for decision-making and strategy development. This encompasses a multifaceted approach encompassing industry analysis, competitive assessment, and benchmarking practices. Prescott (1999) extends this conceptualisation, portraying CI as an iterative process geared towards developing actionable insights into competitive dynamics and non-market forces, aiming to confer sustainable competitive advantages to organisations.

Moreover, Leibowitz (2006) underscores CI as a meticulously structured programme designed to capture, manage, and analyse intelligence, thereby enhancing the efficacy of strategic decision-making processes. McGonagle and Vella (2002) adopt a data-centric perspective, positing CI as the strategic utilisation of publicly sourced data to glean insights into competitor behaviours and prevailing market conditions. Dishman and Pearson (2003) accentuate CI as a proactive endeavour aimed at amassing information and intelligence to pre-empt competitors in the cut-throat business environment. Bose (2008) portrays CI as an ongoing process of vigilantly monitoring the competitive landscape to inform strategic and operational manoeuvres effectively. In addition, within this academic tapestry, Strauss and Du Toit (2010) frame CI as an evolutionary assessment of business environment opportunities and developments, each carrying strategic implications for corporate decision-making endeavours. Pellissier and Nenzhelele (2013) contribute by conceptualising CI as a holistic process that synthesises actionable intelligence through meticulous data collection, processing, and analysis, both internally and externally. Bouthillier and Jin (2005) accentuate the value-added proposition of CI, emphasising its role in collecting, analysing, and disseminating intelligence within a legal framework conducive to strategic advantage.

Although a universally recognised definition of CI is still lacking, its profound impact on organisational resilience and strategic acumen remains unequivocal, in both academic discourse and practical application. Additionally, contributions from various scholars, such as Boncella (2003), Calof (1997), and Ettore (1995), underscore the ethical and legal dimensions of CI, highlighting its role as a legitimate means of acquiring and leveraging intelligence for strategic decision-making purposes. This amalgamation of perspectives underscores the multifaceted nature of CI, illuminating its pivotal role in navigating the complexities of the contemporary business landscape and achieving sustainable competitive advantage (Markovich et al., 2022, pp. 8–14; Strauss and Du Toit, 2010, pp. 4–8).

Competitive intelligence process

Competitive intelligence operates as a multifaceted framework designed to equip decision-makers with actionable insights essential for navigating the complexities of contemporary business environments (Prescott, 1999, pp. 1–14). CI projects serve as invaluable assets in preserving organisational leadership amidst evolving landscapes by proactively identifying and managing emerging challenges and uncertainties through informed intelligence acquisition (Aguilar, 1967, pp. 18–35; Barnea, 2021, pp. 1–10; Cloutier, 2013, pp. 1–16; Du Toit, 2015, pp. 1–6; Miller, 2001, pp. 1–14; Stack, 1998, pp. 1–10; Zha and Chen, 2009, pp. 1–5). This process of disseminating intelligence and knowledge to executive stakeholders underscores the pivotal role of CI in shaping strategic business outcomes (Boyd and Fulk, 1996, pp. 12–17; Cottrill, 1998, pp. 2–5; García-Madurga and Esteban-Navarro, 2020, pp. 2–16; Pranjic, 2011, pp. 2–15; Tahmasebifard, 2018, pp. 2–12). However, the integration of CI into organisational decision-making processes is often challenged by the reluctance of decision-makers to acknowledge the value of CI products, relying instead on personal knowledge and experiences (Dabrowski, 2018, pp. 1–8; Gaidelys and Meidute, 2012, pp. 1–6). Addressing the demand for CI expertise within corporations necessitates a collaborative approach, wherein CI practitioners and decision-makers actively engage in a bidirectional exchange of intelligence (Miller, 2001, pp. 1–14). This symbiotic relationship hinges on management’s willingness to gain insights into the business environment and CI practitioners’ capacity to operate within a standardised framework (Ghoshal and Westney, 1991, pp. 1–15; Sewdass, 2012, pp. 1–12; Tahmasebifard, 2018, pp. 2–12). Thus, CI should be conceptualised not merely as a discrete department but also as a strategic management tool integrated across organisational functions (Ruhli and Sachs, 1997, pp. 1–9; Viviers et al., 2005, pp. 2–11).

Furthermore, CI collected from a broad spectrum of the business’s external environment encompasses a range of scanning activities tailored to uncover specific market characteristics and trends (Abraham, 2012, pp. 57–85; Babbar and Rai, 1993, pp. 1–10; Cloutier, 2013, pp. 1–16; Hedin, 2004, pp. 1–9). Gelb and Zinkhan (1985) characterise CI as a blend of defensive and offensive intelligence aimed at deciphering competitors’ plans, strategies, weaknesses, and opportunities. At the heart of the CI process lie raw data and information collected for the organisation (Pirttimäki, 2007, pp. 15–23; Wright, 2010, pp. 3–6), which are transformed into actionable insights through rigorous analysis and utilisation of CI analysts’ expertise (Boyd and Fulk, 1996, pp. 12–17; Cottrill, 1998, pp. 2–5; Kump et al., 2018, pp. 2–16; Sliton, 1998, p. 17; Tahmasebifard, 2018, pp. 2–12).

Moreover, CI is not solely about data collection but also about enhancing organisational value through proactive intelligence analysis that informs strategic decision-making (Auster and Choo, 1994, pp. 1–12; David, 2013, pp. 19–22; Johns and Van Doren, 2010, pp. 3–6; Johnson et al., 2009, pp. 131–162; Prescott, 2001, pp. 2–14). This dynamic process involves generating intelligence products ranging from real-time alerts to strategic insights, thereby empowering organisations to anticipate market shifts and formulate informed strategies (García-Madurga and Esteban-Navarro, 2020, pp. 2–16; Porter, 1991, pp. 1–21; Seng Yap et al., 2013, pp. 3–9). Additionally, the effectiveness of CI hinges not solely on resource allocation but also on the cultivation of a culture of intelligence analysis within the organisation, fostering knowledge-sharing and continuity irrespective of resource availability (Babbar and Rai, 1993, pp. 1–10; Frates and Sharp, 2005, pp. 2–10; Gaspareniene et al., 2013, pp. 1–5; Miller, 2005, pp. 1–3; Peddie, 1992, pp. 1–4; Pranjic, 2011, pp. 2–15; TejAdidam et al., 2009, pp. 3–15; Viviers et al., 2005, pp. 2–11).

Ultimately, the success of CI processes relies on decision-makers’ recognition of its value proposition and their commitment to integrating intelligence into strategic decision-making processes (Miller, 2001, pp. 1–14). By leveraging CI insights, organisations gain a competitive edge in swiftly adapting to market dynamics and making informed decisions that drive sustainable growth (Cottrill, 1998, pp. 2–5; Du Plessis and Gulwa, 2016, pp. 1–6; Kars-Unluoglu and Kevill, 2021, pp. 2–5; Tahmasebifard, 2018, pp. 2–12). The ongoing refinement of the CI process ensures that decision-makers are equipped with timely and relevant intelligence, enabling them to navigate the complexities of the business landscape with confidence and foresight (Fahey and Herring, 2007, pp. 2–8; Heppes and Du Toit, 2009, pp. 3–10; Sapkauskiene and Leitoniene, 2010, pp. 1–8). In essence, CI serves as a strategic imperative for organisations seeking to sustain a competitive advantage in an increasingly dynamic and uncertain business environment.

Understanding offensive cyber counterintelligence

Conceptual foundations

Counterintelligence operates on dual fronts, encompassing both defensive and offensive dimensions, with the overarching goal of safeguarding sensitive information and thwarting hostile activities perpetrated by adversaries (Barnea, 2017, pp. 715–726; Kanellopoulos, 2022, pp. 2–6; Prunckun, 2019, pp. 163–206; Wettering, 2000, pp. 265–300). In the realm of cybersecurity, counterintelligence assumes heightened importance, particularly due to the asymmetric nature of cyber warfare (Duvenage and Solms, 2014, pp. 5–6). On the defensive front, counterintelligence entails the implementation of robust security measures to fortify organisational defences against cyber threats (Kanellopoulos, 2023, pp. 1–6). This includes measures such as access controls, encryption protocols, and network monitoring systems aimed at detecting and mitigating potential intrusions. By proactively identifying vulnerabilities and deploying defensive countermeasures, organisations can mitigate the risk of data breaches, espionage, and other malicious activities aimed at compromising their assets (Duvenage et al., 2017, pp. 6–8).

However, defensive measures alone are insufficient to contend with the evolving threat landscape of cyber warfare. As adversaries employ increasingly sophisticated tactics to exploit vulnerabilities and infiltrate networks, a proactive approach is imperative (Sangher et al., 2023, pp. 1–6; Sigholm and Bang, 2013, pp. 1–6). This is where the offensive dimension of counterintelligence comes into play. Offensive counterintelligence involves pre-emptive actions aimed at disrupting adversaries’ operations, gathering intelligence on their activities, and neutralising their capabilities. This may include the infiltration of adversary networks, disinformation campaigns, and offensive cyber operations designed to degrade their infrastructure and disrupt their strategic objectives (Duvenage et al., 2018, pp. 2–14).

In the context of cyber operations, offensive counterintelligence serves as a force multiplier, enabling organisations to turn the tables on adversaries and proactively defend their interests. By gathering intelligence on potential threats and adversaries’ tactics, techniques, and procedures (TTPs), organisations can anticipate and pre-emptively counter malicious activities before they escalate into full-blown cyberattacks (Duvenage and Solms, 2014, pp. 7–15; Duvenage et al., 2018, pp. 2–14; Svilicic et al., 2019, pp. 2–12). Moreover, offensive counterintelligence allows organisations to disrupt adversaries’ command and control structures, degrade their capabilities, and undermine their ability to execute coordinated cyber operations effectively (Sigholm and Bang, 2013, pp. 1–6).

For instance, real-world examples highlight the significance of OCCI in thwarting cyber threats. The Stuxnet malware, discovered in 2010, represents a paradigmatic case of offensive cyber operations deployed for counterintelligence purposes (Kaminska et al., 2021, pp. 1–14). Jointly orchestrated by American and Israeli intelligence agencies, Stuxnet targeted Iran’s nuclear enrichment facilities, sabotaging centrifuge equipment through sophisticated cyberattacks, showcasing how offensive cyber capabilities can disrupt adversaries’ critical infrastructure (Pöyhönen and Lehto, 2022, pp. 1–9).

Moreover, OCCI incorporates elements of psychological warfare and strategic deception. Disseminating carefully crafted disinformation can sow confusion and mistrust among potential threat actors, disrupting their operations. For example, a financial institution might strategically leak false information about advanced security protocols to deter cybercriminals from targeting their systems, creating a perceived risk-reward imbalance (Cybersecurity and Infrastructure Security Agency (CISA), 2021, pp. 3–14; Kaminska et al., 2021, pp. 1–14).

Additionally, the asymmetric nature of cyber warfare further underscores the importance of offensive counterintelligence. Unlike traditional warfare, where adversaries may possess comparable military capabilities, cyber warfare often pits technologically advanced actors against less equipped opponents (Jaquire and Solms, 2017, pp. 1–9). In such scenarios, offensive counterintelligence becomes a critical tool for levelling the playing field and deterring adversaries from targeting vulnerable assets (Duvenage et al., 2018, pp. 2–14).

Discussion on the relationship between CI and OCCI

The interplay between OCCI and CI signifies a critical nexus within the realm of cybersecurity strategy, offering organisations a potent amalgamation to fortify their cyber resilience. CI serves as a foundational element, providing organisations with a comprehensive understanding of their competitive landscape, encompassing the strategies, capabilities, and vulnerabilities of rival entities (Markovich et al., 2022, pp. 8–14; Strauss and Du Toit, 2010, pp. 4–8). Fundamentally, the CI process entails the meticulous gathering of information and intelligence concerning the business environment, thereby forming the informational bedrock for OCCI endeavours. By leveraging insights gleaned from CI, OCCI operations can be intricately tailored to anticipate and counter emergent cyber threats effectively (Duvenage et al., 2018, pp. 2–14).

To illustrate, consider a scenario where a leading technology firm invests substantially in CI efforts to ascertain the market strategies and technological advancements of its industry peers. Through its CI initiatives, the firm uncovers indications that a competitor is clandestinely engaging in cyber espionage activities, aiming to pilfer proprietary research and development data. Armed with this intelligence, the firm’s OCCI team springs into action, implementing proactive measures to fortify its digital infrastructure and actively monitor for potential intrusions. Consequently, when the adversary launches a cyberattack targeting the firm’s intellectual property, the OCCI defences swiftly thwart the incursion, preserving the integrity of the organisation’s sensitive assets.

Moreover, the symbiotic relationship between CI and OCCI extends beyond mere defensive measures, fostering strategic advantages within competitive landscapes. By integrating CI insights into OCCI frameworks, organisations can gain a nuanced understanding of adversary tactics and methodologies, thereby pre-emptively adapting their business strategies to mitigate risks and capitalise on emerging opportunities. For instance, consider a global pharmaceutical company confronted with escalating cyber-espionage campaigns aimed at stealing proprietary drug formulas. Utilising CI, the company identifies specific threats posed by these cyberattacks and assesses their potential impact on ongoing research and product development initiatives. Armed with this intelligence, the company strategically adjusts its product development timelines, accelerating critical projects while reinforcing cybersecurity measures to safeguard its research pipeline. In response to these identified threats, the pharmaceutical company implements proactive measures, including enhanced monitoring of digital communications, robust encryption protocols, and advanced threat detection technologies. These efforts not only bolster the company’s defensive capabilities against cyber threats but also enable proactive engagement with regulatory bodies to ensure compliance with data protection regulations. Subsequently, the integration of CI into OCCI frameworks allows the pharmaceutical company to more effectively anticipate competitive moves in the market. By understanding the tactics and methodologies employed by adversaries attempting to compromise their intellectual property, the company can pre-emptively adjust its market strategies. For example, insights gained from OCCI may inform decisions to expand partnerships with secure research facilities or to prioritise patent filings for new drug discoveries ahead of schedule.

Furthermore, OCCI operations can reciprocate by bolstering CI endeavours, providing valuable insights into the modus operandi of adversaries and elucidating emerging trends within the competitive landscape (García-Madurga and Esteban-Navarro, 2020, pp. 2–16; Porter, 1991, pp. 1–21; Seng Yap et al., 2013, pp. 3–9). For example, a financial institution integrates OCCI findings into its CI analyses, uncovering indications of a coordinated cyberattack campaign orchestrated by a rival bank seeking to undermine customer confidence. Armed with this intelligence, the institution proactively fortifies its cybersecurity defences and enhances its customer outreach initiatives, thereby pre-empting reputational damage and consolidating its market position.

Shipping industry cyber threats

The contemporary shipping industry exhibits an escalating reliance on interconnected digital infrastructures, rendering it inherently vulnerable to a diverse array of targeted cyber threats. These threats, ranging from ransomware attacks to phishing schemes and supply chain breaches, pose substantial risks to both shipping operations and the broader spectrum of global trade activities. The pervasive digitalisation and automation within maritime operations have rendered vessels, ports, and logistical networks particularly susceptible to exploitation by malicious entities seeking to exploit systemic vulnerabilities (Grammenos, 2010, pp. 709–743). Consequently, cyber threats targeting the shipping sector can precipitate a spectrum of adverse outcomes, including the compromise of sensitive data and intellectual property as well as the disruption of critical supply chains and maritime logistics networks. Furthermore, the interconnected nature of contemporary global trade magnifies the potential ramifications of cyber incidents, as disruptions within the shipping domain have the propensity to cascade across multiple industries and economies worldwide (Petersson et al., 2019, pp. 1–5). Hence, safeguarding the cybersecurity posture of the shipping industry emerges as an imperative mandate, indispensable for ensuring the resilience and continuity of international trade networks amidst the digital paradigm.

Cyber intrusions: the cases of Automatic Identification System (AIS) manipulation and Ethernet-based cyberattacks

Cyber intrusions in maritime systems, particularly the manipulation of AIS, pose significant threats to global shipping and navigation. AIS, a system designed to enhance maritime situational awareness by transmitting vessel location and identification information, is increasingly targeted by cybercriminals (Androjna et al., 2021). AIS manipulation, also known as spoofing, involves transmitting false positional data to disguise a vessel’s true location. This tactic is frequently employed for illicit activities, such as sanctions evasion and smuggling. The case of the Malaysian-flagged tanker Shanaye Queen exemplifies the dangers of AIS spoofing. In July 2023, the vessel appeared to make an impossible rapid diversion, only to later be revealed as part of a sophisticated deception to mask its loading of US-sanctioned cargo from Iran. Such incidents expose the vulnerabilities in maritime cybersecurity, as traditional AIS systems are easily tampered with, leading to erroneous navigational data (Lloyd’s List Intelligence, 2023).
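The kinematic impossibility that gave the Shanaye Queen deception away is something a shore-side consumer of AIS data can test for automatically. The following is an added example, not code from the paper or from Lloyd’s List Intelligence: it runs a speed-plausibility check over a constructed track (the vessel labels, positions and the 30-knot ceiling are assumptions) and flags any pair of consecutive reports whose implied speed over ground exceeds what a merchant vessel can physically do.

```python
"""Speed-plausibility check for AIS position reports.

Added example (not from the paper): flags consecutive reports from the same
vessel whose implied speed over ground exceeds a physical ceiling, the
"impossible rapid diversion" signature of a spoofed track.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_NM = 3440.065  # mean Earth radius in nautical miles


@dataclass(frozen=True)
class PositionReport:
    vessel: str      # vessel identifier (constructed label, not a real MMSI)
    timestamp: int   # seconds since epoch, as received by the shore station
    lat: float       # decimal degrees, north positive
    lon: float       # decimal degrees, east positive


def great_circle_nm(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in nautical miles."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = phi2 - phi1
    dlam = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_NM * asin(sqrt(h))


def implied_speed_knots(earlier, later):
    """Speed over ground that would be needed to move between two reports."""
    hours = (later.timestamp - earlier.timestamp) / 3600
    if hours <= 0:
        raise ValueError("reports must be strictly increasing in time")
    return great_circle_nm(earlier.lat, earlier.lon, later.lat, later.lon) / hours


def find_implausible_jumps(reports, max_knots=30.0):
    """Return (vessel, earlier, later, knots) for every consecutive pair of
    reports that implies a speed above max_knots. Reports are grouped per
    vessel and ordered by time first, so input order does not matter."""
    tracks = {}
    for r in sorted(reports, key=lambda r: (r.vessel, r.timestamp)):
        tracks.setdefault(r.vessel, []).append(r)
    flagged = []
    for vessel, track in tracks.items():
        for earlier, later in zip(track, track[1:]):
            if later.timestamp == earlier.timestamp:
                continue  # duplicate receipt of the same report; nothing to compare
            knots = implied_speed_knots(earlier, later)
            if knots > max_knots:
                flagged.append((vessel, earlier, later, knots))
    return flagged


# Constructed sample: VESSEL-A steams north at about 12 knots, then "jumps"
# 2.5 degrees of latitude (about 150 nm) in one hour; VESSEL-B is a normal
# track included to show the check produces no false positive.
SAMPLE_REPORTS = [
    PositionReport("VESSEL-A", 0, 1.20, 103.80),
    PositionReport("VESSEL-A", 3600, 1.40, 103.80),
    PositionReport("VESSEL-A", 7200, 1.60, 103.80),
    PositionReport("VESSEL-A", 10800, 4.10, 103.80),   # implausible jump
    PositionReport("VESSEL-A", 14400, 4.30, 103.80),
    PositionReport("VESSEL-B", 0, 1.30, 104.00),
    PositionReport("VESSEL-B", 3600, 1.30, 104.20),
    PositionReport("VESSEL-B", 7200, 1.30, 104.40),
]

if __name__ == "__main__":
    for vessel, a, b, knots in find_implausible_jumps(SAMPLE_REPORTS):
        print(f"{vessel}: ({a.lat}, {a.lon}) -> ({b.lat}, {b.lon}) "
              f"in {b.timestamp - a.timestamp}s implies {knots:.0f} kn")
```

The check uses the shore station’s receipt time rather than the timestamp inside the message, since a spoofer controls the latter. It only catches spoofing that breaks kinematics; a falsified track that stays physically plausible has to be cross-checked against a source the vessel does not control, such as coastal radar or satellite imagery.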

Furthermore, Ethernet-based cyberattacks present an additional layer of risk to shipping operations. Modern ships are equipped with numerous interconnected systems that rely on Ethernet networks for communication and control, including navigation, engine management, and cargo-handling systems. These networks, if inadequately secured, provide an entry point for cybercriminals to launch attacks that can disrupt critical operations. For instance, malware introduced into a ship’s Ethernet network can corrupt navigational data, disable crucial systems, or even hijack control of the vessel, posing severe risks to safety and security (Shinde and Mehta, 2023).

Ransomware attacks: disrupting maritime operations

Ransomware attacks represent an enduring and formidable menace to the shipping industry, precipitating disruptive operational upheavals and profound financial repercussions. These pernicious cyber assaults entail the encryption of critical systems and data by malevolent actors, who subsequently extort ransom payments in exchange for restoring access (Schwarz et al., 2021, pp. 1–8). Notable among these incidents is the infamous 2017 NotPetya ransomware attack, which targeted Maersk, a preeminent entity within the global shipping landscape (Greenberg, 2018). This assault inflicted devastating blows upon Maersk’s IT infrastructure, resulting in widespread operational disruptions across its extensive network of ports and supply chains. The reverberations of this attack extended far beyond Maersk’s internal operations, reverberating across its ecosystem of partners, customers, and stakeholders reliant on its services (Estay, 2020, pp. 29–42). Port terminals grappled with protracted delays in cargo handling, vessels encountered scheduling disruptions, and supply chains grappled with acute logistical bottlenecks. Moreover, the financial toll exacted by the attack was staggering, with Maersk reporting colossal losses totalling hundreds of millions of dollars. This seminal event served as a poignant reminder of the susceptibility of maritime organisations to ransomware incursions and galvanised the industry to fortify its cybersecurity defences (CISA, 2021, pp. 3–14).

Data breaches: compromising confidentiality and integrity

The escalation of data breaches within the maritime sector presents a profound and pressing cybersecurity challenge, imperilling the confidentiality and integrity of mission-critical information essential for the industry’s functioning (Ball, 2021, pp. 10–18). Of particular concern are the deleterious effects stemming from the compromise of sensitive data, encompassing cargo manifests and vessel schedules, pivotal for the seamless and secure facilitation of goods’ movement (Grammenos, 2010, pp. 659–679). A notable exemplar accentuating the gravity of this threat is the 2015 breach of the US Office of Personnel Management (OPM), attributed to hackers purportedly affiliated with China (Finklea et al., 2015, pp. 1–10). While the primary target of this breach was not the shipping industry per se, its repercussions resonated across sectors, elucidating the pervasive menace of cyber espionage and data exfiltration. The breach laid bare millions of confidential records, including background investigation files of government personnel, precipitating apprehensions regarding the susceptibility of digital infrastructures to sophisticated cyber penetrations. Although the motivations driving the OPM breach may diverge from those underpinning attacks on maritime infrastructure, such as espionage or geopolitical stratagem, the fundamental cybersecurity susceptibilities underscore the interconnectedness of cyber threats spanning heterogeneous domains. Consequently, the incident serves as a poignant reminder of the imperative for maritime entities to bolster their cybersecurity resilience vis-à-vis evolving cyber adversaries.

Supply chain disruptions: impeding global trade

The interconnectedness inherent in global supply chains renders the shipping industry profoundly susceptible to supply chain disruptions orchestrated through cyber means (Alcaide and Llave, 2020, pp. 1–7). The 2017 NotPetya ransomware attack, in addition to its direct impact on Maersk, stands as a stark exemplar of the extensive repercussions of such disruptions (Estay, 2020, pp. 29–42). This incident vividly illustrated the ripple effect that cyberattacks can induce across the broader supply chain ecosystem, precipitating cascading disruptions and substantial financial losses. In the aftermath of the NotPetya attack, myriad companies reliant on Maersk’s logistic services encountered severe disruptions to their operations. From manufacturing plants grappling with procuring essential components to retailers contending with delays in merchandise receipt, the reverberations resonated throughout the global economy.

Moreover, the maritime industry’s dependence on interconnected networks for communication, navigation, and cargo tracking amplifies the potential impact of supply chain disruptions (Akpan et al., 2022, pp. 1–10). Any disruption to these pivotal systems can precipitate cascading effects, resulting in vessel schedule delays, port congestion, and disruptions to cargo movements.

Insider threats: exploiting human vulnerabilities

Within the multifaceted and intricate realm of the shipping industry, insider threats present a formidable challenge, exploiting human vulnerabilities to compromise cybersecurity (Catrantzos, 2023, pp. 32–40). Employees across various roles, from seafarers responsible for vessel operations to administrative personnel overseeing logistics and security protocols, play pivotal roles in maritime operations but can inadvertently or intentionally compromise security (Cho and Lee, 2016, pp. 1–8). The unique nature of the maritime environment, characterised by remote locations, complex supply chains, and diverse workforce dynamics, magnifies the risk posed by insider threats (Kanellopoulos, 2024, pp. 3–9).

Social engineering tactics, such as phishing scams and pretexting, exploit human trust to gain unauthorised access to sensitive systems and information (Gelles, 2021, pp. 669–680). These tactics prey on individuals’ innate desire to be helpful or their lack of awareness regarding cybersecurity best practices (Stouder and Gallagher, 2013, pp. 2–10). For instance, a malicious actor posing as an IT technician may contact an unsuspecting employee and request their login credentials under the guise of performing urgent system maintenance or troubleshooting. In their attempt to be cooperative and helpful, the employee may unwittingly divulge sensitive information, such as login credentials or access codes, which the attacker can then exploit to gain unauthorised access to critical systems and data. Consequently, this could lead to data breaches, unauthorised access, or other security incidents, potentially compromising the integrity and confidentiality of sensitive information (Kanellopoulos, 2022, 2024, pp. 3–9).

Furthermore, infiltration by malicious insiders poses a significant risk to maritime cybersecurity (Guitton and Fréchette, 2023, pp. 2–10). In some cases, individuals may be deliberately placed within organisations by external threat actors, acting as moles to facilitate cyberattacks or espionage. Alternatively, disgruntled employees with insider knowledge and access to a shipping company’s network may act independently to sabotage operations or steal sensitive data for personal gain or vendetta. These insiders may exploit their privileged access to critical systems or information to carry out malicious activities, such as stealing sensitive data, sabotaging operations, or assisting external adversaries in compromising cybersecurity defences (Kanellopoulos, 2024, pp. 3–9). For instance, a disgruntled employee with access to a shipping company’s network may intentionally leak sensitive information to competitors, compromising the company’s competitive advantage and reputation. Similarly, they may plant malware within the organisation’s systems to disrupt operations, causing financial losses and reputational damage.

Discussion: Leveraging CI for OCCI in the shipping industry

In response to the mounting cyber threats facing the shipping industry, the development of a holistic strategy amalgamating CI and OCCI frameworks becomes imperative (Duvenage et al., 2018, pp. 2–14). This strategic blueprint entails a methodical approach at both tactical and operational levels, aimed at reinforcing cybersecurity resilience and protecting critical assets and operations within the maritime sphere (Morrow, 2021, pp. 2–10). Emphasising the pivotal role of CI, organisations delve into this domain to glean profound insights into adversaries’ tactics, intentions, and capabilities (D’agostini et al., 2019, pp. 1–7). Such insights serve as the cornerstone for proactive defence strategies, enabling organisations to anticipate and thwart emerging cyber threats effectively. In the following sections, we provide tactical and operational level examples of how CI could have assisted the OCCI capabilities of Maersk in response to the notorious attack against it. Within the dynamic maritime landscape, CI serves as the bedrock upon which robust offensive measures are constructed, empowering organisations to navigate the complexities of cyber warfare with precision and efficacy (Duvenage et al., 2018, pp. 2–14).

Integrating threat intelligence for offensive operations

At the heart of an effective OCCI strategy lies the integration of comprehensive threat intelligence. Derived from diverse CI channels, threat intelligence provides critical insights into the TTPs employed by adversaries. This intelligence transcends the mere monitoring of an organisation’s network, extending to a broader cyber sphere that includes adversarial forums, communication channels, and clandestine operations (Duvenage and Solms, 2014, pp. 7–15). Through meticulous analysis of this intelligence, organisations can uncover the underlying motives and strategies of adversaries, facilitating informed decision-making and proactive offensive measures.

In the context of the 2017 NotPetya ransomware attack on Maersk, the company could have significantly benefitted from integrating threat intelligence into its offensive operations. For instance, Maersk could have employed advanced systems, such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), to monitor and analyse incoming traffic for signs of ransomware activity. These systems, by detecting and preventing unauthorised access, also gather valuable intelligence on adversaries’ behaviours and capabilities (BIMCO et al., 2021, pp. 3–22). Additionally, deploying honey-client applications could have enabled Maersk to actively engage with the cyber threat landscape, luring adversaries into interacting with decoy systems, thereby revealing their tactics and tools. This proactive engagement would have allowed Maersk to identify and isolate threats more swiftly, mitigating the impact of attacks such as NotPetya.

Offensive configurations and deception strategies

One of the core components of OCCI is the strategic configuration of systems and networks to deceive and exploit adversaries. This involves setting up honeynets and other deceptive infrastructures that present false information to adversarial reconnaissance tools. For Maersk, deploying a honeynet could have diverted ransomware actors away from critical systems, channelling them into controlled environments where their actions could be monitored and analysed (Pawelski, 2023, pp. 1–7). By feeding adversaries misleading data, Maersk could manipulate their understanding of the network, causing them to make strategic errors that could be exploited.

Moreover, Maersk could have utilised honey-client applications to engage actively with adversarial tools and scripts. For example, if Maersk had deployed honey-clients that mimicked vulnerable systems, they could have attracted ransomware actors to reveal their methods and tools. This intelligence would have been invaluable for crafting targeted countermeasures against the specific tools and techniques used by the attackers, thereby enhancing Maersk’s ability to pre-empt and neutralise threats.
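The IDS-style monitoring for signs of ransomware activity described under the previous heading, and the decoy infrastructure described above, can be illustrated together with a small detector. The following is an added example written for this discussion; it is not code from the paper, from Maersk, or from any of the cited sources. It assumes a simplified file-server audit-log format (one event per line: epoch timestamp, host, process, action, path, and for renames the new path), a set of decoy file locations, and the burst thresholds, all of which are constructed for the example. Two detections are implemented: any access to a decoy file (which, like a honeynet, has no business purpose, so the accessing process and its action are themselves intelligence), and a burst of extension-changing renames by one process, a coarse behavioural indicator of bulk file encryption.

```python
"""Ransomware-behaviour detector over file-server audit events with decoy files.

Added example (not from the paper).  The audit-line format, decoy paths and
thresholds below are assumptions constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional

# Decoy ("canary") files: assumed locations chosen for this example.  They serve
# no business purpose, so any access to them is suspicious by construction.
DECOY_PATHS = frozenset({
    "/srv/share/finance/_archive_2016.xlsx",
    "/srv/share/hr/~backup_payroll.docx",
})
RENAME_BURST_THRESHOLD = 5   # extension-changing renames by one process ...
WINDOW_SECONDS = 60          # ... within this sliding window raise an alert

# Constructed audit-line format: "<epoch> <host> <process> <action> <path>[ -> <new_path>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<host>\S+) (?P<process>\S+) (?P<action>READ|WRITE|RENAME) "
    r"(?P<path>\S+)(?: -> (?P<new_path>\S+))?$"
)


@dataclass(frozen=True)
class Event:
    ts: int
    host: str
    process: str
    action: str
    path: str
    new_path: Optional[str] = None


def parse_event(line: str) -> Optional[Event]:
    """Parse one audit line; malformed lines return None and are skipped, never trusted."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(int(m["ts"]), m["host"], m["process"], m["action"], m["path"], m["new_path"])


def _ext(path: str) -> str:
    """Lower-cased extension of the final path component, '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines) -> list:
    """Return alert dicts, in the order they fire, for the given audit lines."""
    alerts = []
    renames = defaultdict(deque)   # (host, process) -> timestamps of recent re-extension renames
    burst_reported = set()         # report each (host, process) burst once
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        # Rule 1: decoy touched.  Record who did what; that is the deception pay-off.
        if ev.path in DECOY_PATHS or ev.new_path in DECOY_PATHS:
            alerts.append({"rule": "DECOY_ACCESS", "host": ev.host, "process": ev.process,
                           "action": ev.action, "path": ev.path})
        # Rule 2: burst of renames that change the extension (e.g. report.xlsx -> report.xlsx.locked).
        if ev.action == "RENAME" and ev.new_path and _ext(ev.new_path) != _ext(ev.path):
            key = (ev.host, ev.process)
            q = renames[key]
            q.append(ev.ts)
            while q and ev.ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= RENAME_BURST_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                alerts.append({"rule": "RENAME_BURST", "host": ev.host, "process": ev.process,
                               "count": len(q), "new_ext": _ext(ev.new_path)})
    return alerts


# Constructed sample log: normal office activity, then one process reading a decoy
# and bulk-renaming files to a new extension.  "updater.exe" is an invented name.
SAMPLE_AUDIT_LOG = """\
1500000001 fileserver01 excel.exe READ /srv/share/finance/q1_results.xlsx
1500000003 fileserver01 excel.exe WRITE /srv/share/finance/q1_results.xlsx
1500000030 fileserver01 winword.exe RENAME /srv/share/hr/draft.docx -> /srv/share/hr/final.docx
1500000100 fileserver01 updater.exe READ /srv/share/finance/_archive_2016.xlsx
1500000101 fileserver01 updater.exe RENAME /srv/share/finance/_archive_2016.xlsx -> /srv/share/finance/_archive_2016.xlsx.locked
1500000102 fileserver01 updater.exe RENAME /srv/share/finance/q1_results.xlsx -> /srv/share/finance/q1_results.xlsx.locked
1500000103 fileserver01 updater.exe RENAME /srv/share/finance/q2_results.xlsx -> /srv/share/finance/q2_results.xlsx.locked
1500000104 fileserver01 updater.exe RENAME /srv/share/hr/final.docx -> /srv/share/hr/final.docx.locked
1500000105 fileserver01 updater.exe RENAME /srv/share/hr/~backup_payroll.docx -> /srv/share/hr/~backup_payroll.docx.locked
this line is malformed and must be skipped
"""


def run_demo() -> list:
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_AUDIT_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

On the sample log the benign rename (same extension) is ignored, the first decoy read fires before any encryption-like behaviour is visible, and the rename burst fires on the fifth re-extension within the window, naming the host, process and new extension. Those fields are the intelligence the text describes: what the actor touched, in what order, and with which tool, which a response team can use to isolate the host and craft targeted countermeasures.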

Recruitment and utilisation of virtual agents

A sophisticated OCCI strategy often involves the recruitment and handling of virtual agents within underground forums and adversarial networks. These agents operate under true or false flags, collecting intelligence and engaging in activities that further the organisation’s objectives. For Maersk, deploying virtual agents could have involved infiltrating cybercriminal forums to gather real-time insights into adversarial plans and operations (Mraković and Vojinović, 2019, pp. 2–7). These agents could have also spread disinformation to confuse and mislead adversaries, thereby disrupting their operational effectiveness.

For instance, virtual agents could have posed as insiders within forums used by North Korean cyber actors, gathering intelligence about planned attacks and techniques. By obtaining such insights, Maersk could have pre-emptively bolstered its defences against specific threats. Additionally, these virtual agents could have influenced discussions to sow mistrust among adversaries, undermining their cohesion and operational planning. This approach has been effective in various contexts, such as countering North Korean cyber operations by proactively disrupting their communication and planning.

Cyber espionage and strategic exploitation

Cyber espionage is a critical element of OCCI, characterised by its focus on actively targeting and exploiting adversarial networks. Unlike defensive measures that protect an organisation’s own systems, cyber espionage involves penetrating and gathering intelligence from adversaries’ networks. For Maersk, employing cyber espionage tactics could have included monitoring North Korean cyber actors to uncover their strategic plans and operational capabilities (BIMCO et al., 2021, pp. 23–25). This proactive approach would have enabled Maersk to develop targeted operations to disrupt and neutralise adversarial activities.

Effective cyber espionage requires a deep understanding of the adversarial landscape, achieved through continuous monitoring and analysis of CI. For example, Maersk could have employed advanced data mining techniques to extract valuable insights from adversarial communications, identifying patterns and correlations that reveal their intents and capabilities. This intelligence-driven approach ensures that offensive operations are precise and impactful, maximising their effectiveness in neutralising threats.

Crew management and recruitment

In the domain of crew management and recruitment within the shipping industry, utilising CI for OCCI objectives is crucial to uphold operational efficacy and safeguard security measures. Crew management is a pivotal facet of maritime endeavours, where adept personnel play a fundamental role in ensuring the seamless functioning and safety of vessels (Griffioen et al., 2021, pp. 1–6). However, the recruitment process is vulnerable to cyber threats, such as those posed by Russian intelligence agencies, including the Federal Security Service (FSB) and the Sluzhba Vneshney Razvedki (Foreign Intelligence Service, SVR), which may exploit sensitive personnel data or weaknesses within recruitment platforms to infiltrate organisational networks (Kanellopoulos, 2024, pp. 3–9).

Through CI integration, Maersk could proactively address these challenges and fortify its operational resilience. For instance, by analysing competitor job postings and recruitment strategies, Maersk could identify potential vulnerabilities in their processes that adversaries might exploit. Additionally, continuous surveillance of industry trends and threat intelligence feeds would enable Maersk to anticipate and counteract cyber threats targeting crew management systems and recruitment platforms. In the event of a cyberattack on a competitor’s recruitment platform, Maersk could use the insights gained to implement pre-emptive measures, mitigating the risk of similar exploitation within its own systems.

Moreover, Maersk could utilise CI to counter industrial espionage by Russian state actors in the shipping industry. By monitoring and analysing the recruitment practices of competitors, Maersk could identify attempts by adversarial intelligence agencies to place operatives within the company. Implementing thorough background checks and leveraging CI to detect anomalous behaviours or affiliations would enhance Maersk’s ability to safeguard against such threats.

Technology and infrastructure enhancement

The utilisation of CI guides organisations in making informed decisions regarding technology investments and infrastructure improvements. By leveraging nuanced insights derived from CI, organisations gain a comprehensive understanding of emerging cyber threats and technological advancements within the maritime sector (Morrow, 2021, pp. 2–10). This knowledge empowers them to strategically employ offensive counterintelligence tactics, such as disrupting competitors’ technology infrastructure or exploiting vulnerabilities in their digital systems.

For Maersk, this could have meant investing in advanced cybersecurity technologies and improving digital resilience based on CI insights. For example, by understanding the specific techniques used by ransomware groups, Maersk could have enhanced its endpoint security and incident response capabilities. This strategic alignment underscores the company’s proficiency in navigating the dynamic landscape of cyber threats while showcasing its commitment to maintaining a competitive edge in the industry (ABS Group, 2021, pp. 2–9).

Legal and ethical considerations

As organisations venture into the domain of OCCI strategies, they encounter a plethora of ethical and regulatory complexities that necessitate careful deliberation and adherence (VristRonn, 2016, pp. 2–22). Fundamental among these complexities is the obligation to uphold privacy rights and maintain rigorous data protection standards. Given that offensive cyber operations often entail the gathering and analysis of sensitive information, organisations are obligated to abide by ethical guidelines and legal frameworks to prevent unwarranted intrusions into individuals’ privacy (Duvenage and Solms, 2014, pp. 14–15).

Transparency emerges as a crucial component in fostering trust and ensuring accountability. Stakeholders must be informed about the nature and extent of offensive cyber activities undertaken by organisations. This openness not only builds trust but also ensures that actions taken are scrutinised and held accountable. Additionally, organisations face the challenge of navigating regulatory constraints imposed by different jurisdictions, each governed by distinct laws governing cybersecurity practices and offensive operations. Compliance with these regulations demands a meticulous approach to ensure that offensive cyber activities remain within legal and ethical boundaries (Prunckun, 2019, pp. 207–218).

In grappling with these ethical considerations and regulatory hurdles, organisations must strike a delicate balance between fulfilling their cybersecurity objectives and respecting core rights and principles. Neglecting to address these considerations adequately not only exposes organisations to legal consequences but also poses risks to their reputation and undermines stakeholders’ trust. Therefore, a proactive approach that integrates ethical considerations into offensive cyber strategies is imperative to mitigate risks and uphold ethical standards in the pursuit of cybersecurity goals.

This entails implementing robust mechanisms for ethical review and oversight to ensure that offensive cyber activities are conducted with due regard for ethical principles and legal requirements. Such mechanisms might include independent ethics committees, regular audits, and comprehensive reporting procedures. Moreover, organisations must prioritise ongoing education and training programmes to cultivate a culture of ethical awareness and responsibility among personnel involved in offensive cyber operations. This includes training on legal frameworks, ethical decision-making, and the potential consequences of cyber activities.

By embracing ethical considerations as integral components of offensive cyber strategies, organisations can navigate the intricate landscape of cybersecurity with integrity and accountability. This approach not only protects the organisation from legal and reputational risks but also promotes a sustainable and responsible practice of offensive cyber operations, aligning cybersecurity efforts with broader ethical standards and societal expectations.

Conclusions

This paper integrates two critical areas of literature: CI and OCCI. Through the examination of the Maersk attack case example, it initiates a broader discussion on how CI can enhance OCCI operations in the shipping industry. By analysing this specific incident, we highlight the practical application and impact of CI in real-world scenarios, illustrating how strategic intelligence gathering and analysis can significantly improve an organisation’s defensive and offensive cyber capabilities.

The integration of CI within OCCI strategies is pivotal for bolstering cybersecurity resilience. Ethical principles and actionable insights from CI enable organisations to navigate the complex cyber threat landscape effectively. This study demonstrates the symbiotic relationship between CI and OCCI, highlighting their potential to safeguard organisational interests and maintain a competitive edge. The proactive use of CI allows organisations to anticipate and counter cyber threats before they materialise, thereby reducing vulnerabilities and enhancing their overall security posture.

Future research should delve deeper into the integration of CI and OCCI, exploring various cyber threat scenarios and assessing the effectiveness of different OCCI tactics. It is crucial to investigate how different industries, especially those with critical infrastructure such as shipping, can tailor these strategies to their unique threat environments. Moreover, understanding the limitations and potential risks associated with integrating CI into OCCI operations would be essential for refining these approaches.

Collaboration between academia, industry, and policymakers is essential to develop comprehensive strategies and ensure the ethical deployment of cyber counterintelligence measures. Such collaboration can facilitate the sharing of knowledge, best practices, and innovations, contributing to a more robust and resilient cybersecurity framework. Policymakers play a vital role in establishing guidelines and regulations that support ethical practices while enabling organisations to defend against increasingly sophisticated cyber threats effectively.