In October 2020, allied defense ministers received a confidential report on a pressing challenge that often receives less attention than it is due: the vulnerability of transatlantic undersea cables. Sometimes described as the “world’s information super-highways,” undersea cables carry over 95 percent of international data. In comparison with satellites, subsea cables provide high capacity, cost-effective, and reliable connections that are critical for our daily lives. There are approximately more than 400 active cables worldwide covering 1.3 million kilometers (half a million miles).
After the October meeting of allied defense ministers, and in the months since, Secretary General Jens Stoltenberg of the North Atlantic Treaty Organization (NATO) underscored the need for the alliance to monitor and protect this critical infrastructure. However, despite the proliferation of public statements underlining the importance of protecting them, collective action to enhance their security has so far been lacking. A number of measures could be taken by allies to effectively protect subsea cables harnessing the full potential of their bilateral cooperations, NATO, and the European Union, in close coordination with the private sector.
Critical Communications Infrastructure
The Euro-Atlantic area is the oldest undersea cable route and carries traffic between the two biggest economic hubs with dozens of cables, the majority of which are between the United States, the United Kingdom, and France. Europe relies heavily on these cables as a majority of its data is stored in data centers located in the United States. Other major routes are those connecting Europe to Asia (through the Mediterranean Sea and the Suez Canal) as well as Asia with the United States (through the Pacific Ocean). From a more forward-looking perspective, Europe to Asia Arctic routes are increasingly explored as they offer dramatically shorter routes. Nonetheless, these polar cables still face significant technical challenges and are not credible alternative routes yet.
The planning, production, deployment, and maintenance of subsea cables are almost entirely in the hands of the private sector. Currently, the four largest suppliers are Alcatel Submarine Networks (France), SubCom (United States), NEC (Japan), and newcomer Huawei Marine Networks (China), whose market share has progressively risen to 10 percent. If network operators have traditionally been the main investors in undersea cables, content providers (Google, Amazon, Microsoft, Facebook) are also expanding their investments in this sector to ensure the interconnection of their data centers.
This global network of undersea cables provides the high-bandwidth connections needed for a wide range of activities vital for our modern society, from financial transactions to global communications or international scientific cooperation. In the financial sector alone, undersea cables carry some $10 trillion of financial transfers daily. Reliance on submarine cables will continue to increase as demand for data is expected to grow: driven by a shift toward cloud services and the spread of 5G networks, bandwidth demand will almost double every two years in the near future.
Submarine cables are also critical for transatlantic security as governments rely heavily on this infrastructure for their own communications. Diplomatic cables and military orders largely pass through these privately owned cables as military operated, and classified cables remain marginal. Undersea cable breaks between Egypt and Italy in 2008 led U.S. drone flights in Iraq to decrease sharply from hundreds to tens a day. This reliance on subsea cables to project and sustain power will increase in the future as the military applications of 5G are many in terms of intelligence, command and control, or unmanned and autonomous vehicles.
The Nature of the Threat
Undersea cables have two types of vulnerabilities: physical and digital. However, it should be noted that the most common threat today—responsible for roughly 150 to 200 subsea cable faults every year—is accidental physical damage from commercial fishing and shipping, or even from underwater earthquakes. Industry actors have the prime responsibility for accounting for and mitigating these incidents. Of greater concern are more malicious threats. Regarding physical challenges, the two primary concerns are that the cables might be destroyed or tapped—by either a non-state actor, as per some recent isolated incidents of piracy, or, more likely, by a state adversary like Russia.
Indeed, in recent years, Russian attention to transatlantic undersea cables, particularly in the North Atlantic Ocean, has increased commensurately with NATO’s perception of undersea cables’ importance and vulnerability. Moscow has two primary means by which it could directly threaten the cables: submarines and surface vessels that can deploy autonomous or manned submersibles. An example of the former was the Losharik spy submarine, which—before a tragic fire in 2019 decommissioned it—likely had the deep-sea capability necessary to map or destroy undersea cables. While the Losharik is being repaired, the Russian Navy has other such submarines and is developing unmanned undersea drones, such as the nuclear-powered Poseidon. As for surface ships, the most famous is the Yantar, which is ostensibly a research vessel but is understood to act as a spy ship that could deploy underwater submersibles to attack and destroy sections of cables.
There are several conceivable objectives severing a cable might achieve: cutting off military or government communications in the early stages of a conflict, eliminating internet access for a targeted population, sabotaging an economic competitor, or causing economic disruption for geopolitical purposes. Actors could also pursue several or all of these objectives simultaneously.
More difficult and subtle than destroying the cables is tapping them to record, copy, and steal data, which would be later collected and analyzed for espionage. It is believed this could be done in one of three ways: inserting backdoors during the cable manufacturing process, targeting onshore landing stations and facilities linking cables to networks on land, or tapping the cables at sea. Each is more difficult than the one before, and the last—tapping the cables at sea— is believed to be so technically challenging that it is not publicly known whether any country is even capable of it.
The final type of threat is cyber or network attacks. By hacking into the network management systems that private companies use to manage data traffic passing through the cables, malicious actors could disrupt data flows. A “nightmare scenario” would involve a hacker gaining control, or administrative rights, of a network management system. At that point, they could discover physical vulnerabilities, disrupt or divert data traffic, or even execute a “kill click” deleting the wavelengths used to transmit data. The potential for sabotage or espionage is quite clear—and according to Lawfare, the security of many of the network management systems is not up to date. The recent SolarWinds and Colonial Pipeline cyberattacks also exposed the cyber vulnerabilities of the U.S. private sector with dramatic implications for national security.
At the time of this writing, there is no publicly available information indicating that any actor, be it Russia, China, or a non-state group, is entertaining such a cyberattack. But one could imagine feasible motives for all of them: for Russia, the same reasons that it might consider a physical attack would apply; for China, its emergence as a leading global competitor in providing undersea cables could make the prospects of discrete espionage or even industrial sabotage alluring; and for a terrorist group, the prospect of holding transatlantic financial commerce hostage or destroying it could be enticing. At the moment, however, assigning these motives is a speculative exercise.
Strengthening Undersea Cables Resilience
Given the critical importance of subsea cables for transatlantic security, ensuring their full resiliency should be a collective priority for the United States and its European allies and partners—and while some have already adopted measures at the national level, multilateral action remains limited. Given the multi-faceted nature of the use, private ownership, and vulnerabilities of subsea cables, international action would necessarily need to leverage different formats to be effective. The following steps could be taken:
Increase intelligence sharing among allies: The U.S. administration should conduct bilateral confidential dialogues with its main European partners, in particular, the United Kingdom and France, to exchange information on their threat perspective and analysis, their respective cable projects, and the national measures implemented to protect them. At NATO, allies should work on a collective assessment of both the potential vulnerabilities to undersea cables in the Euro-Atlantic region and the implications of disruptions for allied operations. The upcoming NATO summit on June 14 may provide an opportunity to begin that conversation.
Promote national risk assessments of cable projects: Even though cables are privately managed, maintained, and secured, governments have a responsibility to make sure that any project is closely scrutinized beforehand to avoid security breaches. National authorities also have a responsibility to ensure that cable routes are redundant and diverse enough to guarantee their overall resilience. Individual allies have already put in place such procedures, starting with the United States where an interagency group known as “Team Telecom” reviews the national security implications of all potential subsea cables landing on U.S. shores. In Europe, the European Union should use its regulatory power to likewise promote high security standards for all member states, building on its 2008 critical infrastructures directive and its growing efforts in the field of cybersecurity. Security at landing stations, which is often limited, should be a priority in this regard.
Ensure private sector commitment to security: In addition to reviewing projects in advance, national governments should also ensure that operating companies implement the highest standards. As a first step, allies should encourage operators to adhere to voluntary guidelines, most notably those provided by the International Cable Protection Committee (ICPC), an industry forum for cable owners and some governments that develops standard procedures. Allied governments, which are not members, should also consider joining, as this would enhance the legitimacy of the organization. If voluntary standards fail to incentivize companies to invest adequately in cybersecurity, allies should consider defining mandatory requirements, as recently decided in the United States for oil and gas pipelines following the ransomware attack against Colonial Pipeline.
Develop national monitoring and repair capabilities: Allied governments should also step up their efforts to protect this critical infrastructure from malicious activity. Once allies agree on a shared assessment of vulnerabilities, NATO defense planners could consider setting capability targets to encourage allies to develop appropriate assets, such as surveillance ships or autonomous undersea drones. The United Kingdom has already announced the acquisition of a vessel specifically designed to protect underwater infrastructure. It will be equipped with advanced sensors and underwater drones and is expected to come into service by 2024. In addition to monitoring capabilities, allies could also consider policies to bolster the global fleet of cable repair vessels, which as of now is both overstretched and informally organized. The Fiscal Year 2020 U.S. National Defense Authorization Act (NDAA), for example, allocated a small stipend for a program to incorporate two privately owned vessels into a “fleet” the government can activate in a crisis.
Adopt contingency planning in case of major breaks: The United States and its European allies and partners should also develop, in close coordination with the private sector, contingency planning to prepare for the consequences of intended or unintended significant cuts. A focus should be on scenarios where many cables are severed in a short time period, overwhelming the redundancy features that the private sector builds into account for more common, isolated failures. This planning process could help governments and cable owners to identify national points of contact, conduct regular exercises, and determine ways to improve the resiliency of the networks. This effort could be undertaken at the national level or collectively as appropriate. This could be an area of cooperation between the European Union and NATO, harnessing the strengths of both organizations (the European Union’s financial and regulatory competence and NATO’s experience in military planning).
Complete international legal framework: Finally, the United States and its European partners should explore ways of better protecting undersea cables from a legal point of view. As of now, the legal regime is a patchwork of international conventions and customary law, in particular, the United Nations Convention on the Law of the Sea (UNCLOS), which does not fully protect cables. Significant gaps remain: this regime does not explicitly prohibit, for instance, states from treating undersea cables as legitimate military targets during wartime. The U.S. administration, together with Europeans, should therefore promote a more comprehensive and holistic legal regime that would apply to all states.
While there is certainly much more that can be done, these recommendations are intended to serve as a useful starting point as the United States and its European allies and partners begin to consider how to collectively ensure that the protection of this critical infrastructure is commensurate with their immense importance for transatlantic security, societies, and economies.
Pierre Morcos is a visiting fellow with the Europe, Russia, and Eurasia Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Colin Wall is a research associate with the CSIS Europe, Russia, and Eurasia Program.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2021 by the Center for Strategic and International Studies. All rights reserved.