Cybersecurity Under the Ocean: Risks Facing Submarine Cables and the Global Internet
Hundreds of submarine cables carry over 95% of intercontinental internet traffic. They raise increasingly urgent cybersecurity, geopolitical, and other questions.
Submarine cables are vital to the global internet’s very function. Yet, in a world that often focuses on the digital elements of the internet — from social media platforms to mobile apps — it is easy to forget about the importance of physical internet infrastructure. This post summarizes a new report I wrote on submarine cables, cybersecurity, and geopolitics and provides key takeaways on the issue set. Brought to you by Global Cyber Strategies, a Washington, DC-based research and advisory firm.
The One-Liner
While financing, building, laying, and managing submarine cables requires international collaboration, submarine cables and their international entanglement also pose increasingly urgent questions across infrastructure protection, investment flows, cybersecurity, and geopolitical risk.
Submarine Cables Meet Security and Geopolitics
There are at least a few important points to know about submarine cables, cybersecurity, and geopolitics today:
There are hundreds of submarine cables around the world, laid across the ocean floor. They carry at least 95% of intercontinental internet traffic.
Every submarine cable has at least two landing points, the places where the cable meets a shoreline. The companies managing a cable will build a “landing station” at each landing point, a facility that can supply power, provide cable system management tools, and video-monitor the landing point, among other functions.
Companies looking to build submarine cables touching the US and/or to construct and operate submarine cable landing stations in the US must apply for a license from the Federal Communications Commission (FCC). That application is also subject to a potential national security review by the executive branch.
Building and laying a submarine cable can take years of work and cost hundreds of millions of dollars. Generally, it is a necessary and positive reality that many companies, investors, and even government organizations from around the world will collaborate on cable funding, construction, laying, and management.
Simultaneously, governments’ continued efforts to spy on internet traffic — and the efforts of governments, companies, and other actors to shape the internet’s layout and design — mean that cables pose increasingly urgent questions across infrastructure protection, investment flows, cybersecurity, and geopolitical risk.
Diving Deeper on Submarine Cables
As I describe in a new report for the Hoover Institution at Stanford University, there are at least three sets of risks to consider vis-a-vis this infrastructure:
Authoritarian governments’ influence on cables (in addition to other governments’ influence on cables);
The growing use of internet-connected cable management systems; and
The explosion in data and sensitive data traversing submarine cables each year.
The report focuses mainly on questions related to cybersecurity and geopolitical influence, rather than hypothetical kinetic attacks on submarine cables (whether by a government or another actor). It does note that most damage to submarine cables is caused by natural weather events, such as underwater earthquakes.
Historically, traditional telecommunications companies (the likes of AT&T and Verizon in the US; the likes of Deutsche Telekom, Orange, and Vodafone in Europe) invested in submarine cables. Today, some of the fastest-growing investors in submarine cables, and the dominant US investors in submarine cables, are Amazon, Google, Meta (Facebook), and Microsoft. It’s a vital reminder that the companies that many businesses, investors, and policymakers think of as “internet companies” are in fact investing in and expanding their ownership of physical internet infrastructure. Cables, on top of cloud and other server infrastructure, are now part of their portfolios.
On the authoritarian government side, Chinese state-owned telecoms China Mobile, China Telecom, and China Unicom have greatly ramped up their submarine cable investments in recent years. Over a third of those invested-in cables do not touch the Chinese mainland. This is not automatically nefarious, but there are risks to consider:
Broadly, financing a cable allows an actor, whether a company or a government, to influence where the cable is laid, which parts of the world it connects, and how quickly it connects them. This can encourage a country’s economic dependence on the entity laying a cable to it. It can also empower that cable investor to shape the path of internet traffic. While internet traffic does not always take the most intuitive route from its origin to its destination, placing a significantly faster and higher-bandwidth cable alongside a slower and lower-bandwidth one could encourage more traffic to move across the new cable. This could potentially encourage traffic to move through points in the world that an entity, like the Chinese government, monitors.
Hence, the US government is conducting more security reviews — through its interagency committee focused on foreign risks from telecommunications activity — to assess the potential risks of proposed cables with a US landing point.
Second, many organizations that manage cable infrastructure are shifting towards using “remote network management systems” for cable networks.
Historically, on-site personnel managed the operating centers located at or near landing stations. Cable operators also managed the infrastructure at landing stations through systems not directly connected to the internet, such as systems to help ensure signal connectivity and manage power flows to cables. Now, however, more companies are connecting landing stations and operating centers to remotely controllable software.
This poses cybersecurity risks, as hackers could break into cable systems remotely, including to disrupt signal flows. For example, in April 2022, the US Department of Homeland Security announced that it had disrupted an attempted cyber attack on an unnamed company’s servers in Hawaii — servers linked with a submarine cable. The Department provided few details but said it worked with foreign law enforcement partners to make an arrest, strongly suggesting that the perpetrator was overseas.
More data is also traversing submarine cables over time, and there is more sensitive data traversing submarine cables. As I write in the Hoover Institution report:
The COVID-19 pandemic has shifted more living, learning, and working online in ways that have not completely reverted to the pre-pandemic status quo. Cloud computing is driving more data online too, as companies in the transportation, energy, defense, health, and financial sectors, among others, move data off previously backend, in-house systems to internet-linked cloud networks. Fifth-generation cellular network technology, or 5G, will similarly contribute to a massive increase in data routed over undersea cables. Even though much of the 5G discussion focuses on the network’s software-driven nature, 5G will not eliminate the need for undersea cables. On the contrary, when a cell phone makes a request to a cell tower for internet content, that cellular network may be retrieving data from the global internet that crosses a submarine cable.
Looking to the Future
At least several points stand out:
Submarine cables are vital to the internet’s function.
Despite lots of attention to satellite technology, such as Elon Musk’s Starlink, satellites are meant to supplement submarine cables and will by no means replace them. Submarine cable technology is quickly evolving, and submarine cables offer much higher bandwidth, at far lower latency (time delay), than satellites.
There is growing investment interest in submarine cables globally, from collections of investors, some telecommunications firms, and what many think of as “internet” companies like Amazon, Google, Meta (Facebook), and Microsoft.
Chinese state-owned telecommunications companies are investing more in submarine cables, including those beyond Chinese borders.
India is another highly active country in this area; while the aforementioned Hoover report I wrote focused more on China (and, to some extent, Russia), many Indian companies, like NTT, are building out more submarine cables.
International collaboration is a necessary and generally positive aspect of submarine cable investment, building, laying, and management. Simultaneously, there are geopolitical and cybersecurity risks associated with this activity.
The US government is by several indications ramping up its security reviews of telecommunications activities, such as proposed submarine cables, as evinced by the executive branch’s November 2022 recommendation that the FCC deny the application of a proposed submarine cable project linking the US and Cuba.
—
© 2023 Global Cyber Strategies LLC.