Unnamed hackers recently targeted servers linked to a Hawaiian submarine cable — and the US Department of Homeland Security (DHS), thankfully, “disrupted” it. The specific target, DHS said, was the servers of a telecommunications company “associated with” an undersea cable that carried internet traffic and other data to Hawaii and the surrounding region. International law enforcement cooperation enabled the US and its partners to arrest those responsible.
The backbone of international communications
That unidentified submarine cable is one of over 475 deployed around the world, all of which collectively carry more than 95% of intercontinental internet traffic. While most individuals’ experience with the internet is entirely wireless, growing internet use and dependence are making countries and citizens around the world more reliant on this infrastructure. But three growing risks to cable security and resilience — including from companies’ poor security decisions and authoritarian governments’ influence-projection — demand stronger European Union-United States cooperation on protecting the internet along the ocean floor.
Submarine cables have a trans-Atlantic root — and they have long involved trans-Atlantic cooperation. Shortly after England and France laid the world’s first submarine telegraph cable in 1850, the first trans-Atlantic subsea telegraph cable was laid in 1856. In 1858, the United Kingdom sent the United States the inaugural message on the cable, in which Queen Victoria praised President James Buchanan on their cooperation to build it. Since then, US and European companies have laid many more cables, with currently over a dozen connecting the continents.
These cables carry volumes of global internet traffic around the world. Without them, today’s internet would quite literally not exist — and each day, submarine cables empower e-commerce and scientific research, social media posts and video calls, and communications from governments and militaries worldwide. But the EU and US must address three growing risks to their security and resilience: authoritarian governments reshaping the internet through companies, companies using remote network management systems for cable networks, and the growing volume and sensitivity of data sent over undersea cables.
China and Russia taking over the “physical” internet
Western governments often conceptualize the internet as an abstract thing — “cloud,” “cyberspace” — while forgetting it depends on physical infrastructure to run. The same cannot be said for every other government. Beijing has long focused on controlling internet infrastructure at home, nationalizing China’s internet backbone in the 1990s, and might be doing so abroad through its Belt and Road Initiative. Moscow factors the physical elements of cyberspace (from people to infrastructure) into its influence-projection, with the Russian military even reportedly cutting fiber-optic land cables when it illegally annexed Crimea in 2014.
Many Chinese investments in the global submarine cable network are controlled by the Chinese government. It is normal and necessary — and largely valuable — that companies and governments from around the world collaborate to build and maintain costly, complex, and inter-country submarine cables. Yet, Beijing’s focus on influence projection on and through the internet increases the risk it uses submarine cable investments to shape the internet’s layout in its favor: more Chinese-funded cables possibly contributing to more foreign dependence on China, and more traffic going through China’s borders increasing the risk of Beijing spying on the data.
Private companies saving money on security.
Another growing risk to submarine cables lies with companies managing the infrastructure. Increasingly, these firms are using “remote network management systems” to connect submarine cable infrastructure to the global internet to enable remote monitoring and control. For some companies, the cost savings and convenience (e.g., not needing an individual on-site to monitor cable signals) are too good to pass up. However, connecting these systems to the global internet — often via poorly secured software — increases the risk that malicious actors, from foreign spies to criminal gangs, remotely break into submarine cables. They could attempt to spy on or even manipulate, degrade, or disrupt internet traffic flows altogether.
The third growing risk to submarine cable security and resilience is the growing volume and sensitivity of data carried over the infrastructure. Internet usage skyrocketed during the Covid-19 pandemic, and increased online dependence in general — plus the expansion of cloud computing, the Internet of Things, and 5G telecommunications — will continue to increase the amount of traffic flowing over submarine cables.
Further, many critical sectors, from healthcare to defense to finance, are moving data and services to the cloud. As data previously stored in back-end systems is transmitted over the global internet, foreign governments, criminals, and other actors will have even greater incentive to intercept or disrupt it — and the cloud companies investing more in submarine cables will face greater security responsibilities.
The EU and the US: together we (should) stand
Submarine cables are too numerous and too globally distributed for the EU and the US to tackle these risks alone. The political foundation is partially there: the US Department of Homeland Security’s Communications Sector Coordinating Council has involved undersea cable owners since its inception; the Italian Ministry of Economic Development, to use another example, hosted a fall 2021 event on how Italian society is “largely dependent on subsea infrastructures” as well as their “security and resilience.” NATO has published multiple papers in recent years highlighting the importance of submarine cables to its mission and to broader international security. But there is much more to be done.
Washington and Brussels should pursue a common framework for screening submarine cable investments and projects for security risks — and for protecting the security and resilience of cables once deployed. The EU does not have the power to grant licenses to build digital infrastructure; that authority lies with member states. Nonetheless, the EU can forge policy and political dialogue on submarine cables at the bloc level (alongside policy development within member states). For its part, the US already has a structure in place to screen foreign investments in critical sectors and to screen telecommunications infrastructure for national security risks — though the latter is underfunded. The US-EU Trade and Technology Council, already configured to forge cooperation on internet, trade, and security issues, may be a prime venue for this work.
Yet, EU-US cooperation can go far beyond a security focus. Submarine cable resilience is important for the world’s internet connectivity — and it should be a vital part of global capacity-building programs.
For example, January’s devastating volcanic eruption and tsunami in Tonga left the entire archipelagic nation without internet. Submarine cables are mostly damaged by natural weather events or ship navigation accidents, and the global internet will not cease to function if a single cable is damaged.
Nonetheless, some countries are vulnerable to that kind of disruption (like Tonga), and many lower-resourced and even higher-resourced countries have not made submarine cable resilience a key part of their natural disaster and crisis response plans.
By investing in submarine cable resilience at home and around the world, the EU and the US can boost the security and resilience of the cables underpinning the internet.