Submarine cables make up the backbone of the global Internet infrastructure, carrying as much as 99 percent of international telecommunications data. In recent months, the security of these cables has been a major point of concern for Western officials.
On 11 June 2018, the U.S. Treasury Department announced the latest tranche of sanctions against Russian individuals and organizations. The sanctions included entities that support Russia's "underwater capabilities," citing concerns of Russian activity "tracking undersea communication cables." The sanctions follow December 2017 announcement that NATO would be re-establishing a command post to track Russian submarines, due in part to Russian activity around cables in the North Atlantic.
Australian intelligence officials have also been focusing on controlling undersea cables. On 13 June 2018, Australia finalized a deal to provide a submarine Internet connection to the Solomon Islands. The deal was initially awarded to Chinese firm Huawei, but was eventually given to an Australian firm due to diplomatic pressure and direct intervention by the head of the Australian Secret Intelligence Service (ASIS). The ASIS chief reportedly described Chinese ownership of a cable that would connect Australia's network infrastructure as an unacceptable cybersecurity risk. To prevent this situation, Australia agreed to cover as much as two-thirds of the construction costs for the cable using foreign aid funds.
Are Undersea Cable Attacks Cause for Concern?
One of the biggest fears with underwater internet security is the potential for massive denial of service (DoS) attacks. By severing the submarine cables, a threat actor could disrupt data throughput across a network. At least one senior U.K. military official has warned that attacks against submarine internet cables could "immediately and potentially catastrophically" impact the economy. But are these concerns warranted?
In most cases, the impacts of such an attack would be limited by redundant infrastructure. In fact, cable breaks are a relatively common occurrence—100 per year happen on average, and two-thirds of those are accidents caused by ships dragging their anchors. Though the disruption of individual cables is commonplace, there are two types of disruptions that could result in serious impacts:
Simultaneous Cable Breaks—One of the most disruptive incidents on record happened in 2006 when an earthquake simultaneously severed eight cables off the coast of Taiwan, resulting in the loss of 90 percent of the traffic between China, the United States, and Europe, and the complete disruption of access to several of the major U.S.-based webmail and Internet services by mainland China. The United States has similar areas in the Atlantic where many cables converge at a single point on the coast of New York, New Jersey, and Florida. A simultaneous break of multiple cables at these points could significantly affect routing within the network, though the effect on organizations located in the United States would be dampened by the ability to reroute traffic through cables in the Pacific and the fact that a major portion of the infrastructure used by American organizations is located in the United States.
Regional Points of Failure—Regions with limited connectivity may have a heightened exposure to single points of failure. In 2008, two Egyptian cables carrying 90 percent of internet traffic through the Suez Canal were severed. The break took out Internet access for 75 million people across North Africa, the Middle East, and South Asia. The outage affected half of the outbound capacity from Western India—a major hub of IT outsourcing—and 70 percent of Internet connectivity in Eygpt. Other regions may be similarly isolated. For example, all traffic between the United States and Brazil is routed through a single Brazilian city: Fortaleza.
Foresight: The Attack Surface is Growing
While redundancy in the global network may blunt the impacts of attacks on undersea cables today, growth in undersea infrastructure could create more potential targets for nation-state actors in the future. For example, Microsoft's Project Natick is seeking to deploy full-scale undersea datacenters to provide cloud computing services to coastal communities. In June 2018, Microsoft successfully launched an undersea module containing 864 servers off the coast of Scotland, potentially paving the way for making the service commercially available. If undersea data centers become commonplace around the world, the capabilities honed by nation states to target submarine cables could be similarly deployed for destruction or espionage against other undersea infrastructure.
How to Reduce Risk for Your Organization
Private sector companies may not be able to reduce the risk of nation-state attacks on undersea cables, but they can factor these risks into decisions about if, and where, they choose to outsource their operations around the world. Operations in regions with less redundant infrastructure or with facilities that depend on smaller ISPs could be more at risk of disruption. And given the rise of IT outsourcing in the global economy, this could have an outsized impact on companies that rely on IT services based out in isolated locations.
Companies should consider doing an assessment with their network carriers to determine whether any of their core services are provided in regions that lack cable redundancy. If a cable fault disrupts Internet access in a region with limited connectivity—such as Pakistan—companies that rely on employees or workers in that region may have little recourse. Conducting an assessment in advance—and potentially leasing more fiber or getting another ISP as a backup—may allow for a much smoother transition to backup infrastructure than attempting to navigate a recovery during an outage.