The U.S. Should Get Serious About Submarine Cable Security

Nokia recently won a 5G contract with U.S. Cellular, the fourth-largest wireless provider in the United States, another step in building out American 5G without Chinese telecom Huawei. Yet, for all the noise about 5G, cloud, and other “emerging” technologies, the internet still vitally depends on a far-less-flashy infrastructure — submarine cables that haul internet traffic along the ocean floor. 

For centuries, submarine cables have carried information between continents, from electric telegraphs to voice calls to now, internet data. Today’s internet would quite literally not function without them: it is estimated that over 95 percent of intercontinental internet data flows over these cables. Even if these metal tubes do not receive much press coverage or policy attention, they underpin everything from civilian communications and business transactions to scientific research and government document-sharing on the global internet. 

As detailed in a new report for the Atlantic Council, three trends are accelerating risks to these cables’ security and resilience. Authoritarian governments are exerting more control over internet companies in their borders to manipulate internet infrastructure in their favor. More cable owners are deploying remote network management systems for cable infrastructure, and these systems are often poorly secured, thus increasing cybersecurity risks. And the growing volume and sensitivity of data flowing over cables increase the incentives states and other actors have to spy on or disrupt traffic. Given these trends, U.S. policy makers should better protect this vital infrastructure in cooperation with the private sector and allies and partners worldwide. 

Submarine cables are owned by combinations of private companies, state-owned firms, and international consortia from around the world; a single cable could have anywhere from one to dozens of owners. These owners are distinct from the entities that build cable components (e.g., the fiber, the metal casing around it) and those that lay cables along the ocean floor. But international cooperation and multi-firm ownership is a standard and generally beneficial feature of cable development. Deploying a cable is expensive and logistically complex, with longer cables linking many different countries together and costing hundreds of millions of dollars. All these owners can help cover the costs and manage the landing points where the cable meets different shorelines. 

Nonetheless, some authoritarian governments, particularly China and Russia, are exerting more control over internet companies in their borders to favorably manipulate internet infrastructure.  Both governments regularly exert control over internet companies in their borders for censorship, surveillance, and hijacking global internet traffic. The Kremlin routinely discusses the strategic importance of physical internet infrastructure, and the Russian military has seized such infrastructure to control information flows in previous conflicts (e.g., when Russia illegally annexed Crimea in 2014). It regularly coerces domestic tech firms who do not comply with surveillance demands. Meanwhile, many Chinese investments in the submarine cable network are controlled by the Chinese government. Those investments are either made through Chinese state-owned telecoms (like China Mobile) or companies owned by state investment arms (like Companhia de Telecomunicações de Macau (CTM)), and they include cables touching the United States. All of those firms are under Beijing’s control.  

This kind of influence could be used in numerous ways. Beijing could leverage state-owned telecoms’ cable ownership to spy on cable landing stations. It could also potentially use that influence to disrupt the flows of data in a conflict scenario, stifling internet connectivity to a particular region. More broadly, deciding where cables are developed — which parts of the world they link, and how quickly — is a way of influencing the internet’s overall physical shape. This can shift the paths internet data travels, such as encouraging traffic to take a faster path across a midpoint a country can spy on. New, faster internet infrastructure could also create economic or technological dependence on the owners of the cable. That Beijing is an authoritarian government with a history of manipulating other internet infrastructure makes this a distinct risk to cable security and resilience. 

The second concerning trend is that more cable operators are using remote management systems for their cable networks. Cables today are increasingly complex, which generates demand for new software to manage landing stations, cable repair systems, and other parts of the infrastructure. Cable owners also find remote systems compelling because they do not require having personnel on-site. Yet, many of these systems have poor security, which exposes cables to new levels of cybersecurity risk. Hackers could break into these internet-connected systems from anywhere in the world and physically manipulate cable signals, causing them to drop off entirely — undermining the flow of internet data to specific parts of the world. Governments and criminal organizations could also hack these tools to gather traffic data. As the ransomware threat grows, one can even imagine a threat actor (state or non-state) hacking into a cable management system and trying to hold the infrastructure hostage. 

Third, more data is flowing over the internet each year, and that data is increasingly sensitive. As more energy, finance, defense, and healthcare firms adopt cloud computing, data previously kept in corporate intranet systems is centralized in cloud data centers and routed over the global internet. These shifts increase the incentives for governments to spy on traffic and increase their leverage over internet choke points. They also increase the incentives for non-state threat groups, like criminals, to surreptitiously monitor traffic. 

Washington should increase its investment in protecting submarine cable security and resilience. As the White House increasingly focuses on cybersecurity threats to the nation and the global community, including from the Chinese and Russian governments, it should prioritize investing in the security and resilience of the physical infrastructure that underpins internet communication worldwide. Failing to do so will only leave these systems more vulnerable to espionage and to potential disruption that cuts off data flows and harms economic and national security. 

The government committee responsible for inspecting foreign state-owned telecoms for security risks does not have the authorities or the resources to do so properly. Congress needs to give the organization more funding and statutory authorities that would enable it to better screen for potential malicious influence on submarine cables. The U.S. government has been able to scare off certain projects involving China in the past, but it still needs a more robust, systemic security review process. Congress should also consider giving more funding to the Cable Ship Security Program — a new initiative for government-licensed, privately operated ships to quickly repair damaged cables relevant to national security — once it is off the ground. 

In the executive branch, the Federal Communications Commission (FCC) should invest more resources in interagency cooperation on threats to cable resilience. The FCC has done much work in this area, but there is still more to be done, such as working with state and local agencies to integrate security best-practices into permitting decisions. Internationally, the State Department should conduct a study on integrating cable security and resilience into cyber capacity-building work overseas. In addition, the private sector should stand up an information sharing analysis center for the submarine cable sector, as no single venue for those owners to share threat information currently exists. 

Even if overlooked, submarine cables are essential to the global internet as we know it. With a more concerted investment from the U.S. government — working with industry, allies, and partners — they can be far more secure and resilient than they are today. 

Justin Sherman (@jshermcyber) is a fellow at the Atlantic Council’s Cyber Statecraft Initiative. 

This piece, first published by the Council on Foreign Relations, is used with permission.