5 October 2021

Cyber defense across the ocean floor: The geopolitics of submarine cable security

Justin Sherman

Introduction

Much of the security commentariat has lately focused the global Internet security conversation on communications technologies deemed “emerging,” such as cloud computing infrastructure, new satellite technology, and 5G telecommunications. However, the vast majority of international traffic traversing the Internet each day, from video calls to banking transactions to military secrets, travels over a much older and far less flashy technology: undersea cables.1 These cables, which lie along the ocean floor and haul data intercontinentally, have been developed for 180 years by private sector firms and international consortia of companies. In recent years, large Internet companies (e.g., Facebook, Google) have gained significant ownership in these cables. Chinese state-owned firms have also greatly increased both their construction (e.g., Huawei Marine) and ownership (e.g., China Telecom, China Unicom) of undersea cables in recent years.

Source: Jayne Miller, “The 2020 Cable Map Has Landed,” TeleGeography Blog,

The undersea cables that carry Internet traffic around the world are an understudied and often underappreciated element of modern Internet geopolitics, security, and resilience. It is estimated that upwards of 95 percent of intercontinental Internet traffic is carried over these cables.2 Without them, the Internet would not exist as it does today. These cables are largely owned by private companies, often in partnership with one another, though some firms involved in cable management are state-controlled or intergovernmental. Submarine cables are, therefore, a major vector of influence that companies have on the global Internet’s shape, behavior, and security.3

Not only does the private sector manage large swaths of the constituent networks that compose the broader Internet, it also builds, owns, manages, and repairs the underlying physical infrastructure. Undersea cables are the basis of global digital interconnectedness, defining which areas of the world are connected, how those areas are connected (e.g., speed, bandwidth), and who controls those connections (e.g., the companies building the cables, the companies managing the “landing points” that link the cables to shore). Companies directing the deployment of undersea cables, therefore, produce geopolitical effects on Internet connectivity and everything that comes with it, including scientific research, digital trade, and government and personal communications. They also reshape the Internet’s physical topology in the process.

Securing this physical backbone of the global Internet against damage, manipulation, and disruption has long been a vital job of the companies that own and manage this infrastructure. Yet three trends are making the security and resilience of undersea cables a more urgent issue for the US government, its allies and partners around the world, and the companies that own and manage the infrastructure. First, authoritarian governments, especially in Beijing, are reshaping the Internet’s physical layout through companies that control Internet infrastructure, to route data more favorably, gain better control of internet chokepoints, and potentially gain espionage advantage. Second, more companies that manage undersea cables are using network management systems to centralize control over active components (such as reconfigurable optical add/drop multiplexers (ROADMs) and robotic patch bays in remote network operations centers), which introduces new levels of operational security risk. Third, the explosive growth of cloud computing has increased the volume and sensitivity of data crossing these cables. Some of these trends have greater effects on geopolitics and others on operations, but they are inextricably intertwined.

As the White House increasingly focuses on cybersecurity threats to the nation and the global community, including from the Chinese and Russian governments, it must prioritize investing in the security and resilience of the physical infrastructure that underpins Internet communications. US technology policy on China that focuses purely on 5G neglects the most central part of the global Internet infrastructure and the ways in which Beijing is reshaping and potentially dominating it. Engagement with Russia on security issues must likewise include Moscow’s activities vis-à-vis monitoring undersea cables. And for all that US society may invest in securing digital systems, the cables that carry those systems’ data and services remain vulnerable to surveillance, signal manipulation, and even serious damage or other disruption. Some of these issues may be addressed in forthcoming executive actions on cyber defense and supply chain security, but a comprehensive response to these threats cannot and will not be delivered by executive orders alone.

The US government, therefore, has a new opportunity and responsibility—in coordination with the US private sector and with allies and partners abroad—to significantly increase its involvement in protecting the security and resilience of undersea cables. This report makes this argument drawing on policy and technological research, interviews with key stakeholders, and empirical data collected and subsequently analyzed on the 475 undersea cables deployed around the world (at the time of writing). It is laid out as follows:

The first chapter provides background on undersea cables and details their geopolitical importance.

The next chapter uses empirical data on the 475 undersea cables deployed around the world, and their collective 383 owning entities, to highlight the state of Internet cable development.

The third, fourth, and fifth chapters each examine a key trend with undersea cables: authoritarians reshaping the Internet’s topology and behavior through companies; cable owners using remote management systems for cable networks; and the increasing volume and sensitivity of data sent over undersea cables. Each of these sections discusses evidence of the trend and its implications on strategic and/or operational levels, and previews recommendations for the US government to address the problems at hand.

The final chapter concludes with eight specific recommendations for the US government to better protect the security and resilience of undersea cables in coordination with the US private sector and with allies and partners around the world.

Primer: Undersea cable development today

Undersea cables vary in thickness from about 1 cm to about 20 cm, with cost-per-length roughly proportional to cross-sectional areas. Cables can be constructed in many ways, but most consist of a central strengthening member, which prevents kinking of the fiber strands, surrounded by the jacketed strands themselves, buffered in gel; then any copper cables needed to transmit power for repeaters and branching units; layers of armor; and, finally, an outer membrane intended to prevent seawater and plant and animal intrusion.4 It is only that hair-thin inner fiber that transmits Internet data across the cable, whether emails, videos, or sensitive documents.

Fiber-optic cables are faster and cheaper than satellite communications.5 These cables are laid across the ocean floor to connect disparate land masses, like South America and Europe. Every undersea cable also has at least two “landing points,” or the locations where the cable meets the shoreline. Facilities at these landing points can provide multiple functions, including terminating an international cable, supplying power to the cable, and acting as a point of domestic and/or international connection.6 The owner of an undersea cable (ownership is discussed more in later chapters) may not be the same entity as the owner of the landing station. As an example of this infrastructure, Image 2 depicts an undersea cable that carries Internet traffic underwater between two land masses.

Source: iStock

For nation-states, tapping into cables carrying information around the world is an attractive spying opportunity. Back in the late nineteenth century, British intelligence used its access to an international hub of telegram cables in the small village of Porthcurno to gain eavesdropping advantage.7 In the 1970s, the US National Security Agency deployed submarines and divers to attach recording devices to a vulnerable cable on Russia’s eastern coast that carried sensitive Russian military communications.8 Today, a similar phenomenon occurs with undersea cables hauling Internet traffic—they are a potential information gold mine for governments. When Russia illegally annexed Crimea in 2014, the Russian military targeted the undersea cables “linking the peninsula and the mainland” to gain “control of the information environment.”9 The Russian government broadly recognizes the strategic value of physical Internet infrastructure. In December 2019, Taiwan claimed Beijing was backing private investment in Pacific undersea cables as a mechanism for spying and stealing data.10 And the US government earlier this year paused a Google project to build an Internet cable from the United States to Hong Kong: it was concerned Beijing could use its new national security law to access cable data on the Hong Kong side.11 Across these and other cases, access to and influence over undersea cables can have direct effects on economic and national security.12

History of undersea cables

Undersea cables have been in use worldwide for decades upon decades. The first submarine cables were used in the 1820s by an attaché to the Russian Embassy in Munich to send electric telegraph communications.13 This undersea cable technology evolved with more sophisticated telegraph communications in the mid- and late 1800s (with the first trans-Atlantic submarine telegraph cable in 1858), voice communications in the early to mid-1900s, and fiber-optic data transmission in the mid- to late 1900s.14 Undersea cable lines were also tied with European imperial expansion and colonialism, thought of as enabling wider boundaries of global empire.15 Today, these cables transmit previously inconceivable volumes and kinds of data, from business communications and scientific research to personal messages and military documents, making their security (confidentiality, integrity, and availability) and their resilience (the degree to which they can be restored or repaired in the event of damage or disruption) a key part of securing the global Internet in the twenty-first century.

Damaging these cables is another way to disrupt Internet communications. For all the intangible-sounding imagery around the Internet—“cloud,” “cyberspace”—the Internet still relies on physical things to run,16 and those physical objects, including cables, can be destroyed.17 In 2008, a ship which tried to moor off the Egyptian coast accidentally severed an undersea cable, leaving seventy-five million people in the Middle East and India with limited Internet access.18 In 2015, the Yemeni government shut down Internet connectivity in the country, an act of repression aided by the low bar of controlling access to just two undersea cables running into the country.19 Even natural weather events like undersea earthquakes can damage cables and temporarily decrease Internet availability to an entire region.20 Ensuring the resilience of undersea cables—that they help route data around failure and are quickly restored if damaged or disrupted—is thus critical to ensuring the resilience of global Internet traffic and the societal functions that depend on it. This is not to say that a single damaged cable will bring down the global Internet, for the Internet is designed to route around failure, and data can be sent via other routes, though it could substantially decrease Internet connectivity for a country or region.21 There are also not many publicly documented examples of governments destroying or damaging cables, even though there is much national security concern about the potentially severe consequences should governments elect to pursue those ends (e.g., in a wartime scenario).22 But ensuring submarine cable resilience, especially for key chokepoints in the global network, is geopolitically important because even slow repairs of major cables can slow down traffic delivery between land masses.

For all undersea cables’ implications for governments, the private sector’s involvement comes into play with each of the aforementioned activities, from intelligence collection to damage repair. Governments looking to spy on the data traveling across submarine cables often turn to private sector companies to carry it out because the private sector has a heavy involvement in cable ownership and maintenance worldwide. Citizens, businesses, and government agencies who need Internet access restored after a submarine cable is damaged likewise often turn to the private sector to repair the infrastructure and restore Internet connectivity. More broadly, on the geopolitical level, governments looking to improve the security of physical Internet infrastructure, or those looking to alter the global Internet’s physical shape and digital behavior in their image, must include the private sector’s influence on undersea cables in their strategies and policies because those firms often directly control and deeply understand the infrastructure. This has been true for much of the critical infrastructure in democracies, and specifically with telecommunications cables, for some time.

There are 475 of these undersea cables deployed around the world as of December 2020. This number and this report’s analysis of those cables draw on a compilation of publicly available data from TeleGeography’s Submarine Cable Map website, coded with additional data gathered from open sources on the 383 different entities (private firms and state-controlled entities) with listed ownership stakes in those cables.23 The first observation from this data is that cable development, globally, is on the rise. Figure 1 shows the number of undersea cables ready for service—that is, fully built and ready to be used—around the world from 2000 to 2020.

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.

By these numbers, the rate of submarine cable deployment is increasing. In 2016, fifteen new cables were ready for service around the world. In 2020, twenty-eight new cables entered service around the world, representing an almost twofold increase in just four years. This uptick is no accident—there are several drivers at play. More traffic is sent over the global Internet every year (discussed further in the third trends chapter). More countries are also looking to expand Internet penetration within their borders (e.g., how many people have Internet access) as well as to expand the bandwidth available to those Internet users.24 Cloud service providers are getting more involved in directing the building of physical infrastructure to support their data storage and routing services. And broadly, Internet companies can also profit off cable investments in the long run by using this physical infrastructure to push their own data across the global Internet more quickly.25

This global Internet infrastructure has long been developed by international consortia of companies. One single cable may have several corporate owners, often each incorporated in different countries. This consortium-based approach to cable construction and maintenance is driven by a variety of factors, including the financial costs26 and complex logistics of laying cables across the ocean floor, the number of shorelines those cables may touch (and, therefore, the need to have a company at the other end to manage a landing point), and the profit those companies can generate from hauling cable traffic. For instance, the Europe India Gateway cable, a 15,000-km-long cable put into operation in February 2011, connects eleven different countries and has sixteen different co-owners, ranging from AT&T (the United States) to Djibouti Telecom (Djibouti) to Airtel (India) to Vodafone (the United Kingdom). The Japan-Guam-Australia South Cable System, to give a recent example, went operational in March 2020, connects Australia and the United States, and is owned by Google (the United States), RTI Cables (the United States), and Australia’s Academic and Research Network (Australia; a nonprofit company originally set up by Australian universities).27 Each one of the deployed cables is unique based on such factors as length, bandwidth, and the number of shorelines on which it lands.

Not all submarine cables have multiple owners, but this international collaboration between different firms is a key component of financing their construction and subsequently maintaining them. Figure 2 illustrates the number of cables deployed around the world with different numbers of owners.

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.

Mapping the ownership landscape of submarine cables is critical to understanding what levers of control can be pulled by private companies, state-owned firms, and governments. While some parts of the Internet’s physical and digital infrastructure are maintained by a few core private sector companies,28 these cables are different. The majority of undersea cables deployed worldwide—65 percent as of December 2020—have a single owner. Only a third of deployed cables have multiple owners. Within that latter category, those ownership structures are themselves varied. Seventy-two cables have just two owners, twenty-one cables have just three owners, and fifteen have four owners. These numbers are higher in some cases, though: four cables each have eighteen owners spanning several countries, and the highest number of owners for any single cable is fifty-three—the 39,000-km SeaMeWe-3 cable deployed in September 1999. The cables with multiple owners are often the ones that cost more to build and maintain, such as those connecting more countries and with higher bandwidth. Such consortia may also involve a state-controlled firm.

The number of owners matters from a security and resilience perspective because it can produce a diversity of control over cables, it can mean that multiple governments have legal oversight over companies involved with building and/or maintaining a single cable, and it can make it more difficult to determine which entities have control over a cable and to what extent that creates risks to infrastructure.

Three trends are increasing security and resilience risks to submarine cables. As a result, there is an accentuated opportunity and responsibility for the US government to work more effectively with allies, partners, and private companies to better protect their security and resilience. These three motivating trends are each discussed in the following chapters: first, authoritarian governments reshaping the Internet’s physical topology and digital behavior through companies, to route data more favorably, gain better control of internet chokepoints, and potentially gain espionage advantage; second, companies using remote management systems for cable networks, introducing new levels of cybersecurity risk; and third, the growing volume and sensitivity of data sent over these cable systems.

Trend 1: Authoritarian governments reshaping the internet through companies

Authoritarian governments are increasingly reshaping the Internet’s physical topology (structure) and digital behavior by exerting control over companies. This accelerates security and resilience risks to undersea cables because authoritarian governments—particularly in Beijing and Moscow—can use that control to undermine Internet security and resilience, and favorably shape the topology of the Internet itself, for their own strategic purposes. For instance, this could include the Chinese government building cables that will increase the overall flow of Internet traffic through its borders, which it could then exploit for intelligence gathering. Certainly, building more cables in and of itself, in a sense, arguably increases the resilience of the global Internet in absolutist terms: there are new routes over which data can travel in the event of failure. But if authoritarian governments have increasing influence over submarine cables globally, that creates its own risks of those governments manipulating and disrupting the infrastructure.

States must go through companies, in many cases, to reshape the Internet’s topology. This is because much of the global Internet infrastructure is in companies’ hands (even if some of those companies are state-controlled), as depicted in Figure 3.

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.

The majority (59 percent) of global undersea cables deployed as of December 2020, or 279 out of 475 cables, have only private owners. The worldwide private sector is thus influential not just on the Internet’s digital rules but also on its changing physical shape. By contrast, only 19 percent of all cables deployed worldwide, or ninety-three out of 475, are entirely owned by state-controlled entities (e.g., owned directly by a government or through a subsidiary).29 Of course, ownership by a private firm does not mean that a government cannot directly or indirectly exert control over a cable. For example, the US government, as with most others, has a long history of tapping into private sector-controlled Internet infrastructure for espionage purposes. In most liberal democracies, however, factors such as rule of law and oversight and accountability mechanisms for surveillance place controls on the degree to which the government can influence that infrastructure. By contrast, many authoritarian regimes do not have those same oversight mechanisms and the same independence between the state and the private sector. Understanding a cable’s ownership structure is still important for assessing state influence on the submarine cable network.

The Chinese and Russian governments are increasingly working to reshape the Internet through control over companies. This matters on the geopolitical level for Internet security and resilience because choosing where, when, and how to build cables is a way to shape where global Internet traffic is routed.30 Changes to traffic routing patterns generate profits for companies and can move new volumes of traffic through different countries’ borders. This can enable data interception and the development of technological dependence. Yet these geopolitical influences also affect the operational level of securing undersea cables. Cable owners might insert backdoors into or otherwise monitor landing stations. Cable builders might similarly compromise the security of the physical infrastructure along the ocean floor before it is laid. As Beijing and Moscow exert more control over Internet companies, the risk of them undermining Internet security and resilience grows. This trend also connects with the other two key trends discussed later in the report: the growing cybersecurity vulnerability of cable networks and the more sensitive data sent over cables create larger incentives for states to intercept that information.

The Russian government has increasingly exerted control over companies with influence on Internet infrastructure to serve geopolitical purposes. For decades, the Kremlin has spoken of the importance of state control of the Internet, and that has included Internet infrastructure. In 2011, for example, then Russian president Dmitry Medvedev told G20 leaders that Internet infrastructure needed more state regulation to account for the “public interest.”31 In 2014, as Russia was illegally annexing Crimea, there were reports of armed men damaging fiber-optic cables that carried Internet traffic to Ukraine.32 Finnish media have reported on alarm over Russian land acquisitions beyond Russia that are in the vicinity of key telecommunications links, such as around the Turku archipelago.33 In 2017, Andrew Lennon, then commander of NATO’s submarine forces, told the Washington Post that “we are now seeing Russian underwater activity in the vicinity of undersea cables that I don’t believe we have ever seen” and that “Russia is clearly taking an interest in NATO and NATO nations’ undersea infrastructure.”34 The 2021 Office of the Director of National Intelligence’s unclassified threat assessment found that Russia “continues to target critical infrastructure, including underwater cables.”35 And broadly, the Kremlin continues expanding its control over domestic technology firms to serve and protect its political agenda.36

Rostelecom, the Russian state-owned telecommunications giant, is a prime example of a firm whose influence on Internet infrastructure seems to be continually leveraged by the Kremlin. Data compiled for a previous report showed Rostelecom to be involved with dozens of potential hijacks of the Border Gateway Protocol (BGP), the Internet’s “GPS” for traffic, in the first few months of 2020 alone; it appeared the company deliberately rerouted reams of global Internet traffic through Russian borders, a tactic used by several authoritarian governments to spy on Internet data.37 This practice weaponizes a security flaw at the very core of the global Internet.

In an August 2020 meeting, meanwhile, Rostelecom President Mikhail Oseyevsky told Russian President Vladimir Putin that the company was “completing an ambitious basic infrastructure expansion programme in the Far East,” having recently laid cables to Russian islands. Oseyevsky added that Rostelecom saw “additional opportunities for working on international markets” in light of rising global volumes of Internet traffic, a situation in which “Russia can provide the simplest and most reliable method for transmitting these volumes from Europe to Asia.”38 This is significant because Rostelecom is a state-owned firm, and all such “meetings” with Putin are scripted. Thus, in addition to the likely security dimensions of Russia’s Internet infrastructure foothold, it also appears to have economic dimensions—with submarine cables serving as a potential mechanism for the Kremlin to grow its levers of economic coercion.

The Chinese government also presents risks in this vein across cable ownership and cable construction. Broadly, numerous governments, researchers, and independent observers have expressed concerns about the Chinese government’s exerted influence over technology companies within its borders. Domestically, the Chinese government’s Internet filtering and surveillance regime depends on the cooperation of private companies that own and manage the infrastructure.39 It is these firms that may set up state-mandated filtering technologies on their Internet hardware or build algorithms to flag certain keywords on their digital platforms.40 Similarly, there are concerns that the Chinese government exerts that same kind of control over foreign-operating Chinese companies to reshape the Internet’s physical topology and digital rules. Chinese state-owned firms have (akin to Rostelecom) been involved with repeated hijackings of the BGP, where global Internet traffic is rerouted through Chinese borders, over the last few years.41

There are real risks that Chinese state-owned Internet companies that own or manage Internet infrastructure will become vectors for the government to reshape the Internet’s topology and behavior. There are also concerns that Chinese government capacity-building projects abroad have involved building computer systems that secretly exfiltrate data to Beijing.42 Two specific risks of Chinese government influence over cable-involved companies—influence through a cable owner and influence through a cable builder—form the basis of a more detailed case study below.

Source: Visualized by author.

Risk 1: Chinese state influence through cable owner

First, there is a risk of Chinese government influence through the (co-)owner of a cable, which is typically involved in funding the construction of the cable from the beginning. This risk implicates Internet security and resilience because faster routes for Internet data are generally preferable to slower ones.43 Cable investors can, therefore, shape the flow of global Internet traffic by choosing the connecting nodes and the bandwidth of new undersea cables: as the Internet’s physical shape changes, offering newer and faster routes for data between locations, more data could get digitally routed along different paths and through different countries’ borders. Infrastructure changes, in other words, affect the Internet’s digital behavior—potentially increasing economic dependence and enabling traffic interception. Cable owners with control of landing stations could also provide an intelligence collection vector for governments who mandate the insertion of monitoring equipment or backdoors. States exerting more control over cable owners thus creates impacts on Internet security and resilience, on both geopolitical and operational levels.

The US government, as previously mentioned, recommended in June 2020 that the Federal Communications Commission (FCC) refuse to approve cable licensing for the Pacific Light Cable Network (PLCN)—a submarine cable involving Google, Facebook, a New Jersey-based telecom, and a Hong Kong-based telecom owned by a Chinese firm—because its routing of US data through Hong Kong allegedly posed a national security risk. One of the Department of Justice’s (DOJ’s) specific concerns was that Beijing would use the Chinese owner of the Hong Kong subsidiary to access data on US persons. It cited “the current national security environment, including the PRC government’s sustained efforts to acquire the sensitive data of millions of U.S. persons” as well as the cable project’s “connections to PRC state-owned carrier China Unicom” as reasons for blocking the cable’s development. The DOJ also cited:

“Concerns that PLCN would advance the PRC government’s goal that Hong Kong be the dominant hub in the Asia Pacific region for global information and communications technology and services infrastructure, which would increase the share of U.S. internet, data, and telecommunications traffic to the Asia Pacific region traversing PRC territory and PRC-owned or -controlled infrastructure before reaching its ultimate destinations in other parts of Asia.”44

In other words, the US government highlighted the risk of Chinese state influence on two fronts: compromising cable data via cable owners (e.g., intelligence collection through a state-controlled landing point) and changing the Internet’s physical shape to route more global traffic through China (e.g., creating more chokepoints in the global network under the Chinese government’s control). These risks are distinct but related, as the referenced actions can be carried out by the same entity.

The DOJ is not alone in its concerns about the Chinese government’s control of cable owners. In November 2019, CNN reported on an internal Filipino government report alleging that the National Grid Corporation of the Philippines, partly owned by a Chinese state-owned electrical company, was in fact “under the full control” of the Chinese government and vulnerable to disruption.45 Reporting focused on the Filipino power grid, but the National Grid Corporation of the Philippines is also the sole owner of an undersea cable in the Philippines, making the Chinese state firm a co-owner.46 If those concerns about disruption apply to the power grid, there are related questions to be asked about Beijing’s influence over the submarine cable. In December 2020, Taiwan accused the Chinese government of backing Pacific-area cable investments as a means of spying on foreign countries and stealing data; a spokesperson for Taiwan’s Ministry of Foreign Affairs told Newsweek that Beijing wanted to “monopolize” Pacific information.47 These allegations arrive as Chinese state-controlled entities are taking growing ownership stakes in undersea cables, as depicted in Figure 5.

Source: TeleGeography’s Submarine Cable Map.

The three Chinese-incorporated firms listed as owners of undersea cables (at the time of writing)—China Mobile, China Telecom, and China Unicom—are all state-owned. In addition, two other companies that own cables, CITIC Telecom International and CTM, incorporated in Hong Kong and Macau, respectively, are themselves controlled by the Chinese government. The Chinese government is also a part of the aforementioned National Grid Corporation of the Philippines, a consortium of different cable owners. China Mobile, China Telecom, and China Unicom largely do not own years-old cables; however, the rate at which they are co-owners of newly deployed submarine cables is growing, as depicted in Figure 6.

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.
Note: Cables listed in the future are coded based on their expected ready-for-service date.

The three Chinese state-owned telecoms’ quickly rising investment in undersea cables increases the risk that Beijing leverages that influence to support its monitoring of cable data. It also gives the Chinese government more power to shape, quite literally, how and where cables are laid before construction even begins. For projects scheduled in 2021, China Mobile is currently invested as an owner in twenty-one, China Telecom is invested in twelve, and China Unicom is invested in eleven. On top of that, each state-owned company is invested in at least one project into 2022 or 2023. At the time of writing, the firms have barely any stake in cables deployed before 2020, a stark departure from the many other companies around the world with ownership stakes in cables deployed back in the 1990s or early 2000s. And these firms’ activity in the United States has drawn scrutiny from Washington. The FCC denied China Mobile’s application to provide telecom services in the United States in 2019, citing national security risks.48 A year later, it ordered China Telecom and China Unicom to provide evidence they did not pose national security risks through their US operations.49

This growing investment is also likely tied to the Chinese government’s infrastructure capacity building around the world—and risks of Beijing reshaping the Internet’s topology globally. Beijing is estimated to be spending hundreds of billions of dollars on infrastructure development projects in dozens of countries as part of its Belt and Road Initiative (BRI).50 In 2015, Beijing launched its Digital Silk Road (DSR) project, formally making a focus on Internet technology and infrastructure a part of the broader BRI.51 A 2015 white paper released by China’s National Development and Reform Commission, Ministry of Foreign Affairs, and Ministry of Commerce reads, “[China] should jointly advance the construction of cross-border optical cables and other communications trunk line networks, improve international communications connectivity, and create an information Silk Road.” It also specifically mentioned planning undersea, transcontinental cable projects.52

These projects, when conducted by or with Chinese state-owned or -controlled firms, are a potential way for Beijing to influence the Internet’s physical shape. Once the projects are completed, it is possible they could be used as economic and/or technological levers of influence. Since 2015, Chinese firms have moved to fill cable-building voids in low-resourced countries,53 including with heavy focus on Internet infrastructure across the African continent.54 The Chinese government has also signed DSR cooperative agreements, or given DSR-linked investment to, at least sixteen countries, and dozens more BRI participants may be involved with DSR projects.55 Not all DSR projects are directly state-controlled or -supervised to the same degree, but the Chinese government’s control over specific elements of the DSR is only poised to grow in the coming years.56 In December 2020, Chinese Foreign Minister Wang Yi claimed government spending on the BRI, digital infrastructure included, had increased in 2020 even with the COVID-19 pandemic.57 This focus on capacity building abroad aligns with data on cables owned by Chinese state-owned firms, depicted in Figure 7.

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.

China Mobile, China Telecom, and China Unicom collectively own twenty-two cables; there is some overlap in their cable investments. Significantly, however, many of these projects are entirely focused abroad. Figure 7 shows that more than one-third of submarine cables owned by these Chinese state-owned firms do not have landing stations in China—that is, they make no direct contact with the Chinese mainland. This is not inherently cause for concern. Many companies invest in cables that do not touch the shores of their country of incorporation because it can be a way to make money off Internet traffic as well as influence the Internet’s physical shape in business-favorable ways (e.g., building faster data transmission to a new market).58 But growing investment notably coincides with the Chinese government’s focus on capacity building worldwide and its efforts to reshape the Internet’s physical topology and digital behavior.

Risk 2: Chinese state influence through cable builder

Second, there is a risk of Chinese government influence through the builder of a cable rather than its (co-)owner. This is an important distinction because the companies building a cable are different from the ones that fund the project and ultimately own the cable. State influence through this vector could theoretically let a government insert vulnerabilities into cables before they are even laid underwater. Evidence, as always, is vital to assessing this risk, as is the Chinese government’s supposed cost-benefit calculus on information collection; the mere existence of possibility is not enough. But along with Beijing’s growing leveraging of Chinese technology companies for its geopolitical interests, this second risk of state control speaks to geopolitical and operational issues: states potentially monitoring, corrupting, or disrupting the flow of data.

Any company that builds parts of cables—whether a company like Corning that makes optical fiber or a company like TE SubCom that lays a cable underwater—could potentially be tapped on the shoulder by a government to build backdoors into the equipment before deployment. There are multiple parts of the submarine cable supply chain that could each potentially be compromised in this fashion. This kind of backdooring is distinct from the many other ways in which governments could potentially tap into cables once they are deployed, from hacking into remote network management systems (discussed more in the next section) to installing physical taps on cable lines.

The Chinese company Huawei Marine has been a focus of such espionage concerns internationally. Huawei Marine has no identified ownership stake in any of the 475 undersea cables deployed worldwide as of this report’s writing. The company has, however, been involved in laying numerous undersea cables, and repairing those cables, around the world. According to an October 2020 FCC document, Huawei Marine has “built or repaired almost a quarter of the world’s cables.”59 Examples abound of Huawei partnering with telecoms in other countries to build undersea cables. For instance, in April 2019, Huawei announced a partnership with FiberStar, the Indonesian telecom, to “deepen cooperation in addition to building a high-speed optical fiber network.” The Huawei press release also noted that Huawei had already worked with FiberStar to build an enhanced fiber-optic backbone connecting Jakarta to Surabaya.60 This is not on its face unusual, given the private sector’s influence on the bulk of global Internet infrastructure and that collaboration is a common feature of undersea cable development. The question comes down to the risk that a specific company—in this case, Huawei, one with a critical foothold in global Internet architecture and alleged close ties to the Chinese government61—is a vector for projecting state geopolitical influence. In this case, the US government has reportedly been warning Pacific Island countries that Huawei Marine’s cable-building activities pose security risks.62

One could argue these disputes are essentially two major powers vying for espionage advantage.63 The Chinese state-controlled Global Times itself quoted a telecom industry writer in July 2019 as saying, “The US’s undersea battle with Huawei is all about taking control of data and information, which is also the backbone of networks. Washington is worried that China will gain a larger stake in the submarine cable market so that Americans will not be able to listen in to networks or steal data from others.”64 The Global Times’ propaganda purposes aside, espionage is a genuine reason for states to be concerned about information hauled over submarine cables. In 2014, for example, after the Snowden leaks about US global espionage and surveillance programs, Brazil announced plans for its own undersea cables “so that data can travel between Brazil and the European Union without going through the United States.”65 One such cable was completed in December 2020.66 Private companies with control of Internet infrastructure already help states conduct espionage, and that risk is pronounced when the entity in question is not privately owned but state-controlled. This is doubly the case in a country like China, where authoritarian surveillance practices—not fully comparable to surveillance carried out in the United States—mean there is an even greater likelihood that Beijing would use this vector of influence over the undersea cable infrastructure if desired.

Recommendation previews

Companies have long led the development of the Internet globally, especially in the United States and many other liberal democracies. In kind, it has been and generally remains a positive and necessary component of submarine cable construction that many firms from many countries collaborate to fund these financially expensive and logistically intensive projects. But growing exertion of authoritarian control over Internet companies, especially from Beijing and Moscow, calls into question the independence of some of the firms in these consortia, and thus increases cybersecurity and resilience risks. Key policy issues include:

Oversight: Federal inspection and monitoring of foreign telecoms operating in the United States is essential for identifying vectors of potential authoritarian influence on Internet security and resilience. Yet the US government body responsible for monitoring foreign-owned telecoms in the United States for security risks is not adequately resourced to monitor the full spectrum of security and resilience risks posed by certain foreign telecoms. In response, the US Congress should statutorily authorize the executive branch committee responsible for these reviews, ensuring it has the resources and authorities it needs to screen foreign cable ownership structures for national security risks (Recommendation 1).

Transparency: TeleGeography’s Submarine Cable Map data is comprehensive, but it is also limited by its use of public sources. The coding of cable ownership for this report—specifying if firms are privately owned, state-controlled, or have an unclear ownership structure (just five out of the 383 cable owners)—was similarly dependent upon open sources and, therefore, has many limitations. Limited transparency into submarine cable ownership structures limits the ability of third parties (researchers, third-party firms, etc.) to evaluate the risks of a government exerting control over that infrastructure in ways that compromise its security and/or resilience. Increased authorities and resources for the US committee that screens foreign telecoms for security risks would help to address this problem (Recommendation 1). The State Department should also conduct a study on ways to better integrate undersea cables in cyber capacity-building and foreign assistance programs for infrastructure, focused on these security and resilience questions (Recommendation 5).

Trend 2: Companies using remote management systems for cable networks

In addition to who owns and builds undersea cables, the technologies used to manage them increasingly create risks to cable security and resilience. More companies are using remote management systems for submarine cable networks—tools to remotely monitor and control cable systems over the Internet—which are cost-compelling because they virtualize and possibly automate the monitoring of cable functionality. Yet when these cable management tools are connected to the global Internet, they expose undersea cables to new risks of hacking—both for monitoring cable traffic and disrupting it altogether. This second key trend presents a more operational risk to Internet security and resilience than the previous trend; much of the opportunity and responsibility for the US government to renew its engagement with allies, partners, and companies to protect these management systems comes back to practices like software updates and security standards. But this risk is still entangled with the other two trends: because companies are increasingly using remote network management systems, states have incentives to hack into them to monitor traffic; and because the volume and sensitivity of traffic sent on the global Internet is increasing, intercepting or disrupting that data is more attractive to governments and criminal actors—and easier through these poorly secured and Internet-connected technologies.

The US Office of the Director of National Intelligence (ODNI) classifies the possibility of cyberattacks against cable landing stations as a “high risk” to national security.67 In a worst-case scenario,68 hackers could breach multiple remote network management systems used to control different submarine cables to completely disrupt the flow of Internet data across that infrastructure. This could be targeted at the US mainland or at another geographic area of interest to a malicious actor (e.g., a conflict zone) to either greatly slow or corrupt Internet traffic delivery and/or force Internet traffic intended for that region to be routed through other points on the global Internet network. Once in control of cable companies’ remote management systems, these attackers could wreak this kind of havoc on Internet traffic flows from their keyboards, miles away.

Adversaries, for instance, could execute such a targeted attack during a military conflict or other geopolitical crisis to intercept or disrupt large volumes of Internet traffic; terrorist organizations with requisite offensive cyber capabilities, to give another example, could even more destructively attempt to slow swaths of Internet traffic headed to the United States or another country, perhaps timed with some kind of kinetic attack. Potential compromise of cable management systems was a concern at least a decade ago, when Nokia introduced submarine cable terminal equipment: it had failed to clearly show the systems were not vulnerable to the attacks used in the Stuxnet operation against Iran.69 But the planned expansion of Internet-connected remote network management systems today has made this security problem dramatically worse for the United States, the US private sector, and US allies and partners around the world.

Every submarine cable must have at least two landing points—spots at which it reaches a country’s shoreline and where its fiber-optic signals are transmitted to users over land. Landing stations play a key part in the operation of undersea cables. They can perform many functions, including terminating international cables, supplying power to cables, and acting as a point of domestic and/or international connection.70 Their physical security is also important, as natural disasters and intentional damage can stop the cables from transmitting Internet data.71 Historically, the operating centers located at or near these landing points have been largely managed by on-site personnel or through tools that are not directly connected to the Internet.72 These systems were built for tasks such as ensuring signal connectivity and maintaining power flows.73 It is these operational tools, often managed by private firms, that help enable the geopolitically consequential activities on the global Internet, from personal communications to financial transactions, scientific research, and the sending of government documents, for which data is hauled over cables.

Now, however, more companies that manage submarine cables are connecting their landing points and operating centers to remotely controllable “network management systems.” These tools are compelling to companies because they do not require personnel to be on site. Working from afar, companies can monitor the data sent over cables and even alter fiber-optic signals, all through a virtual interface. Yet it is not just about cost and convenience. Optical fiber technology in undersea cables has grown more sophisticated over the last two decades. Thus, managing a cable system and a landing station now includes managing complex signal configurations.74 Hence the demand for more sophisticated cable management software that is Internet-connected and can exert physical changes to fiber signals themselves.

This push for cost-effectiveness and remote monitoring introduces new vectors of cybersecurity risk. By introducing a software-driven, “virtualized” layer of control over cable systems—one connected to the Internet—cable owners are exposing themselves to potential hacks of submarine cables through that technology. These hacks could disrupt or degrade signals traversing the submarine cable fibers. For instance, TE SubCom, a US-incorporated firm that builds cable equipment, offers an “Ocean Control suite” that uses application programming interfaces (APIs) to offer “extensive remote programmability and control of an entire communications network, both terrestrial and undersea.”75 Malicious control of those systems could enable actors to harmfully alter or disrupt Internet traffic delivery across key cables.

The risk of cable disruption through hacking is magnified by poor security practices by some of these software vendors (e.g., poorly securing communications between the virtualization interface and the physical infrastructure).76 The relative lack of diversity among remote management system vendors creates additional security risk through centralization77—compromises of one technology (e.g., backdooring updates, discovering a new vulnerability, etc.) could have wider effects on cables. Many remote network management systems also use common operating systems like Linux or Microsoft Windows with which more malicious actors are likely familiar, as opposed to highly specialized and obscure interfaces that are sometimes used in such infrastructure control systems.78 And the way vendors update and can control systems once deployed on the customer end might introduce other kinds of risks into this part of the cable supply chain. Malicious actors could exploit these realities to disrupt cable signals.

Beyond disruption, hacks of remote network management systems could enable malicious actors to intercept data flowing through landing stations. Hacking into poorly secured network management systems to intercept and collect traffic can be relatively low-cost.79 Governments already turn to private companies within their borders to collect data for a range of purposes, including legitimate foreign intelligence and law enforcement purposes and/or unchecked surveillance, depending on the specific country and specific case.80 In many democracies, this can create tensions with private companies that want to limit their involvement with state espionage activities and/or have other obligations such as privacy, transparency, and customer protections.81 All to say, there may already be technical mechanisms in place for private companies to intercept data for governments, and third parties could potentially abuse those mechanisms. Governments can also hack directly into cable management systems to steal data.82 Yet securing undersea cable management systems against malicious data theft and monitoring is even more challenging when (a) more companies’ remote management tools are Internet-connected and (b) many cables and their operations centers are controlled by consortia of firms.83 As the data compiled for this report show, these owners may be spread across many countries and are in some cases state-controlled. It is an important challenge for Internet security and resilience, as protecting the Internet data itself also means protecting the infrastructure across which they travel.84

Physical threats to landing stations

Physically securing cable landing stations against power outages, natural disasters, and malicious activity (e.g., manual insertion of monitoring equipment) remains a key part of protecting undersea cables. This is particularly the case in a nation-state context where intelligence services could work to compromise landing stations through human operatives, such as planting monitoring equipment directly onto landing station infrastructure. Much national security concern around potential physical disruptions to submarine cable infrastructure has focused on terrorism risks, where attackers could seize or physically destroy landing station infrastructure. The focus in this section remains on remote hacks of network management systems because of the accelerating nature of the risk, but investments in physical security and continuity-of-operation protocols for cable landing stations remain critically important for the private sector as well.

In sum, network management systems deployed by cable owners increase submarine cables’ attack surface: with remote, Internet-connected control systems linked directly to the Internet’s physical infrastructure, hacks can be conducted from afar and “could physically change a network or drop communication paths altogether.”85 Attackers need not be physically on site to undermine Internet security and resilience. Developers of these management systems may also not prioritize securing them due to poor market incentives; like many industrial control systems, these technologies are most often designed for convenience and functionality above cybersecurity. Further, restoring these systems once compromised may not be a straightforward effort: “legal, cultural, and language barriers may limit the ease and effectiveness of information flow in the event of a disruption, and depending on where cable disruption symptoms appear, public agencies without a local presence may struggle to coordinate a timely response.”86 It is an exceptionally impactful case in the broader Internet infrastructure security conversation. All of this presents risks to the security and resilience of the Internet.

Recommendation previews

The US government has few measures in place to ensure the software control systems for key traffic hubs, even those located in the United States, are secure; companies may be deploying poorly secured remote network management systems that potentially compromise the security and resilience of US Internet connectivity and Internet data. The US private sector also co-owns only a portion of global undersea cables, often with other companies. That said, the US government has valuable nexus over submarine cables given what influence the US private sector does have over cables (discussed more in the next section) as well as the private sector’s control of undersea cables touching US borders. Taken together, this gives the US government an opportunity and responsibility to expand cooperation with allies, partners, and the US private sector to build solutions to the operational security risks of remote cable management systems. This could produce valuable effects on scaling up security across the Internet ecosystem. Key policy issues include:

Security Baselines: Remote network management systems, as with many industrial control systems, are often poorly secured. Cable owners using these technologies are exposing the physical infrastructure itself to possible surreptitious monitoring or outright disruption. In response, the US government should use the point of leverage it has available—incentivizing private firms incorporated in the United States to use more secure remote network management systems for undersea cables, founded on a set of clear cybersecurity baselines and best practices (Recommendation 3). This aligns in principle with the Biden administration’s executive order that places priority on addressing the security of “critical software” in the supply chain, although that order is more focused on information technology.87 Amazon, Facebook, Google, and Microsoft, increasingly responsible for cable construction worldwide (discussed more in the third section), should craft and publish strategies for promoting the security and resilience of their cable infrastructure in response to these risks (Recommendation 8).

Threat Sharing: The submarine cable industry, despite these growing digital threats, still does not have robust mechanisms in place to share threat intelligence on undersea cable hacking risks. Cable systems are, meanwhile, only more attractive hacking targets as they become more important for key societal functions—from civilian communication and public health to government document sharing and scientific research—and as the data across them becomes more sensitive (discussed more in the next section). In response, US-based submarine cable owners should work with federal, state, and local authorities to establish public-private Information Sharing and Analysis Centers (ISACs) for cyber threats to undersea cables (Recommendation 7).

Trend 3: Increasing volume and sensitivity of data sent over undersea cables

There is more data sent over undersea cables each day, and that data is also becoming more sensitive. The COVID-19 pandemic has accelerated the former trend, shifting more living, learning, and working online and dramatically increasing the amount of traffic moving over the Internet’s physical backbone.88 5G will similarly contribute to a massive increase in Internet data routed over cables. The latter trend, increasing data sensitivity, is predominantly tied with the rise of cloud computing—where private companies rent out storage space and processing power to clients—as these companies are increasingly moving previously offline or back-end functions and data onto the global Internet. The effect on economic and national security is straightforward: the more data, and the more sensitive data, that travels over undersea cables, the more important their security and resilience becomes. Errors with and disruptions to this traffic become more disruptive to society as a whole, harming individuals as well as public and private organizations across health, commerce, defense, and transportation and logistics. States exerting more control over cable owners know that the growing volume and increasing sensitivity of Internet data makes data interception and manipulation more valuable. Those looking to hack into cable landing stations or remote cable management systems likewise recognize the growing value of this sensitive data.

There are many metrics that capture the growing volume of data sent over undersea cables: Hundreds of millions of tweets and billions of emails and other messages are sent online daily.89 In 2020, Internet users worldwide spent an average, per capita, of three hours online every day, and that is expected to rise by 6 percent in 2021.90 More American households are subscribed to the Internet every year.91 One estimate says global interconnection bandwidth will grow at a 45 percent compound annual growth rate from 2019 to 2023,92 yielding a potentially massive increase in the volume of data hauled by submarine cables in just the next few years.

Although much discussion of 5G infrastructure focuses on the network’s software-driven nature, 5G does not eliminate the need for undersea cables—on the contrary, 5G will only further increase the volume of data flowing over cables. For Internet content to be sent over cellular networks today, that cell tower network must connect to servers and cables that can deliver the endpoint-housed data (like for smartphone users browsing TikTok or logging into a mobile banking app). In other words, because Internet content itself is not stored on cell company networks, once a phone makes a request for Internet data, the cellular tower infrastructure must at some point connect to the global Internet to retrieve it. This will not change with 5G. The fifth generation of cellular network technology may use less hardware and have more sophisticated software functionality than its 4G predecessor. But if 5G networks are going to deliver the data speed and bandwidth that experts predict, they will rely on fast and resilient submarine cable infrastructure to carry the Internet content ultimately delivered to 5G network users.93 In turn, 5G’s higher data speed and bandwidth, and constant communication with high volumes of Internet of Things (IoT) devices, will result in even more data flowing over submarine cables.

Simultaneously, data sent over submarine cables is increasingly sensitive to the US economy and national security, and this second shift is tied to the accelerated growth of cloud computing. US cloud service providers are routing more data over the Internet as their customer bases grow. Many critical sectors are becoming more dependent on cloud computing by the month, including firms in financial services, energy, healthcare, shipping and logistics, and defense that pay cloud service providers to store and send their data. In practice, this means that more of their information is being sent across the global Internet instead of just back-end, intranet systems.94 It is in many cases highly sensitive, and highly valuable, data. Financial service providers might store customer data in the cloud for real-time access; transportation and logistics companies may run their inventory management systems on a third-party cloud system.

Defense and intelligence contractors may also run national security-critical services on government-approved cloud systems to offload the costs of managing servers in-house. Government agencies are moving to the cloud at varying speeds and to varying degrees; not every implementation involves an equal dependence, at present, on third-party cloud systems housing sensitive data and services. But cloud adoption by the defense base is growing. Every time companies in these sectors retrieve sensitive data and services from the cloud, that information is potentially routed over submarine cables, especially when data transfers are intercontinental (e.g., a company linking to a cloud server overseas). Compromising this data could enable criminals, terrorists, and especially foreign nation-states to use it for their own gain. The sensitivity of the data sent over the global Internet is also shifting alongside its rapidly growing volume.

The accelerated growth of cloud computing is directly relevant to how the US government can better work with allies, partners, and companies to protect submarine cables. This is because these providers are not just moving more data over Internet infrastructure—they increasingly own that infrastructure too, giving them a growing responsibility to protect its security and resilience. As the Submarine Telecoms Forum’s 2020 industry report put it, “providers such as Amazon, Facebook, Google and Microsoft are completely transforming the submarine cable market. They are no longer reliant on Tier 1 network operators to provide capacity and are simply build(ing) the necessary infrastructure themselves.”95 This accelerated investment became clear in 2019, when TeleGeography noted that Facebook as well as Amazon, Google, and Microsoft—the three major US cloud providers—were taking a newly active role in the changing shape of the Internet.96

The US private sector already has a notable influence on submarine cables. Figure 8 shows the number of undersea cables deployed worldwide with at least one private US owner.

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.

US government cooperation with allies and partners abroad, as well as with the US private sector, is essential to better securing this vital Internet infrastructure. One hundred and six of the 475 undersea cables (22 percent) deployed worldwide as of December 2020 have at least one US private sector owner. The US government itself only has ownership in two cables, which are linked to Guantanamo Bay.97 This means the US private sector has a notable influence on the global Internet’s physical shape, considering the US has at least one corporate owner with stake in 22 percent of the world’s undersea cables. By extension, the US private sector also has a notable influence on the security and resilience of the data sent across that infrastructure. At the same time, however, it is not a dominant influence. Many cables with US ownership have several other corporate owners from other countries. Over two-thirds of cables do not even have a US-incorporated owner. Sensitive data for critical US sectors, from public health to financial services, is routed not just over American-owned infrastructure but over that owned by many firms around the world.

US cloud providers are a unique point of leverage for the US government as they increasingly invest in undersea cables. Unlike in China or Russia, however, where state leverage over Internet companies is used for the likes of BGP traffic hijacking, the US government can use this nexus to incentivize better security. This is because the US “hyper-scalers” Amazon, Google, and Microsoft—nicknamed as such for their scaled-up infrastructure—have been spending substantially more money on submarine cables in recent years. (They also dominate the cloud computing market, a centralization which itself presents economic and security risks.98) Their American incorporation and substantial federal contracting present an opportunity for the US government to incentivize better protections on their cable systems. In tandem, these cloud providers’ responsibility to protect the infrastructure’s security and resilience grows. Figure 9 illustrates this growing cloud provider investment.

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.
Note: Cables listed in the future are coded based on their expected ready-for-service date.

The three “hyper-scalers” investing more money in submarine cable development does not by itself mean more cloud data is sent across the cables—owning an undersea cable is different than relying on it to carry data. However, given that the amount of Internet bandwidth consumed by cloud service providers is growing, the corresponding increase in hyper-scaler investment in submarine cables appears to reflect these firms’ strategic interest in resilient physical infrastructure that hauls data quickly. Maintaining a secure and resilient submarine cable network is critical to safely and reliably routing cloud service provider data. Maintaining cable ownership is also an opportunity for these firms to profit off growing Internet traffic demands worldwide in the process.99 Not all cloud data is routed over undersea cables, but it becomes more likely as the global cloud infrastructure expands (with many servers around the world) and many cloud service provider clients have operations based in multiple countries (and thus require Internet data to be hauled intercontinentally).

Google is by far the most active investor in undersea cables, with ownership stake in ten different cables that should be ready for service in 2021. It remains to be seen how many more cables Google might invest in for 2022. It is unlikely these investments are going to subside, based on estimates that place global spending on cloud services at hundreds of billions of US dollars a year and rapidly growing.100 Digital services depend on underlying physical infrastructure, so rising dependence on the former means rising dependence on the latter. This is also one explanation for why Facebook, which does not offer cloud services but runs its own Internet platform, is investing more in cable ownership.

Facebook’s investment in submarine cable development is, notably, even more accelerated than that of Amazon or Microsoft. Amazon currently has ownership stake in a 2020 cable and a 2022 cable, and Microsoft has ownership stake in just two 2021 cables, while Facebook has ownership stake in three cables deployed in 2020 alone. The firm has made a concerted push to expand physical Internet infrastructure around the world, including as a way of growing its market power.101 Submarine cable investments are, therefore, attractive not just to cloud service providers but to other private Internet companies that need fast and reliable data routing infrastructure. All the while, the more these companies invest in shaping the physical topology of the Internet and maintaining cable networks, the greater their responsibility to protect its security and resilience. They are the ones with direct ownership stake in the infrastructure. They may also control many of the data centers to and from which significant volumes of Internet data flow. Further, there are many benefits to having independence between private US cable owners and the US government compared to other countries where the state is heavily involved in the building and management of most Internet infrastructure—and there is a benefit to keeping it that way. But that means these private firms must do more to address security and resilience risks.

Recommendation previews

Undersea cables underpin global Internet traffic delivery, routing data every day for financial transactions, scientific research, government communications, personal messaging, and more. There is not just a growing volume of data traversing undersea cables, however; the sensitivity of that data is also increasing. Explosive growth in cloud computing has led more critical sectors, from defense to health to finance to supply and logistics, to transition their data and services to the cloud. In the process, more and more sensitive information, vital to everything from global financial markets to public health, is transmitted over undersea cables. This makes securing the cables, and ensuring their resilience, an urgent issue for the US government in cooperation with allies, partners, and the private sector. The growing centralization of new, US-connected cable infrastructure in the hands of a few cloud service providers (Amazon, Google, and Microsoft) as well as Facebook increases the urgency of ensuring proper investment in security and resilience. Key policy issues include:

Fast Repairs: The increasing volume and sensitivity of data routed over submarine cables means security compromises and service disruptions can inflict even greater harm on economic and national security. Coordinating the quick repair of these cables is often difficult for private companies working with consortia of other cable owners incorporated in a range of countries.102 The US Congress already funded the Cable Ship Security Program to speed up repairing damage to US national security-relevant submarine cables. The program is being stood up now, but at least one year into its launch, Congress should conduct a review of whether the program requires further funding (Recommendation 2). Internationally, the Department of State should conduct a study on ways to better integrate fast cable repair into capacity-building and foreign assistance work globally (Recommendation 6). And US cable owners—including Amazon, Facebook, Google, and Microsoft—should publish strategies to promote the security and resilience of their cable infrastructure, including plans on cable repairs (Recommendation 8).

Outage Reporting: Cable outages occur for many reasons, most often not malicious: weather events, ship collisions, and other incidents can physically damage cables; power outages and other electrical or digital problems can likewise disrupt cable operations. The FCC focused additional resources on monitoring such events in 2016, but there is still more work to be done to ensure that cable outages are communicated—and responses are coordinated—in the most efficient and effective ways possible. The FCC should focus more resources on interagency coordination on cable outages, as the range of data traversing submarine cables is of concern to many agencies across the federal government (Recommendation 4). This feeds into supporting other objectives, such as fast repairs of cables via the US Cable Ship Security Program mentioned above.

Norms: Undersea cables are already vulnerable to espionage and cyberattack, and this is especially true with poorly secured and Internet-connected remote cable management tools. If badly secured, these systems are more susceptible to compromise, even by actors with less advanced capabilities. In response, the Department of State should strengthen international norms against nation-states damaging or disrupting undersea cables (Recommendation 5). Because of the legal complexity of protecting international cables located outside of a country’s territory, the frequently multiparty ownership structures of undersea cables, and other factors, “international State involvement is critical to the twin goals of victim compensation and deterrence against future depredations.”103 Especially when it comes to authoritarian governments in Beijing and Moscow, and Internet governance “swing states” who may find the idea of cable damage or disruption compelling, the US government must act in concert with allies and partners to bolster norms against those actions.

Recommendations

For all the attention paid to communications technologies like satellites or 5G cellular networks, the vast majority of global Internet communications still travel through metal-encased, fiber-optic tubes laid along the ocean floor. It is these submarine cables, deployed in the hundreds globally, that help haul everything from scientific research to e-commerce to government communications around the world. The international delivery of Internet data depends directly on this infrastructure’s function. Much of this infrastructure is multi-owned by consortia of private and state-controlled firms. And, importantly, this physical infrastructure is not set in stone. Just as the Internet was created and built by humans, the Internet’s physical shape continues to be shaped by humans, as cable owners look to expand global Internet connectivity and upgrade older physical infrastructure. As societal reliance on the Internet grows, more investments in submarine cables reflect a concurrently growing need to ensure the Internet’s physical backbone is secure and resilient.

Three trends, however, are accelerating risks to the security and resilience of undersea cables. First, authoritarian states are reshaping the Internet’s physical topology and digital behavior through companies, introducing new possibilities of espionage and disruption, and reshaping the Internet infrastructure to favor their Internet governance models. Second, more cable owners are linking cable landing stations to remote network management tools, which exposes cables to hacking and disruption. And third, the volume of Internet data sent daily grows, as does its sensitivity; thus, society is more reliant on cables being secure and resilient, and there are more incentives for states and other actors to intercept, disrupt, or manipulate the delivery of this valuable information.

But even with the influence the US private sector has on global cable development, the private sector cannot go it alone. Poor market incentives for robust security—combined with new threats and an internationally collaborative system of cable construction and management—mean the US government must also better engage with allies and partners to protect the security and resilience of this submarine cable infrastructure. To this end, this report makes the following recommendations for the US government, along with the private sector and allies and partners, to better protect the security and resilience of submarine cables:

1. The US Congress should statutorily authorize the US executive branch body responsible for monitoring foreign-owned telecoms in the United States for security risks: the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector (formerly the informal Team Telecom).104 This would provide it with the necessary funding, review authority, and formal structure to better screen foreign telecoms that own cables. The newly renamed organization is a coordinating entity between several federal agencies, with the FCC playing a key role on the telecom referral and licensing side, and the Department of Homeland Security (DHS) and the DOJ playing a key role on the security review side. However, a June 2020 Senate report, produced after months of investigations into the organization, found the committee had been conducting “minimal oversight” of Chinese state-owned telecoms in the United States in ways that “undermined the safety of American communications and endangered our national security.”105 Resource constraints were compelling the participating agencies to devote more time, money, and personnel to interagency work on the Committee on Foreign Investment in the United States (CFIUS) than the telecom security review committee.106 Because it did not have formal authorities and structure, the group also “had no formal, written processes for reviewing applications or monitoring compliance with security agreements,” and if it did not choose to enter into a security agreement with a foreign carrier, it lacked other means of getting insight into the carrier’s operations.107 The US Congress should mitigate this problem by statutorily authorizing the executive branch committee, just as it did in 2007 with CFIUS, to give the organization more resources and authorities to more expansively screen foreign cable ownership for national security risks.
If the US government wants to be more proactive in assessing the national security and resilience risks to the Internet’s physical backbone, it must invest more time and resources into conducting those reviews, and it must give more authorities to the committee to do so, including legally requiring a periodic reassessment of foreign carriers and allowing the organization to inspect foreign carriers with which it has no existing security agreement.108 This expanded review process should include a more intensive focus on ownership structures of cable owners and cable consortia, as more authoritarian governments work to reshape the Internet’s physical topology and digital behavior through sometimes opaque ownership structures and influence. It should also include considering the security risks of remote network management systems deployed by cable owners. And the expanded security review process should consider not just the direct owner of a particular cable but all of the providers and subsidiary firms that interact with the cable or its data en route.

2. The US Congress should conduct a study, starting no earlier than one year into the program’s launch, on the Cable Ship Security Program that was authorized in the National Defense Authorization Act (NDAA) for 2020.109 The Department of Transportation is currently in the process of standing up the program with two vessels, so that government-authorized, privately owned ships are on standby to repair damaged submarine cables relevant to US national security.110 This program, therefore, helps ensure that alongside commercial investment in cable resilience, the US government is taking steps to repair damaged submarine cables more quickly than they might otherwise be if left entirely up to the private sector. Far from a purely national security issue, though, the Cable Ship Security Program also promises many economic and public benefits for the United States in the way of sped-up repairs—and as such, there are many stakeholder departments and agencies across the federal government with equities in the program. The program is beginning with two vessels, but it is possible the US government may ultimately require more. Congress should, therefore, conduct a review of the Cable Ship Security Program beginning no earlier than one year into its full launch, exploring whether additional funding for more vessels would bolster submarine cable security and resilience for the United States.

3. The US executive branch should create and promote the use of security baselines and best practices for cable remote network management systems. More cable owners are deploying Internet-connected industrial control systems to remotely manage complex cable infrastructure. These systems could be remotely compromised to disrupt or deny the delivery of Internet data across cables, a risk compounded by the poor market incentives for developers of these technologies to legitimately prioritize cybersecurity. As such, the National Institute of Standards and Technology (NIST) should create a set of security standards and best practices for vendors that build cable remote network management systems, and for the submarine cable owners that ultimately deploy those technologies at cable landing stations. NIST’s deep technical expertise and widely respected framework-creation process makes it well suited to craft a list of security standards and best practices for the private sector. Then, the US executive branch, particularly large and influential agencies like the Department of Defense, should consider adopting those security baselines and best practices into procurement requirements for any companies doing business with the federal government that also own undersea cables carrying US, and likely US government, data. If the US government is going to have more of its data routed over the global Internet via the public cloud in the coming years, it should be invested in protecting the security and resilience of the remote technologies that manage the underlying infrastructure because their compromise could have serious effects on economic and national security.

4. The Federal Communications Commission should invest more resources in promoting and maintaining federal interagency cooperation on resilience threats to submarine cables. While this has been an FCC effort for several years now,111 the growing threats to undersea cable security and resilience make this internal federal coordination an even higher priority. The FCC should focus on such measures as information sharing on resilience threats and continued reassessments of the effectiveness of outage reporting requirements, which were expanded in March 2020.112 The agency should also work with state and local authorities to integrate cable resilience best practices into permitting decisions, which would create stronger incentives for cable owners to invest in protecting cable resilience.113 FCC action here can help identify risks, take mitigating steps as necessary, and forge better coordination mechanisms with the private sector (including through ISACs discussed below). Preventing disruptions to cable operation can support the delivery of Internet data and thus economic and national security.

5. The Department of State should pursue confidence-building measures to strengthen international norms against nation-states damaging or disrupting undersea cables. The political will for any kind of international legal treaty to protect submarine cables is limited: It is difficult to imagine Beijing and Moscow signing onto any agreement that would tie their own hands vis-à-vis disruptively interfering with physical cable infrastructure, whether for strategic, conflict, or domestic repression purposes. The United States could pursue such legal agreements in bilateral or limited multilateral capacities, such as within the NATO bloc, which could communicate a commitment from global, open internet countries to not disrupting submarine cables. Nonetheless, the greatest risks of nation-state-caused cable disruptions—which could undermine human rights, the free flow of information, and economic and national security—do not come from within the NATO bloc, and constraints on potential malicious behavior must focus outside the United States’ closest alliances and partnerships. Confidence-building measures are thus an additional mechanism through which the United States could work to bolster norms against damaging or disrupting cables. The Department of State, and allies and partners, could place pressure on Beijing and Moscow, as well as less-discussed “swing states” in Internet governance that may be inclined to disrupt cables.
This process could generally mirror the confidence-building measures used for other cyber issues: start by working with other countries to understand definitions of key terminology—for instance, what constitutes “damaging” or “tampering with” a cable, or what constitutes illegitimate government action against undersea cables (e.g., excluding nondisruptive espionage); and also establish baseline understandings of how countries view cable protection in existing agreements (e.g., whether the United Nations Group of Governmental Experts’ language on critical infrastructure applies to cables). This also must include communicating the potential costs of states engaging in cable disruption.

6. The Department of State should also conduct a study on ways to better integrate undersea cables into cyber capacity-building and foreign assistance programs for infrastructure worldwide, focused on security and resilience questions. Disruptions of undersea cables abroad can still undermine US economic and national security by cutting or slowing Internet connectivity to other parts of the world, and even hindering data flows to the United States. These cable disruptions can also undermine human rights, the free flow of information, and economic and national security in ally and partner countries. The Department of State should, therefore, conduct a study on ways to make this issue a more integral part of its cyber capacity-building and foreign assistance work with allies and partners. Options might include working with other governments to establish cable repair programs in their own countries, working with other governments and their private sectors to understand key risks to cable resilience, and working to ensure other governments are making fast repair and resilience requirements a key part of authorizing undersea cable construction within their jurisdictions. Boosting resilience in cable infrastructure can promote a more secure and global Internet for all.

7. US-based submarine cable owners should work with federal, state, and local authorities to establish public-private ISACs as threats to their submarine cable infrastructure grow.114 Industry-specific ISACs across sectors like health, energy, and finance have become integral mechanisms through which companies share cybersecurity threat information with other firms through established and confidential channels. Though many submarine cable owners are members of these and other ISACs, no ISAC exists specifically for threat sharing among submarine cable owners. Yet as more submarine cable owners deploy remote network management systems, directly connected to the Internet, to manage complex cable infrastructure, they are introducing new levels of cybersecurity risk: malicious actors could hack into these systems to disrupt cable signals. There are also many risks posed to cables that are distinct from those posed to other parts of those owners’ businesses (e.g., cloud platforms, cellular networks). US-based submarine cable owners should, therefore, establish ISACs where they can share cybersecurity threat information with one another to collectively protect submarine cable security and resilience and to increase their available intelligence for making corporate cybersecurity decisions. They should work as well with federal authorities, including the FCC and DHS, particularly the Cybersecurity and Infrastructure Security Agency (CISA), as well as state and local officials, to ensure the government also has requisite threat information to make determinations about particular cables that pose unique security risks or cables whose compromise would seriously undermine US economic and national security. That said, a key issue with threat sharing is liability.
CISA’s liability protections for information sharing cover private firms giving information to DHS, but the federal government should consider expanded liability protections such that private companies can also share cable threat information with, at a minimum, those in the FCC, DOJ, and intelligence community that (in addition to DHS) are presently the driving force behind cable security reviews. Other factors can hinder threat sharing, such as a perceived lack of a business case for doing so, but this may be one way to help encourage it.

8. Amazon, Facebook, Google, and Microsoft, whose investment in submarine cables worldwide is rapidly growing, should craft and publish strategies for protecting the security and resilience of their cable infrastructure. Information historically sent on back-end systems in energy, health, financial, defense, and transportation sectors is increasingly transmitted to and from the public cloud. These four US companies are also increasingly investing in building and maintaining the submarine cables which route that and other Internet data. As such, they have an elevated responsibility to protect these systems’ security and resilience: they have a direct ownership stake in the infrastructure and profit from it. Their increased focus on cable security and resilience should include such measures as greater investment in securing remote network management systems, greater investment in physically securing cable landing stations, more comprehensive plans for quickly repairing and restoring cables in the event of damage or disruption, and building and maintaining robust cable threat-sharing partnerships with one another, as well as with the US government and its allies and partners.

Conclusion

Should the US government invest more in protecting undersea cables’ security and resilience, the private sector’s deployment of remote network management systems would have better security baked in from the get-go, making it more difficult for adversaries and other threat actors to spy on or even completely disrupt the delivery of Internet traffic. The US executive branch group responsible for screening foreign-owned cables touching the United States would have more personnel, resources, and authorities to adequately review new and existing infrastructure projects for national security risks. Authoritarian governments intent on reshaping the Internet’s physical topology in their strategic favor—to route more data through their borders, enhance their surveillance capabilities and control of key Internet chokepoints, and so on—would face a more concerted effort from the US government, the US private sector, and allies and partners globally to combat efforts to increase direct state control over Internet architecture. Disruptions to or failures in cable systems, for their part, would be repaired quickly as a result of US government-supported cable repair programs for the Internet backbone touching the United States.

Alternatively, the current trajectory of undersea cable development can continue without measures to better protect cable security and resilience. Companies will continue deploying remote network management systems without robust security baked in, enabling a range of threat actors, particularly foreign intelligence services, to tap into and spy upon traffic passing through cable landing stations—and potentially even disrupt Internet signals altogether in conflict-like scenarios. The US government will continue to under-resource the organizations responsible for inspecting foreign telecom cables for national security risks, both slowing down the time it takes for those entities to clear cable projects and increasing the likelihood of overlooking cables touching the United States that pose national security risks. All the while, authoritarian regimes, particularly in Beijing and Moscow, will continue funding submarine cable development projects globally, gradually reshaping the Internet’s physical topology to encourage Internet traffic to move through their own borders and through other midpoints their security agencies can intercept. And should cables be damaged or disrupted, delayed repairs will undermine Internet traffic delivery because the US government hasn’t invested sufficiently, in cooperation with US industry and allies and partners globally, in quickly fixing that infrastructure and restoring the flow of Internet traffic.

As the Internet comes under unprecedented authoritarian assault, and societal dependence on the web grows in the absence of robust and ecosystem-wide cybersecurity, the US government has an opportunity and responsibility to reinforce the global Internet’s positive potential by better protecting the submarine cables that underpin it. Alterations to the Internet’s physical topology shape the Internet’s digital behavior, and threats to the security and resilience of submarine cables likewise impact the security and resilience of the data transmitted over that infrastructure. With much of the global cable infrastructure in the hands of private and state-controlled companies, often in consortium-style arrangements, there is no one actor in charge. Yet a different future is possible, one where security and resilience are more central decision factors in the design, construction, and maintenance of undersea cables; where the US government works more proactively with industry, allies, and partners to ensure the global Internet runs reliably and securely, even in the face of failure; and where robust security for core Internet architecture is itself a compelling alternative to authoritarian visions of a state-controlled sovereign network. The US government should seize on this opportunity and embrace this responsibility.
