We take a look at this critical part of the world’s internet infrastructure and what could happen if a wide-scale attack were mounted.
US officials told CNN this month that they’re seeing more Russian activity around subsea cables which could lead to potential sabotage on a critical part of the world’s internet infrastructure.
Officials are worried that the Russians could follow through with a threat Dmitry Medvedev, deputy chairman of Russia’s Security Council, made last year.
Medvedev reportedly said on Telegram that Russia had “no constraints, even moral, left to prevent us from destroying the ocean floor cable communications of our enemies”.
The warning from US officials comes after a series of suspected sabotage attacks on subsea infrastructure, such as the 2022 Nord Stream attack that ruptured two pipelines linking Russia and Germany. And, earlier this year, three undersea cables were damaged in the Red Sea during ongoing Houthi attacks in the region.
Subsea cables are thick fibre-optic cables running along the bottom of the ocean that carry large amounts of data to connect the internet between countries.
The cables now extend for around 745,000 miles (1.1 million km) underwater. They are responsible for roughly 95 per cent of the world’s data and voice transfers, according to the US National Oceanic and Atmospheric Administration (NOAA).
How could an attack on underwater cables happen?
Christian Bueger, professor at the University of Copenhagen and author of the book Understanding Maritime Security, said there’s a real risk that foreign governments or bodies could attack the subsea cable network.
“The sheer amount of suspicious incidents has led to…thinking that new threats from state actors need to be taken seriously,” Bueger said.
There are several ways they can do this, Bueger said, such as through physical damage, where a foreign agent could anonymously drag an anchor across the ocean floor and claim it was accidental damage from fishing boats.
That’s because boat operators can turn off their automatic identification system (AIS) to go undetected when cutting a cable or inciting damage, often called a “grey zone” activity, according to Jonas Franken, a researcher at the Technical University of Darmstadt in Germany.
The European Commission analysed the bloc’s subsea cable vulnerabilities in a post-Nord Stream 2022 report, which said other ways the system can be attacked are through “undersea explosives,” or drones that are “easy to manufacture and cheap in production”.
“Attacks on cable infrastructures can be low-cost operations that do not necessarily require high-end capabilities,” the report continues.
If an attack did happen, it’s tough to know whether it was intentional because there are “hundreds of thousands of kilometres of data cables” without any underwater surveillance, according to Bueger.
Cable operators can send pings across the wire to figure out where it’s been broken or intercepted, but without CCTV cameras or other types of surveillance, it’s hard to know what causes the breaks, Bueger continued.
The risk of an internet blackout in any country depends on how many cable connections, or redundancies, they have. The more cables, the more likely it is that internet services can continue despite damage.
There are some EU countries or regions that are more vulnerable to internet disruptions if their cables are damaged, like the Azores Islands off the coast of Portugal, Bueger added.
The 2022 EU assessment also names Ireland, Malta, and Cyprus as areas of concern, because they have fewer redundancies than other member states.
Islands “are generally more vulnerable to undersea cable-related internet outages because they lack access to dense land-based cable networks,” the report said.
More coordinated attack ‘unlikely’
A more coordinated attack could take on a “super data highway” like the Gibraltar Strait off the coast of Spain, according to Bueger.
Another pressure point area is the Red Sea, where 16 cables connect Europe to Asia, the EU report said. These cables pass through the Maltese coast up to a major connection point in Marseille, France, and, in some cases, to the United Kingdom.
Cables that connect military or naval bases could also be targeted so intelligence officials no longer have access to the surveillance systems they’re using in the ocean, the EU report continues.
Franken and Bueger said it’s “not very likely” that any foreign government has the means or the incentive to create a large-scale attack on multiple cables.
Large coordinated attacks would also reveal a “pattern” that authorities would recognise and put a stop to before another attack begins, Franken said.
International law ‘ambiguous’ in the High Seas
The immediate next steps to respond to a subsea cable attack depend on where it’s located, Bueger said.
Individual countries have control over what happens up to 24 nautical miles (38 km) from their shores, according to the 1994 treaty of the United Nations Convention on the Law of the Sea (UNCLOS).
Past this, up to 200 nautical miles (321 km), is a country’s Exclusive Economic Zone (EEZ), where countries can explore, research, and manage natural resources. It’s not clear what rights states have in the EEZ to enforce international law, the 2022 EU report said.
Any ocean that is not a state’s direct territory or in an economic zone is considered the “high seas,” where regulation is “ambiguous”. The vast majority of the cables relevant to the EU are on the high seas, the EU report continues.
UNCLOS also tells all signing nations that they should make cable destruction punishable by law and that any costs associated with a damaged cable will be taken on by the relevant telecommunications provider it belongs to.
Some EU states are more prepared than others
Some EU states are more prepared than others when it comes to meeting an attack head-on, Bueger said.
France has a comprehensive seabed warfare strategy that lays out a plan to map cables around the country, develop underwater surveillance, and pass new regulations for what is permitted and not within France’s EEZ.
The EU’s subsea cable assessment also points to Ireland and Portugal as EU states that are proactively protecting their cables.
On the other side, the Germans designate any nautical issue to the national police, not the navy, which could mean mounting a response to a cable attack would be “really tricky,” Bueger said.
“Germany is perhaps a good case of a country that has not taken that issue seriously enough and should step up response plans,” Bueger said.
‘Almost too many initiatives’
After the 2022 Nord Stream attacks, Franken said, actors are not in “alarm mode” but are “very keen” to work on protecting subsea cables.
The EU passed a recommendation in February that asks members to protect subsea cables from physical and cybersecurity threats including through better coordination.
The Commission also set up a submarine cable expert group to provide advice on how the recommendation should be implemented.
The recommendation says the EU will enhance its cooperation with NATO, even though the alliance is taking on separate initiatives like a critical undersea infrastructure division in May. It will help the alliance’s military command decide where to deploy forces, according to a press release at the time.
“Incidents of sabotage and hostile monitoring in last years have made it clear that we cannot take the resilience of EU critical infrastructure for granted,” an EU spokesperson told Euronews Next.
The Commission says it conducted “stress tests” in 2023 with cable operators to “increase preparedness” in case of sabotage.
A critical infrastructure blueprint, adopted by the council in June, will “ensure swift coordination” between states if there’s a cross-border attack on infrastructure like subsea cables.
The balance for individual governments and bodies like NATO or the EU is to figure out “what is enough” so the network is adequately protected, Bueger said.
“We seem to almost have too many initiatives,” Bueger said.
“Developing a lot of programmes is a very good thing but we need to keep an eye (on it, so) this is not overblown”.