NATO’s Role in Protecting Critical Undersea Infrastructure

The Issue

NATO is not ready to mitigate increasingly prevalent Russian aggression against European critical undersea infrastructure (CUI). Despite Russia’s depleted ground forces and strained military industrial base, Russian hybrid tactics remain the most pressing threat to CUI in northern Europe. Despite its current limitations, NATO is the primary actor capable of deterring and preventing hybrid attacks on its allies and has expedited its approach to CUI protection by establishing new organizations to that end. At the 2023 NATO Vilnius summit, allies agreed to establish the Maritime Centre for the Security of Critical Underwater Infrastructure within NATO’s Allied Maritime Command (MARCOM), which focuses on preparing for, deterring, and defending against the coercive use of energy and other hybrid tactics. To help NATO planners and staff at the new center conceptualize and prioritize their efforts, this issue brief provides immediate and long-term recommendations to set the new center up for success.

Introduction

NATO is not prepared to defend its allies’ critical undersea infrastructure (CUI) from increasingly prevalent Russian hybrid tactics. The recent Balticconnector pipeline incident highlighted the risk of deliberate damage to CUI across Europe. It follows last year’s Nord Stream pipeline explosions, among other incidents, and bears the hallmarks of sabotage. Europe’s expansive and growing network of undersea infrastructure will remain vulnerable to attacks aimed at disrupting transatlantic cohesion and economic activity, undermining Western support for Ukraine, and shaping potential future military operations.

Threats to undersea infrastructure are not new. In 2016 U.S. vice admiral James Foggo and Alarik Fritz warned of a “fourth battle of the Atlantic,” which included threats to “underwater infrastructure—such as oil rigs and telecommunications cables.”[1] In 2017 the UK chief of the defence staff went public with previously classified Russian threats to undersea cables that posed a “new risk to our way of life,” while member of the UK Parliament Rishi Sunak (now UK prime minister) demanded enhanced protection of undersea data cables.[2] Yet the Nord Stream incident has catalyzed a new focus in Europe on CUI resilience, including national, multinational, and institutional efforts through NATO and the European Union. Notably, this included the launch of a new NATO Maritime Centre for the Security of Critical Undersea Infrastructure at the Vilnius summit in July 2023.[3]

This issue brief examines NATO’s role in protecting CUI in more detail. It proceeds in four parts: It begins by assessing the threat “seascape” for CUI in northern Europe, including how the threat might evolve and how Europe has responded so far. The paper then turns to NATO’s approach to date, summarizing the key NATO initiatives related to CUI protection. The third part looks in more detail at the challenge of protecting CUI, proposing a basic framework to help understand the vast problem space. The final section draws on this framework to develop several immediate and longer-term recommendations to help planners in NATO’s new center prioritize their efforts.

The Evolution of Threats to Undersea Infrastructure in Northern Europe

The war in Ukraine has radically altered the threat landscape across Europe, particularly in the north. As the alliance remains focused on supporting Ukraine and shoring up its eastern flank, Sweden’s and Finland’s membership bids will provide new opportunities to deter Russian aggression in the Baltic and Arctic regions. But recent examples of CUI interference highlight vulnerabilities that will not be easily remedied. The sabotage of two Nord Stream pipelines off the Danish island of Bornholm in September 2022 forced European governments to grapple with their limited ability to deter and defend against hybrid tactics in the undersea domain.[4] Recent damage to the Balticconnector gas pipeline and a data cable between Finland and Estonia in October 2023 from a ship’s anchor is suspected of being deliberate, although attribution has not yet been declared.[5]

In this context, the main focus of critical maritime infrastructure debates has shifted from emphasis on terrorism and cyber threats toward the increasing frequency and efficacy of hybrid tactics.[6] The aim of hybrid tactics is to cause significant damage to an adversary while operating below the threshold of detection, attribution, and response—and in so doing blur the conceptual lines between conflict and peace.[7] The issue is compounded in the maritime realm by several conceptual and practical challenges, mainly related to poor definitions highly dependent on moral or political choices, a unique geophysical space, and the multitude of potential threats.[8]

Russian hybrid tactics represent the most pressing threat to CUI in northern Europe. Russia’s war against Ukraine has debilitated its ground forces and strained its military industrial base. Experts estimate it will take the Kremlin five to ten years to reconstitute its military.[9] Meanwhile, however, Russia’s power projection capabilities in northern Europe—through naval, air, and missile bases in Kaliningrad and its Northern Fleet of submarines on the Kola Peninsula—have scarcely been depleted. In fact, while the Russian navy is underfunded and a large part of its fleet comprises Soviet legacy platforms, its underwater capacity continues to grow.[10] In particular, Russia’s submarine program remains a priority amid other military budget cuts, exemplified by the Kremlin’s authorization of 13 new nuclear and conventional submarines since 2014. In broader terms, Russia’s ability to target critical infrastructure short of war and impose economic costs to deter external intervention in regional conflicts is an important component of Moscow’s doctrine and thinking on escalation management.[11]

However, even in the absence of a broader Russia-NATO conflict, hybrid tactics have been a staple in the Kremlin’s toolbox in Europe for years. As the Kremlin views itself in perpetual conflict with the West, hybrid tactics are instrumental to challenging NATO without resorting to conventional military means.[12] Russia has likely targeted critical infrastructure throughout Europe at an increased frequency since its full-scale invasion of Ukraine.[13] In the undersea domain, Russia appears committed to mapping and threatening European energy and communications infrastructure, particularly strategically important Norwegian gas pipelines and fiber-optic cables.[14]

The Nord Stream attacks resulted in a flurry of initiatives to bolster Europe’s CUI. The European Union has updated its maritime strategy to better address evolving threats and adopted an expanded directive on CUI resilience, and the EU-NATO Task Force on Resilience of Critical Infrastructure was launched in January and reported its findings in June.[15] The EU Hybrid Toolbox, including the Hybrid Fusion Cell and new Hybrid Rapid Response Teams, support member states and NATO to detect, deter, and respond to threats.[16] More recently, the 10-nation Joint Expeditionary Force (JEF) agreed to focus on protecting CUI in its new vision and deployed a maritime task force in response to the Balticconnector incident to deter further attacks.[17] Bilateral examples include the recent UK-Norway strategic partnership on undersea threats.[18] Many nations have also expanded their ability to monitor and protect undersea infrastructure: France recently announced a new seabed warfare strategy and investments in ocean floor defense, and the United Kingdom has set up a Centre for Seabed Mapping and earmarked two new Multi-Role Ocean Surveillance (MROS) vessels to serve primarily as subsea protection ships.[19]

Protecting Critical Undersea Infrastructure: A New Focus For NATO

While many stakeholders have increased their efforts to protect CUI, NATO remains the lead actor when it comes to deterring and preventing conventional and hybrid attacks on allies. NATO’s role in protecting CUI is grounded in its founding principles, such as Articles 2 and 3 of the North Atlantic Treaty, which call for the strengthening of free institutions, economic collaboration, and growing resilience to attack.[20] At the 2023 Vilnius summit, allies reiterated that hybrid operations against the alliance could meet the threshold of armed attack and trigger Article 5, NATO’s collective defense guarantee.[21]

The Value of NATO

Today, the functioning of allied civil society and the prosperity of member states depends on the extensive network of CUI across the Euro-Atlantic. NATO is critical to its protection for several reasons.

First, Russia—the primary threat—has the intent and capability, and it maximizes its opportunity to threaten allied CUI across NATO’s area of operational responsibility. Moreover, the destruction, disruption, or tapping of CUI could be the precursor to conflict through attempting to sever military and government communications.[22] Second, the protection of CUI is part of NATO’s defense and deterrence posture across the Euro-Atlantic. As hybrid attacks on CUI may meet the threshold for armed attack, NATO must be heavily invested in their protection to ensure it can act decisively.

Third, CUI spans NATO’s entire area of operational responsibility, so maintaining seamless situational awareness across the whole network is a challenge far too large for individual nations.[23] Fourth, the challenge of protecting CUI will increasingly rely on technological solutions, and NATO possesses the financial heft and mechanisms to develop and scale these. Finally, there are complex political, legal, and technical considerations for the effective protection of CUI, and seams between national permissions and restrictions can create frictions best managed at the NATO level.

NATO’s Approach

NATO has been both proactive and reactive to CUI threats. In broad terms, NATO protects CUI in three ways. First, all of NATO’s forces contribute to the alliance’s Defence and Deterrence of the Euro-Atlantic Area (DDA), which coheres all activity by region and domain. Many capabilities that contribute to CUI protection also contribute to wider deterrence activities, including standing naval and mine countermeasures groups and CUI-focused exercises.[24]

Second, NATO assets detect threats through intelligence, surveillance, and reconnaissance (ISR) capabilities and space and cyber assets to gain and maintain situational awareness. Moreover, NATO can develop and scale new technologies to increase detection coverage, such as the Defence Innovation Accelerator for the North Atlantic (DIANA) pilot challenges, which include a focus on energy resilience and sensing and surveillance.[25] The alliance’s new Digital Ocean Concept was endorsed in October 2023 to increase collective visibility of oceans, including

"the creation of a global scale network of sensors, from sea bed to space, to better predict, identify, classify and combat threats. It envisages maritime domain awareness, subsea sensors, unmanned surface vessels, drones and satellites, and exploits AI [artificial intelligence], big data, and autonomous systems, alongside conventional assets."[26]

Third, NATO has a range of response options once an incident or attack occurs, including counter hybrid support teams, the NATO Response Force (NRF) and Very High Readiness Task Force (VJTF), and ad hoc force deployments, such as the enhanced maritime patrol and mine hunter deployments in the Baltic Sea.[27] National missions and regional frameworks outside of NATO command structures can also bolster deterrence against threats to CUI, including the JEF and the aforementioned EU initiatives.

NATO’s New Centers

In response to recent incidents in the Baltic Sea, NATO has expedited its approach to CUI protection by establishing two new organizations. In February 2023 the Critical Undersea Infrastructure Coordination Cell was created at NATO headquarters. The rationale was to coordinate allied activity; bring military and civilian stakeholders together by facilitating engagement with private industry, which owns much of the infrastructure; and better protect CUI through jointly detecting and responding to threats.[28] This new cell will be instrumental in building coordination across all the organizations, policies, and capabilities identified in Table 1 both within and external to NATO.

Then, at the July 2023 Vilnius summit, allies agreed to establish the Maritime Centre for the Security of Critical Underwater Infrastructure within NATO’s Allied Maritime Command (MARCOM). This new center focuses on

"identifying and mitigating strategic vulnerabilities and dependencies . . . to prepare for, deter and defend against the coercive use of energy and other hybrid tactics by state and non-state actors. . . . NATO stands ready to support Allies if and when requested."[29]

The center arrives at a crucial time for NATO as both new threats to CUI and new initiatives to deal with them proliferate across the alliance and beyond. To help NATO planners and staff at the new center conceptualize and prioritize their efforts, the next section considers in more detail the problem of protecting CUI.

Understanding Threats to Critical Undersea Infrastructure: A Conceptual Framework

This section develops a basic framework for thinking about protecting CUI. The purpose is to help NATO planners—particularly those in the new center—to understand the vast problem space and prioritize some initial efforts over others. The following section draws on this framework to develop several recommendations.

The four elements of the framework for protecting CUI are outlined below.

  1. Infrastructure type: What counts as CUI? Which parts are most critical or most vulnerable?
  2. Threat type: What are the main threats to undersea CUI?
  3. Tasks: What is NATO’s role in protecting CUI?
  4. Geography: Where should limited resources be prioritized and focused across the Euro-Atlantic area?

1. Infrastructure Type

Maritime infrastructure is vital to basic societal functions such as trade, food and energy supplies, security and defense, communications, transport, tourism, and environmental management. The most important infrastructure is usually considered “critical,” meaning without it, society could not function for long. But critical infrastructure differs between nations given that some economies depend on fishing or tourism while others rely more on maritime trade, energy infrastructure, or data cables. What counts as CUI, therefore, is often more of a political decision than a technical one. There is no one-size-fits-all definition: it depends on the nation and region in question.

Maritime infrastructure is often categorized by sector. One classification system lists five types: transport, energy, communication, fishing, and marine ecosystems.[30] Of these, four have substantial elements of underwater infrastructure. Above-water transport is often precluded, while commercial submersibles—such as remotely operated vehicles (ROVs) or autonomous underwater vehicles (AUVs) used in pipeline maintenance—are considered part of the energy infrastructure they serve.

Maritime infrastructure security policies traditionally focus on maritime transport (e.g., ports) and energy (e.g., gas and oil infrastructure) over other types.[31] However, the infrastructure picture is changing rapidly. Undersea cable projects have proliferated in recent years, while offshore renewable energy technologies like wind and tidal systems will increase to help nations meet global carbon emissions targets.[32] Future proliferation of AUVs—driven by new oil and gas exploration, military applications, reduced manufacturing costs, and improvements in AI and automation technology—could present both new types of CUI under the category of transport and new threats. As the recent NATO-EU task force on critical infrastructure summarizes,

"These challenges are compounded for undersea energy infrastructure, which is extensive and more difficult to survey and protect. Moreover, the network of undersea energy infrastructure in the Euro-Atlantic area is expected to grow as offshore energy platforms become more numerous."[33]

Meanwhile, fishing and marine ecosystems are increasingly important to some nations as fishing stocks decrease and marine habitats are degraded by pollution and the effects of climate change.

Beyond rapid change, there are several challenges associated with coordinating CUI protection, including interdependence, the physical characteristics of the subsea domain, and the complex, transnational nature of undersea infrastructure.[34] This suggests a key challenge for NATO will be prioritizing between CUI sectors, which are critical to different NATO allies. This assessment will be driven to some extent by the next element of the framework: the threat picture.

2. Threat

Although most definitions of critical infrastructure depend on how vital it is to the functioning of society, in practice governments tend to designate infrastructure as critical if it is vulnerable to harm. While pipeline sabotage has driven the headlines, the range of threats to CUI is much broader. The threat picture has also changed in recent years.

Maritime security threats have been driven by the rise of terrorism, international piracy, human trafficking, and the “blue economy,” defined by the World Bank as “the sustainable use of ocean resources for economic growth, improved livelihoods, and ocean ecosystem health.”[35] Protection of maritime and undersea infrastructure has typically focused on physical attacks from terrorism and blue crime (i.e., transnational organized crime at sea).[36] However, the threat environment has changed markedly over the last decade—and drastically since 2022. After invading Ukraine, Russia became “the most significant and direct threat to Allies’ security,” according to NATO’s new Strategic Concept—a threat that includes the ability to “target our civilian and military infrastructure.”[37]

NATO’s new concept also points to hybrid threats to critical infrastructure and reaffirms their inclusion under Article 5.[38] The maritime domain has been viewed as particularly vulnerable to hybrid threats.[39] Attacks on underwater infrastructure have been a particular concern.[40] Recent events appear to confirm these fears, with several incidents such as the Nord Stream pipeline explosions in the Baltic Sea or severed subsea cables near Svalbard that appear to follow the hybrid playbook of deniable attacks on undersea infrastructure. These incidents highlight the difficulty of dealing with ambiguous hybrid threats, which are difficult to distinguish from accidental damage. For example, around 70 percent of undersea cable faults are caused by fishing vessels or ship anchors, alongside natural causes or even shark bites.[41]

Hybrid aggressors can also use the cover of fishing, private, or research vessels, which are difficult to track. The rapid proliferation of AUVs will exacerbate the problem. Specialized vessels for the task also exist, such as Russia’s dedicated fleet of submarines, designed for infrastructure sabotage and manned by the Russian navy and the Main Directorate for Deep Sea Research (GUGI).[42] Research vessels operated by GUGI are suspected of mapping networks of undersea infrastructure across Europe.[43]

For all these reasons, many assessments suggest a new era of hybrid threats is emerging and poses “a particular challenge” to protecting undersea infrastructure.[44] As the NATO-EU task force puts it, “The seabed is a field of growing strategic importance, due to increasing reliance on undersea infrastructure and the particular challenges in protecting it from hybrid threats and physical damage.”[45]

3. Tasks

The third element of the framework comprises the tasks and missions NATO may have to carry out to protect CUI. The most important role, short of war, is deterrence, which holds the promise of avoiding armed attacks altogether. Beyond deterrence, military forces perform a wide range of roles relevant to protecting CUI.

One example is counterpiracy. During Operation Ocean Shield—NATO’s contribution to international efforts to combat piracy off the Horn of Africa during 2008–16—the role of NATO forces spanned surveillance, interdiction, escort, and deterrence.[46] Cooperation with international bodies and the private sector was also vital to mission success, which contributed to the cessation of attacks after 2012.[47]

Another relevant example is protecting national infrastructure. The U.S. National Infrastructure Protection Plan outlines threats to national infrastructure and a framework of missions to protect them.[48] These are divided into two tasks: counterthreat missions and preparedness missions.[49]

  • Counterthreat missions identify and counter threats and hazards: identify, deter, detect, disrupt, and prepare.
  • Preparedness missions reduce vulnerabilities and mitigate the consequences of damage: prevent, protect, mitigate, respond, recover.

More broadly, several existing frameworks for countering hybrid threats may be applied to protecting CUI. NATO’s strategy is to “prepare, deter, defend,” while the European Union’s approach is based on “awareness, resilience, and response.”[50] Another framework is proposed by the 14-nation Multinational Capability Development Campaign (MCDC): “detect, deter, and respond.”[51] This framework is used to examine NATO’s role in protecting CUI regarding all three functions below.[52]

Detect

Countering any threat requires first detecting and identifying it. Detection is even more important for hybrid threats, which rely on deniability or ambiguity to delay, complicate, or prevent reprisal. However, the variety and complexity of hybrid threats make detection challenging.[53]

For protecting CUI, the main focus is on enhancing maritime domain awareness (MDA).[54] MDA systems are “one of the core solutions in maritime security” but are focused on civil transport, fishing, and leisure.[55] To rectify this, a 2018 report by CSIS advocates a renewed focus on undersea MDA to combat hybrid threats.[56] Specific recommendations include establishing dedicated analytic centers (with teams focused on hybrid threats), training courses, a common classified data picture, and an operational framework that integrates surface and subsurface sensors. Another recent analysis recommends closing gaps in the surveillance of small boats, leisure craft, and underwater vehicles through “investments in new underwater sensors and drones which can enhance the overall picture of the domain.”[57] The recent EU-NATO Task Force also recommends enhancing “maritime situational awareness.”[58]

One detection challenge is that malign activity often appears, by design, as an accident, whereas some suspected attacks could actually be accidents (most damage to cables and pipelines is accidental). This means NATO does not have the luxury of ignoring apparent accidents. Here, a conceptual distinction between monitoring (known threats) and discovering (new, unknown threats) can help establish situational awareness and distinguish signal from noise in the realm of detection.[59] This task is also well suited to advances in AI and machine learning.[60]

Deter

Deterring hybrid threats to CUI is difficult but not impossible.[61] The most promising strategy is deterrence by denial, which reduces the prospects of successful attack by hardening the target and strengthening resilience to damage.[62] Denial in this context comprises two functions: prevention and resilience (see Figure 3). Preventing attacks is part of NATO’s core business and is achieved through a combination of detection (see above) and physical presence. For example, NATO’s Cold War deterrence strategy of basing substantial “shield forces” in central Europe was designed to physically prevent a Soviet attack.[63]

Resilience measures are designed to help CUI systems withstand or quickly recover from any damage sustained. Much of this amounts to good practice in the design and management of critical infrastructure systems.[64] Such measures are therefore generally low cost and less reliant on detecting threats; best practices for resilience are based on understanding and mitigating one’s own vulnerabilities, regardless of whether they have been targeted. This is why resilience measures have become foundational to counter hybrid strategies.[65] However, resilience building is a long-term strategy that will take years to deliver given the vast size and complexity of Euro-Atlantic CUI.

Respond

Moreover, resilience is not a strategy on its own; deterrence by punishment also has a role.[66] When it comes to punishing low-level aggression, celerity beats severity most of the time, putting a premium on credible response options that can be deployed quickly and reliably.[67] These measures may not threaten vital interests but merely assure an aggressor will always face some costs for threatening CUI, however minor. This means simple measures such as enhanced presence or surveillance around key sites can work to deliver what has been referred to as “deterrence by detection.”[68] More creative measures also play a role, such as attribution disclosure, legal interventions, or targeted sanctions (e.g., against implicated vessels, companies, or individuals).[69]

That credible responses are required suggests the utility of a preapproved playbook to counter hybrid threats to CUI.[70] Too often such measures are ad hoc or post hoc, or not sufficiently tailored to the specific demands of protecting CUI.[71] If military forces are part of the response (e.g., to provide surveillance or bolster presence), then a forward, flexible posture is required to ensure force elements are in the area of responsibility or held at high readiness to deploy to quickly generate effects.[72]

It is important to note that given the limited resources of allies, any increase in demand to protect CUI will likely require trade-offs with other tasks and missions. Any contribution to protecting CUI is important but not all-important. NATO’s unique role—and the focus of the strategic concept—remains deterring armed attack above the threshold of war, not protecting against all forms of hybrid aggression.[73] Protecting CUI should therefore not be overemphasized in NATO’s overall posture or capability development at the expense of conventional deterrence and defense.

4. Geography

The final element of the framework is geography. NATO is named after an ocean: the North Atlantic. But the alliance’s undersea infrastructure picture is more complex. NATO’s maritime areas of responsibility comprise the following:[74]

  • High North region (including the Norwegian Sea, Greenland Sea, Barents Sea, and Arctic Ocean)
  • Baltic Sea
  • North Atlantic (including the North Sea, Irish Sea, English Channel, and Bay of Biscay)
  • Mediterranean Sea (east and west)
  • Black Sea
  • North Pacific Ocean

Within these areas, the seascape of undersea infrastructure is extensive and complex. Figures 1–2 show the extent of underwater energy infrastructure (Figure 1) and subsea data cables (Figure 2) across Europe.

Figure 1: Undersea Energy Infrastructure in Northern Europe
Figure 2: Undersea Data Cables in Europe

While data cables are uniformly spread across the Euro-Atlantic area, the picture is different for energy infrastructure, which is concentrated in northern Europe—namely the North Atlantic (North Sea) and High North (Norwegian Sea). This supply is critical to Europe: in the second quarter of 2023, the European Union imported 44.3 percent of its natural gas (in gaseous state) from Norway and 17.8 percent from the United Kingdom.[75] That 16.5 percent was from Algeria (through three subsea Mediterranean pipelines) also shows the importance of energy infrastructure in southern Europe.[76] This could increase in the future with new projects (such as the EastMed pipeline) and new gas field discoveries as Europe diversifies away from Russian supply.[77] Offshore wind energy infrastructure (along with subsea electrical cables) is also concentrated in northern Europe but present in significant amounts across Europe. Such infrastructure is also expanding quickly: under the European Green Deal, for example, offshore wind energy will expand over 25 times by 2030.[78]

However, any judgment about prioritizing NATO’s efforts to protect CUI in one region cannot rely on the density of infrastructure alone because all undersea infrastructure is proportionately important to each ally. In addition to including the views of all allies, any assessment must combine geography with the other elements of the framework. This task is explored in the final section of this brief.

Recommendations: Winning the Fourth Battle of the Atlantic

The staff at NATO’s new Maritime Centre for the Security of Critical Underwater Infrastructure do not have the luxury of pondering future threats. NATO’s CUI is under attack right now. This situation may worsen as Russia tries to undermine Western support for Ukraine and cheaper, more advanced AUVs enable a wider range of actors to pose a threat. As Foggo, the former commander of the U.S. Naval Forces Europe and Allied Joint Force Command Naples, puts it: “the fourth battle of the Atlantic is underway.” Like its predecessors, this battle is “a struggle between Russian forces that probe for weakness, and US and NATO anti-submarine warfare (ASW) forces that protect and deter. Just like in the Cold War, the stakes are high.”[79]

NATO and its new center must therefore act quickly. The final section provides a series of recommendations for NATO planners to conceptualize and prioritize their efforts in the coming years. The recommendations comprise two parts. The first is a general assessment of initial priorities for protecting CUI based on the four-part framework developed above. The second builds on this broad assessment to propose more specific and immediate actions.

General Assessment of Initial Priorities for Protecting CUI

This section presents a general indicative assessment of NATO’s role in protecting CUI based on the framework discussed in Figure 3. The shaded area suggests where NATO’s initial focus should be for protecting CUI. This assessment is discussed in more detail below, starting with the prioritization criteria for each element.

Figure 3: A Framework for Protecting Critical Undersea Infrastructure

Infrastructure Type

Undersea infrastructure may be prioritized for protection by considering the criticality to NATO allies and vulnerability to different threats. Doing so suggests NATO focus on protecting energy and communications infrastructure—the most critical infrastructure to many NATO allies, whose developed economies depend on either importing or exporting energy and transmitting data. Such infrastructure is also the most vulnerable to attack, as recent attacks on pipelines and undersea cables have demonstrated. If further prioritization is required, it should be driven by an analysis of resilience of energy infrastructure compared to data cables: although both are vital and vulnerable, some systems are more resilient and easier to reconfigure in the event of damage.[80]

However, it is important to remember undersea infrastructure is much broader than pipelines and cables. Many NATO allies depend on fishing, the health of their marine ecosystems, and maritime security in the broadest sense. The rapid growth of AUVs may transform the transport sector, introducing new types of CUI and new threats. Most importantly, NATO’s approach to protecting CUI will need to incorporate the preferences of all allies.

Threat

Threats may be prioritized by considering the likelihood and consequences of an attack. With this in mind, NATO should focus on hybrid or gray zone threats to CUI, as these are the most likely threats in the near term. At the same time, the most dangerous threat to NATO allies remains the threat of armed attack on CUI as a prelude to aggression or during conflict.

Terrorism targeted at CUI remains a risk, and blue crime is ever present. But other bodies should take the lead (e.g., national police and coast guards, multinational maritime security frameworks), with NATO providing support only where necessary, as with combating large-scale piracy. NATO can contribute to awareness of accidental damage through MDA and crisis response to natural damage and disaster, but these tasks should not drive alliance force structure or posture.

Task

The role of NATO assets in protecting CUI may be prioritized by considering the importance of relevant tasks and their role in NATO’s Strategic Concept.[81] Deterrence and defense is the alliance’s core task. Deterring armed aggression is NATO’s raison d'être and remains its most important task. However, NATO’s capacity to do this is dependent on its general deterrence posture and is not related to the specific problem of protecting CUI—so it is not considered a primary focus here (see Figure 3).[82] Within the context of protecting CUI, NATO should focus on three primary tasks:

  • Detect: NATO should focus on detecting threats to CUI, as detection is the foundation of deterrence and critical for removing the cloak of ambiguity around hybrid threats. Detection can be strengthened through enhanced MDA in priority regions. This may require increasing the persistent presence of forces and assets that can contribute to MDA in the maritime, air, space, and cyberspace domains.
  • Deter by denial: NATO should also focus on strengthening deterrence by denial by improving the defenses that can prevent attacks in the first place. This may also require strengthening the persistent presence of allied forces in regions of concern to protect key sites, reassure vulnerable allies, and deter aggressors. Wider resilience measures can also strengthen denial, but these are judged to be a lower priority for NATO because much of this infrastructure is owned and operated by civilian enterprises, not amenable to military solutions, and already subject to extensive efforts by other actors more suited to boosting public and private sector resilience—such as the European Union.
  • Deter by punishment: Responses to imminent threats or attacks should prioritize speed and reliability over severity. In the context of deterring low-end hybrid threats (rather than high-end conventional threats) to CUI, this suggests the utility of maritime forces that are forward based in priority regions—or at least persistently present or rapidly deployable (i.e., held at high readiness). More broadly, existing NATO units such as countering hybrid threat teams also have a role to play in immediate incident response and recovery.[83]

However, although this assessment is focused on protecting allied CUI against hybrid threats, this should not unduly warp NATO’s force posture. Any trade-offs in posture, capability, or readiness to deal with hybrid threats should not come at the expense of the credibility of NATO’s ability to deal with—and thereby deter—armed aggression.

Region

Not all subregions within the Euro-Atlantic area are equal when it comes to protecting CUI. The extent of regional energy infrastructure, proximity to advanced Russian undersea capabilities, and track record of recent incidents (attacks and infrastructure mapping) suggest NATO should focus initially on the Baltic, North Atlantic, and High North regions. At the same time, NATO cannot afford to ignore other regions that are critical to allies and where Russian forces and other threats (such as terrorism and blue crime) are known to operate, including the Mediterranean and Black Sea region.

Specific Recommendations

The general assessment above, combined with the previous discussion of the four framework elements, suggests several more recommendations for NATO’s role in protecting CUI. These are divided into two parts: immediate actions that the new NATO center should implement quickly and longer-term approaches that are equally important but may take more time.

Immediate Recommendations

  • Establish a new Standing NATO Maritime Group (SNMG) focused on protecting CUI. NATO’s four standing maritime groups are in high operational demand and none are focused on protecting CUI.[84] Given the growing threat, NATO should consider establishing an “SNMG3” dedicated to protecting CUI in northern Europe, concentrating on the Baltic Sea, North Sea, and Norwegian Sea (the areas of highest CUI density). The JEF task group that is currently deployed is a good example but only temporary.[85] The capabilities of the group should include submarines, anti-submarine warfare, maritime surveillance, and seabed mapping, with contributions from allies who specialize in this domain. The group would play a vital role in organizing and delivering the functions of detecting, deterring, and responding to attacks on CUI in priority regions described in this report.
  • Commission a CUI vulnerability triage. Any approach to enhancing resilience starts with a vulnerability assessment.[86] An initial triage assessment of criticality versus vulnerability to a range of threats can help MARCOM and NATO direct limited resources to protecting and defending those assets most at risk. The initial assessment presented here forms a starting point, but NATO’s own assessment must consider all forms of infrastructure, threats, regions, and the preferences of all allies.
  • Develop a fused MDA picture. A critical step in transforming MDA to improve detection and identification of threats to CUI will be fusing the existing intelligence picture across nations, the private and public sectors, and multinational and maritime domains (e.g., air, sea, subsea, space, and cyber).[87] Assessing the highest-priority infrastructure and threats can help identify which ISR capabilities and combinations not currently available to MARCOM are necessary to rapidly attribute malign activity.[88]
  • Produce regular CUI threat assessments. NATO already produces maritime threat assessments for governments and the commercial sector that focus on threats such as terrorism—for example, through the NATO Maritime Shipping Centre (MSC).[89] These should either be expanded to include threats to CUI or be dedicated assessments that focus on nontraditional hybrid threats to CUI.
  • Clarify the role of NATO’s Critical Undersea Infrastructure Coordination Cell. The cell is based in NATO headquarters, but its wide remit—which includes industry and civil-military engagement, best practice, and technology—and senior leadership may overlap with the new MARCOM center.[90] The coordination cell could perform the role the MSC did during Ocean Shield of protecting CUI, which will be even more important given CUI is mostly owned and operated by private companies.[91]
  • Implement a CUI exercise program. Exercises are a vital part of NATO’s deterrence and reassurance efforts and have been stepped up over the last year. Yet CUI exercises have been limited and focused on technology.[92] A wider CUI exercise program using existing assets would deliver wider effects to deter adversaries and reassure allies and industry partners.[93]
  • Update NATO’s maritime strategy. NATO’s maritime strategy is over 12 years old, does not mention Russia or China, and mentions undersea infrastructure only in passing.[94] It needs updating to reflect the new threat environment and NATO’s new Strategic Concept—including a focus on protecting CUI.[95] The new center should have a lead role in producing a new strategy—or at least a “Protecting CUI” annex.

Longer-Term Recommendations

  • Develop a NATO CUI resilience strategy. Building on the vulnerability assessment, a longer-term effort that the new center could lead is developing a NATO CUI resilience strategy. This would meet NATO’s Strengthened Resilience Commitment and could inform (and be informed by) a NATO resilience planning process.[96]
  • Adopt a NATO CUI preparedness goal. As part of a strengthened approach to CUI resilience, allies could commit to a NATO CUI preparedness goal to bolster national and pan-NATO approaches to preparing for attacks on CUI.[97]
  • Take a risk management approach. The sheer variety of threats to CUI and the number of potential targets require an approach that prioritizes and manages risk. Even better than a risk-centric strategy would be an uncertainty-centric approach that seeks robustness against a range of unknowable threats.[98]
  • Develop a CUI attack response playbook. Effective deterrence against CUI attacks requires a credible and reliable set of measures to respond to threats or attacks on CUI. A counter-CUI playbook of military (and nonmilitary) response options would help.[99] This playbook could also be the basis of a robust exercise program.
  • Adopt a framework nation approach to regional CUI protection. A regional framework nation approach to protecting CUI could help tailor CUI protection to the differing concerns of regional allies.[100] One example is the JEF, newly focused on protecting northern Europe’s CUI.[101] Whatever the framework, any regional approach to protecting CUI should be directed by the alliance’s DDA concept, NATO’s guiding framework for all operations short of war, and align with new regional plans agreed at the Vilnius summit.[102]

Sean Monaghan is a visiting fellow with the Europe, Russia, and Eurasia Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Otto Svendsen is a research associate with the CSIS Europe, Russia, and Eurasia Program. Michael Darrah is a military fellow with the CSIS International Security Program. Ed Arnold is a research fellow with the International Security department at the Royal United Services Institute.

This brief is made possible by general funding to CSIS and generous support from the Norwegian Ministry of Foreign Affairs.

Please consult the PDF for references.
