Beneath NATO’s Radars: Unaddressed Threats to Subsea Cables

Undersea telecommunication cables form the foundation of the global internet and communication networks, carrying 99% of transoceanic digital communications and $10 trillion in financial transactions daily. Despite their critical importance, these cables remain vulnerable to a variety of threats that could have significant consequences for economies, governments, and military operations. On November 17, 2024, BCS East-West Interlink, a cable connecting Sweden to Lithuania, stopped working. Two days later, on November 18, 2024, C-Lion 1, connecting Finland to Germany, was cut. Although the investigation is still ongoing, preliminary findings point to a Chinese ship, the Yi Peng 3, which was en route to Egypt from the Russian port of Ust-Luga, with a Russian captain on board. No attribution has been made so far, but European officials denounced a potential act of sabotage and warned against increasing Russian hybrid threats. This is not the first subsea cable-related incident in the Baltic Sea.
The North Atlantic Treaty Organization (NATO) has been central to the North Atlantic and European security architecture for over 75 years. Its strong deterrence capabilities, coupled with its strategic presence in key maritime areas, make it well-suited to ensure the protection of the cables. Operationally, NATO’s naval forces are among the most advanced in the world. NATO member-states possess both the cutting-edge technologies and the military expertise to boast robust naval forces. Additionally, the standardization of military equipment and procedures and a well-established and functioning collective response framework enable swift action in the event of an emergency or attack across the joint operational area. Going forward, it is essential for NATO to adapt its strategy to address these evolving risks to its critical undersea infrastructure. As it is, NATO’s strategy fails to address the full range of potential threats to subsea cables.
The Cable Infrastructure
Subsea cable infrastructures are made of two main components: the wet plant and the dry plant. The wet plant refers to the segment of the cable system that runs in the water, from one beach manhole to another. It corresponds to the actual fiber optic cable, which is made of multiple pairs of optical fibers, covered in silicone gel and layers of plastic, steel wiring, and copper. The dry plant, on the other hand, is the terrestrial section of the infrastructure, including the cable landing station (CLS) and the provider’s point of presence. The CLS hosts the submarine line terminal equipment (SLTE), which receives the signal from the cable, and the power feed, which powers repeaters along the cable. CLS equipment tends to be operated through remote network management systems (RNMS), which provide a centralized, network-based system to control and monitor the cable activities (both the data transmission and the power).

Photo: Jill C. Gallagher and Nicole T. Carter, Protection of Undersea Telecommunication Cables: Issues for Congress, CRS Report No. R47648 (Washington, DC: Congressional Research Service, August 2023), 2, https://crsreports.congress.gov/product/pdf/R/R47648.
The Threat Environment
The multitude of components listed above makes the cable infrastructure susceptible to a large number of threats, both intentional and accidental. Out of the 100-150 cable faults reported every year, two-thirds are caused by fishing vessels and ships, around 6% are due to component failures, and environmental factors are responsible for another 10% of breakage. Intentional cable damage thus happens at a much lower rate. However, it poses significant national security risks, which is why this piece will solely focus on intentional threats such as espionage and sabotage.
Physical Domains
In the physical domains, especially in the maritime domain, subsea cables are vulnerable to cutting and tapping. Both require extremely sophisticated equipment that very few countries possess. Over the years, Russia has shown both the capabilities and intent to target undersea telecommunications infrastructures critical to NATO countries. Its seabed operations assets include nuclear-powered submarines and oceanographic surveillance ships, as well as smaller manned and unmanned submarine vehicles.
On land, the CLS constitutes a low-cost, high-reward target for both state and non-state malicious actors. Despite their relevance in the cable infrastructure, CLSs are often nondescript buildings with minimal physical security, geographically concentrated, and chosen primarily due to their proximity to a carrier, data center, or point of presence, which magnifies the risk that a single natural or man-made event could damage multiple cables. In addition, the lack of a clear mandate for the governance of, and responsibility for, CLSs tends to prevent the implementation of strong and clear security guidelines. One way to mitigate these risks would be for NATO countries to implement collective security standards, such as access control, oversight in ownership, operation and maintenance, and geographical location and concentration.
Digital domain
The cable infrastructure is susceptible to numerous threats in cyberspace, such as the one posed by the use of remote network management systems (RNMS). RNMS are tools used to remotely control and monitor cable activities, such as data transmission flows and the power of the overall infrastructure. Their relative cost-efficiency makes them highly attractive for cable operators, but some lack critical layers of security. Indeed, for ease of use, RNMS often run on non-air-gapped systems using common operating systems such as Windows or Linux and common protocols like TCP/IP. Additionally, RNMS interface with the system that can selectively switch or route individual wavelengths within an optical fiber network. These systems also enable the insertion and extraction of specific wavelengths at different points in the network, which is crucial for directing traffic efficiently. Most importantly, these wavelength selective switches (WSS ROADMs) are reconfigurable, which means that operators can remotely adjust the paths of wavelengths and the configuration of optical channels without physical intervention on the hardware.
Hence, although RNMS provide highly cost-effective services in the operation of one or multiple cables, they also come with operational security risks at the logical and information layers. The connection to the Internet makes them easier to hack; the hacking of RNMS provides access to WSS ROADMs; and control over WSS ROADMs allows the activation or blocking of specific wavelengths, which could be used to collect or disrupt the flow of data. Finally, there are no common standards or guidelines for how RNMS should be operated and secured. One way to mitigate this threat would be through NATO implementing collective standards to build more secure and resilient systems and networks. A first step could be the implementation of passive cybersecurity measures, such as automated traffic monitoring and stronger access controls, to then transition towards zero-trust architectures, mandatory air-gapping, and active network monitoring.
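To illustrate the "automated traffic monitoring and stronger access controls" step, the following Python is an added example (not part of the original article and not any vendor's code). It reviews a constructed RNMS audit log and flags WSS ROADM reconfigurations that come from outside the management network, lack multi-factor authentication, or lack an approved change. The log format, action names, subnet, user names and ticket IDs are all assumptions made up for the example.

```python
import ipaddress

# Assumptions (hypothetical, not from any real RNMS product): the event fields,
# the action names, the management subnet and the change-ticket list.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
APPROVED_CHANGES = {"CHG-1001"}
RECONFIG_ACTIONS = {"wss_add_channel", "wss_drop_channel", "wss_block_channel"}

# Constructed sample audit log: time, source IP, user, MFA used, action, ticket
SAMPLE_LOG = """\
2024-11-20T02:10:05Z 10.20.0.15 noc_alice mfa=yes wss_add_channel ticket=CHG-1001
2024-11-20T02:14:41Z 203.0.113.77 noc_bob mfa=no login ticket=-
2024-11-20T02:15:02Z 203.0.113.77 noc_bob mfa=no wss_block_channel ticket=-
2024-11-20T03:30:00Z 10.20.0.22 noc_carol mfa=yes wss_drop_channel ticket=CHG-9999
2024-11-20T03:31:00Z 10.20.0.22 noc_carol mfa=yes read_power_feed ticket=-
"""

def parse_line(line):
    """Split one whitespace-separated audit line into a typed event dict."""
    ts, src, user, mfa, action, ticket = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "user": user,
            "mfa": mfa.split("=", 1)[1] == "yes", "action": action,
            "ticket": ticket.split("=", 1)[1]}

def review(log_text):
    """Return (timestamp, user, reasons) for each suspicious RNMS event."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = []
        # Any RNMS activity should originate from the management network.
        if not any(ev["src"] in net for net in MGMT_NETS):
            reasons.append("source outside management network")
        # Wavelength changes additionally need MFA and an approved change.
        if ev["action"] in RECONFIG_ACTIONS:
            if not ev["mfa"]:
                reasons.append("reconfiguration without MFA")
            if ev["ticket"] not in APPROVED_CHANGES:
                reasons.append("reconfiguration without approved change")
        if reasons:
            findings.append((ev["ts"], ev["user"], reasons))
    return findings

if __name__ == "__main__":
    for ts, user, reasons in review(SAMPLE_LOG):
        print(ts, user, "; ".join(reasons))
```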
Another potential threat in the digital domain is the growing involvement of the People’s Republic of China (PRC) in cable activities around the world. As an official Chinese Communist Party (CCP) outlet reported, “although undersea cable laying is a business, it is also a battlefield where information can be obtained.” In recent years, Chinese telecommunication companies have started to invest heavily in owning and supplying undersea cables. China Mobile (中国移动), China Telecom (中国电信), and China Unicom (中国联通), the “Big Three” fully state-owned and state-controlled Chinese telecommunication companies, control 98.5% of China’s bandwidth. At least 31 cables deployed in 2021 had ownership stakes in one of these companies. The threat is twofold: supply chain attacks, and data collection. In the case of the former, it could for instance translate into the PRC placing a backdoor on the cable during the manufacturing process. In the case of the latter, the PRC could leverage the growing ownership and involvement of Chinese companies as operators to collect data flows. In the context of the 2017 Chinese National Intelligence Law Article 7, which obligates all Chinese entities to cooperate with the government’s intelligence activities, the PRC government can legally access the data Chinese operating companies have access to. Given the reach of Chinese companies’ networks, this could pose a significant risk to Allied security.
One way to mitigate this threat would be by reducing network dependency at the infrastructure level for both NATO and the United States. For instance, contrary to what the United States has been pushing for, the U.S.-China network decoupling has been slow. Since 2015, U.S.-China direct connection has grown, which, in simplified terms, translates into growing interdependency at the infrastructure level. As U.S. systems continue to connect to Chinese telecommunication companies' networks, the two countries’ networks become increasingly intertwined, allowing for more data traffic exchanges. It also means that any changes in Chinese networks, whether through policy development, technical issues, or intentional interference, would impact U.S. networks. To limit this dependency on Chinese networks, the United States and NATO countries could introduce regulations to limit the establishment of direct Border Gateway Protocol (BGP) adjacencies with Chinese telecom companies. Another way to reduce dependency on Chinese networks would be to offer financial incentives for telecom operators to connect through allied networks. Finally, establishing and expanding secure internet exchange points within NATO countries could reduce the need for traffic to travel through Chinese infrastructure. The U.S. has already taken a step in this direction, banning Huawei Marine from operating in the United States, as well as through the Biden Administration’s “rip and replace” program.
NATO’s Approach
Following the attacks on the Nord Stream pipelines in September 2022, NATO implemented a series of significant measures to strengthen its ability to detect, prevent, and respond to threats. The Alliance’s first efforts to boost subsea cable security were in cooperation with the EU through the creation of the EU-NATO Task Force on Resilience of Critical Infrastructure in January 2023, which aims to enhance preparedness and resilience. Subsequently, in February 2023, Secretary General Stoltenberg announced the creation of the Critical Undersea Infrastructure Coordination Cell (CUI-CC) to identify vulnerabilities and improve information sharing and best practices between civilian authorities, the military, and the industry. NATO furthered its efforts by announcing the creation of the Maritime Center for the Security of Critical Underwater Infrastructure (MCSCUI) within NATO’s Allied Maritime Command at the July 2023 NATO Summit in Vilnius. The MCSCUI’s primary goal is to act as an operational hub to coordinate efforts and enhance effective decision making. In October 2023, NATO, in collaboration with Sweden, launched the Digital Ocean Initiative to facilitate technology integration to strengthen seabed to space situational awareness.
Although these progressive steps have contributed positively to enhancing physical cable security, they fail to address the full range of threats. Indeed, as it emerged in response to the Nord Stream pipelines attacks and the Balticconnector incident, this approach mainly focuses on Russian threats in the Baltic Sea. Although these are significant, it is essential for NATO to adopt a more complete approach to defend the entire infrastructure. For instance, none of the initiatives listed above addresses cyber threats or the digital security of the cable infrastructure. This is partly due to the fact that NATO countries have yet to be faced with a cyber threat to their cable infrastructures. The closest they have come to experiencing such an incident was in 2022, when the Department of Homeland Security thwarted a cyberattack on a cable in Hawaii. This tendency to focus on realized threats, and thus the failure to address the full range of potential risks, has profound implications for allied security.
What now?
NATO's strategic approach to subsea cable security must evolve to meet the complexities of modern threats. While steps have been taken to address physical vulnerabilities, particularly in response to incidents in the Baltic Sea, a more holistic and forward-thinking strategy is required. To begin, NATO should prioritize the establishment of collective standards and regulations across both physical and digital domains. In the physical domain, this includes enhancing security protocols for CLS and developing clear guidelines for their operation and protection. In the digital sphere, NATO must address the cybersecurity vulnerabilities of RNMS and implement mandatory measures such as zero-trust architectures, air-gapping, and active network monitoring.
Additionally, NATO should lead efforts to promote international cooperation. Amending the United Nations Convention on the Law of the Sea (UNCLOS) to explicitly address cable protection would be a significant step forward, alongside encouraging the United States to ratify UNCLOS. NATO can also collaborate with organizations such as the International Committee on the Protection of Cables (ICPC) to drive the development of global standards for cable security. In November 2024, the United Nations, the International Telecommunication Union and the ICPC created the International Advisory Body for Submarine Cable Resilience, which focuses on improving cable security, promoting best practices, and ensuring timely repairs. Although it is a first step in the right direction, further work will be necessary to ensure Allied security across domains.
Finally, addressing dependency on Chinese telecom infrastructure must become a priority. Financial incentives for allied operators to bypass Chinese networks, regulations to limit direct connections, and investment in secure internet exchange points within NATO countries are necessary to mitigate risks associated with geopolitical rivalries. Subsea cables are the arteries of the modern digital world. Ensuring their resilience is not just about safeguarding communications but about protecting the economic and security interests of the Alliance and its member nations. A comprehensive, adaptive, and cooperative approach for NATO is the only way forward.