CYBER STATECRAFT

Atlantic Council I N I T I A T I V E

SCOWCROFT CENTER
FOR STRATEGY AND SECURITY

CYBER DEFENSE
ACROSS
THE OCEAN FLOOR
The Geopolitics of
Submarine Cable Security
Justin Sherman
 Scowcroft Center for Strategy and Security
The Scowcroft Center for Strategy and Security works to develop sustainable,
nonpartisan strategies to address the most important security challenges facing
the United States and the world. The Center honors General Brent Scowcroft’s
legacy of service and embodies his ethos of nonpartisan commitment to the cause
of security, support for US leadership in cooperation with allies and partners, and
dedication to the mentorship of the next generation of leaders.

Cyber Statecraft Initiative

The Cyber Statecraft Initiative works at the nexus of geopolitics and cybersecurity
to craft strategies to help shape the conduct of statecraft and to better inform and
secure users of technology. This work extends through the competition of state and
non-state actors, the security of the internet and computing systems, the safety of
operational technology and physical systems, and the communities of cyberspace.
The Initiative convenes a diverse network of passionate and knowledgeable
contributors, bridging the gap among technical, policy, and user communities.
 CYBER STATECRAFT
I N I T I A T I V E

CYBER DEFENSE
ACROSS
THE OCEAN FLOOR
The Geopolitics of
Submarine Cable Security
Justin Sherman

ISBN-13: 978-1-61977-191-8

Cover: Shutterstock/Vinko93

This report is written and published in accordance with the Atlantic Council Policy on Intellectual Independence. The au-
thors are solely responsible for its analysis and recommendations. The Atlantic Council and its donors do not determine,
nor do they necessarily endorse or advocate for, any of this report’s conclusions.

September 2021
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Table of Contents
Executive Summary 1

Introduction 2

Primer: Undersea Cable Development Today 4

Trend 1: Authoritarian Governments Reshaping the Internet through Companies 9

Risk 1: Chinese State Influence through Cable Owner 11

Risk 2: Chinese State Influence through Cable Builder 14

Recommendation Previews 16

Trend 2: Companies Using Remote Management Systems for Cable Networks 17

Recommendation Previews 19

Trend 3: Increasing Volume and Sensitivity of Data Sent Over Undersea Cables 21

Recommendation Previews 23

Recommendations 25

Conclusion 29

About the Author 30

Acknowledgments 30

ii ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Executive Summary

T
he vast majority of intercontinental global Internet makes this argument drawing on policy and technological
traffic—upwards of 95 percent—travels over un- research, interviews with key stakeholders, and empirical
dersea cables that run across the ocean floor. data collected and subsequently analyzed on the 475 un-
These hundreds of cables, owned by combina- dersea cables deployed around the world (at the time of
tions of private and state-owned entities, support every- writing).
thing from consumer shopping to government document
sharing to scientific research on the Internet. The security It offers eight concrete recommendations for the US gov-
and resilience of undersea cables and the data and ser- ernment, working with the US private sector and allies
vices that move across them are an often understudied and partners worldwide, to better protect the security
and underappreciated element of modern Internet geo- and resilience of the world’s undersea cables: Congress
politics. The construction of new submarine cables is a key should give more authorities and funding to the commit-
part of the constantly changing physical topology of the tee screening foreign cable owners for security risks, and
Internet worldwide. should consider more funding for the Cable Ship Security
Program; the executive branch should promote baseline
Three trends are increasing the risks to undersea cables’ security standards for remote cable management systems;
security and resilience: First, authoritarian governments, the Federal Communications Commission should invest
especially in Beijing, are reshaping the Internet’s physical more resources in interagency cooperation on resilience
layout through companies that control Internet infrastruc- threats to cables; the State Department should pursue con-
ture, to route data more favorably, gain better control of fidence-building measures for cables and conduct a study
internet chokepoints, and potentially gain espionage ad- on building cables into more capacity-building work; US-
vantage. Second, more companies that manage undersea based cable owners should create an information sharing
cables are using network management systems to cen- analysis center to share threat information; and Amazon,
tralize control over components (such as reconfigurable Facebook, Google, and Microsoft should create and pub-
optical add/drop multiplexers (ROADMs) and robotic patch lish strategies on better protecting cables’ security and
bays in remote network operations centers), which intro- resilience.
duces new levels of operational security risk. Third, the
explosive growth of cloud computing has increased the As the Internet comes under unprecedented authoritarian
volume and sensitivity of data crossing these cables. assault, and societal dependence on the web grows in the
absence of robust and ecosystem-wide cybersecurity, the
The US government, therefore, has a new opportunity US government has an opportunity and responsibility to
and responsibility—in coordination with the US private reinforce the global Internet’s positive potential by better
sector and with allies and partners abroad—to signifi- protecting the submarine cables that underpin it. A differ-
cantly increase its involvement in protecting the security ent future is possible, one where security and resilience
and resilience of undersea cables. As the White House are more central decision factors in the design, construc-
increasingly focuses on cybersecurity threats to the na- tion, and maintenance of undersea cables; where the US
tion and the global community, including from the Chinese government works more proactively with industry, allies,
and Russian governments, it must prioritize investing in the and partners to ensure the global Internet runs reliably and
security and resilience of the physical infrastructure that securely, even in the face of failure; and where robust se-
underpins Internet communication worldwide. Failing to do curity for core Internet architecture is itself a compelling
so will only leave these systems more vulnerable to espi- alternative to authoritarian visions of a state-controlled
onage and to potential disruption that cuts off data flows sovereign network. The US government should seize on
and harms economic and national security. This report this opportunity and embrace this responsibility.

ATLANTIC COUNCIL 1
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Introduction

M
uch of the security commentariat has late- and personal communications. They also reshape the
ly focused the global Internet security con- Internet’s physical topology in the process.
versation on communications technologies
deemed “emerging,” such as cloud computing Securing this physical backbone of the global Internet
infrastructure, new satellite technology, and 5G telecom- against damage, manipulation, and disruption has long
munications. However, the vast majority of international been a vital job of the companies that own and manage
traffic traversing the Internet each day, from video calls this infrastructure. Yet three trends are making the secu-
to banking transactions to military secrets, travels over a rity and resilience of undersea cables a more urgent issue
much older and far less flashy technology: undersea ca- for the US government, its allies and partners around the
bles.1 These cables, which lay along the ocean floor and world, and the companies that own and manage the in-
haul data intercontinentally, have been developed for 180 frastructure. First, authoritarian governments, especially in
years by private sector firms and international consortia of Beijing, are reshaping the Internet’s physical layout through
companies. In recent years, large Internet companies (e.g., companies that control Internet infrastructure, to route data
Facebook, Google) have gained significant ownership in more favorably, gain better control of internet chokepoints,
these cables. Chinese state-owned firms have also greatly and potentially gain espionage advantage. Second, more
increased both their construction (e.g., Huawei Marine) and companies that manage undersea cables are using net-
ownership (e.g., China Telecom, China Unicom) of under- work management systems to centralize control over ac-
sea cables in recent years. tive components (such as reconfigurable optical add/drop
multiplexers (ROADMs) and robotic patch bays in remote
The undersea cables that carry Internet traffic around network operations centers), which introduces new levels
the world are an understudied and often underappreci- of operational security risk. Third, the explosive growth of
ated element of modern Internet geopolitics, security, and cloud computing has increased the volume and sensitivity
resilience. It is estimated that upwards of 95 percent of of data crossing these cables. Some of these trends have
intercontinental Internet traffic is carried over these ca- greater effects on geopolitics and others on operations, but
bles.2 Without them, the Internet would not exist as it does they are inextricably intertwined.
today. These cables are largely owned by private compa-
nies, often in partnership with one another, though some As the White House increasingly focuses on cybersecurity
firms involved in cable management are state-controlled threats to the nation and the global community, including
or intergovernmental. Submarine cables are, therefore, from the Chinese and Russian governments, it must prior-
a major vector of influence that companies have on the itize investing in the security and resilience of the physi-
global Internet’s shape, behavior, and security.3 cal infrastructure that underpins Internet communications.
US technology policy on China that focuses purely on 5G
Not only does the private sector manage large swaths neglects the most central part of the global Internet in-
of the constituent networks that compose the broader frastructure and the ways in which Beijing is reshaping
Internet, it also builds, owns, manages, and repairs the and potentially dominating it. Engagement with Russia on
underlying physical infrastructure. Undersea cables are security issues must likewise include Moscow’s activities
the basis of global digital interconnectedness, defining vis-à-vis monitoring undersea cables. And for all that US
which areas of the world are connected, how those areas society may invest in securing digital systems, the cables
are connected (e.g., speed, bandwidth), and who controls that carry those systems’ data and services remain vulner-
those connections (e.g., the companies building the cables, able to surveillance, signal manipulation, and even serious
the companies managing the “landing points” that link the damage or other disruption. Some of these issues may be
cables to shore). Companies directing the deployment of addressed in forthcoming executive actions on cyber de-
undersea cables, therefore, produce geopolitical effects fense and supply chain security, but a comprehensive re-
on Internet connectivity and everything that comes with it, sponse to these threats cannot and will not be addressed
including scientific research, digital trade, and government by executive orders alone.

1 “Undersea cables” and “submarine cables” are used interchangeably in this report.
2 Based on conversations with US government officials. See also: “Submarine Cables,” National Oceanic and Atmospheric Administration Office of General
Counsel, accessed June 21, 2021, https://www.gc.noaa.gov/gcil_submarine_cables.html.
3 For background on this argument, see Justin Sherman, The Politics of Internet Security: Private Industry and the Future of the Web, Atlantic Council,
October 5, 2020, https://www.atlanticcouncil.org/in-depth-research-reports/report/the-politics-of-internet-security-private-industry-and-the-future-of-the-
web/.

2 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Image 1: TeleGeography 2020 Submarine Cable Map

Source: Jayne Miller, “The 2020 Cable Map Has Landed,” TeleGeography Blog, June 16, 2020, https://blog.telegeography.
com/2020-submarine-cable-map.

The US government, therefore, has a new opportunity and ■ The third, fourth, and fifth chapters each examine
responsibility—in coordination with the US private sector and a key trend with undersea cables: authoritarians
with allies and partners abroad—to significantly increase its reshaping the Internet’s topology and behavior
involvement in protecting the security and resilience of un- through companies; cable owners using remote
dersea cables. This report makes this argument drawing on management systems for cable networks; and the
policy and technological research, interviews with key stake- increasing volume and sensitivity of data sent over
holders, and empirical data collected and subsequently an- undersea cables. Each of these sections discusses
alyzed on the 475 undersea cables deployed around the evidence of the trend, its implications on strategic
world (at the time of writing). It is laid out as follows: and/or operational levels, and previews of recom-
mendations for the US government to address prob-
■ The first chapter provides background on undersea lems at hand.
cables and details their geopolitical importance.
■ The final chapter concludes with eight specific rec-
■ The next chapter uses empirical data on the 475 un- ommendations for the US government to better pro-
dersea cables deployed around the world, and their tect the security and resilience of undersea cables
collective 383 owning entities, to highlight the state in coordination with the US private sector and with
of Internet cable development. allies and partners around the world.

ATLANTIC COUNCIL 3
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Primer: Undersea Cable Development Today

U
ndersea cables vary in thickness from about 1 “landing points,” or the locations where the cable meets
cm to about 20 cm, with cost-per-length roughly the shoreline. Facilities at these landing points can provide
proportional to cross-sectional areas. Cables can multiple functions, including terminating an international
be constructed in many ways, but most consist cable, supplying power to the cable, and acting as a point
of a central strengthening member, which prevents kinking of domestic and/or international connection.6 The owner of
of the fiber strands, surrounded by the jacketed strands an undersea cable (ownership is discussed more in later
themselves, buffered in gel; then any copper cables need- chapters) may not be the same entity as the owner of the
ed to transmit power for repeaters and branching units; landing station. As an example of this infrastructure, Image
layers of armor; and, finally, an outer membrane intend- 2 depicts an undersea cable that carries Internet traffic un-
ed to prevent seawater and plant and animal intrusion.4 derwater between two land masses.
It is only that hair-thin inner fiber that transmits Internet
data across the cable, whether emails, videos, or sensitive For nation-states, tapping into cables carrying information
documents. around the world is an attractive spying opportunity. Back
in the late nineteenth century, British intelligence used its
Fiber-optic cables are faster and cheaper than satellite access to an international hub of telegram cables in the
communications.5 These cables are laid across the ocean small village of Porthcurno to gain eavesdropping advan-
floor to connect disparate land masses, like South America tage.7 In the 1970s, the US National Security Agency de-
and Europe. Every undersea cable also has at least two ployed submarines and divers to attach recording devices

Image 2: Undersea Cable Illustration

Source: iStock

4 Thanks to Bill Woodcock, executive director of Packet Clearing House, for discussion of these details.
5 Nicole Starosielski, “In our Wi-Fi world, the internet still depends on undersea cables,” Conversation, November 3, 2015, https://theconversation.com/
in-our-wi-fi-world-the-internet-still-depends-on-undersea-cables-49936.
6 United Nations International Telecommunication Union, “Cable Landing Stations: Building, Structuring, Negotiating and Risk,” 2, 2017, https://www.itu.int/
en/ITU-D/Regional-Presence/AsiaPacific/SiteAssets/Pages/Events/2017/Submarine%20Cable/submarine-cables-for-Pacific-Islands-Countries/Cable%20
Landing%20Stations%20SNCC.pdf.
7 Ben Buchanan, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics (Cambridge, MA: Harvard University Press, 2020), 16-17.

4 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

History of Undersea Cables

Undersea cables have been in use worldwide for de- also tied with European imperial expansion and colo-
cades upon decades. The first submarine cables were nialism, thought of as enabling wider boundaries of
used in the 1820s by an attaché to the Russian Embassy global empire.3 Today, these cables transmit previously
in Munich to send electric telegraph communications.1 inconceivable volumes and kinds of data, from business
This undersea cable technology evolved with more communications and scientific research to personal
sophisticated telegraph communications in the mid- messages and military documents, making their secu-
and late 1800s (with the first trans-Atlantic submarine rity (confidentiality, integrity, and availability) and their
telegraph cable in 1858), voice communications in the resilience (the degree to which they can be restored or
early to mid-1900s, and fiber-optic data transmission repaired in the event of damage or disruption) a key part
in the mid- to late 1900s.2 Undersea cable lines were of securing the global Internet in the twenty-first century.

1 Lionel Carter, Douglas Burnett, Stephen Drew, Graham Marle, Lonnie Hagadorn, Deborah Bartlett-McNeil, and Nigel Irvine, Submarine Cables and
the Oceans: Connecting the World (Cambridge, UK: United Nations Environment Programme World Conservation Monitoring Centre, 2009), 11.
2 Ibid., 14-15; Geoff Huston, “At the bottom of the sea: a short history of submarine cables,” APNIC, February 12, 2020, https://blog.apnic.
net/2020/02/12/at-the-bottom-of-the-sea-a-short-history-of-submarine-cables/; Allison Marsh, “The First Transatlantic Telegraph Cable Was a Bold,
Beautiful Failure,” IEEE Spectrum, October 31, 2019, https://spectrum.ieee.org/tech-history/heroic-failures/the-first-transatlantic-telegraph-cable-
was-a-bold-beautiful-failure.
3 Roxana Vatanparast, “The Infrastructures of the Global Data Economy: Undersea Cables and International Law,” Harvard Law International
Journal 61 (2020): 4-5, https://harvardilj.org/wp-content/uploads/sites/15/Vatanparast-PDF-format.pdf.

to a vulnerable cable on Russia’s eastern coast that car- Across these and other cases, access to and influence
ried sensitive Russian military communications.8 Today, a over undersea cables can have direct effects on economic
similar phenomenon occurs with undersea cables hauling and national security.12
Internet traffic—they are a potential information gold mine
for governments. When Russia illegally annexed Crimea Damaging these cables is another way to disrupt Internet
in 2014, the Russian military targeted the undersea cables communications. For all the intangible-sounding imagery
“linking the peninsula and the mainland” to gain “control around the Internet—“cloud,” “cyberspace”—the Internet
of the information environment.”9 The Russian government still relies on physical things to run,13 and those physical
broadly recognizes the strategic value of physical Internet objects, including cables, can be destroyed.14 In 2008, a
infrastructure. In December 2019, Taiwan claimed Beijing ship which tried to moor off the Egyptian coast acciden-
was backing private investment in Pacific undersea cables tally severed an undersea cable, leaving seventy-five
as a mechanism for spying and stealing data.10 And the million people in the Middle East and India with limited
US government earlier this year paused a Google project Internet access.15 In 2015, the Yemeni government shut
to build an Internet cable from the United States to Hong down Internet connectivity in the country, an act of repres-
Kong: it was concerned Beijing could use its new national sion aided by the low bar of controlling access to just two
security law to access cable data on the Hong Kong side.11 undersea cables running into the country.16 Even natural

8 Matthew Carle, “Operation Ivy Bells,” Military.com, accessed January 2, 2021, https://www.military.com/history/operation-ivy-bells.html; Olga Khazan, “The
Creepy, Long-Standing Practice of Undersea Cable Tapping,” Atlantic, July 16, 2013, https://www.theatlantic.com/international/archive/2013/07/the-creepy-
long-standing-practice-of-undersea-cable-tapping/277855/.
9 Mark Galeotti, Russian Political War: Moving Beyond the Hybrid (New York: Routledge, 2019), 75.
10 David Brennan and John Feng, “Taiwan Says China Wants to Spy on Nations, Steal Data Through Undersea Cable Networks,” Newsweek, December 18,
2020, https://www.newsweek.com/taiwan-china-spy-nations-steal-data-undersea-cable-networks-kiribati-connectivity-project-1555849.
11 Justin Sherman, “The US-China Battle Over the Internet Goes Under the Sea,” WIRED, June 24, 2020, https://www.wired.com/story/opinion-the-us-china-
battle-over-the-internet-goes-under-the-sea/.
12 See, for example, Keir Giles, Russia’s ‘New’ Tools for Confronting the West: Continuity and Innovation in Moscow’s Exercise of Power, Chatham House,
63, March 2016, https://www.chathamhouse.org/sites/default/files/publications/2016-03-russia-new-tools-giles.pdf.
13 For more on this, see Sherman, The Politics of Internet Security; Robert Morgus and Justin Sherman, The Idealized Internet vs. Internet Realities (Version
1.0), New America, last updated July 26, 2018, https://www.newamerica.org/cybersecurity-initiative/reports/idealized-internet-vs-internet-realities/.
14 Joseph S. Nye, Jr., The Future of Power (New York: PublicAffairs, 2011), 128.
15 Bobbie Johnson, “How one clumsy ship cut off the web for 75 million people,” Guardian, February 1, 2008, https://www.theguardian.com/business/2008/
feb/01/internationalpersonalfinancebusiness.internet.
16 Andrea Peterson, “Another casualty in Yemen: Internet stability,” Washington Post, April 2, 2015, https://www.washingtonpost.com/news/the-switch/
wp/2015/04/02/another-casualty-in-yemen-internet-stability/.

ATLANTIC COUNCIL 5
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Cables Ready for Service per Year, Global

Figure 1: Cables Ready for (2000-2020)
Service per Year, Global (2000-2020)

30 28
25 22 22 21
20 19
20 16 16
14 14 15 15 15
15 13 12
11 10 11 10 9
10 7
5
0

10

17
15

16

19
12

18
11
01

13

14
03

04
00

20
07
05

06

09
02

08

20

20
20

20

20

20

20

20

20

20

20
20

20

20
20

20

20

20

20

20

20
Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.

weather events like undersea earthquakes can damage cable is damaged likewise often turn to the private sector
cables and temporarily decrease Internet availability to to repair the infrastructure and restore Internet connectiv-
an entire region.17 Ensuring the resilience of undersea ity. More broadly, on the geopolitical level, governments
cables—that they help route data around failure and are looking to improve the security of physical Internet infra-
quickly restored if damaged or disrupted—is thus critical structure, or those looking to alter the global Internet’s
to ensuring the resilience of global Internet traffic and the physical shape and digital behavior in their image, must
societal functions that depend on it. This is not to say that include the private sector’s influence on undersea cables
a single damaged cable will bring down the global Internet, in their strategies and policies because those firms often
for the Internet is designed to route around failure, and directly control and deeply understand the infrastructure.
data can be sent via other routes, though it could sub- This has been true for much of the critical infrastructure
stantially decrease Internet connectivity for a country or in democracies, and specifically with telecommunications
region.18 There are also not many publicly documented cables, for some time.
examples of governments destroying or damaging cables,
even though there is much national security concern about There are 475 of these undersea cables deployed around
the potentially severe consequences should governments the world as of December 2020. This number and this re-
elect to pursue those ends (e.g., in a wartime scenario).19 port’s analysis of those cables draws on a compilation of
But ensuring submarine cable resilience, especially for key publicly available data from TeleGeography’s Submarine
chokepoints in the global network, is geopolitically import- Cable Map website, coded with additional data gathered
ant because even slow repairs of major cables can slow from open sources on the 383 different entities (private
down traffic delivery between land masses. firms and state-controlled entities) with listed ownership
stakes in those cables.20 The first observation from this
For all undersea cables’ implications for governments, the data is that cable development, globally, is on the rise.
private sector’s involvement comes into play with each of Figure 1 shows the number of undersea cables ready for
the aforementioned activities, from intelligence collection service—that is, fully built and ready to be used—around
to damage repair. Governments looking to spy on the data the world from 2000 to 2020.
traveling across submarine cables often turn to private sec-
tor companies to carry it out because the private sector has By these numbers, the rate of submarine cable deploy-
a heavy involvement in cable ownership and maintenance ment is increasing. In 2016, fifteen new cables were ready
worldwide. Citizens, businesses, and government agen- for service around the world. In 2020, twenty-eight new
cies who need Internet access restored after a submarine cables entered service around the world, representing an

17 Dante D’Orazio, “Into the Vault: The Operation to Rescue Manhattan’s Drowned Internet,” Verge, November 17, 2012, https://www.theverge.
com/2012/11/17/3655442/restoring-verizon-service-manhattan-hurricane-sandy.
18 See, for example, Louise Matsakis, “What Would Really Happen If Russia Attacked Undersea Internet Cables,” WIRED, January 5, 2018, https://www.wired.
com/story/russia-undersea-internet-cables/.
19 Most damage is caused by natural disasters and accidents.
20 Data on the 475 undersea cables deployed worldwide were pulled from the publicly accessible TeleGeography Submarine Cable Map (https://www.
submarinecablemap.com/) as of December 2020. Data on the 383 entities that collectively have listed ownership stake in those cables were also pulled
from the Submarine Cable Map site (as of December 2020), and then coded as privately or state-owned using open sources (including stock listings,
regulatory disclosures, the entities’ websites and public documents, and media reporting).

6 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

almost twofold increase in just four years. This uptick is key component of financing their construction and subse-
no accident—there are several drivers at play. More traffic quently maintaining them. Figure 2 illustrates the number
is sent over the global Internet every year (discussed fur- of cables deployed around the world with different num-
ther in the third trends chapter). More countries are also bers of owners.
looking to expand Internet penetration within their borders
(e.g., how many people have Internet access) as well as
to expand the bandwidth available to those Internet us-
Figure 2: Cables With Single vs. Multiple Owners
ers.21 Cloud service providers are getting more involved
(December 2020 Snapshot)
in directing the building of physical infrastructure to sup-
port their data storage and routing services. And broadly, 2%
Internet companies can also profit off cable investments
in the long run by using this physical infrastructure to push
their own data across the global Internet more quickly.22

This global Internet infrastructure has long been devel-

oped by an international consortia of companies. One sin-
gle cable may have several corporate owners, often each
incorporated in different countries. This consortium-based
approach to cable construction and maintenance is driven 33%
by a variety of factors, including the financial costs23 and
complex logistics of laying cables across the ocean floor, the
number of shorelines those cables may touch (and, there-
fore, the need to have a company at the other end to man-
age a landing point), and the profit those companies can
generate from hauling cable traffic. For instance, the Europe 65%
India Gateway cable, a 15,000-km-long cable put into oper-
ation in February 2011, connects eleven different countries
and has sixteen different co-owners, ranging from AT&T Single owner Multiple owners Not Coded
(the United States) to Djibouti Telecom (Djibouti) to Airtel
(India) to Vodafone (the United Kingdom). The Japan-Guam- Source: Data from TeleGeography’s Submarine Cable Map
Australia South Cable System, to give a recent example, website visualized by author.
went operational in March 2020, connects Australia and the
United States, and is owned by Google (the United States),
RTI Cables (the United States), and Australia’s Academic
and Research Network (Australia; a nonprofit company orig- Mapping the ownership landscape of submarine cables
inally set up by Australian universities).24 Each one of the is critical to understanding what levers of control can be
deployed cables is unique based on such factors as length, pulled by private companies, state-owned firms, and gov-
bandwidth, and the number of shorelines on which it lands. ernments. While some parts of the Internet’s physical and
digital infrastructure are maintained by a few core private
Not all submarine cables have multiple owners, but this sector companies,25 these cables are different. The major-
international collaboration between different firms is a ity of undersea cables deployed worldwide—65 percent

21 See, for example, Cisco, Cisco Annual Internet Report (2018-2023), 2020, https://www.cisco.com/c/en/us/solutions/collateral/executive-perspectives/
annual-internet-report/white-paper-c11-741490.pdf; and on digital divides worldwide, Jan A.G.M. van Dijk, Closing the Digital Divide: The Role of Digital
Technologies on Social Development, Well-Being of All and the Approach of the Covid-19 Pandemic, United Nations, July 2020, https://www.un.org/
development/desa/dspd/wp-content/uploads/sites/22/2020/07/Closing-the-Digital-Divide-by-Jan-A.G.M-van-Dijk-.pdf; Internet Society, 2017 Internet
Society Global Internet Report: Paths to Our Digital Future, 2017, https://future.internetsociety.org/2017/wp-content/uploads/sites/3/2017/09/2017-Internet-
Society-Global-Internet-Report-Paths-to-Our-Digital-Future.pdf.
22 Klint Finley, “How Google Is Cramming More Data Into Its New Atlantic Cable,” WIRED, April 5, 2019, https://www.wired.com/story/google-cramming-more-
data-new-atlantic-cable/.
23 This often ranges from tens to hundreds of millions of dollars. See, e.g., Submarine Cable Almanac 33 (February 2020), https://issuu.com/subtelforum/
docs/almanac_issue_33.
24 Submarine cable data compiled from TeleGeography’s Submarine Cable Map website.
25 For instance, the global cloud computing infrastructure is dominated by the US “hyper-scalers” Microsoft, Google, and Amazon. Within any given 4G
cellular network, there is usually only a single cellular supplier (e.g., Vodafone, AT&T) with predominant ownership of the infrastructure. See, for example,
Trey Herr, Four Myths About the Cloud: The Geopolitics of Cloud Computing, Atlantic Council, August 2020, https://www.atlanticcouncil.org/in-depth-
research-reports/report/four-myths-about-the-cloud-the-geopolitics-of-cloud-computing/; Dana Mattioli and Aaron Tilley, “Amazon Has Long Ruled the
Cloud. Now It Must Fend Off Rivals,” Wall Street Journal, January 4, 2020, https://www.wsj.com/articles/amazon-has-long-ruled-the-cloud-now-it-must-
fend-off-rivals-11578114008.

ATLANTIC COUNCIL 7
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

as of December 2020— have a single owner. Only a third over companies involved with building and/or maintaining
of deployed cables have multiple owners. Within that lat- a single cable, and it can make more difficult the process of
ter category, those ownership structures are themselves determining which entities have control over a cable and
varied. Seventy-two cables have just two owners, twen- to what extent that creates risks to infrastructure.
ty-one cables have just three owners, and fifteen have
four owners. These numbers are higher in some cases, Three trends are increasing security and resilience risks
though: four cables each have eighteen owners spanning to submarine cables. As a result, there is an accentuated
several countries, and the highest number of owners for opportunity and responsibility for the US government to
any single cable is fifty-three—the 39,000-km SeaMeWe-3 work more effectively with allies, partners, and private
cable deployed in September 1999. The cables with multi- companies to better protect their security and resilience.
ple owners are often the ones that cost more to build and These three motivating trends are each discussed in the
maintain, such as those connecting more countries and following chapters: first, authoritarian governments reshap-
with higher bandwidth. Such consortia may also involve a ing the Internet’s physical topology and digital behavior
state-controlled firm. through companies, to route data more favorably, gain
better control of internet chokepoints, and potentially gain
The distinction of the number of owners is important from espionage advantage; second, companies using remote
a security and resilience perspective because it can pro- management systems for cable networks, introducing new
duce a diversity of control over cables, it can produce a levels of cybersecurity risk; and third, the growing volume
situation where multiple governments have legal oversight and sensitivity of data sent over these cable systems.

8 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Trend 1: Authoritarian Governments

Reshaping the Internet through Companies

A
uthoritarian governments are increasingly re- contrast, many authoritarian regimes do not have those
shaping the Internet’s physical topology (struc- same oversight mechanisms and the same independence
ture) and digital behavior by exerting control between the state and the private sector. Understanding a
over companies. This accelerates security and cable’s ownership structure is still important for assessing
resilience risks to undersea cables because authoritarian state influence on the submarine cable network.
governments—particularly in Beijing and Moscow—can use
that control to undermine Internet security and resilience, The Chinese and Russian governments are increasingly
and favorably shape the topology of the Internet itself, for working to reshape the Internet through control over com-
their own strategic purposes. For instance, this could in- panies. This matters on the geopolitical level for Internet
clude the Chinese government building cables that will security and resilience because choosing where, when,
increase the overall flow of Internet traffic through its bor- and how to build cables is a way to shape where global
ders, which it could then exploit for intelligence gathering. Internet traffic is routed.27 Changes to traffic routing pat-
Certainly, building more cables in and of itself, in a sense, terns generate profits for companies and can move new
arguably increases the resilience of the global Internet in volumes of traffic through different countries’ borders.
absolutist terms: there are new routes over which data can
travel in the event of failure. But if authoritarian govern-
ments have increasing influence over submarine cables
globally, that creates its own risks of those governments Figure 3: Cables’ Public-Private Ownership Breakdown
manipulating and disrupting the infrastructure. (December 2020 Snapshot)

States must go through companies, in many cases, to re- 3%

shape the Internet’s topology. This is because much of the
19%
global Internet infrastructure is in companies’ hands (even
if some of those companies are state-controlled), as de-
picted in Figure 3.

The majority (59 percent) of global undersea cables de-

ployed as of December 2020, or 279 out of 475 cables,
have only private owners. The worldwide private sector
is thus influential not just on the Internet’s digital rules but
also on its changing physical shape. By contrast, only 19
percent of all cables deployed worldwide, or ninety-three
out of 475, are entirely owned by state-controlled entities
(e.g., owned directly by a government or through a sub-
59%
sidiary).26 Of course, ownership by a private firm does not 19%
mean that a government cannot directly or indirectly exert
control over a cable. For example, the US government, as
with most others, has a long history of tapping into pri- All private owners All state owners
vate sector-controlled Internet infrastructure for espionage
Both private and state owners Not Labeled
purposes. In most liberal democracies, however, factors
such as rule of law and oversight and accountability mech-
anisms for surveillance place controls on the degree to Source: Data from TeleGeography’s Submarine Cable Map
which the government can influence that infrastructure. By website visualized by author.

26 For this report, companies coded as “state-controlled” were those either directly, majority owned by a national government or indirectly, majority owned
by a subsidiary of a national government (e.g., majority owned by another state-owned company). Public companies in which the national government is a
minority shareholder, for instance, and public companies in which multiple local governments are shareholders were not in this classification.
27 This is reflected in the fact that “traffic that appears to be traveling via separate network paths could potentially be relying on the same physical
resource.” Zachary S. Bischof, Romain Fontugne, and Fabián E. Bustamante, “Untangling the world-wide mesh of undersea cables,” HotNets ’18:
Proceedings of the 17th ACM Workshop on Hot Topics in Networks, 81, November 2018, https://dl.acm.org/doi/abs/10.1145/3286062.3286074.

ATLANTIC COUNCIL 9
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

This can enable data interception and the development Rostelecom, the Russian state-owned telecommunica-
of technological dependence. Yet these geopolitical influ- tions giant, is a prime example of a firm whose influence
ences also affect the operational level of securing under- on Internet infrastructure seems to be continually lever-
sea cables. Cable owners might insert backdoors into or aged by the Kremlin. Data compiled for a previous report
otherwise monitor landing stations. Cable builders might showed Rostelecom to be involved with dozens of po-
similarly compromise the security of the physical infrastruc- tential hijacks of the Border Gateway Protocol (BGP), the
ture along the ocean floor before it is laid. As Beijing and Internet’s “GPS” for traffic, in the first few months of 2020
Moscow exert more control over Internet companies, the alone; it appeared the company deliberately rerouted
risk of them undermining Internet security and resilience reams of global Internet traffic through Russian borders, a
grows. This trend also connects with the other two key tactic used by several authoritarian governments to spy on
trends discussed later in the report: the growing cyberse- Internet data.34 This practice weaponizes a security flaw at
curity vulnerability of cable networks and the more sen- the very core of the global Internet.
sitive data sent over cables create larger incentives for
states to intercept that information. In an August 2020 meeting, meanwhile, Rostelecom
President Mikhail Oseyevsky told Russian President
The Russian government has increasingly exerted control Vladimir Putin that the company was “completing an am-
over companies with influence on Internet infrastructure to bitious basic infrastructure expansion programme in the
serve geopolitical purposes. For decades, the Kremlin has Far East,” having recently laid cables to Russian islands.
spoken of the importance of state control of the Internet, Oseyevsky added that Rostelecom saw “additional oppor-
and that has included Internet infrastructure. In 2011, for tunities for working on international markets” in light of ris-
example, then Russian president Dmitry Medvedev told ing global volumes of Internet traffic, a situation in which
G20 leaders that Internet infrastructure needed more state “Russia can provide the simplest and most reliable method
regulation to account for the “public interest.”28 In 2014, as for transmitting these volumes from Europe to Asia.”35 This
Russia was illegally annexing Crimea, there were reports is significant because Rostelecom is a state-owned firm,
of armed men damaging fiber-optic cables that carried and all such “meetings” with Putin are scripted. Thus, in ad-
Internet traffic to Ukraine.29 Finnish media have reported dition to the likely security dimensions of Russia’s Internet
on alarm over Russian land acquisitions beyond Russia that infrastructure foothold, it also appears to have economic
are in the vicinity of key telecommunications links, such as dimensions—with submarine cables serving as a potential
around the Turku archipelago.30 In 2017, Andrew Lennon, mechanism for the Kremlin to grow its levers of economic
then commander of NATO’s submarine forces, told the coercion.
Washington Post that “we are now seeing Russian under-
water activity in the vicinity of undersea cables that I don’t The Chinese government also presents risks in this vein
believe we have ever seen” and that “Russia is clearly across cable ownership and cable construction. Broadly,
taking an interest in NATO and NATO nations’ undersea numerous governments, researchers, and independent
infrastructure.”31 The 2021 Office of the Director of National observers have expressed concerns about the Chinese
Intelligence’s unclassified threat assessment found that government’s exerted influence over technology compa-
Russia “continues to target critical infrastructure, including nies within its borders. Domestically, the Chinese govern-
underwater cables.”32 And broadly, the Kremlin continues ment’s Internet filtering and surveillance regime depends
expanding its control over domestic technology firms to on the cooperation of private companies that own and
serve and protect its political agenda.33 manage the infrastructure.36 It is these firms that may set

28 Kremlin.ru, “Dmitry Medvedev’s message to the G20 leaders,” November 3, 2011, http://en.kremlin.ru/events/president/news/13329.
29 Pavel Polityuk and Jim Finkle, “Ukraine says communications hit, MPs phones blocked,” Reuters, March 4, 2014, https://www.reuters.com/article/us-
ukraine-crisis-cybersecurity/ukraine-says-communications-hit-mps-phones-blocked-idUSBREA231R220140304.
30 Keir Giles, “The Next Phase of Russian Information Warfare,” NATO Strategic Communications Centre of Excellence, 12, May 20, 2016, https://www.
stratcomcoe.org/next-phase-russian-information-warfare-keir-giles.
31 Michael Birnbaum, “Russian submarines are prowling around vital undersea cables. It’s making NATO nervous,” Washington Post, December 22, 2017,
https://www.washingtonpost.com/world/europe/russian-submarines-are-prowling-around-vital-undersea-cables-its-making-nato-nervous/2017/12/22/
d4c1f3da-e5d0-11e7-927a-e72eac1e73b6_story.html?utm_term=.a57f9e4f495f.
32 Office of the Director of National Intelligence, Annual Threat Assessment of the US Intelligence Community, 10, April 2021, https://www.dni.gov/files/
ODNI/documents/assessments/ATA-2021-Unclassified-Report.pdf.
33 Dylan Myles-Primakoff and Justin Sherman, “Russia’s Internet Freedom Shrinks as Kremlin Seizes Control of Homegrown Tech,” Foreign Policy, October
26, 2020, https://foreignpolicy.com/2020/10/26/russia-internet-freedom-kremlin-tech/.
34 These incidents were particularly suspicious as Rostelecom has been involved in numerous such attacks before. See Sherman, The Politics of Internet
Security.
35 Kremlin.ru, “Meeting with Rostelecom President Mikhail Oseyevsky,” August 5, 2020, http://en.kremlin.ru/events/president/news/63857.
36 For more on this regime, see Margaret E. Roberts, Censored: Distraction and Diversion Inside China’s Great Firewall (Princeton, NJ: Princeton University
Press, 2018).

10 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Figure 4: Risk Overview of Chinese State Influence through Cable Owner vs. Cable Builder

State influence via… The company: The risks: Some Chinese firms in
question:

Cable owner Owns and maintains, and Spying on data, disrupt- China Mobile, China
may have financed, the ing data, shaping cable Telecom, China Unicom
cable layout

Builds part of the cable Backdooring equipment Huawei Marine

Cable builder (such as the fiber or the
cable itself)

Source: Visualized by author.

up state-mandated filtering technologies on their Internet preferable to slower ones.40 Cable investors can, therefore,
hardware or build algorithms to flag certain keywords on shape the flow of global Internet traffic by choosing the
their digital platforms.37 Similarly, there are concerns that connecting nodes and the bandwidth of new undersea
the Chinese government exerts that same kind of control cables: as the Internet’s physical shape changes, offer-
over foreign-operating Chinese companies to reshape ing newer and faster routes for data between locations,
the Internet’s physical topology and digital rules. Chinese more data could get digitally routed along different paths
state-owned firms have (akin to Rostelecom) been involved and through different countries’ borders. Infrastructure
with repeated hijackings of the BGP, where global Internet changes, in other words, affect the Internet’s digital be-
traffic is rerouted through Chinese borders, over the last havior—potentially increasing economic dependence and
few years.38 enabling traffic interception. Cable owners with control of
landing stations could also provide an intelligence collec-
There are real risks that Chinese state-owned Internet tion vector for governments who mandate the insertion
companies that own or manage Internet infrastructure of monitoring equipment or backdoors. States exerting
will become vectors for the government to reshape the more control over cable owners thus creates impacts on
Internet’s topology and behavior. There are also con- Internet security and resilience, on both geopolitical and
cerns that Chinese government capacity-building projects operational levels.
abroad have involved building computer systems that
secretly exfiltrate data to Beijing.39 Two specific risks of The US government, as previously mentioned, recom-
Chinese government influence over cable-involved com- mended in June 2020 that the Federal Communications
panies—influence through a cable owner and influence Commission (FCC) refuse to approve cable licensing for
through a cable builder—form the basis of a more detailed the Pacific Light Cable Network (PLCN)—a submarine
case study below. cable involving Google, Facebook, a New Jersey-based
telecom, and a Hong Kong-based telecom owned by
Risk 1: Chinese State Influence through Cable a Chinese firm—because its routing of US data through
Owner Hong Kong allegedly posed a national security risk. One
of the Department of Justice’s (DOJ’s) specific concerns
First, there is a risk of Chinese government influence was that Beijing would use the Chinese owner of the Hong
through the (co-)owner of a cable, which is typically in- Kong subsidiary to access data on US persons. It cited
volved in funding the construction of the cable from the “the current national security environment, including the
beginning. This risk implicates Internet security and resil- PRC government’s sustained efforts to acquire the sensi-
ience because faster routes for Internet data are generally tive data of millions of U.S. persons” as well as the cable

37 See, for example, Lotus Ruan, Jeffrey Knockel, and Masashi Crete-Nishihata, Censored Contagion: How Information on the Coronavirus is Managed on
Chinese Social Media, Citizen Lab, March 3, 2020, https://citizenlab.ca/2020/03/censored-contagion-how-information-on-the-coronavirus-is-managed-on-
chinese-social-media/.
38 Sherman, The Politics of Internet Security.
39 Joan Tilouine, “A Addis-Abeba, le siège de l’Union africaine espionné par Pékin,” (“In Addis Ababa, the headquarters of the African Union spied on by
Beijing”), Le Monde, January 27, 2018, https://www.lemonde.fr/afrique/article/2018/01/26/a-addis-abeba-le-siege-de-l-union-africaine-espionne-par-les-
chinois_5247521_3212.html.
40 Quicker routes for Internet data are not always chosen, but they are generally preferred to slower ones.

ATLANTIC COUNCIL 11
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Figure 5: Cables Owned by Chinese State-Controlled Entities (December 2020 Snapshot)

Entity Ownership by Chinese Number of Sole-owned Number of Co-owned

Government Cables Cables

China Mobile State-owned 1 10

China Telecom State-owned 0 15

China Unicom State-owned 0 12

CITIC Telecom State-controlled 0 1

International

CTM State-controlled 0 1

National Grid Corporation Beijing is a consortium 0 1

of the Philippines member

Source: TeleGeography’s Submarine Cable Map.

project’s “connections to PRC state-owned carrier China The DOJ is not alone in its concerns about the Chinese
Unicom” as reasons for blocking the cable’s development. government’s control of cable owners. In November 2019,
The DOJ also cited: CNN reported on an internal Filipino government report al-
leging that the National Grid Corporation of the Philippines,
“
Concerns that PLCN would advance the PRC partly owned by a Chinese state-owned electrical com-
government’s goal that Hong Kong be the dom- pany, was in fact “under the full control” of the Chinese
inant hub in the Asia Pacific region for global in- government and vulnerable to disruption.42 Reporting
formation and communications technology and focused on the Filipino power grid, but the National Grid
services infrastructure, which would increase the Corporation of the Philippines is also the sole owner of
share of U.S. internet, data, and telecommunica- an undersea cable in the Philippines, making the Chinese
tions traffic to the Asia Pacific region traversing state firm a co-owner.43 If those concerns about disrup-
PRC territory and PRC-owned or -controlled infra- tion apply to the power grid, there are related questions
structure before reaching its ultimate destinations to be asked about Beijing’s influence over the submarine
in other parts of Asia.”41 cable. In December 2020, Taiwan accused the Chinese
government of backing Pacific-area cable investments as
In other words, the US government highlighted the risk a means of spying on foreign countries and stealing data;
of Chinese state influence on two fronts: compromising a spokesperson for Taiwan’s Ministry of Foreign Affairs told
cable data via cable owners (e.g., intelligence collection Newsweek that Beijing wanted to “monopolize” Pacific in-
through a state-controlled landing point) and changing formation.44 These allegations arrive as Chinese state-con-
the Internet’s physical shape to route more global traf- trolled entities are taking growing ownership stakes in
fic through China (e.g., creating more chokepoints in the undersea cables, as depicted in Figure 5.
global network under the Chinese government’s control).
These risks are distinct but related, as the referenced ac- The three Chinese-incorporated firms listed as owners of
tions can be carried out by the same entity. undersea cables (at the time of writing)—China Mobile,

41 U.S. Department of Justice Office of Public Affairs, Team Telecom Recommends that the FCC Deny Pacific Light Cable Network System’s Hong
Kong Undersea Cable Connection to the United States, press release number 20-555, June 17, 2020, https://www.justice.gov/opa/pr/team-telecom-
recommends-fcc-deny-pacific-light-cable-network-system-s-hong-kong-undersea.
42 James Griffiths, “China can shut off the Philippines’ power grid at any time, leaked report warns,” CNN, November 26, 2019, https://edition.cnn.
com/2019/11/25/asia/philippines-china-power-grid-intl-hnk/index.html; CNN Philippines Staff, “Carpio: Chinese ‘control’ of national power grid a cause for
concern,” CNN, November 26, 2019, https://www.cnnphilippines.com/news/2019/11/26/Antonio-Carpio-Chinese-control-NGCP.html.
43 This is the Sorsogon-Samar Submarine Fiber Optical Interconnection Project (SSSFOIP) cable deployed in 2019.
44 Brennan and Feng, “Taiwan Says China Wants to Spy.”

12 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Figure 6: Current Chinese State-Owned Telecom Cable Ownership, by Year Ready for Service
(December 2020 Snapshot)

14

12

10

0
1999 2015 2016 2017 2018 2019 2020 2021 2022 2023

China Mobile China Telecom China Unicom

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.
Note: Cables listed in the future are coded based on their expected ready-for-service date

China Telecom, and China Unicom—are all state-owned. stake (at the time of writing) in cables deployed before
In addition, two other companies that own cables, CITIC 2020, a stark departure from the many other companies
Telecom International and CTM, incorporated in Hong Kong around the world with ownership stakes in cables deployed
and Macau, respectively, are themselves controlled by the back in the 1990s or early 2000s. And these firms’ activity
Chinese government. The Chinese government is also a in the United States has drawn scrutiny from Washington.
part of the aforementioned National Grid Corporation of The FCC denied China Mobile’s application to provide tele-
the Philippines, a consortium of different cable owners. com services in the United States in 2019, citing national
China Mobile, China Telecom, and China Unicom largely security risks.45 A year later, it ordered China Telecom and
do not own years-old cables, however; the rate at which China Unicom to provide evidence they did not pose na-
they are co-owners of newly deployed submarine cables tional security risks through their US operations.46
is growing, as depicted in Figure 6.
This growing investment is also likely tied to the Chinese
The three Chinese state-owned telecoms’ quickly rising in- government’s infrastructure capacity building around the
vestment in undersea cables increases the risk that Beijing world—and risks of Beijing reshaping the Internet’s topol-
leverages that influence to support its monitoring of cable ogy globally. Beijing is estimated to be spending hundreds
data. It also gives the Chinese government more power of billions of dollars on infrastructure development proj-
to shape, quite literally, how and where cables are laid ects in dozens of countries as part of its Belt and Road
before construction even begins. For projects scheduled Initiative (BRI).47 In 2015, Beijing launched its Digital Silk
in 2021, China Mobile is currently invested as an owner Road (DSR) project, formally making a focus on Internet
in twenty-one, China Telecom is invested in twelve, and technology and infrastructure a part of the broader
China Unicom is invested in eleven. On top of that, each BRI.48 A 2015 white paper released by China’s National
state-owned company is invested in at least one project Development and Reform Commission, Ministry of Foreign
into 2022 or 2023. Currently, the firms have barely any Affairs, and Ministry of Commerce reads, “[China] should

45 US Federal Communications Commission, FCC Denies China Mobile USA Application to Provide Telecommunications Services, press release, May 9,
2019, https://docs.fcc.gov/public/attachments/DOC-357372A1.pdf.
46 U.S. Federal Communications Commission, “FCC Scrutinizes Four Chinese Government-Controlled Telecom Entities,” April 24, 2020, https://www.fcc.gov/
document/fcc-scrutinizes-four-chinese-government-controlled-telecom-entities.
47 Andrew Chatzky and James McBride, China’s Massive Belt and Road Initiative, Council on Foreign Relations, January 28, 2020, https://www.cfr.org/
backgrounder/chinas-massive-belt-and-road-initiative.
48 Joshua Kurlantzick, “China’s Digital Silk Road Initiative: A Boon for Developing Countries or a Danger to Freedom?” Diplomat, December 17, 2020, https://
thediplomat.com/2020/12/chinas-digital-silk-road-initiative-a-boon-for-developing-countries-or-a-danger-to-freedom/.

ATLANTIC COUNCIL 13
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Figure 7: Landing Stations of China Mobile-, China on Internet infrastructure across the African content.51 The
Telecom-, and China Unicom-Owned Cables Chinese government has also signed DSR cooperative
(December 2020 Snapshot) agreements, or given DSR-linked investment to, at least
sixteen countries, and dozens more BRI participants may
be involved with DSR projects.52 Not all DSR projects are
36% directly state-controlled or -supervised to the same de-
gree, but the Chinese government’s control over specific
elements of the DSR is only poised to grow in the com-
ing years.53 In December 2020, Chinese Foreign Minister
Wang Yi claimed government spending on the BRI, digital
infrastructure included, had increased in 2020 even with
the COVID-19 pandemic.54 This focus on capacity building
abroad aligns with data on cables owned by Chinese state-
owned firms, depicted in Figure 7.

China Mobile, China Telecom, and China Unicom collec-

tively own twenty-two cables; there is some overlap in their
64% cable investments. Significantly, however, many of these
projects are entirely focused abroad. Figure 7 shows that
more than one-third of submarine cables owned by these
Chinese state-owned firms do not have landing stations
At least one landing station in China in China—that is, they make no direct contact with the
No landing stations in China Chinese mainland. This is not inherently cause for con-
cern. Many companies invest in cables that do not touch
Source: Data from TeleGeography’s Submarine Cable Map the shores of their country of incorporation because it
website visualized by author. can be a way to make money off Internet traffic as well
as influence the Internet’s physical shape in business-fa-
vorable ways (e.g., building faster data transmission to a
new market).55 But growing investment notably coincides
jointly advance the construction of cross-border optical with the Chinese government’s focus on capacity building
cables and other communications trunk line networks, im- worldwide and its efforts to reshape the Internet’s physical
prove international communications connectivity, and cre- topology and digital behavior.
ate an information Silk Road.” It also specifically mentioned
planning undersea, transcontinental cable projects.49 Risk 2: Chinese State Influence through Cable
Builder
These projects, when conducted by or with Chinese state-
owned or -controlled firms, are a potential way for Beijing Second, there is a risk of Chinese government influence
to influence the Internet’s physical shape. Once the proj- through the builder of a cable rather than its (co-)owner.
ects are completed, it is possible they could be used as This is an important distinction because the companies
economic and/or technological levers of influence. Since building a cable are different from the ones that fund
2015, Chinese firms have moved to fill cable-building voids the project and ultimately own the cable. State influence
in low-resourced countries,50 including with heavy focus through this vector could theoretically let a government

49 Quoted in Keshav Kelkar, “From silk threads to fiber optics: The rise of China’s digital silk road,” Observer Research Foundation, August 8, 2018, https://
www.orfonline.org/expert-speak/43102-from-silk-threads-to-fiber-optics-the-rise-of-chinas-digital-silk-road/.
50 Stacia Lee, “The Cybersecurity Implications of Chinese Undersea Cable Investment,” East Asia Center at the University of Washington, February 6, 2017,
https://jsis.washington.edu/eacenter/2017/02/06/cybersecurity-implications-chinese-undersea-cable-investment/.
51 It is estimated the Chinese government spent approximately $20 billion on infrastructure development across Africa in 2017, including information and
communications technology. The Infrastructure Consortium for Africa, Infrastructure Financing Trends in Africa – 2017, 54, 2018, https://www.icafrica.org/
fileadmin/documents/Annual_Reports/IFT2017.pdf.
52 Kurtlantzick, “China’s Digital Silk Road Initiative.”
53 Paul Triolo and Robert Greene, “Will China control the global internet via its Digital Silk Road?” SupChina, May 8, 2020, https://supchina.com/2020/05/08/
will-china-control-the-global-internet-via-its-digital-silk-road/.
54 Rachel Zhang, “Belt and Road Initiative: China ups investment despite coronavirus and doubters,” South China Morning Post, December 21, 2020, https://
www.scmp.com/news/china/diplomacy/article/3114824/china-sells-confident-message-its-belt-and-road-initiative.
55 For instance, see Facebook’s investment in undersea cables linked to African countries as it pursues market expansion across the continent: Ryan
Browne, “Facebook is building a huge undersea cable around Africa to boost internet access in the continent,” CNBC, May 14, 2020, updated June 2,
2020, https://www.cnbc.com/2020/05/14/facebook-building-undersea-cable-in-africa-to-boost-internet-access.html.

14 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

insert vulnerabilities into cables before they are even laid partnership with FiberStar, the Indonesian telecom, to
underwater. Evidence, as always, is vital to assessing this “deepen cooperation in addition to building a high-speed
risk, as is the Chinese government’s supposed cost-benefit optical fiber network.” The Huawei press release also noted
calculus on information collection; the mere existence of that Huawei had already worked with FiberStar to build
possibility is not enough. But along with Beijing’s growing an enhanced fiber-optic backbone connecting Jakarta to
leveraging of Chinese technology companies for its geo- Surabaya.57 This is not on its face unusual, given the pri-
political interests, this second risk of state control speaks vate sector’s influence on the bulk of global Internet infra-
to geopolitical and operational issues: states potentially structure and that collaboration is a common feature of
monitoring, corrupting, or disrupting the flow of data. undersea cable development. The question comes down
to the risk that a specific company—in this case, Huawei,
Any company that builds parts of cables—whether a com- one with critical foothold in global Internet architecture and
pany like Corning that makes optical fiber or a company alleged close ties to the Chinese government58—is a vec-
like TE SubCom that lays a cable underwater—could po- tor of state geopolitical influence projecting. In this case,
tentially be tapped on the shoulder by a government to the US government has reportedly been warning Pacific
build backdoors into the equipment before deployment. Island countries that Huawei Marine’s cable-building ac-
There are multiple parts of the submarine cable supply tivities pose security risks.59
chain that could each potentially be compromised in this
fashion. This kind of backdooring is distinct from the many One could argue these disputes are essentially two major
other ways in which governments could potentially tap into powers vying for espionage advantage.60 The Chinese
cables once they are deployed, from hacking into remote state-controlled Global Times itself quoted a telecom
network management systems (discussed more in the next industry writer in July 2019 as saying, “The US’s under-
section) to installing physical taps on cable lines. sea battle with Huawei is all about taking control of data
and information, which is also the backbone of networks.
The Chinese company Huawei Marine has been a focus of Washington is worried that China will gain a larger stake
such espionage concerns internationally. Huawei Marine in the submarine cable market so that Americans will not
has no identified ownership stake in any of the 475 under- be able to listen in to networks or steal data from others.”61
sea cables deployed worldwide as of this report’s writing. The Global Times’ propaganda purposes aside, espionage
The company has, however, been involved in laying numer- is a genuine reason for states to be concerned about infor-
ous undersea cables, and repairing those cables, around mation hauled over submarine cables. In 2014, for example,
the world. According to an October 2020 FCC document, after the Snowden leaks about US global espionage and
Huawei Marine has “built or repaired almost a quarter of surveillance programs, Brazil announced plans for its own
the world’s cables.”56 Examples abound of Huawei part- undersea cables “so that data can travel between Brazil
nering with telecoms in other countries to build undersea and the European Union without going through the United
cables. For instance, in April 2019, Huawei announced a States.”62 One such cable was completed in December

56 Federal Communications Commission, “Process Reform for Executive Branch Review of Certain FCC Applications and Petitions Involving Foreign
Ownership,” 82, October 1, 2020, https://docs.fcc.gov/public/attachments/FCC-20-133A1.pdf.
57 Huawei, FiberStars Signs MoU with Huawei to Jointly Build Ultra-Broadband Network, news release, April 8, 2019, https://www.huawei.com/us/
news/2019/4/huawei-fiberstar-mou-ultra-broadband-network.
58 There are many components to this debate over Huawei’s ties with the Chinese Communist Party. For example, see Gordon Corera, “Huawei: MPs
claim ‘clear evidence of collusion’ with Chinese Communist Party,” BBC News, October 8, 2020, https://www.bbc.com/news/technology-54455112;
Lindsay Maizland and Andrew Chatzky, Huawei: China’s Controversial Tech Giant, Council on Foreign Relations, August 6, 2020, https://www.cfr.org/
backgrounder/huawei-chinas-controversial-tech-giant; Li Tao, “Huawei says relationship with Chinese government ‘no different’ from any other private
company in China,” South China Morning Post, December 26, 2019, https://www.scmp.com/tech/big-tech/article/3043558/huawei-says-relationship-
chinese-government-no-different-any-other; Chuin-Wei Yap, “State Support Helped Fuel Huawei’s Global Rise,” Wall Street Journal, December 25, 2019,
https://www.wsj.com/articles/state-support-helped-fuel-huaweis-global-rise-11577280736; Raymond Zhong, “Who Owns Huawei? The Company Tried to
Explain. It Got Complicated,” New York Times, April 25, 2019, https://www.nytimes.com/2019/04/25/technology/who-owns-huawei.html; Graham Webster,
“Five points on the deeply flawed U.S. Congress Huawei report,” TransPacifica.net, October 2012, https://transpacifica.net/2012/10/five-points-on-the-
deeply-flawed-u-s-congress-huawei-report/.
59 Jonathan Barrett, “Exclusive: U.S. warns Pacific islands about Chinese bid for undersea cable project – sources,” Reuters, December 17, 2020, https://
www.reuters.com/article/us-china-pacific-exclusive/exclusive-u-s-warns-pacific-islands-about-chinese-bid-for-undersea-cable-project-sources-
idUSKBN28R0L2.
60 Bruce Schneier writes that “For years, the US and the Five Eyes have had a monopoly on spying on the Internet around the globe. Other countries want
in. As I have repeatedly said, we need to decide if we are going to build our future Internet systems for security or surveillance.” Bruce Schneier, “China
Spying on Undersea Internet Cables,” schneier.com, April 15, 2019, https://www.schneier.com/blog/archives/2019/04/china_spying_on.html.
61 Cheng Qingqing, “Huawei’s undersea cable project moves forward in SE Asia,” Global Times, June 20, 2019, https://www.globaltimes.cn/content/1155060.
shtml.
62 Danielle Kehl, Kevin Bankston, Robyn Greene, and Robert Morgus, Surveillance Costs: The NSA’s Impact on the Economy, Internet Freedom &
Cybersecurity, New America, 16, July 2014, https://static.newamerica.org/attachments/534-surveillance-costs-the-nsas-impact-on-the-economy-internet-
freedom-cybersecurity/Surveilance_Costs_Final.pdf.

ATLANTIC COUNCIL 15
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

2020.63 Private companies with control of Internet infra- for security risks is not adequately resourced to mon-
structure already help states conduct espionage, and that itor the full spectrum of security and resilience risks
risk is pronounced when the entity in question is not pri- posed by certain foreign telecoms. In response, the
vately owned but state-controlled. This is doubly the case US Congress should statutorily authorize the execu-
in a country like China, where authoritarian surveillance tive branch committee responsible for these reviews,
practices—not fully comparable to surveillance carried out ensuring it has the resources and authorities it needs
in the United States—mean there is an even greater like- to screen foreign cable ownership structures for na-
lihood that Beijing would use this vector of influence over tional security risks (Recommendation 1).
the undersea cable infrastructure if desired.
■ Transparency: TeleGeography’s Submarine Cable
Recommendation Previews Map data is comprehensive, but it is also limited by its
use of public sources. The coding of cable ownership
Companies have long led the development of the Internet for this report—specifying if firms are privately owned,
globally, especially in the United States and many other state-controlled, or have an unclear ownership struc-
liberal democracies. In kind, it has been and generally re- ture (just five out of the 383 cable owners)—was sim-
mains a positive and necessary component of submarine ilarly dependent upon open sources and, therefore,
cable construction that many firms from many countries col- has many limitations. Limited transparency into sub-
laborate to fund these financially expensive and logistically marine cable ownership structures limits the ability
intensive projects. But growing exertion of authoritarian of third parties (researchers, third-party firms, etc.) to
control over Internet companies, especially from Beijing evaluate the risks of a government exerting control
and Moscow, calls into question the independence of some over that infrastructure in ways that compromise its
of the firms in these consortia, and thus increases cyberse- security and/or resilience. Increased authorities and
curity and resilience risks. Key policy issues include: resources for the US committee that screens foreign
telecoms for security risks would help to address this
■ Oversight: Federal inspection and monitoring of problem (Recommendation 1). The State Department
foreign telecoms operating in the United States is should also conduct a study on ways to better in-
essential for identifying vectors of potential author- tegrate undersea cables in cyber capacity-building
itarian influence on Internet security and resilience. and foreign assistance programs for infrastructure,
Yet the US government body responsible for moni- focused on these security and resilience questions
toring foreign-owned telecoms in the United States (Recommendation 5).

63 Renato Mota, “Submarine cable that will connect Brazil and Europe is anchored in Fortaleza,” Olhar Digital, December 14, 2020, https://olhardigital.com.
br/en/2020/12/14/noticias/cabo-submarino-brasil-europa-ancorado-fortaleza/.

16 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Trend 2: Companies Using Remote

Management Systems for Cable Networks

I
n addition to who owns and builds undersea cables, the force Internet traffic intended for that region to be routed
technologies used to manage them increasingly create through other points on the global Internet network. Once
risks to cable security and resilience. More companies in control of cable companies’ remote management sys-
are using remote management systems for submarine tems, these attackers could wreak this kind of havoc on
cable networks—tools to remotely monitor and control Internet traffic flows from their keyboards, miles away.
cable systems over the Internet—which are cost-compel-
ling because they virtualize and possibly automate the Adversaries, for instance, could execute such a targeted
monitoring of cable functionality. Yet when these cable attack during a military conflict or other geopolitical cri-
management tools are connected to the global Internet, sis to intercept or disrupt large volumes of Internet traffic;
they expose undersea cables to new risks of hacking— terrorist organizations with requisite offensive cyber capa-
both for monitoring cable traffic and disrupting it altogeth- bilities, to give another example, could even more destruc-
er. This second key trend presents a more operational risk tively attempt to slow swaths of Internet traffic headed to
to Internet security and resilience than the previous trend; the United States or another country, perhaps timed with
much of the opportunity and responsibility for the US gov- some kind of kinetic attack. Potential compromise of cable
ernment to renew its engagement with allies, partners, management systems was a concern at least a decade
and companies to protect these management systems ago, when Nokia introduced submarine cable terminal
comes back to practices like software updates and secu- equipment: it had failed to clearly show the systems were
rity standards. But this risk is still entangled with the other not vulnerable to the attacks used in the Stuxnet opera-
two trends: because companies are increasingly using re- tion against Iran.66 But the planned expansion of Internet-
mote network management systems, states have incen- connected remote network management systems today
tives to hack into them to monitor traffic; and because the has made this security problem dramatically worse for the
volume and sensitivity of traffic sent on the global Internet United States, the US private sector, and US allies and part-
is increasing, intercepting or disrupting that data is more ners around the world.
attractive to governments and criminal actors—and easi-
er through these poorly secured and Internet-connected Every submarine cable must have at least two landing
technologies. points—spots at which it reaches a country’s shoreline and
where its fiber-optic signals are transmitted to users over
The US Office of the Director of National Intelligence land. Landing stations play a key part in the operation of un-
(ODNI) classifies the possibility of cyberattacks against dersea cables. They can perform many functions, including
cable landing stations as a “high risk” to national security.64 terminating international cables, supplying power to cables,
In a worst-case scenario,65 hackers could breach multiple and acting as a point of domestic and/or international con-
remote network management systems used to control dif- nection.67 Their physical security is also important, as nat-
ferent submarine cables to completely disrupt the flow of ural disasters and intentional damage can stop the cables
Internet data across that infrastructure. This could be tar- from transmitting Internet data.68 Historically, the operating
geted at the US mainland or at another geographic area centers located at or near these landing points have been
of interest to a malicious actor (e.g., a conflict zone) to ei- largely managed by on-site personnel or through tools that
ther greatly slow or corrupt Internet traffic delivery and/or are not directly connected to the Internet.69 These systems

64 U.S. Office of the Director of National Intelligence, Threats to Undersea Cable Communications, 7, September 2017, https://www.dni.gov/files/PE/
Documents/1---2017-AEP-Threats-to-Undersea-Cable-Communications.pdf.
65 This is the author’s own scenario as opposed to one described by the ODNI.
66 U.S. Office of the Director of National Intelligence, Threats to Undersea Cable Communications, 14.
67 United Nations International Telecommunication Union, “Cable Landing Stations: Building, Structuring, Negotiating and Risk,” 2, 2017, https://www.itu.int/
en/ITU-D/Regional-Presence/AsiaPacific/SiteAssets/Pages/Events/2017/Submarine%20Cable/submarine-cables-for-Pacific-Islands-Countries/Cable%20
Landing%20Stations%20SNCC.pdf.
68 For example, see a list of security and disaster mitigation infrastructure typical to a landing station: Samia Bahsoun, “Part I: Undersea Cable System:
Technical Overview & Cost Considerations,” NANOG, 6, June 2008, https://archive.nanog.org/meetings/nanog43/presentations/Demystifying_Bahsoun_
N43.pdf.
69 Remote control mechanisms were still used, however. For example, see: Mitsubishi Electric, “Optical Submarine Cable Systems: MF-1280GWS (DRY
PLANT),” May 29, 2008, http://www.mitsubishielectric.com/bu/communication/transmission/submarine/products/dryplant_b.html; United Nations
International Telecommunications Union. ITU-T Recommendation G.977. Series G: Transmission Systems and Media, Digital Systems and Networks, 25,
Geneva: International Telecommunications Union, December 2006. 25, https://www.itu.int/rec/T-REC-G.977-200612-S/en.

ATLANTIC COUNCIL 17
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

were built for tasks such as ensuring signal connectivity undersea.”72 Malicious control of those systems could en-
and maintaining power flows.70 It is these operational tools, able actors to harmfully alter or disrupt Internet traffic de-
often managed by private firms, that help enable the geo- livery across key cables.
politically consequential activities on the global Internet,
from personal communications to financial transactions, The risk of cable disruption through hacking is magnified
scientific research, and the sending of government docu- by poor security practices by some of these software ven-
ments, for which data is hauled over cables. dors (e.g., poorly securing communications between the
virtualization interface and the physical infrastructure).73
Now, however, more companies that manage submarine The relative lack of diversity among remote management
cables are connecting their landing points and operating system vendors creates additional security risk through
centers to remotely controllable “network management centralization74—compromises of one technology (e.g.,
systems.” These tools are compelling to companies be- backdooring updates, discovering a new vulnerability,
cause they do not require personnel to be on site. Working etc.) could have wider effects on cables. Many remote net-
from afar, companies can monitor the data sent over cables work management systems also use common operating
and even alter fiber-optic signals, all through a virtual inter- systems like Linux or Microsoft Windows with which more
face. Yet it is not just about cost and convenience. Optical malicious actors are likely familiar, as opposed to highly
fiber technology in undersea cables has grown more so- specialized and obscure interfaces that are sometimes
phisticated over the last two decades. Thus, managing a used in such infrastructure control systems.75 And the way
cable system and a landing station now includes manag- vendors update and can control systems once deployed
ing complex signal configurations.71 Hence the demand on the customer end might introduce other kinds of risks
for more sophisticated cable management software that into this part of the cable supply chain. Malicious actors
is Internet-connected and can exert physical changes to could exploit these realities to disrupt cable signals.
fiber signals themselves.
Beyond disruption, hacks of remote network manage-
This push for cost-effectiveness and remote monitoring in- ment systems could enable malicious actors to intercept
troduces new vectors of cybersecurity risk. By introducing data flowing through landing stations. Hacking into poorly
a software-driven, “virtualized” layer of control over cable secured network management systems to intercept and
systems—one connected to the Internet—cable owners collect traffic can be relatively low-cost.76 Governments
are exposing themselves to potential hacks of submarine already turn to private companies within their borders to
cables through that technology. These hacks could dis- collect data for a range of purposes, including legitimate
rupt or degrade signals traversing the submarine cable foreign intelligence and law enforcement purposes and/
fibers. For instance, TE Subcom, a US-incorporated firm or unchecked surveillance, depending on the specific
that builds cable equipment, offers an “Ocean Control country and specific case.77 In many democracies, this
suite” that uses application programming interfaces (APIs) can create tensions with private companies that want to
to offer “extensive remote programmability and control of limit their involvement with state espionage activities and/
an entire communications network, both terrestrial and or have other obligations such as privacy, transparency,

70 Nomura Kenichi and Takeda Takaaki, “Optical Submarine Cable Network Monitoring Equipment,” NEC Technical Journal 5 (1) (2010): 33, 33-37, https://
www.nec.com/en/global/techrep/journal/g10/n01/pdf/100108.pdf.
71 Ibid.
72 LightWaveOnline.com, “TE SubCom launches Ocean Control suite for remote programmability and terrestrial and undersea cable network control,” May
10, 2018, https://www.lightwaveonline.com/network-design/article/16676184/te-subcom-launches-ocean-control-suite-for-remote-programmability-and-
terrestrial-and-undersea-cable-network-control; TE SubCom, TE SubCom announces Ocean Control suite, first offering of full network programmability
for undersea domain, press release, May 8, 2018, https://www.subcom.com/documents/Ocean_Control_Full_Network_Programmability_TE_
SubCom_8MAY2018.pdf.
73 Michael Sechrist, New Threats, Old Technology: Vulnerabilities in Undersea Communications Cable Network Management Systems, Harvard Belfer
Center for Science and International Affairs, 10, 12-15, February 2012, https://www.belfercenter.org/sites/default/files/files/publication/sechrist-dp-2012-03-
march-5-2012-final.pdf.
74 Daniel Voelsen, Cracks in the Internet’s Foundation: The Future of the Internet’s Infrastructure and Global Internet Governance, German Institute for
International and Security Affairs, 21, SWP Research Paper 14, November 2019, https://www.swp-berlin.org/fileadmin/contents/products/research_
papers/2019RP14_job_Web.pdf.
75 Sechrist, New Threats, Old Technology, 13; Kenichi and Takaaki, “Optical Submarine,” 35.
76 DJ Pangburn, “Wiretapping Undersea Fiber Optics Is Easy: It’s Just a Matter of Money,” VICE, July 22, 2013, https://www.vice.com/en/article/wnnmv9/
undersea-cable-surveillance-is-easy-its-just-a-matter-of-money.
77 The US government itself is no stranger to turning to private companies for foreign intelligence collection. See, for example, Craig Timberg and Ellen
Nakashima, “Agreements with private companies protect U.S. access to cables’ data for surveillance,” Washington Post, July 6, 2013, https://www.
washingtonpost.com/business/technology/agreements-with-private-companies-protect-us-access-to-cables-data-for-surveillance/2013/07/06/aa5d017a-
df77-11e2-b2d4-ea6d8f477a01_story.html.

18 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Physical Threats to Landing Stations

Physically securing cable landing stations against potential physical disruptions to submarine cable in-
power outages, natural disasters, and malicious activ- frastructure has focused on terrorism risks, where at-
ity (e.g., manual insertion of monitoring equipment) re- tackers could seize or physically destroy landing station
mains a key part of protecting undersea cables. This infrastructure. The focus in this section remains on re-
is particularly the case in a nation-state context where mote hacks of network management systems because
intelligence services could work to compromise land- of the accelerating nature of the risk, but investments in
ing stations through human operatives, such as plant- physical security and continuity-of-operation protocols
ing monitoring equipment directly onto landing station for cable landing stations remain critically important for
infrastructure. Much national security concern around the private sector as well.

and customer protections.78 All to say, there may already systems once compromised may not be a straightforward
be technical mechanisms in place for private companies effort: “legal, cultural, and language barriers may limit the
to intercept data for governments, and third parties could ease and effectiveness of information flow in the event of a
potentially abuse those mechanisms. Governments can disruption, and depending on where cable disruption symp-
also hack directly into cable management systems to steal toms appear, public agencies without a local presence may
data.79 Yet securing undersea cable management systems struggle to coordinate a timely response.”83 It is an excep-
against malicious data theft and monitoring is even more tionally impactful case in the broader Internet infrastructure
challenging when (a) more companies’ remote manage- security conversation. All of this presents risks to the secu-
ment tools are Internet-connected and (b) many cables rity and resilience of the Internet.
and their operations centers are controlled by consor-
tia of firms.80 As the data compiled for this report show, Recommendation Previews
these owners may be spread across many countries and
are in some cases state-controlled. It is an important chal- The US government has few measures in place to ensure
lenge for Internet security and resilience, as protecting the the software control systems for key traffic hubs, even
Internet data itself also means protecting the infrastructure those located in the United States, are secure; companies
across which they travel.81 may be deploying poorly secured remote network man-
agement systems that potentially compromise the secu-
In sum, network management systems deployed by cable rity and resilience of US Internet connectivity and Internet
owners increase submarine cables’ attack surface: with re- data. The US private sector also co-owns only a portion of
mote, Internet-connected control systems linked directly global undersea cables, often with other companies. That
to the Internet’s physical infrastructure, hacks can be con- said, the US government has valuable nexus over sub-
ducted from afar and “could physically change a network marine cables given what influence the US private sector
or drop communication paths altogether.”82 Attackers need does have over cables (discussed more in the next section)
not be physically on site to undermine Internet security as well as the private sector’s control of undersea cables
and resilience. Developers of these management systems touching US borders. Taken together, this gives the US
may also not prioritize securing them due to poor mar- government an opportunity and responsibility to expand
ket incentives; like many industrial control systems, these cooperation with allies, partners, and the US private sec-
technologies are most often designed for convenience and tor to build solutions to the operational security risks of
functionality above cybersecurity. Further, restoring these remote cable management systems. This could produce

78 Susannah Larson, “Submarine Cable Network Security Panel,” PTC ’17 Submarine Cable Workshop, 6, January 15, 2017, https://online.ptc.org/assets/
uploads/papers/ptc17/PTC17_SUN_WS_Subcable%202_Stafford.pdf.
79 See, for example, Lana Lam, “EXCLUSIVE: US hacked Pacnet, Asia Pacific fibre-optic network operator, in 2009,” South China Morning Post, June 22,
2013, https://www.scmp.com/news/hong-kong/article/1266875/exclusive-us-hacked-pacnet-asia-pacific-fibre-optic-network-operator.
80 Panagiota Bosdogianni, “Submarine Cable Network Security Panel,” PTC ’17 Submarine Cable Workshop, 8, January 15, 2017, https://online.ptc.org/assets/
uploads/papers/ptc17/PTC17_SUN_WS_Subcable%202_Stafford.pdf.
81 NATO Cooperative Cyber Defence Centre of Excellence, Strategic importance of, and dependence on, undersea cables, 3, November 2019, https://
ccdcoe.org/uploads/2019/11/Undersea-cables-Final-NOV-2019.pdf.
82 Ibid., 14.
83 Ibid., 13.

ATLANTIC COUNCIL 19
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

valuable effects on scaling up security across the Internet tion worldwide (discussed more in the third section),
ecosystem. Key policy issues include: should craft and publish strategies for promoting the
security and resilience of their cable infrastructure in
■ Security Baselines: Remote network management response to these risks (Recommendation 8).
systems, as with many industrial control systems, are
often poorly secured. Cable owners using these tech- ■ Threat Sharing: The submarine cable industry, de-
nologies are exposing the physical infrastructure itself spite these growing digital threats, still does not have
to possible surreptitious monitoring or outright disrup- robust mechanisms in place to share threat intelli-
tion. In response, the US government should use the gence on undersea cable hacking risks. Cable sys-
point of leverage it has available—incentivizing private tems are, meanwhile, only more attractive hacking
firms incorporated in the United States to use more targets as they become more important for key socie-
secure remote network management systems for un- tal functions—from civilian communication and public
dersea cables, founded on a set of clear cybersecu- health to government document sharing and scien-
rity baselines and best practices (Recommendation tific research—and as the data across them becomes
3). While the order is more focused on information more sensitive (discussed more in the next section).
technology, this aligns in principle with the Biden In response, US-based submarine cable owners
administration’s executive order that places priority should work with federal, state, and local authorities
on addressing the security of “critical software” in to establish public-private Information Sharing and
the supply chain.84 Amazon, Facebook, Google, and Analysis Centers (ISACs) for cyber threats to under-
Microsoft, increasingly responsible for cable construc- sea cables (Recommendation 7).

84 White House, Executive Order on Improving the Nation’s Cybersecurity, May 12, 2021, https://www.whitehouse.gov/briefing-room/presidential-
actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

20 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Trend 3: Increasing Volume and Sensitivity

of Data Sent Over Undersea Cables

T
here is more data sent over undersea cables each Although much discussion of 5G infrastructure focuses on
day, and that data is also becoming more sensi- the network’s software-driven nature, 5G does not eliminate
tive. The COVID-19 pandemic has accelerated the the need for undersea cables—on the contrary, 5G will only
former trend, shifting more living, learning, and further increase the volume of data flowing over cables. For
working online and dramatically increasing the amount of Internet content to be sent over cellular networks today, that
traffic moving over the Internet’s physical backbone.85 5G cell tower network must connect to servers and cables that
will similarly contribute to a massive increase in Internet can deliver the endpoint-housed data (like for smartphone
data routed over cables. The latter trend, increasing data users browsing TikTok or logging into a mobile banking
sensitivity, is predominantly tied with the rise of cloud com- app). In other words, because Internet content itself is not
puting—where private companies rent out storage space stored on cell company networks, once a phone makes a re-
and processing power to clients—as these companies are quest for Internet data, the cellular tower infrastructure must
increasingly moving previously offline or back-end func- at some point connect to the global Internet to retrieve it.
tions and data onto the global Internet. The effect on eco- This will not change with 5G. The fifth generation of cellular
nomic and national security is straightforward: the more network technology may use less hardware and have more
data, and the more sensitive data, that travels over under- sophisticated software functionality than its 4G predecessor.
sea cables, the more important their security and resilience But if 5G networks are going to deliver the data speed and
becomes. Errors with and disruptions to this traffic become bandwidth that experts predict, they will rely on fast and resil-
more disruptive to society as a whole, harming individuals ient submarine cable infrastructure to carry the Internet con-
as well as public and private organizations across health, tent ultimately delivered to 5G network users.90 In turn, 5G’s
commerce, defense, and transportation and logistics. higher data speed and bandwidth, and constant communi-
States exerting more control over cable owners know that cation with high volumes of Internet of Things (IoT) devices,
the growing volume and increasing sensitivity of Internet will result in even more data flowing over submarine cables.
data makes data interception and manipulation more valu-
able. Those looking to hack into cable landing stations or Simultaneously, data sent over submarine cables is increas-
remote cable management systems likewise recognize the ingly sensitive to the US economy and national security, and
growing value of this sensitive data. this second shift is tied to the accelerated growth of cloud
computing. US cloud service providers are routing more data
There are many metrics that capture the growing volume over the Internet as their customer bases grow. Many critical
of data sent over undersea cables: Hundreds of millions sectors are becoming more dependent on cloud computing
of tweets and billions of emails and other messages are by the month, including firms in financial services, energy,
sent online daily.86 In 2020, Internet users worldwide spent healthcare, shipping and logistics, and defense that pay
an average, per capita, of three hours online every day, cloud service providers to store and send their data. In prac-
and that is expected to rise by 6 percent in 2021.87 More tice, this means that more of their information is being sent
American households are subscribed to the Internet every across the global Internet instead of just back-end, intranet
year.88 One estimate says global interconnection band- systems.91 It is in many cases highly sensitive, and highly
width will grow at a 45 percent compound annual growth valuable, data. Financial service providers might store cus-
rate from 2019 to 2023,89 yielding a potentially massive tomer data in the cloud for real-time access; transportation
increase in the volume of data hauled by submarine cables and logistics companies may run their inventory manage-
in just the next few years. ment systems on a third-party cloud system.

85 TeleGeography, “State of the Network: Updates on COVID-19,” accessed January 14, 2021, https://www2.telegeography.com/network-impact.
86 Jeff Desjardins, “How much data is generated each day?” World Economic Forum, April 17, 2019, https://www.weforum.org/agenda/2019/04/how-much-
data-is-generated-each-day-cf4bddf29f/.
87 Statista, “Average daily time spent per capita with the internet worldwide from 2011 to 2021,” accessed January 14, 2021, https://www.statista.com/
statistics/1009455/daily-time-per-capita-internet-worldwide/.
88 Internet usage in the United States (New York: Statista, 2020).
89 Olu Rowaiye, “North America to Consume 41% of the World’s Interconnection Bandwidth,” Equinix, October 14, 2020, https://blog.equinix.com/
blog/2020/10/14/north-america-to-consume-41-of-the-worlds-interconnection-bandwidth/.
90 See, for example, Brian Lavallée, “5G wireless needs fiber, and lots of it,” Ciena, July 11, 2019, https://www.ciena.com/insights/articles/5G-wireless-needs-
fiber-and-lots-of-it_prx.html.
91 Justin Sherman and Tinajiu Zuo, Cloud Computing As Critical Infrastructure, Atlantic Council, forthcoming.

ATLANTIC COUNCIL 21
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Defense and intelligence contractors may also run national Bay.94 This means the US private sector has a notable influ-
security-critical services on government-approved cloud ence on the global Internet’s physical shape, considering
systems to offload the costs of managing servers in-house. the US has at least one corporate owner with stake in 22
Government agencies are moving to the cloud at varying percent of the world’s undersea cables. By extension, the
speeds and to varying degrees; not every implementation US private sector also has a notable influence on the secu-
involves an equal dependence, at present, on third-party rity and resilience of the data sent across that infrastructure.
cloud systems housing sensitive data and services. But At the same time, however, it is not a dominant influence.
cloud adoption by the defense base is growing. Every time Many cables with US ownership have several other corpo-
companies in these sectors retrieve sensitive data and ser- rate owners from other countries. Over two-thirds of cables
vices from the cloud, that information is potentially routed do not even have a US-incorporated owner. Sensitive data
over submarine cables, especially when data transfers are for critical US sectors, from public health to financial ser-
intercontinental (e.g., a company linking to a cloud server vices, is routed not just over American-owned infrastructure
overseas). Compromising this data could enable criminals, but over that owned by many firms around the world.
terrorists, and especially foreign nation-states to use it for
their own gain. The sensitivity of the data sent over the global US cloud providers are a unique point of leverage for the
Internet is also shifting alongside its rapidly growing volume. US government as they increasingly invest in undersea
cables. Unlike in China or Russia, however, where state
The accelerated growth of cloud computing is directly rel- leverage over Internet companies is used for the likes of
evant to how the US government can better work with al- BGP traffic hijacking, the US government can use this nexus
lies, partners, and companies to protect submarine cables. to incentivize better security. This is because the US “hy-
This is because these providers are not just moving more per-scalers” Amazon, Google, and Microsoft—nicknamed
data over Internet infrastructure—they increasingly own as such for their scaled-up infrastructure—have been
that infrastructure too, giving them a growing responsibil- spending substantially more money on submarine cables
ity to protect its security and resilience. As the Submarine in recent years. (They also dominate the cloud computing
Telecoms Forum’s 2020 industry report put it, “providers market, a centralization which itself presents economic and
such as Amazon, Facebook, Google and Microsoft are security risks.95) Their American incorporation and substan-
completely transforming the submarine cable market. They tial federal contracting present an opportunity for the US
are no longer reliant on Tier 1 network operators to provide government to incentivize better protections on their cable
capacity and are simply build(ing) the necessary infrastruc- systems. In tandem, these cloud providers’ responsibility to
ture themselves.”92 This accelerated investment became protect the infrastructure’s security and resilience grows.
clear in 2019, when TeleGeography noted that Facebook Figure 9 illustrates this growing cloud provider investment.
as well as Amazon, Google, and Microsoft—the three major
US cloud providers—were taking a newly active role in the The three “hyper-scalers” investing more money in sub-
changing shape of the Internet.93 marine cable development does not by itself mean more
cloud data is sent across the cables—owning an undersea
The US private sector already has a notable influence on cable is different than relying on it to carry data. However,
submarine cables. Figure 8 shows the number of undersea given that the amount of Internet bandwidth consumed
cables deployed worldwide with at least one private US by cloud service providers is growing, the corresponding
owner. increase in hyper-scaler investment in submarine cables
appears to reflect these firms’ strategic interest in resilient
US government cooperation with allies and partners physical infrastructure that hauls data quickly. Maintaining
abroad, as well as with the US private sector, is essential to a secure and resilient submarine cable network is critical
better securing this vital Internet infrastructure. One hun- to safely and reliably routing cloud service provider data.
dred and six of the 475 undersea cables (22 percent) de- Maintaining cable ownership is also an opportunity for
ployed worldwide as of December 2020 have at least one these firms to profit off growing Internet traffic demands
US private sector owner. The US government itself only has worldwide in the process.96 Not all cloud data is routed over
ownership in two cables, which are linked to Guantanamo undersea cables, but it becomes more likely as the global

92 Submarine Telecoms Forum, Inc., Submarine Telecoms Industry Report: 2020/2021 Edition, October 23, 2020, https://subtelforum.com/products/
submarine-telecoms-industry-report/.
93 Jayne Miller, “This is What Our 2019 Submarine Cable Map Shows Us About Content Provider Cables,” TeleGeography Blog, March 19, 2019, https://blog.
telegeography.com/this-is-what-our-2019-submarine-cable-map-shows-us-about-content-provider-cables.
94 These are the GTMO-1 (ready for service in 2016) and GTMO-PR (ready for service in April 2021) cables.
95 Sherman and Zuo, Cloud Computing.
96 Amazon Web Services, for example, touts its global Internet infrastructure backbone on its website: AWS.Amazon.com, “Global Network,” accessed
January 14, 2021, https://aws.amazon.com/about-aws/global-infrastructure/global_network/.

22 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

cloud infrastructure expands (with many servers around the Figure 8: Cables with at Least One Private US Owner
world) and many cloud service provider clients have opera- (December 2020 Snapshot)
tions based in multiple countries (and thus require Internet
data to be hauled intercontinentally).
22%
Google is by far the most active investor in undersea cables,
with ownership stake in ten different cables that should be
ready for service in 2021. It remains to be seen how many
more cables Google might invest in for 2022. It is unlikely
these investments are going to subside, based on estimates
that place global spending on cloud services at hundreds
of billions of US dollars a year and rapidly growing.97 Digital
services depend on underlying physical infrastructure, so
rising dependence on the former means rising dependence
on the latter. This is also one explanation for why Facebook,
which does not offer cloud services but runs its own Internet
platform, is investing more in cable ownership.
78%
Facebook’s investment in submarine cable development
is, notably, even more accelerated than that of Amazon or
Microsoft. Amazon currently has ownership stake in a 2020 At least one US private owner
cable and a 2022 cable, and Microsoft has ownership stake No US private owner
in just two 2021 cables, while Facebook has ownership stake
in three cables deployed in 2020 alone. The firm has made Source: Data from TeleGeography’s Submarine Cable Map
a concerted push to expand physical Internet infrastructure website visualized by author.
around the world, including as a way of growing its market
power.98 Submarine cable investments are, therefore, attrac-
tive not just to cloud service providers but to other private messaging, and more. There is not just a growing volume
Internet companies that need fast and reliable data routing of data traversing undersea cables, however; the sensitiv-
infrastructure. All the while, the more these companies in- ity of that data is also increasing. Explosive growth in cloud
vest in shaping the physical topology of the Internet and computing has led more critical sectors, from defense to
maintaining cable networks, the greater their responsibility health to finance to supply and logistics, to transition their
to protect its security and resilience. They are the ones with data and services to the cloud. In the process, more and
direct ownership stake in the infrastructure. They may also more sensitive information, vital to everything from global
control many of the data centers to and from which signifi- financial markets to public health, is transmitted over un-
cant volumes of Internet data flow. Further, there are many dersea cables. This makes securing the cables, and ensur-
benefits to having independence between private US cable ing their resilience, an urgent issue for the US government
owners and the US government compared to other coun- in cooperation with allies, partners, and the private sector.
tries where the state is heavily involved in the building and The growing centralization of new, US-connected cable
management of most Internet infrastructure—and there is a infrastructure in the hands of a few cloud service provid-
benefit to keeping it that way. But that means these private ers (Amazon, Google, and Microsoft) as well as Facebook
firms must do more to address security and resilience risks. increases the urgency of ensuring proper investment in
security and resilience. Key policy issues include:
Recommendation Previews
■ Fast Repairs: The increasing volume and sensitivity
Undersea cables underpin global Internet traffic deliv- of data routed over submarine cables means security
ery, routing data every day for financial transactions, sci- compromises and service disruptions can inflict even
entific research, government communications, personal greater harm on economic and national security.

97 Statista, “Public cloud services annual growth rate worldwide from 2020 to 2022, by segment,” accessed January 15, 2021, https://www.statista.com/
statistics/258718/market-growth-forecast-of-public-it-cloud-services-worldwide/; Gartner, Gartner Forecasts Worldwide Public Cloud End-User Spending
to Grow 18% in 2021, press release, November 17, 2020, https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-
public-cloud-end-user-spending-to-grow-18-percent-in-2021; Kimberly Mlitz, “Cloud Computing – Statistics & Facts,” Statista, March 30, 2021, https://www.
statista.com/topics/1695/cloud-computing/.
98 For example, see a Facebook blog post touting the company’s investment in undersea Internet cables: Najam Ahmad and Kevin Salvadori, “Building a
transformative subsea cable to better connect Africa,” Facebook Engineering, May 13, 2020, https://engineering.fb.com/2020/05/13/connectivity/2africa/.

ATLANTIC COUNCIL 23
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Figure 9: Current Big Tech Cable Ownership, by Year Ready for Service (December 2020 Snapshot)
12

10

0
2015 2016 2017 2018 2019 2020 2021 2022 2023

Amazon Facebook Google Microsoft

Source: Data from TeleGeography’s Submarine Cable Map website visualized by author.
Note: Cables listed in the future are coded based on their expected ready-for-service date.

Coordinating the quick repair of these cables is often effective ways possible. The FCC should focus more
difficult for private companies working with consor- resources on interagency coordination on cable out-
tia of other cable owners incorporated in a range of ages, as the range of data traversing submarine cables
countries.99 The US Congress already funded the is of concern to many agencies across the federal gov-
Cable Ship Security Program to speed up repairing ernment (Recommendation 4). This feeds into support-
damage to US national security-relevant submarine ing other objectives, such as fast repairs of cables via
cables. The program is being stood up now, but at the US Cable Ship Security Program mentioned above.
least one year into its launch, Congress should con-
duct a review of whether the program requires fur- ■ Norms: Undersea cables are already vulnerable to es-
ther funding (Recommendation 2). Internationally, pionage and cyberattack, and this is especially true with
the Department of State should conduct a study on poorly secured and Internet-connected remote cable
ways to better integrate fast cable repair into ca- management tools. If badly secured, these systems are
pacity-building and foreign assistance work globally more susceptible to compromise and with even less
(Recommendation 6). And US cable owners—includ- advanced capabilities. In response, the Department of
ing Amazon, Facebook, Google, and Microsoft— State should strengthen international norms against
should publish strategies to promote the security and nation-states damaging or disrupting undersea cables
resilience of their cable infrastructure, including plans (Recommendation 5). Because of the legal complexity
on cable repairs (Recommendation 8). of protecting international cables located outside of
a country’s territory, the frequently multiparty owner-
■ Outage Reporting: Cable outages occur for many rea- ship structures of undersea cables, and other factors,
sons, most often not malicious: weather events, ship “international State involvement is critical to the twin
collisions, and other incidents can physically damage goals of victim compensation and deterrence against
cables; power outages and other electrical or digital future depredations.”100 Especially when it comes to
problems can likewise disrupt cable operations. The authoritarian governments in Beijing and Moscow, and
FCC focused additional resources on monitoring such Internet governance “swing states” who may find the
events in 2016, but there is still more work to be done idea of cable damage or disruption compelling, the US
to ensure that cable outages are communicated—and government must act in concert with allies and partners
responses are coordinated—in the most efficient and to bolster norms against those actions.

99 There are a number of procedures available to firms to share information about cable outages and repairs with other implicated companies. See, for
example, International Cable Protection Committee, “Recommended Co-ordination Procedures for Repair Operations near Active Cable Systems,” ICPC
Recommendation No. 4, Issue: 8C, February 24, 2014.
100 Mick P. Green and Douglas R. Burnett, Security of International Submarine Cable Infrastructure: Time to Rethink? International Cable Protection
Committee, 8, 2008.

24 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Recommendations

F
or all the attention paid to communications tech- the following recommendations for the US government,
nologies like satellites or 5G cellular networks, the along with the private sector and allies and partners, to bet-
vast majority of global Internet communications still ter protect the security and resilience of submarine cables:
travel through metal-encased, fiber-optic tubes laid
along the ocean floor. It is these submarine cables, de- 1. The US Congress should statutorily authorize the
ployed in the hundreds globally, that help haul everything US executive branch body responsible for monitor-
from scientific research to e-commerce to government ing foreign-owned telecoms in the United States for
communications around the world. The international deliv- security risks: the Committee for the Assessment of
ery of Internet data depends directly on this infrastructure’s Foreign Participation in the United States Telecommu-
function. Much of this infrastructure is multi-owned by con- nications Services Sector (formerly the informal Team
sortia of private and state-controlled firms. And, important- Telecom).101 This would provide it with the necessary
ly, this physical infrastructure is not set in stone. Just as the funding, review authority, and formal structure to
Internet was created and built by humans, the Internet’s better screen foreign telecoms that own cables. The
physical shape continues to be shaped by humans, as newly renamed organization is a coordinating entity
cable owners look to expand global Internet connectivity between several federal agencies, with the FCC play-
and upgrade older physical infrastructure. As societal re- ing a key role on the telecom referral and licensing
liance on the Internet grows, more investments in subma- side, and the Department of Homeland Security (DHS)
rine cables reflect a concurrently growing need to ensure and the DOJ playing a key role on the security review
the Internet’s physical backbone is secure and resilient. side. However, a June 2020 Senate report, produced
after months of investigations into the organization,
Three trends, however, are accelerating risks to the secu- found the committee had been conducting “minimal
rity and resilience of undersea cables. First, authoritarian oversight” of Chinese state-owned telecoms in the
states are reshaping the Internet’s physical topology and United States in ways that “undermined the safety
digital behavior through companies, introducing new pos- of American communications and endangered our
sibilities of espionage and disruption, and reshaping the national security.”102 Resource constraints were com-
Internet infrastructure to favor their Internet governance pelling the participating agencies to devote more
models. Second, more cable owners are linking cable land- time, money, and personnel to interagency work on
ing stations to remote network management tools, which the Committee on Foreign Investment in the United
exposes cables to hacking and disruption. And third, the States (CFIUS) than the telecom security review com-
volume of Internet data sent daily grows, as does its sen- mittee.103 Because it did not have formal authorities
sitivity; thus, society is more reliant on cables being secure and structure, the group also “had no formal, written
and resilient, and there are more incentives for states and processes for reviewing applications or monitoring
other actors to intercept, disrupt, or manipulate the deliv- compliance with security agreements,” and if it did
ery of this valuable information. not choose to enter into a security agreement with
a foreign carrier, it lacked other means of getting in-
But even with the influence the US private sector has on sight into the carrier’s operations.104 The US Congress
global cable development, the private sector cannot go should mitigate this problem by statutorily authorizing
it alone. Poor market incentives for robust security—com- the executive branch committee, just as it did in 2007
bined with new threats and an internationally collaborative with CFIUS, to give the organization more resources
system of cable construction and management—mean the and authorities to more expansively screen foreign
US government must also better engage with allies and cable ownership for national security risks. If the US
partners to protect the security and resilience of this sub- government wants to be more proactive in assess-
marine cable infrastructure. To this end, this report makes ing the national security and resilience risks to the

101 Team Telecom, a previously ad hoc group, was transformed into an official executive branch committee as a result of a 2020 executive order. See, Trump
White House, “Executive Order on Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications
Services Sector,” April 4, 2020, https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-establishing-committee-assessment-foreign-
participation-united-states-telecommunications-services-sector/.
102 United States Senate Permanent Subcommittee on Investigations, Threats to U.S. Networks: Oversight of Chinese Government-Owned Carriers, 2, June
2020, https://www.hsgac.senate.gov/imo/media/doc/2020-06-09%20PSI%20Staff%20Report%20-%20Threats%20to%20U.S.%20Communications%20
Networks.pdf.
103 Ibid., 43-44.
104 Ibid., 3-4.

ATLANTIC COUNCIL 25
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

Internet’s physical backbone, it must invest more time whether additional funding for more vessels would
and resources into conducting those reviews, and it bolster submarine cable security and resilience for
must give more authorities to the committee to do so, the United States.
including legally requiring a periodic reassessment
of foreign carriers and allowing the organization to 3. The US executive branch should create and promote
inspect foreign carriers with which it has no existing the use of security baselines and best practices for
security agreement.105 This expanded review process cable remote network management systems. More
should include a more intensive focus on ownership cable owners are deploying Internet-connected in-
structures of cable owners and cable consortia, as dustrial control systems to remotely manage com-
more authoritarian governments work to reshape plex cable infrastructure. These systems could be
the Internet’s physical topology and digital behavior remotely compromised to disrupt or deny the delivery
through sometimes opaque ownership structures and of Internet data across cables, a risk compounded by
influence. It should also include considering the se- the poor market incentives for developers of these
curity risks of remote network management systems technologies to legitimately prioritize cybersecu-
deployed by cable owners. And the expanded secu- rity. As such, the National Institute of Standards and
rity review process should consider not just the direct Technology (NIST) should create a set of security
owner of a particular cable but all of the providers and standards and best practices for vendors that build
subsidiary firms that interact with the cable or its data cable remote network management systems, and for
en route. the submarine cable owners that ultimately deploy
those technologies at cable landing stations. NIST’s
2. The US Congress should conduct a study, starting no deep technical expertise and widely respected frame-
earlier than one year into the program’s launch, on work-creation process makes it well suited to craft
the Cable Ship Security Program that was authorized a list of security standards and best practices for
in the National Defense Authorization Act (NDAA) the private sector. Then, the US executive branch,
for 2020.106 The Department of Transportation is particularly large and influential agencies like the
currently in the process of standing up the program Department of Defense, should consider adopting
with two vessels, so that government-authorized, those security baselines and best practices into pro-
privately owned ships are on standby to repair dam- curement requirements for any companies doing
aged submarine cables relevant to US national se- business with the federal government that also own
curity.107 This program, therefore, helps ensure that undersea cables carrying US, and likely US govern-
alongside commercial investment in cable resilience, ment, data. If the US government is going to have
the US government is taking steps to repair dam- more of its data routed over the global Internet via
aged submarine cables more quickly than they might the public cloud in the coming years, it should be
otherwise be if left entirely up to the private sector. invested in protecting the security and resilience of
Far from a purely national security issue, though, the the remote technologies that manage the underlying
Cable Ship Security Program also promises many infrastructure because their compromise could have
economic and public benefits for the United States serious effects on economic and national security.
in the way of sped-up repairs—and as such, there
are many stakeholder departments and agencies 4. The Federal Communications Commission should
across the federal government with equities in the invest more resources in promoting and maintaining
program. The program is beginning with two vessels, federal interagency cooperation on resilience threats
but it is possible the US government may ultimately to submarine cables. While this has been an FCC ef-
require more. Congress should, therefore, conduct a fort for several years now,108 the growing threats to
review of the Cable Ship Security Program beginning undersea cable security and resilience make this in-
no earlier than one year into its full launch, exploring ternal federal coordination an even higher priority.

105 Ibid., 9-10.

106 Rob Wittman, “The greater risk to national security you’ve never heard of,” Defense News, January 30, 2020, https://www.defensenews.com/battlefield-
tech/c2-comms/2020/01/30/the-greatest-risk-to-national-security-youve-never-heard-of/. Specifically, see the 2020 National Defense Authorization Act
Section 53202: “The Secretary, in consultation with the Operating Agency, shall establish a fleet of active, commercially viable, cable vessels to meet
national security requirements. The fleet shall consist of privately owned, United States-documented cable vessels for which there are in effect Operating
Agreements under this chapter, and shall be known as the Cable Security Fleet.”
107 Notice by the Maritime Administration, “Request for Applications To Be Considered for Enrollment in the Cable Security Fleet,” Federal Register, January
5, 2021, https://www.federalregister.gov/documents/2021/01/05/2020-29159/request-for-applications-to-be-considered-for-enrollment-in-the-cable-
security-fleet.
108 Federal Communications Commission, Improving Outage Reporting for Submarine Cables and Enhanced Submarine Cable Outage Data, 29-30, July 12,
2016, https://transition.fcc.gov/Daily_Releases/Daily_Business/2016/db0712/FCC-16-81A1.pdf.

26 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

The FCC should focus on such measures as infor- cable, or what constitutes illegitimate government
mation sharing on resilience threats and continued action against undersea cables (e.g., excluding non-
reassessments of the effectiveness of outage report- disruptive espionage); and also establish baseline
ing requirements, which were expanded in March understandings of how countries view cable protec-
2020.109 The agency should also work with state and tion in existing agreements (e.g., whether the United
local authorities to integrate cable resilience best Nations Group of Governmental Experts’ language on
practices into permitting decisions, which would cre- critical infrastructure applies to cables). This also must
ate stronger incentives for cable owners to invest in include communicating the potential costs of states
protecting cable resilience.110 FCC action here can engaging in cable disruption.
help identify risks, take mitigating steps as neces-
sary, and forge better coordination mechanisms with 6. The Department of State should also conduct a
the private sector (including through ISACs discussed study on ways to better integrate undersea cables
below). Preventing disruptions to cable operation can into cyber capacity-building and foreign assistance
support the delivery of Internet data and thus eco- programs for infrastructure worldwide, focused on se-
nomic and national security. curity and resilience questions. Disruptions of under-
sea cables abroad can still undermine US economic
5. The Department of State should pursue confi- and national security by cutting or slowing Internet
dence-building measures to strengthen international connectivity to other parts of the world, and even hin-
norms against nation-states damaging or disrupting dering data flows to the United States. These cable
undersea cables. The political will for any kind of disruptions can also undermine human rights, the free
international legal treaty to protect submarine ca- flow of information, and economic and national se-
bles is limited: It is difficult to imagine Beijing and curity in ally and partner countries. The Department
Moscow signing onto any agreement that would of State should, therefore, conduct a study on ways
tie their own hands vis-à-vis disruptively interfering to make this issue a more integral part of its cyber
with physical cable infrastructure, whether for stra- capacity-building and foreign assistance work with
tegic, conflict, or domestic repression purposes. The allies and partners. Options might include working
United States could pursue such legal agreements with other governments to establish cable repair pro-
in bilateral or limited multilateral capacities, such as grams in their own countries, working with other gov-
within the NATO bloc, which could communicate a ernments and their private sectors to understand key
commitment from global, open internet countries risks to cable resilience, and working to ensure other
to not disrupting submarine cables. Nonetheless, governments are making fast repair and resilience re-
the greatest risks of nation-state-caused cable dis- quirements a key part of authorizing undersea cable
ruptions—which could undermine human rights, the construction within their jurisdictions. Boosting resil-
free flow of information, and economic and national ience in cable infrastructure can promote a more se-
security—do not come from within the NATO bloc, cure and global Internet for all.
and constraints on potential malicious behavior must
focus outside the United States’ closest alliances and 7. US-based submarine cable owners should work
partnerships. Confidence-building measures are thus with federal, state, and local authorities to establish
an additional mechanism through which the United public-private ISACs as threats to their submarine
States could work to bolster norms against damaging cable infrastructure grow.111 Industry-specific ISACs
or disrupting cables. The Department of State, and across sectors like health, energy, and finance have
allies and partners, could place pressure on Beijing become integral mechanisms through which compa-
and Moscow, as well as less-discussed “swing states” nies share cybersecurity threat information with other
in Internet governance that may be inclined to dis- firms through established and confidential channels.
rupt cables. This process could generally mirror the Though many submarine cable owners are members
confidence-building measures used for other cyber of these and other ISACs, no ISAC exists specifically
issues: start by working with other countries to un- for threat sharing among submarine cable owners.
derstand definitions of key terminology—for instance, Yet as more submarine cable owners deploy remote
what constitutes “damaging” or “tampering with” a network management systems, directly connected to

109 Federal Communications Commission, “Improving Outage Reporting for Submarine Cables and Enhanced Submarine Cable Outage Data,” Federal
Register, 85 FR 15733, March 19, 2020, https://www.federalregister.gov/documents/2020/03/19/2020-03397/improving-outage-reporting-for-submarine-
cables-and-enhanced-submarine-cable-outage-data.
110 See, for example, Federal Communications Commission, Final Report – Clustering of Cables and Cable Landings, Communications Security, Reliability,
and Interoperability Council Working Group 4A, August 2016, https://transition.fcc.gov/bureaus/pshs/advisory/csric5/WG4A_Final_091416.pdf.
111 US Office of the Director of National Intelligence, Threats to Undersea, 9.

ATLANTIC COUNCIL 27
#ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

the Internet, to manage complex cable infrastructure, driving force behind cable security reviews. Other
they are introducing new levels of cybersecurity risk: factors can hinder threat sharing, such as a perceived
malicious actors could hack into these systems to dis- lack of a business case for doing so, but this may be
rupt cable signals. There are also many risks posed one way to help encourage it.
to cables that are distinct from those posed to other
parts of those owners’ businesses (e.g., cloud plat- 8. Amazon, Facebook, Google, and Microsoft, whose
forms, cellular networks). US-based submarine cable investment in submarine cables worldwide is rap-
owners should, therefore, establish ISACs where they idly growing, should craft and publish strategies for
can share cybersecurity threat information with one protecting the security and resilience of their cable
another to collectively protect submarine cable se- infrastructure. Information historically sent on back-
curity and resilience and to increase their available end systems in energy, health, financial, defense, and
intelligence for making corporate cybersecurity de- transportation sectors is increasingly transmitted to
cisions. They should work as well with federal au- and from the public cloud. These four US companies
thorities, including the FCC and DHS, particularly the are also increasingly investing in building and main-
Cybersecurity and Infrastructure Security Agency taining the submarine cables which route that and
(CISA), as well as state and local officials, to ensure other Internet data. As such, they have an elevated
the government also has requisite threat information responsibility to protect these systems’ security and
to make determinations about particular cables that resilience: they have a direct ownership stake in the
pose unique security risks or cables whose compro- infrastructure and profit from it. Their increased focus
mise would seriously undermine US economic and on cable security and resilience should include such
national security. That said, a key issue with threat measures as greater investment in securing remote
sharing is liability. CISA’s liability protections for infor- network management systems, greater investment
mation sharing cover private firms giving information in physically securing cable landing stations, more
to DHS, but the federal government should consider comprehensive plans for quickly repairing and restor-
expanded liability protections such that private com- ing cables in the event of damage or disruption, and
panies can also share cable threat information with, building and maintaining robust cable threat-sharing
at a minimum, those in the FCC, DOJ, and intelligence partnerships with one another, as well as with the US
community that (in addition to DHS) are presently the government and its allies and partners.

28 ATLANTIC COUNCIL
Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security #ACcyber

Conclusion

S
hould the US government invest more in protect- national security risks. All the while, authoritarian regimes,
ing undersea cables’ security and resilience, the particularly in Beijing and Moscow, will continue funding
private sector’s deployment of remote network submarine cable development projects globally, gradu-
management systems would have better security ally reshaping the Internet’s physical topology to encour-
baked in from the get-go, making it more difficult for adver- age Internet traffic to move through their own borders
saries and other threat actors to spy on or even complete- and through other midpoints their security agencies can
ly disrupt the delivery of Internet traffic. The US executive intercept. And should cables be damaged or disrupted,
branch group responsible for screening foreign-owned ca- delayed repairs will undermine Internet traffic delivery be-
bles touching the United States would have more person- cause the US government hasn’t invested sufficiently, in
nel, resources, and authorities to adequately review new cooperation with US industry and allies and partners glob-
and existing infrastructure projects for national security ally, in quickly fixing that infrastructure and restoring the
risks. Authoritarian governments intent on reshaping the flow of Internet traffic.
Internet’s physical topology in their strategic favor—to route
more data through their borders, enhance their surveillance As the Internet comes under unprecedented authoritar-
capabilities and control of key Internet chokepoints, and ian assault, and societal dependence on the web grows in
so on—would face a more concerted effort from the US the absence of robust and ecosystem-wide cybersecurity,
government, the US private sector, and allies and partners the US government has an opportunity and responsibil-
globally to combat efforts to increase direct state control ity to reinforce the global Internet’s positive potential by
over Internet architecture. Disruptions to or failures in cable better protecting the submarine cables that underpin it.
systems, for their part, would be repaired quickly as a result Alterations to the Internet’s physical topology shape the
of US government-supported cable repair programs for the Internet’s digital behavior, and threats to the security and
Internet backbone touching the United States. resilience of submarine cables likewise impact the secu-
rity and resilience of the data transmitted over that infra-
Alternatively, the current trajectory of undersea cable de- structure. With much of the global cable infrastructure in
velopment can continue without measures to better pro- the hands of private and state-controlled companies, often
tect cable security and resilience. Companies will continue in consortium-style arrangements, there is no one actor
deploying remote network management systems without in charge. Yet a different future is possible, one where
robust security baked in, enabling a range of threat ac- security and resilience are more central decision factors
tors, particularly foreign intelligence services, to tap into in the design, construction, and maintenance of under-
and spy upon traffic passing through cable landing sta- sea cables; where the US government works more pro-
tions—and potentially even disrupt Internet signals alto- actively with industry, allies, and partners to ensure the
gether in conflict-like scenarios. The US government will global Internet runs reliably and securely, even in the face
continue to under-resource the organizations responsible of failure; and where robust security for core Internet ar-
for inspecting foreign telecom cables for national security chitecture is itself a compelling alternative to authoritarian
risks, both slowing down the time it takes for those enti- visions of a state-controlled sovereign network. The US
ties to clear cable projects and increasing the likelihood of government should seize on this opportunity and embrace
overlooking cables touching the United States that pose this responsibility.

ATLANTIC COUNCIL 29
 #ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

About the Author

Justin Sherman is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative, where
his work focuses on the geopolitics, governance, and security of the global internet. He is also a
research fellow at the Tech, Law & Security Program at American University Washington College
of Law, a cyber policy fellow at the Duke Tech Policy Lab, and a contributor at WIRED Magazine.

Acknowledgments
The author would like to thank Trey Herr, Shane Stansbury, Samm Sacks, Andrew Grotto, Nicholas Andersen, Laura Bate,
David Hoffman, Ian Ralby, Bill Woodcock, and several other reviewers who requested anonymity for their feedback on
earlier versions of this report. The author would also like to thank Laura Bate, Nicholas Andersen, Ian Ralby, and several
others who requested anonymity for valuable discussions about the issues. Finally, the author would like to thank Trey
Herr, Simon Handler, Will Loomis, and the rest of the Atlantic Council team for their support.

30 ATLANTIC COUNCIL
 Board of Directors

CHAIRMAN Ralph D. Crosby, Jr. *Michael J. Morell HONORARY DIRECTORS

*John F.W. Rogers *Ankit N. Desai *Richard Morningstar James A. Baker, III
Dario Deste Georgette Mosbacher Ashton B. Carter
EXECUTIVE CHAIRMAN *Paula J. Dobriansky Dambisa F. Moyo Robert M. Gates
EMERITUS Joseph F. Dunford, Jr. Virginia A. Mulberger James N. Mattis
*James L. Jones Thomas J. Egan, Jr. Mary Claire Murphy Michael G. Mullen
Stuart E. Eizenstat Edward J. Newberry Leon E. Panetta
PRESIDENT AND CEO Thomas R. Eldridge Thomas R. Nides William J. Perry
*Frederick Kempe Mark T. Esper Franco Nuschese Colin L. Powell
*Alan H. Fleischmann Joseph S. Nye Condoleezza Rice
EXECUTIVE VICE CHAIRS Jendayi E. Frazer Ahmet M. Ören Horst Teltschik
*Adrienne Arsht Courtney Geduldig Sally A. Painter William H. Webster
*Stephen J. Hadley Meg Gentle Ana I. Palacio
Thomas H. Glocer *Kostas Pantazopoulos
VICE CHAIRS John B. Goodman Alan Pellegrini
*Robert J. Abernethy *Sherri W. Goodman David H. Petraeus
*Richard W. Edelman Murathan Günal W. DeVier Pierson
*C. Boyden Gray Amir A. Handjani Lisa Pollina
*Alexander V. Mirtchev Frank Haun Daniel B. Poneman
*John J. Studzinski Michael V. Hayden *Dina H. Powell McCormick
Amos Hochstein Ashraf Qazi
TREASURER Tim Holt Robert Rangel
*George Lund *Karl V. Hopkins Thomas J. Ridge
Andrew Hove Gary Rieschel
DIRECTORS Mary L. Howell Lawrence Di Rita
Stéphane Abrial Ian Ihnatowycz Michael J. Rogers
Todd Achilles Wolfgang F. Ischinger Charles O. Rossotti
*Peter Ackerman Deborah Lee James Harry Sachinis
Timothy D. Adams Joia M. Johnson C. Michael Scaparrotti
*Michael Andersson *Maria Pica Karp Ivan A. Schlager
David D. Aufhauser Andre Kelleners Rajiv Shah
Barbara Barrett Henry A. Kissinger Kris Singh
Colleen Bell *C. Jeffrey Knittel Walter Slocombe
Stephen Biegun Franklin D. Kramer Christopher Smith
*Rafic A. Bizri Laura Lane Clifford M. Sobel
*Linden P. Blue Jan M. Lodal James G. Stavridis
Adam Boehler Douglas Lute Michael S. Steele
Philip M. Breedlove Jane Holl Lute Richard J.A. Steele
Myron Brilliant William J. Lynn Mary Streett
*Esther Brimmer Mark Machin *Frances M. Townsend
R. Nicholas Burns Mian M. Mansha Clyde C. Tuggle
*Richard R. Burt Marco Margheri Melanne Verveer
Teresa Carlson Michael Margolis Charles F. Wald
James E. Cartwright Chris Marlin Michael F. Walsh
John E. Chapoton William Marron Ronald Weiser
Ahmed Charai Gerardo Mato Olin Wethington
Melanie Chen Timothy McBride Maciej Witucki
Michael Chertoff Erin McGrain Neal S. Wolin
*George Chopivsky John M. McHugh *Jenny Wood
Wesley K. Clark Eric D.K. Melby Guang Yang *Executive Committee
Beth Connaughty *Judith A. Miller Mary C. Yates Members
*Helima Croft Dariusz Mioduski Dov S. Zakheim List as of July 13, 2021
#ACcyber Cyber Defense Across the Ocean Floor: The Geopolitics of Submarine Cable Security

The Atlantic Council is a nonpartisan organization that ­promotes

constructive US leadership and engagement in i­nternational
­affairs based on the central role of the Atlantic community in
­meeting today’s global c­ hallenges.

© 2021 The Atlantic Council of the United States. All rights

reserved. No part of this publication may be reproduced or
transmitted in any form or by any means without permission
in writing from the Atlantic Council, except in the case of brief
quotations in news articles, critical articles, or reviews. Please
direct inquiries to:

Atlantic Council

1030 15th Street, NW, 12th Floor, Washington, DC 20005

(202) 463-7226, www.AtlanticCouncil.org

C4 ATLANTIC COUNCIL