Subsea sabotage should spark review of critical infrastructure security

Two major undersea cables connecting Nordic and Baltic countries were mysteriously severed a few months ago. The incident has raised concerns about the vulnerability of critical communication infrastructure and potential geopolitical implications
Main Top Image
Image created using Chat GPT-4o

In late December 2024, Finnish forces seized a Russia-linked ‘spy ship’ after it dragged its anchor across several subsea internet cables, damaging them. The incident follows the severing of two undersea cables in the Baltic Sea in mid-November 2024, which ignited alarm in European capitals, fearing sabotage. Germany, Sweden, and Finland all suspected that a vessel near the cables, the Chinese-flagged Yi Peng 3, was involved in the stoppages.

Troubling patterns

What is most worrying about this episode is that it fits an unsettling pattern of more frequent targeting of critical undersea infrastructure. This type of sabotage seems to have become an integral component of Russias hybrid warfare in the Baltic Sea and the High North. The most famous incidents are the Nord Stream 1 and 2 pipeline explosions in 2022. But they are not the only ones. The Balticconnector gas pipeline was ruptured in October 2023, and two data cables linking Finland and Estonia also stopped working in the same month. There have also been reports of undersea cables being severed near Svalbard, and Russian spy ships have allegedly surveyed wind farms in the North and Baltic Seas for vulnerabilities. In November 2024, first, the 1,172-kilometre cable that connects Finland to Central Europe via Germany, the ‘C-Lion1’, stopped working, then, a few hours later, a new cable connecting Sweden to Lithuania also stopped transmitting.  

The Yi Peng 3’s suspected involvement in the November cable damaging hints at troubling development: private Chinese assets being incorporated into the Russian state’s hybrid warfare. The Balticconnector incident also involved a Chinese-flagged vessel, the Hong Kong-registered Newnew Polar Bear.This might reflect an emerging loose partnership between Beijing and Moscow in carrying out subversive activities that blur the line between state and non-state action.

Critical infrastructure

The urgency of addressing the vulnerabilities of undersea cables cannot be overstated. They carry 95% of international communications and are the backbone of the modern digital revolution. Spanning 1.2 million kilometres across the world’s oceans, they are as critical to global connectivity as advancements in computing power and artificial intelligence. The ownership, operation, and manipulation of these cables can grant states geopolitical power by giving them access to trade and military secrets. This is why they have increasingly become targets in hybrid warfare, as evidenced by the recent cable disruptions in Europe. 

However, just as cybersecurity has evolved from the unrealistic goal of achieving zero attacks to focus on resilience instead, the cable industry must similarly abandon the myth of total security. To this end, a practical approach that emphasises redundancy, rapid recovery, and strategic deterrence is essential.

Protecting undersea cables

Policy and regulation will be central to any long-term solution. The European Union’s efforts to enhance cybersecurity, such as the Network and Information System 2 (NIS2) Directive and the Digital Operational Resilience Act (DORA), provide a model for securing undersea infrastructure. These frameworks mandate rigorous risk management, operational safety standards, incident reporting, and executive accountability, creating a standard that can be adapted to the specific challenges of cable security. 

The goal must be to harmonise undersea cable security amongst like-minded nations to minimise the risk of sabotage. Initiatives such as NATO’s Hybrid Space/Submarine Architecture Ensuring Infosec of Telecommunications (HEIST) and the joint naval patrol in the Baltic Sea, which was announced two weeks ago, are certainly an important step in the right direction. 

However, international law should also hold private shipping companies – and their executives – liable for negligence, given that apparently private vessels were involved in the recent sabotage incidents. The EU should sanction both individuals and entities for non-compliance with agreed procedures, processes, and regulations. Failure to comply must result in bans, financial penalties, and the suspension of licences to operate in certain geographies. In this way, aligning the cable industry with existing cyber resilience measures will bolster defences and ensure accountability across the sector.

International cooperation is equally important. Governments, private stakeholders, and regional bodies must come together to develop and, more importantly, enforce strategies for protecting these vital assets. Telecommunications giants, technology firms, and even insurers have a role in this effort. The underlying objective should be to develop a simple yet comprehensive framework for protecting cables. Such a framework would define and allocate responsibilities based on the stakeholders’ capabilities. It would also establish a clear coordination mechanism and a structure for exchanging best practices. In an ideal scenario, a binding international treaty would be the preferred option. However, the prospect for doing so is, and will likely remain, slim in today’s geopolitical climate, as evidenced by the lacklustre progress on establishing a global treaty on cyber warfare. 

Expanding the number of undersea cables is a logical next step. More infrastructure is needed to meet rising demand and ensure that disruptions can be swiftly addressed. As digital economies expand and technologies like cloud computing and the internet of things continue to grow, the volume and strategic value of global data cables are set to increase significantly. Global data traffic grows at a rate of roughly 20% annually, while global bandwidth doubles every 18 months, consistently pushing existing networks to their limits. 

Compounding this dynamic are rising geopolitical tensions and climate change. Both factors increase the likelihood of damage to undersea cables, necessitating access to alternative cable routes. Initiatives such as the EU-Japan collaboration on an Arctic cable project to connect Asia with Europe or Meta’s ‘around the world subsea cable’ exemplify the types of forward-thinking partnerships and projects required to enhance resilience in this area. These projects will bypass conflict-prone areas in their drive towards more redundancy and use the latest technologies to increase situational awareness around these cables. 

Creative uses of cutting-edge technology, such as remote sensing techniques, would also play a crucial role in securing undersea infrastructure. Distributed acoustic sensing (DAS) on subsea cables enables real-time monitoring by detecting acoustic, thermal, and vibration disturbances, significantly enhancing operators’ ability to identify anomalies and threats. This method is not risk-free. For instance, increased reliance on ‘smart’ cables would inevitably increase these networks’ vulnerabilities to cyberattacks and hacking. 

But, a more widespread deployment of advanced remote sensing systems along critical cable routes can go a long way in facilitating quicker responses to sabotage. The mere presence of these sensors, moreover, could act as a potential deterrent by eliminating would-be attackers’ anonymity. Currently, the lack of advanced warning and monitoring capabilities allows saboteurs to go undetected.

Strategic assets

The Baltic Sea incidents are a stark reminder that undersea cables are not merely technical hardware but strategic assets central to national security, economic stability, and global connectivity. As geopolitical tensions rise and hybrid threats become more frequent and sophisticated, resilience must become the guiding principle. Expanding infrastructure, leveraging technology, fostering collaboration, and enforcing robust regulations are no longer optional; they are imperative. In an era where insecurity is the new normal, the goal must shift from the illusion of invulnerability to the pursuit of uninterrupted operations and, thus, practical resilience.

Terms and Conditions for the AI-Cybersecurity Essay Prize Competition

Introduction

The AI-Cybersecurity Essay Prize Competition (the “Competition”) is organized by Virtual Routes (“Virtual Routes”) in partnership with the Munich Security Conference (“MSC”). It is sponsored by Google (the “Sponsor”). By entering the Competition, participants agree to these Terms and Conditions (T&Cs).

Eligibility

The Competition is open to individuals worldwide who are experts in the fields of cybersecurity and artificial intelligence (“AI”). Participants must ensure that their participation complies with local laws and regulations.

Submission Guidelines

Essays must address the question: “How will Artificial Intelligence change cybersecurity, and what are the implications for Europe? Discuss potential strategies that policymakers can adopt to navigate these changes.”

Submissions must be original, unpublished works between 800-1200 words, excluding footnotes but including hyperlinks for references.

Essays must be submitted by 2 January 2025, 00:00 am CET., through the official submission portal provided by Virtual Routes.

Only single-authored essays are accepted. Co-authored submissions will not be considered.

Participants are responsible for ensuring their submissions do not infringe upon the intellectual property rights of third parties.

Judging and Awards

Essays will be judged based on insightfulness, relevance, originality, clarity, and evidence by a review board comprising distinguished figures from academia, industry, and government.

The decision of the review board is final and binding in all matters related to the Competition.

Prizes are as follows: 1st Place: €10,000; Runner-Up: €5,000; 3rd Place: €2,500; 4th-5th Places: €1,000 each. The winner will also be invited to attend The Munich Security Conference

Intellectual Property Rights

The author retains ownership of the submitted essay.

By submitting the essay, the author grants Virtual Routes exclusive, royalty-free rights to use, reproduce, publish, distribute, and display the essay for purposes related to the Competition, including but not limited to educational, promotional, and research-related activities.

The author represents, warrants, and agrees that no essay submitted as part of the essay prize competition violates or infringes upon the rights of any third party, including copyright, trademark, privacy, publicity, or other personal or proprietary rights, breaches, or conflicts with any obligation, such as a confidentiality obligation, or contains libellous, defamatory, or otherwise unlawful material.

The author agrees that the organizers can use your name (or your pseudonym) and an image of you in association with your essay for purposes of publicity, promotion and any other activity related to the exercise of its rights under these Terms.

The organizers may remove any essay-related content from its platforms at any time and without explanation.

The organizers may block contributions from particular email or IP addresses without notice or explanation.

The organizers may enable advertising on its platforms and associated social media accounts, including in connection with the display of your essay. The organizers may also use your Material to promote its products and services.

The organizers may, at its sole discretion, categorise Material, whether by means of ranking according to popularity or by any other criteria.

Data Protection

Personal information collected in connection with the Competition will be processed in accordance with Virtual Routes’ Privacy Policy. Participants agree to the collection, processing, and storage of their personal data for the purposes of the Competition.

Liability and Indemnity

Virtual Routes, MSC, and the Sponsor will not be liable for any damages arising from participation in the Competition, except where prohibited by law.

Participants agree to indemnify Virtual Routes, MSC, and the Sponsor against any claims, damages, or losses resulting from a breach of these T&Cs.

General Conditions

Virtual Routes reserves the right to cancel, suspend, or modify the Competition or these T&Cs if fraud, technical failures, or any other factor beyond Virtual Routes’ reasonable control impairs the integrity or proper functioning of the Competition, as determined by Virtual Routes in its sole discretion.

Any attempt by any person to deliberately undermine the legitimate operation of the Competition may be a violation of criminal and civil law, and, should such an attempt be made, Virtual Routes reserves the right to seek damages from any such person to the fullest extent permitted by law.

Governing Law

These Terms and Conditions are governed by the laws of the United Kingdom, without regard to its conflict of law principles. Any dispute arising out of or in connection with these Terms and Conditions, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by the courts of the United Kingdom. The participants agree to submit to the exclusive jurisdiction of the courts located in the United Kingdom for the resolution of all disputes arising from or related to these Terms and Conditions or the Competition.