A report from the Public-Private Analytic Exchange Program has found that the government and private sector organizations need a better understanding of the vulnerabilities associated with undersea cable services.
Commercial undersea cable communications carry over 97% of all intercontinental electronic communications. They facilitate internet reach, phone access critical to international trade and official government communications. This underseas network is susceptible to accidental and malicious threats though, and this report explores potential risks and the steps that are been taken to mitigate them.
The Public-Private Analytic Exchange Program, which conducted the report, is sponsored by DHS’s Office of Intelligence and Analysis on behalf of ODNI. The program facilitates collaboration between the intelligence community and private sector industry experts to explore national security issues.
The report found that the majority of undersea cable disruptions are caused by accidents and natural events but terrestrial portions of cable networks are more vulnerable and have been actively targeted. The types of submarine cable that are most vulnerable to cyber attacks are overland and last mile and near shore.
It also found that although the US has access to a relatively large number of undersea cables, providing communications redundancy and emergency failovers, many small nation states and island nations (including allies) have few cable access points and are, therefore, more vulnerable to attacks or accidents, which could still cause disruption for the US. It raises concerns that the relative ease in locating cable routes and termination points could lead to the targeting of the submarine network by bad actors, and that adversaries with access to cargo ships could launch simultaneous attacks on single cable points.
Interviews also suggested that there is a lack of proactive communication between law enforcement, the Coast Guard, telecoms operators and landing station operators in emergency preparedness planning. It also identified that few businesses dependent on international internet activity were aware of recovery resources, communication process, or contractual obligations they would be subject to in the event of a serious outage.
The study recommends that businesses, as well as local and state governments should assess dependencies on international communications and those of third party vendors, to determine whether disruptions to cable communications would impact their critical operations, and establish continuity plans if so. It also recommends that customers and service providers should create or improve their own security
review guidelines and requirements and ask questions to better understand the contractors, manufacturers, supply chain operations and limitations, and network resilience requirements for their systems and service contracts.
The study also points out that liaison between the US government and the private sector needs to be improved, particularly with regards to areas of jurisdictional overlap.
In conclusion, the report says that: “It became apparent from the AEP interviews conducted that many end users of these services (especially small, medium sized organizations and local and state governments) are not well-informed on the vulnerabilities of the multifaceted
undersea cable network. Yet, these organizations are dependent on international communications more than ever before.”
Read the full report here