Sunday, May 07, 2023

The Disconnect on Undersea Cable Security

By Joseph B. Keller Sunday, May 7, 2023

A sign warns boaters of an underwater cable that crosses the Lane Cove River in Linley Point, New South Wales, Australia. Photo credit: ~~ItsJegh~~/Wikimedia; CC BY 2.0

Editor’s Note: The fiber-optic submarine cable sector is a vital, but often ignored, part of the world’s critical infrastructure. Many members of Congress and the U.S. government, however, see the risks to subsea cables quite differently than cable owners and manufacturers. My Brookings colleague Joseph Keller examines this disconnect, suggesting ways that the policy community can protect and advance this critical industry.

Daniel Byman

***

Geopolitical tension is climbing steadily in the fiber-optic submarine cable sector. Cables are an invaluable critical infrastructure that transmit 99 percent of all intercontinental digital traffic and more than $10 trillion worth of financial transactions each day. The U.S. Congress is in the process of passing legislation to curb foreign cable construction, highlighting a key difference in the perception of security risk to subsea cables between U.S. government officials (and security analysts) and industry owners, operators, and manufacturers.

Industry stakeholders have prioritized common security risks endangering commercial competition, revenue, and network integrity but have been less engaged on the potential for cyberattacks and other vulnerabilities that could be exploited by malicious actors. By contrast, U.S. officials and the intelligence community have focused almost exclusively on the acute national security threats posed by tampering and espionage, without lending comparable weight to infrastructure protection and resilience. These independent and contrasting motivations may imperil the global information chain and hinder technological innovation, presumably mirroring the often inharmonious ambitions of government and private industry.

To avoid future constraints on global telecommunications caused by this disconnect, stakeholders must bridge the gulf between them. Developing public-private partnerships, building consensus around shared standards of submarine cable risk and protection, and increasing U.S. prioritization of federal subsea communications cable activities will reduce potential disruptions—an essential foundation for international stakeholder collaboration supporting a resilient wide area network.

Geopolitical Pressure Prompts Cable Security Concerns

In April 2020, the Trump administration signed an executive order formalizing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector, informally known as Team Telecom, which was officially tasked with bolstering the Federal Communications Commission’s (FCC’s) capacity to evaluate foreign participation in U.S. telecommunications activities. The order punctuated the government’s efforts to address national security concerns associated with licenses for the landing and operation of undersea cables on U.S. soil.

The United States avoids both direct and indirect association with China around telecommunications. Regulators view preventing interconnection with foreign adversaries as an essential measure in defending communications and data transmitted through cables from adversaries. They contend that shared cable infrastructure with foreign ownership and untrusted equipment tied to China introduces risks to citizens’ privacy and the potential for foreign intelligence agencies to intercept sensitive information. U.S. security officials have required concessions on business agreements on national security grounds to eliminate partnerships with Beijing-backed players, referencing the threats posed by their involvement.

The committee’s initial mandate was to evaluate applications for new cable systems that would connect to the United States from another country and instances in which foreign ownership exceeds 10 percent, and it has recommended denying applications with ties to political regimes deemed in misalignment with U.S. values. Since the committee’s establishment just three years ago, the number of permit applications has surged and the committee’s practices have become increasingly mired in bureaucracy. Team Telecom now reviews all applications even in situations without foreign ownership and takes much longer to process recommendations. At its inception, estimates cited the expectation of a 120-day process, but now multiple stages of questions and screening can occur even before that 120-day clock begins, extending decision timelines by more than nine months. The burden of compliance weighs heavily on the applicant and often at a significant financial cost. The committee justifies this more thorough inspection by stating that it further protects data transmitting over undersea cables, a concern that is seen largely as being driven by increasing friction between the United States and China.

Team Telecom specifically targets Chinese-owned submarine cables and equipment, taking steps to block or reroute Chinese cables, restrict ownership of cables by Chinese companies, and prohibit use of some Chinese equipment and services. The committee has recommended that licensees diversify cable interconnection points across Asia to avoid a direct linking to Hong Kong, among other decisions. Other Chinese telecom operators have felt compelled to withdraw their involvement from submarine cable projects, sensing an impasse produced by escalating opposition.

In March, the U.S. House of Representatives passed the Undersea Cable Control Act, which, if passed by the Senate, would prohibit the export of cable technologies and equipment to China in an attempt to prevent foreign adversaries from acquiring the means to build and operate subsea communication cables. The legislation may fragment the internet ecosystem—China recently announced plans to develop a $500 million subsea cable system that would circumvent connections with the United States to link Asia, the Middle East, and Europe. It and other similar proposals may perpetuate economic and political roadblocks between the United States and China, with implications for other countries and to the potential detriment of international connectivity.

Industry Safeguards Against Expected Hazards

Industry stakeholders have expressed concerns about cable protection and resilience, but they don’t perceive the same security risk to cables as policymakers in Washington. The subsea cable industry landscape includes a broad cast of characters: state governments, industry associations, fiber manufacturers, small private cable companies, local telecom companies, and cloud service providers such as Google, Amazon, and Meta. These communities steer the planning, funding, building, and maintenance of 1.4 million kilometers of cable globally.

Leaders in the fiber-optic cable sector acknowledge the vulnerabilities of cables and want to safeguard their investments and deliver for their customers. Data consistently shows that cable disruptions have been caused almost exclusively by natural susceptibilities and accidents involving humans. Fishing- and anchoring-related activities pose the main threat, accounting for approximately 70 percent of the more than 200 cable faults each year (though this varies by geography and region).

International frameworks and standards have shaped this industry perception by focusing predominantly on guarding the physical integrity of cables. The International Cable Protection Committee (ICPC) suggests best practices in protection and security of undersea cables. The United Nations has proposed good practices for responsible state behavior and protection of critical infrastructure against attack, and the Organization for Economic Cooperation and Development (OECD) offers guidance for the governance of infrastructure. These organizations have not dedicated much public effort to concerns about cyber vulnerabilities.

Government Regulators Versus Bad Actors

Meanwhile, the U.S. national security community and intelligence researchers have outlined extensive and valid risks to subsea cables from malign actors. Their analyses point to the threat of authoritarian influence, vulnerabilities to cyberwarfare, and the need to join allies in countering potential dangers posed by Russia and China. The federal government acknowledges threats to undersea telecom cables and has developed a series of actions to protect against security vulnerabilities. But some observers still believe that the United States has fallen short in fortifying the undersea communications cable system.

Undersea cable networks are now seen as a principal component of U.S.-China technological competition, which has been reinforced by declining diplomatic relations that, for some observers, foreshadows a new cold war. The protection and resilience of the global internet could become collateral damage in this great power competition. At the same time, it appears that little to no dialogue occurs among U.S. security, regulation, and industry communities. Avoiding policies and practices that stunt or fragment global connectivity will be a challenging task in this competitive geopolitical environment, but it will be next to impossible without clear and open discussion among these stakeholders.

Bridging Security Echo Chambers

Complications stemming from a lack of engagement between U.S. government regulators and industry actors are bound to reach a breaking point. With the growing global population, the digitization that has resulted from the coronavirus pandemic, and a booming business ecosystem, the number of cables is expected to double by 2030. What’s missing at this moment is a shared sense of common ground, and this lack of consensus and collaboration may jeopardize global network expansion. Overly stringent regulation and protocols can impede investment projects. Instead, engagement and collaboration must unite industry and government.

To support the advancements of a global internet, the United States must recognize its weakening centrality in international cable capacity and expand relations with submarine cable communities across the globe. There are concrete steps that U.S. regulators and policymakers can take toward this end.

Convene an interdisciplinary group of government regulators, security experts, and industry leaders. A joint task force, with regular interaction and dialogue, should be created as a forum for stakeholders across industry, security, and regulatory sectors. The Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative (JCDC), which brings together cyber practitioners worldwide, may serve as a model for building a security-minded group that encompasses subsea owners, operators, and manufacturers in order to improve U.S. cable security and operations. JCDC convenes organizations and operators from across the public and private sectors, including state, local, and international government participants. Additionally, it operates with existing information-sharing hubs and groups to ensure the rapid dissemination of actionable information across the broader community. Independent of, but connected to this cross-sector group, the Communication Security, Reliability, and Interoperability Council—a federal advisory committee—has advised the FCC to convene an interagency working group to improve oversight and coordination of cables and tech. Appointing a clear point of contact on both the industry and federal sides would also simplify communication between parties.

Collaborate on enhanced security measures, developing shared risk management and mitigation frameworks. It’s necessary for stakeholders to define and agree on approaches to manage and mitigate risk to undersea cables. Collectively, U.S. regulators and industry representatives must draft a mutually agreeable set of cable risks and vulnerabilities with corresponding best practices for cable network protection and resilience. Activities could include conducting regular audits of cables with industry and security experts, offering education and security training for submarine networks, and establishing an information sharing and analysis center for subsea cable networks similar to the organization that monitors financial services networks. Stakeholders should circulate promising research and foundational best practices from the ICPC, OECD, and UN, and this guidance could be integrated by U.S. federal agencies like the National Institute of Standards and Technology for cable protection and security baselines.

Demonstrate deeper commitment to industry actions to provide security for undersea cables. Prioritizing resources, improving bureaucratic efficiency, and increasing the predictability of federal cable operations will facilitate industry progress and innovation while preserving security protocols. Team Telecom has acquired a reputation for being inflexible and lacking industry perspective, and the U.S. security review procedure comes across as a “black box” to many—including the Senate Homeland Security and Governmental Affairs Committee, which called the process “opaque” and some decisions “arbitrary.” Reforming these review processes can improve the transparency of cable permitting and licensing. Team Telecom should hire staff with technical knowledge, as the evaluation process would benefit greatly from individuals with engineering proficiency. Greater regulatory clarity would also repair the erosion of trust, improve predictability, and decrease anxiety that is harming U.S. competitiveness. Delays in timelines for approval undercut efforts to create a rigorous yet efficient pipeline for cable permitting. Congress also has a role to play. It must better prioritize fiber-optic cable activities and should consult industry experts when drafting legislation. Congress can also delegate authority to a lead agency to coordinate cable security with industry leaders, establish a formal regulatory framework to improve cable security, increase U.S. investments in cable repair vessels and the U.S. Cable Security Fleet, and support cyber research to advance cable protections.

***

Subsea cables are a growing U.S. national security risk, but collaboration among stakeholders will help confront the challenges that keep policymakers and industry stakeholders up at night. The U.S. government aspires to balance diplomatic, economic, and national security interests with the international growth of a robust and resilient submarine cable ecosystem. They can’t do it alone. Industry actors—from local governments, to private cable companies, to cloud computing giants—will be necessary partners in achieving these interrelated objectives.

No comments:

Post a Comment