
    Europe to toughen up subsea cable protection stance  


    Similar to what happened with 5G networks, the Commission’s new report recommends phasing out risky providers of subsea cables

    The well-documented subsea cable sabotage in the Baltic Sea by a Chinese vessel last October, plus cable anomalies in the Nordics, spurred the EU Council to task the Commission with making some recommendations to protect Europe’s subsea cable infrastructure.

    Earlier this week, these recommendations arrived in the form of a report on the cybersecurity and resiliency of Europe’s communications infrastructures and networks – essentially joint work from EU Member States, with the support of the European Commission and ENISA, the EU Agency for Cybersecurity.

    A key recommendation is to reduce risks, vulnerabilities and dependencies on high-risk suppliers, and this means creating transparency on the landscape of suppliers used for fixed networks, fibre technology, submarine cables, satellite networks and other important ICT suppliers.

    According to Euractiv, the Commission suggests creating a “Submarine Cable Infrastructure Expert Group” that would be tasked with “putting forward a Cable Security Toolbox” like the EU Toolbox on 5G cybersecurity, which in effect led to the decision to replace Huawei kit in many EU MNOs. Having a toolbox for cables could have big implications for Huawei’s HMN Tech, which could be equally restricted or banned from rolling out submarine cables. The report points out that the EU has only one indigenous cable builder, ASN.

    The report said national “competent authorities” in the Member States should exchange information about suppliers and, together with ENISA and in consultation with BEREC, should prepare an aggregated mapping of the supplier landscape for fixed (fibre) networks, satellite networks, submarine cables, and other important ICT suppliers. This would allow for a discussion about whether there is a need to look at the risk profile of suppliers in these sectors and the potential risks of dependencies.

    Euractiv points out the Commission wants to task the expert group, working jointly with the Commission, with setting up a prioritised list of “Cable Projects of European Interest” based on the following criteria: enhanced resilience of infrastructure, supply chain security, geostrategic importance, and public necessity. 

    Cable ownership  

    The report recommends Member States assess the resilience of international interconnections and clarify mandates, specifically which national authorities have the mandate to supervise these international interconnections and who has the mandate to supervise the cable operators. To complement those developments, Member States should map foreign jurisdiction obligations imposed upon operators which have submarine cables on their territory.

    In general, according to the report, it seems that there is a lack of information and understanding about the criticality, resilience, and redundancy of core Internet infrastructure, including submarine cables. For instance, as regards submarine cables, there is little information about their capacity, whether the current network architecture is sufficiently redundant, whether there is failover capacity when an incident happens, whether there is sufficient repair capacity, whether submarine cable operators are taking appropriate security measures and so on. The Commission pointed out that work has already been done in December 2022 but more needs to be done.

    A further recommendation was that Member States should exchange good practices about the resilience of submarine cables, for instance within the NIS Cooperation Group and with the CER authorities. Good practices from the energy sector for the protection of submarine power cables should be considered. Based on this exchange of good practices, ENISA should develop technical guidelines for national competent authorities in the Member States to support them in supervising the security of submarine cables and landing stations. 

    Threats and vulnerabilities 

    Some Member States rely on a few main international backbone connections and have limited and suboptimal solutions to redirect traffic. A coordinated sabotage action could have a significant impact on the functioning and continuity of the networks. 

    The report said a large-scale coordinated attack on submarine cables which would damage several cables at once could be difficult to mitigate and may have long-lasting impact. Firstly, repairing submarine cables is difficult when they are in deep waters or under the ice. Secondly, the number of cable repair ships is limited, and their availability-on-demand is not guaranteed. Power cuts could also affect submarine cables which rely on repeaters.  

    At national level, the responsibility for protecting these submarine cables is not always clear and typically involves several different national authorities, including the telecom regulator, the cybersecurity agency, but could also include the coastguard or the military. The intent of any attacker is to cause large-scale network outages, affecting Internet connectivity of an entire region in the EU that depends mostly on submarine cables. The submarine cable attack takes place in international waters, where it is unclear who has legal jurisdiction. The incident lasts several days, because repair is slow and there is a limited number of repair vessels.

    Another identified risk is where a state actor interferes with a supplier or a consortium operating several (land and submarine) cables and landing points, which are critical for international connections of some EU Member States. The state actor exercises pressure on the supplier of these cables to gain access to sensitive data transmitted over the cable, for the purpose of espionage. While tapping of submarine cables on the seabed is difficult, tapping at the landing points is feasible. 

    Wider network recommendations in the report 

    The report covered a gamut of threats and mitigations for telco networks. Other recommendations included: creating transparency on the landscape of suppliers and managed service providers or managed security service providers used for fixed networks, fibre technology, submarine cables, satellite networks and other important ICT suppliers; and implementing the recommendations related to suppliers in the second Progress Report on the EU Toolbox implementation.

    Other recommendations included involving the sector in cyber exercises and operational collaboration, fostering information sharing and improving situational awareness about threats for operators. Although no amount was mentioned, operators should also be provided with funding support for technical measures against cyber-attacks in their networks. This may link to extending physical stress testing of critical infrastructure to include digital infrastructure. National authorities are also urged to exchange best practices among themselves about physical attacks on digital infrastructure. All the recommendations should be carried out sooner rather than later.

    This most recent report follows on from the 5G recommendations made to Member States in 2022. On 9 March 2022, the informal Council meeting of Telecom Ministers organised in Nevers (France) resulted in a joint call to reinforce the EU’s cybersecurity capabilities. Point 4 of the call asks relevant national authorities, such as the Body of European Regulators for Electronic Communications (BEREC), ENISA, and the NIS Cooperation Group to make recommendations to EU Member States and the Commission based on a risk assessment to reinforce the resilience of the EU’s communications infrastructures and networks.