Three Threat Domains for Submarine Cables
Submarine cable systems face threats across three critical domains: physical, logical, and geopolitical.
- Physical threats include accidental damage and deliberate sabotage, particularly at vulnerable shallow depths and landing stations where attackers can tamper with optical signal paths.
- Logical threats emerge from outdated remote access controls, lack of multi-factor authentication, and weak VLAN segmentation that can enable east-west lateral movement within networks.
- Geopolitical threats arise when cables running through strategic chokepoints face state-level interference and lawful interception requirements that can compromise traffic integrity.
The challenge is compounded by shared vendor platforms lacking end-to-end encryption and role-based access controls. A single vulnerability—whether an unsigned firmware update or unsecured vendor API—can trigger regional-scale outages or traffic manipulation.
Navigating Complex Regulatory Landscapes for Submarine Cables
Submarine cables by nature cross multiple jurisdictions, creating a complex compliance environment. In the Americas, the FCC's recent Notice of Proposed Rulemaking signals a new era where cybersecurity is treated as a national security risk, requiring mandatory risk management plans and annual compliance certifications. However, global enforcement remains uneven.
While regions like Europe maintain stringent regulations similar to U.S. standards, other areas may have less developed or inconsistently enforced cybersecurity requirements. Adi's advice: don't wait for local regulations to catch up. Instead, embed security into every system layer and maintain strong partnerships with trusted vendors and local governments. The goal should be staying ahead of regulatory requirements rather than merely meeting minimum compliance standards.
Breach Response: From Crisis to Controlled Recovery
The mindset around security breaches must shift from prevention-focused to resilience-focused thinking. "You cannot prevent every breach," Adi emphasizes, "But you can control the damage." A solid post-breach strategy starts with preparation: detailed incident response plans, well-defined stakeholder roles, regular tabletop exercises, and tested backup systems.
The difference between a manageable breach and a full-scale crisis often comes down to preparation and communication. Clear roles prevent confusion about who communicates with customers and media, while transparent internal communication keeps stakeholders informed at every step. Companies that detect threats early, isolate quickly, and recover with minimal disruption demonstrate true cyber resilience.
The AI-Quantum Future of Cybersecurity
Looking ahead, AI presents both opportunities and challenges. While bad actors leverage AI for more sophisticated phishing campaigns and adaptive malware, defenders can use AI to analyze vast telemetry data and detect patterns humans might miss. However, this creates an ongoing arms race where offensive capabilities currently seem to have the advantage.
Quantum computing represents a longer-horizon but critical threat that could potentially break all current encryption methods. The "harvest now, decrypt later" approach means attackers are already stealing encrypted data in anticipation of quantum capabilities. Organizations must begin quantum risk assessments now, understanding where critical data resides, how long it needs protection, and what cryptographic systems they rely on.
Building a Security Culture
Cybersecurity must evolve from a technical silo to a boardroom-level responsibility. Security resilience requires shared accountability across the entire organization, with every executive understanding that cyber risk equals business risk. For submarine cable operators, this is particularly crucial since they're selling secure transport—trust is the foundation of their entire business model.
Securing submarine cables requires not just technical solutions but a fundamental shift in how we think about cybersecurity: as an enabler of business rather than just a cost center, and as a shared responsibility rather than an IT problem.
