The physical dimensions of cyber security are as important as the virtual ones, but are often overlooked. Australia is actively working towards building its cyber resilience; the ability to anticipate, withstand, and recover from cyberattacks. But there is a significant hole in the protection of our physical cyber infrastructure.
Scattered across the ocean floor in intricate webs, submarine cables transfer high data volumes between onshore nodes. Five main international cables connect Australia to cyberspace and global voice networks. They carry 99% of Australia’s total internet traffic, dwarfing the capacity of satellites. Submarine cables are vital to our communications, economic prosperity, and national security. They also tend to break. A lot.
In most regions of the world this isn’t unexpected, or particularly worrying. Submarine cables aren’t much thicker than a garden hose and for the most part sit untethered and unprotected on the sea floor. Inadvertent breakages from ship anchors, nets and natural phenomena such as undersea earthquakes occur frequently, averaging at least one a week. To mitigate this risk, international agreements between cable operating companies are extensive, repair ships are quickly deployed and traffic is usually rerouted through other cables.
Unfortunately, the situation for Australia is more complicated. Sitting in the Southern Hemisphere, we’re largely isolated from the busy network of Transatlantic and North Asian Cable lines. We’re also unable to use overland fibre optic cables from other countries, leaving us reliant upon just a handful of international undersea cables.
The physical placement of these cables also creates risks. The majority of the cables are gathered closely together within ‘protection zones’, located off Perth (PDF )and Sydney. While protection zones are an effective means to warn responsible boat users of the presence of cables, they also create vulnerabilities. Several key cables gathered together present a greater chance of simultaneous cable breakages, whether accidental or deliberate. And such accidents aren’t without precedent.
In December 2008, near the notoriously crowded Alexandria cable station off the Egyptian coastline, an anchor cut three of the four cables connecting Europe to the Middle East. These three cables carried over 90% of the total internet and voice traffic between the two continents. Internet speeds ground to a trickle, and there were knock-on effects across the region. Fourteen countries lost some degree of connectivity, India lost up to 80% and the Maldives 100%, completely cutting them off from the global data network. APEC modelling indicates that if Australia were to lose 100% of its connection, this would cost the economy over $152 million every day until the cables were repaired, which can take anywhere from a few days to a few months.
While the majority of cable breakages are accidental, several cables have fallen victim to deliberate targeting. The state-backed sabotage of undersea cables during World War Two was commonplace. Australia itself participated, with the Royal Australian Navy hindering Japanese communications by cutting telegram cables off Indochina. The U.S. even managed to wiretap Soviet undersea cables in the 1970s during the Cold War.
But fast forward 40 years and decades of technological advancements, and non-state actors now pose the greatest threat to cable security. Piracy and the cutting of cables for scrap is an ongoing issue, but politically motivated attacks aren’t out the realm of possibility. The U.S. has already conducted war-gaming for such a scenario.
This critical infrastructure warrants effective protection and physical monitoring, particularly because Australian cables are organised so neatly together. And under current legislation, harsh penalties exist for tampering with submarine cables within protection zones. But the AFP, which has responsibility for ensuring compliance with these laws, operates on a reactive complaint-based model, performing no active preventative monitoring. They distanced themselves from this role in a submission to an Australian Communications and Media Authority (ACMA) report on the submarine cable protection regime:
The AFP’s responsibility for the enforcement of prohibitions and restrictions does not extend to the monitoring of the protection zones to prevent or supervise the safekeeping of the submarine cables in Australian maritime zones. The AFP is not physically equipped with the resources to monitor the protection of cables in Australian waters.
The Australian Maritime Safety Authority and the Fisheries Management Authority perform some surveillance of cable protection zones. But the cable owners and operators who responded to the same ACMA report unanimously indicated that current protection zone monitoring arrangements were unsatisfactory.
In contrast, New Zealand finds itself in a similar strategic position, but is far more conscious of protecting its physical cyber infrastructure. New Zealand has a total of ten cable protection zones compared to Australia’s three, providing more options to cable laying companies and reducing the risk of simultaneous breakages. Protection officers and Maritime Police not only patrol their zones with ships and helicopters, in some cases they operate for up to 24 hours a day.
The risk created by Australia’s dependency upon a few highly concentrated submarine cables jeopardises our cyber and communications resilience. We already have comprehensive legislation to help protect these cables, but by spreading them out and preventatively monitoring the protection zones, we would significantly lower the risk to Australia’s communication infrastructure.
Jessica Woodall is an intern at ASPI. Image courtesy of Wikimedia Commons.