National Security 101: Can Anyone Steal Data From Undersea Cables?

undersea cable submarine

A submarine communications cable (or undersea cable) is a cable laid on the sea bed between land-based stations to carry telecommunication signals across stretches of ocean and sea. A large chunk of it passes by the Straits of Malacca which is also one of the busiest shipping lanes in the world these days. Image source: Submarine Cable Map.

Today, the fastest undersea cables can transfer data at speeds upward of 25 terabytes per second. Undersea cables make instant communications possible, transporting some 95 per cent of the data and voice traffic that crosses international boundaries.

Read these first:-

Definition of Cabotage

The issue of cabotage was on the front pages in recent times and before we dive into it deeper, let’s get the right definition of cabotage first.

Cabotage is the transport of goods or passengers between two places in the same country by a transport operator from another country. It originally applied to shipping along coastal routes, port to port, but now applies to aviation, railways, and road transport as well.

Cabotage rights are the right of a company from one country to trade in another country. In aviation, it is the right to operate within the domestic borders of another country.

Most countries do not permit aviation cabotage, and there are strict sanctions against it, for reasons of economic protectionism, national security, or public safety. One notable exception is the European Union, whose member states all grant cabotage rights to each other.

Cabotage laws apply to merchant ships in most countries that have a coastline so as to protect the domestic shipping industry from foreign competition, preserve domestically owned shipping infrastructure for national security purposes, and ensure safety in congested territorial waters.

(Source)

So at the end of the day, it is just another form of protection policy to protect the local industries from the better equipped, better quality service foreign players.

undersea cable repair ship

Undersea cable repair requires specialised ships which require more investment from the industry players. Back in December 2020, it was reported that there are no Malaysian flagged vessels that can undertake repairs of undersea cables according to the best practices recommended by the ICPC (International Cable Protection Committee). Image source: Engineering News

Cabotage Exemption for Undersea Cable Repairs

So countries having their own variation of cabotage laws and policies are nothing new.

Then in March 2019, the Pakatan Harapan Transport Minister, YB Anthony Loke based on requests from Telekom and Time decided to make an exemption for undersea cable repair vessels. The reason for it was obvious – Malaysia only had 1 such vessel that was capable to undertake the undersea cable repairs and it was not enough to make the repairs fast enough for the users.

Having only 1 vessel meant a longer repair time which is not good for the fast-moving data management industry.

Much of the grouses concerning the minister had to do with the unhapppiness of tech giants Google, Facebook and Microsoft at Wee’s exercising of his powers under Section 65U of the Merchant Shipping Ordinance 1952, which in a nutshell revoked an exemption from the country’s cabotage policy involving submarine cable repair vessels.

This reversed a decision by former Minister of Transport Anthony Loke Siew Fook — part of the previous Pakatan Harapan government — who had approved an exemption for submarine cable repair vessels in March 2019, after complaints of delays in the repair of undersea cables by the tech giants.

The delays, which the tech giants say average 27 days, stem from claims that the Malaysia Shipowners’ Association (MASA) was looking to protect its members. Briefly, MASA has the right to block the use of a foreign vessel if there is a local company — a MASA member — which has a vessel capable of undertaking the required task. This has resulted in much back and forth and time wasted, which the tech companies find unacceptable.

The tech companies’ stand is that most of the world’s coastal countries do not treat submarine cable installation or repair as cabotage, and most countries define cabotage as the transport of cargo or passengers between two domestic coastal points.

Submarine cable installation and repair, however, does not involve the transport of cargo or passengers, but the installation and repair of long-term infrastructure on the sea floor. The cable and repair material is deployed, rather than transported to another port.

Since the tech companies feel that undersea cables should not be governed by cabotage, they also believe that any vessel from any country can be used to undertake repairs.

(Source)

So it made a lot of sense for the exemption of the existing cabotage policy by the Pakatan Harapan government. Then under the new Government, this exemption was reversed by the new Transport Minister which led to strong objections from the key industry players and implications:-

His move has caused immediate impact with two major global giants Facebook and Google deciding to divert their cables to Singapore and Indonesia instead of Malaysia, the repercussions could lead to substantial lost in FDI to the country.

In the case of submarine cable repair, there is one Malaysian company in the business which has four cable ships and two barges for shallow water cable laying. All its vessels are DP1 class and this has been the key point of dispute resulting in long delays for arbitration as the cable owners want DP2 class vessels.

Hence, the industry is shocked by the abrupt decision on the reversal of cabotage exemption without meaningful stakeholders’ consultation to protect a single company. It creates risks to Malaysia’s critical digital infrastructure and growing digital economy by making it less attractive for infrastructure investment.

(Source)

undersea cable tapped NSA

A photo of the South America (SAM-1) NSA/GCHQ undersea cable at the Atlantic Ocean that is probably tapped by the NSA / US. Image source: WIRED

Alleged security implications

The key reason for the reversal of the exemption, according to some reports, is to nurture and promote local players to invest and actively participate in DP2 or DP3 vessels. Then the Chairman of MASA quoted national security as a reason for the revocation of the exemption.

The benefits of Malaysia’s cabotage policy for submarine cable repairs outweigh the shortcoming, especially in terms of protecting the country’s digital sovereignty, says the Malaysia Shipowners’ Association (Masa).

Its chairman Datuk Abdul Hak Md Amin said relying on foreign vessels to perform submarine cable maintenance every time was more likely to expose the country to possible data security threats.

“We have our own (digital) sovereignty to look into (even if) we have our own maintenance vessels. What more when our cable is out and the foreign vessels that come in (to do the repair) might take possession of our secured data. We don’t know.

(Source)

This statement immediately raised some brickbats in the news and social media as illogical and not making sense.

Firstly, the undersea cables belong to the large tech companies themselves and they are the one who is engaging the undersea cable repair vessels:-

In the past, submarine cables were owned by telecommunications companies, which formed consortiums to reduce costs, but now, with internet giants Google, Facebook, Amazon Web Services, Microsoft and Netflix making up 70% to 80% of global internet traffic, these companies have been directly investing in cables.

(Source)

So it is their own data running on their own cables that are being repaired by vessels engaged by them – so where is the notion of data security being compromised?

Secondly, there has been considerable improvement in data encryption over the years that makes data tapping highly difficult:-

The conditions required to break HTTPS cannot be achieved by passively observing traffic over an undersea cable.

There are several effective attacks against SSL/TLS but pretty much all of them require the attacker to actively interfere with the transmission.

To perform a MITM attack against actual encrypted traffic the attacker would also need access to a CA certificate (which many governments do), although there are other (more noticeable) attacks such as SSL stripping.

(Source)

And also this was reported back in 2017:-

Ericsson and Telstra have announced achieving the encryption of data while in transit over a 100Gbps link between Australia and the United States by using telecommunications equipment and software provider Ciena’s 100Gbps wire-speed ultra-low latency encryption solution.

Using optical encryption technology, the companies claimed the ability to secure data while in transit over 21,940km between Melbourne and Los Angeles without impacting speed, reliability, and latency.

According to the three companies, data can now be securely encrypted at both the network layer and the application layer, which could be used by organisations with high-security obligations including defence, government, finance, healthcare, and datacentre operations.

The companies were also able to secure the data across multiple vendor submarine cables, including the Japan-US Unity subsea cable system, the Australia-Japan Cable (AJC), the Asia-America Gateway (AAG), and the Endeavour subsea cable system.

(Source)

And further, it is difficult to hide data tapping these days:-

This is an optical time-domain reflectometer. When I run this on my fibre optic cable, I can see where “the end” is. I can see where all the “taps” and “breaks” are. That’s how, if I’m operating a sub-sea cable when it breaks, I know where to send the boat.

As soon as there’s any indication that a cable is misbehaving, you fire up the OTDR. If someone’s fucking with it, you know about it.

There are about a dozen marine cable laying and/or repair ships, total. At any given point in time, a savvy marine cable operator (such as, formerly, yours truly) knows where they all are within a few hundred kilometres. Why? Well… if you have a break, you need a fix, and if you need that *right now*… you have to get the boat there, at about 15 knots. And you potentially have to divert for supplies too. So location matters.

It’s theoretically possible for some top nation to fund a submarine cable molesting ship just for the purposes of applying mid-span taps. However, once you did that… how the fuck are you going to exfiltrate that data? Because, you know, you’re the middle of the ocean, and under a klick and a half of water…

If you actually think people “tap subsea cables”… you watch too many spy thrillers.

(Source)

And it is also risky and expensive that it is not worth tapping the data from undersea:-

According to open-source reports, the modified Seawolf-class submarine USS Jimmy Carter is almost certainly able to tap the submarine communication cables.

In the USS Jimmy Carter, there is a constructed multi-mission platform, which enables the use of a Remotely Operated Underwater Vehicle (ROV). ROV can be used for installing tapping devices to submarine communication cables.

Even if this is technically possible; some experts consider this kind of intelligence collection too risky and expensive.

(Source)

undersea cable security data

Data security and protection starts from the time you start using your computer in the forms of strict passwords, two-factor authentication and ensuring that the websites that one goes to is genuine and secured. You don’t have to wait till it goes to the undersea cable to get the data. Image source: Better Online

Final Say

It is a known matter that undersea cables have security risks as the location of these cables are well known and for a reason – to avoid others from damaging them by accident.

Further, the South East Asian countries facing the constant intrusion from the China military, undersea cable damage and data tapping is a real threat.

Russia and China have developed capabilities in these areas. Russian submarine activity near undersea cables is well-documented: The Yantar, a Russian spy ship, carries mini-submersibles that can either sever or tap them. Russian activity often clusters around crucial, yet hard-to-reach cables because these are difficult to repair.

Chinese officials view control of undersea infrastructure as part of a broader strategic competition for data. One official Chinese Communist Party outlet explained that “although undersea cable laying is a business, it is also a battlefield where information can be obtained.”

Huawei Marine, a Huawei subsidiary, is a major player in the undersea cable industry. The company has built or repaired almost a quarter of the world’s approximately 400 submarine cables. But American officials worry that cables laid or serviced by the company may be accessed by the Chinese government.

(Source)

But the crux of the issue when it comes to cabotage laws is not on the country’s national security (because the country does not own the cables) but rather on the speed of repairs that need to be done. Undersea cables although is robust is still exposed to the elements and thus prone to damages. Once this happens, it has a huge impact on the speed and quality of the communication and internet.

The financial and equity sectors rely on the speed of the internet for international financial transactions. If you had watched the 2018 movie, The Hummingbird Project, you will understand why speed matters. In the movie, the main characters would lay fiberoptic cables from the Kansas electronic exchange to the New York Stock Exchange and they commit to shaving 1 millisecond of the connection time to 16 milliseconds to outbid their competitors.

Imagine it only takes 16 milliseconds to take the lead!!

Now if the undersea cables are damaged and it takes time to repair them, think of the implications to businesses. This is why the exemption was granted by YB Anthony Loke in 2019.

If one talks about data security and one able to tap the data, it does not take a genius to know that one does not need to dive into the deep blue sea for tapping the data. A data leak can start from the very start at one’s personal workstations and poorly designed unsecured websites that require a lot of personal information. Leaks of personal information from Telcos is almost standard these days so much so we think rogue Telco staff selling it on daily basis.

So when one talks about security taking precedent over speeding up the cable repairs, it is a mismatched priority. More damage to the country is done from undersea cables that are damaged than from some foreign element tapping highly encrypted data from the deep sea.

Please Leave Your Thoughts on the Post

%d bloggers like this: