The Underwater Battlefield: Protecting Submarine Critical Infrastructure
In 2021, in his book “To Rule The Waves” Brookings Institution researcher Bruce Jones observed that “it is on the oceans that the great struggles of our day — for military power, for economic dominance, over our changing climate — are playing out”.
At the time, few Europeans could have imagined that just a few years later these struggles would play out right in Europe’s very own waters. Over the past two years, there have been major sabotage attacks on European submarine critical infrastructure in the Baltic Sea. In September 2022, the Nord Stream 2 gas pipeline was blown up. In October 2023 and November 2024, two Chinese-flagged vessels damaged vital submarine data cables as well as a gas pipeline. The most recent instance, in December 2024, saw an oil tanker that is part of Russia’s “shadow fleet” damage a vital submarine power cable connecting Estonia and Finland as well as several data cables.
These are “gray zone” attacks typical of the present moment that NATO secretary-general Mark Rutte aptly characterized in a major speech in Brussels on December 12, 2024, pointing out, “No, we are not at war. But we are certainly not at peace either.” And sabotage attacks on critical submarine infrastructure are very much part and parcel of the “coordinated campaign to destabilize our societies” that Rutte diagnosed: “They circumvent our deterrence and bring the front line to our front door.”
This confronts European policymakers with the triple challenge of attribution, deterrence, and resilience. Who exactly is behind these attacks (and in particular: What roles do Russia and China play)? Can the NATO allies re-establish deterrence? How can they improve resilience? The good news is that the past three years have seen an improvement in terms of efforts at attribution with each of the major attacks. The bad news is that investments in deterrence and resilience fall well short of what is needed.
Critical and Vulnerable
Submarine critical infrastructure could hardly be more critical for both our data and our energy needs. Over 95 percent of global data traffic passes through over 500 undersea fiber optic cables with a total length of roughly 1.4 million kilometers. This communication infrastructure, which is important for the economy, citizens, the public sector, and the military alike, is largely in private hands. It is traditionally owned by telecommunications companies.
Today, more and more data companies such as Google, Meta, and Amazon are the main players. Their hunger for data cables is only growing in the age of artificial intelligence. Modern undersea cables are very powerful and several times faster at transporting data than satellites. At the same time, they are very vulnerable. They have only the diameter of a garden hose and mostly lie unprotected on the seabed. Landing sites, where often several cables come ashore close together, are at best weakly guarded.
Ten years ago, Robert Martinez, a former top official at the Pentagon, complained in an article in Foreign Affairs that countries were investing billions in cybersecurity, but had largely neglected the security of the internet’s physical infrastructure. In recent years, the European Union, NATO, and the German government have paid significantly more attention to the issue. However, Germany and Europe are still insufficiently prepared for the risks of outages of undersea data transfers due to targeted attacks, accidents, and natural disasters.
The sea is also home to a number of critical infrastructures for Europe’s energy supply. Take Germany: Natural gas from Norway transported through pipelines is now the largest source of gas supplies. Offshore wind farms are an increasingly important part of the energy mix, connected to the grid by undersea power cables. The most important trend though is that Europe increasingly relies on “interconnectors,” subsea power cable cables that connect countries enabling more flexible and efficient markets and access to renewable energy across borders.
In the Mediterranean, the “Great Sea Interconnector” project will link Greece and Cyprus (and ultimately also Israel) and with 900 kilometers of cables will set the record for the longest and deepest cables ever laid for power cables. In the Baltic Sea, there are a number of interconnectors, including the damaged Estlink 2 cable connecting Estonia and Finland. These interconnectors are of particular importance at this present moment given that the three Baltic states are set to disconnect from the Soviet-era joint BRELL power grid with Russia and Belarus on February 8. This will end the reliance on Russian operators for controlling the frequencies and balancing the grid. The Estlink 2 power cable will likely take months to repair. Estonian representatives provide reassurance that the transition away from the Russian grid would not be jeopardized even if the remaining Estlink 1 cable got damaged. Still, it is not without reason that the Estonian navy now conducts patrols to guard Estlink 1.
Attributing Sabotage
When it comes to sabotage against critical infrastructure in European waters, Russia, by default, is the prime suspect on account of both intentions and capabilities. In September 2024, the US military explicitly warned of Russian sabotage activities against undersea cables. Russia has invested heavily in the capabilities of the Russian military’s “Main Directorate for Deep-Sea Research” (GUGI) and operates a large fleet of ships, submarines, and underwater drones that could carry out attacks against critical infrastructure on the seabed.
In addition, Russia uses civilian ships (“research vessels,” cargo ships, fishing boats) for military purposes. A study based on routes automatically transmitted by ship transmitters indicates that in the North Sea alone, more than 200 Russian ships have displayed suspicious behavior in the last 10 years, often in the vicinity of critical infrastructure. In the majority of cases, there will be plausible explanations for the behavior (such as bad weather), but it is clear that Russia is “continuously developing its underwater warfare capabilities,” as Rear Admiral Christian Meyer of the Germany Navy put it in a statement in June 2024 to a hearing in Germany’s parliament, the Bundestag.
Critical undersea infrastructure such as data or power cables are an attractive target for “gray zone operations” below the threshold of armed conflict. In the words of Rear Admiral Meyer, it is relatively easy “to do damage without getting caught.” The vast expanse of the seas makes monitoring difficult. And even if suspect vessels were to be caught red-handed: Much critical infrastructure is located outside territorial waters where international law provides fewer options to go after suspect ships.
Improved Efforts
It is welcome news that over the past years intra-European cooperation on attribution efforts has improved and interpretation of options under international law has become more robust. The investigation following the Nord Stream pipeline attacks provides an example of how things should not happen. That’s not the fault of the German prosecutors who have mounted a very serious effort to investigate the explosions. However, Polish authorities seem to have sabotaged the investigation by allowing the prime Ukrainian suspect to get off the hook despite an arrest warrant. Polish Prime Minister Donald Tusk dismissed reports on the possible collusion between Polish authorities and the Ukrainian suspects: “To all initiators and patrons of Nord Stream 1 and 2. The only thing you should do is apologize and keep quiet.” That is the wrong reaction. Concluding that the Nord Stream pipeline projects were fatally misguided should not lead you to protect suspects and sabotage intra-European cooperation on the rule of law.
Fortunately, the more recent cases have shown a steady improvement of cooperation on attribution. That the suspects behind the three most recent sabotage cases hail from Russia and China, and not from key European ally Ukraine, has certainly helped. But there has been genuine learning and improvement from one case to the next.
In October 2023, Finnish authorities quickly suspected the Chinese cargo ship Newnew Polar Bear after the damage to two submarine data cables and the Balticconnector natural gas pipeline. However, they did not take any swift action. The ship was allowed to continue to sail to Russia and then on to its Chinese port of registry uninterrupted. During a stopover in the Russian port of Arkhangelsk, it was sighted with an anchor missing.
The Finnish authorities’ technical examination of an anchor found on the seabed clearly identified it as belonging to the Newnew Polar Bear. At the same time, traces of paint from this anchor were found on the damaged pipeline. The evidence of the Chinese cargo ship’s role damaging critical infrastructure on the seabed by dragging its anchor was overwhelming. In August 2024, the Chinese authorities announced that the damage was indeed caused by the Newnew Polar Bear, but that it was an accident due to severe weather conditions. Beijing did not allow the Finnish authorities to conduct any direct investigations of the ship or its crew. The investigators have yet to publish a final report. However, there are good reasons to doubt the official Chinese explanation.
In November 2024, authorities reacted more decisively when another Chinese vessel, the Yi Peng 3, was suspected of having cut two submarine cables by dragging its anchor, one between Sweden and Lithuania and the other between Germany and Finland. This time, Europeans prevented the ship from simply continuing on its way to China. The vessel was stopped in the Kattegat between Denmark and Sweden and guarded for weeks by German, Danish, and Swedish navy and coast guard vessels.
According to Finnish Defense Minister Antti Häkkänen, clear lessons have been learned from the Newnew Polar Bear case. One loophole was, in his words, the “quite orthodox” interpretation of international maritime law, according to which you cannot stop a ship in international waters. This allowed the Newnew Polar Bear to escape and delayed the investigation. Häkkänen said that representatives of various European countries have come to a clear conclusion that this is unacceptable when “the critical infrastructure of some countries has been destroyed and seriously damaged” and the perpetrators must be identified. Early on, investigators ruled out the possibility that the Yi Peng 3 accidentally damaged the cables. German Defense Minister Boris Pistorius stated: “Nobody believes that these cables were cut by mistake.” He added: “Therefore, we have to conclude — without knowing specifically from whom this comes — that this is a hybrid action.”
While the Chinese vessel was held in the Kattegat, the countries affected by the suspected sabotage, led by Germany, engaged in intense political negotiations with China. Initially, the Swedish government asked the ship to return to Swedish territorial waters. There, the Swedish authorities would have more direct rights of access and could examine the suspicious ship without the approval of China, its country of origin. These access rights do not apply in the Exclusive Economic Zone (EEZ) where the ship was stopped.
As a compromise, on December 19, the Chinese government allowed nine Germans, six Swedes, three Finns, and one Dane to board the Yi Peng 3 alongside 14 Chinese officials. The conclusions of the investigators who boarded the Chinese vessel have not yet been made public. As part of the political deal with China the Yi Peng 3 was allowed to leave the Kattegat and continue its journey.
A lot of questions remain unanswered regarding the suspected sabotage conducted by the two Chinese vessels. What would be Beijing’s motivation to carry out sabotage in the Baltic Sea? For sure, using civilian ships to damage submarine cables is a staple feature of Chinese statecraft in its own region. A few years ago, China probably intentionally severed the data cables connecting the Matsu, an offshore island of Taiwan, to the internet with civilian ships. This is part of the intimidation campaign against Taiwan. And in early January 2025 Taiwan suspected a Chinese owned vessel of cutting a subsea data cable off its northern coast that connects Taiwan with the US west coast.
The intentions of Beijing vis-à-vis Taiwan are clear. But what message would a Beijing orchestrated sabotage campaign in the Baltic Sea send? It seems politically counterproductive. After all, it would strongly confirm what Beijing vehemently denies: being a direct military threat to Europe, not just by enabling Russia’s war machine but also directly through sabotage.
For sure, in recent years (for example during the COVID-19 pandemic), Beijing has taken many excessive and seemingly self-defeating actions that have turned Europe against Beijing. But critical infrastructure sabotage in the Baltic Sea ordered from the very top of the Chinese party-state might be too much of an irrational shot in the foot even by Beijing’s standards, not least since China otherwise claims that Europe can trust Chinese providers for the critical infrastructure 5G. It seems more plausible, and this, according to the Wall Street Journal, is also the investigators’ hypothesis, that Russian intelligence and military played a central role. Moscow could have persuaded the captain of the Chinese ship to carry out the sabotage. Possibly, lower levels of the Chinese intelligence apparatus could have coordinated with their Russian counterparts without orders from higher up. But maybe even more plausibly, Moscow enlisting the Chinese vessel could have happened without advance knowledge or active participation of the Chinese party state apparatus.
Holding Vessels to Account
It is in the most recent case of the Eagle S oil tanker damaging data cables linking Finland and Estonia as well as the Estlink 2 power cable in late December 2024 that Europe has mounted the most decisive immediate response. That is mostly due to Finland’s determination to hold the suspect vessel to account. As the Wall Street Journal reported: “Heavily armed elite units of the Finnish border guard and police dropped from two military helicopters onto the deck of the tanker that authorities say is part of Russia’s sanctions-busting effort known as the shadow fleet and took control of the ship.“ That the ship was in Finnish territorial waters provided a solid legal foundation for this step.
Finnish authorities have investigated the ship and crew as they hold it in a Finnish port. Seven sailors are formally under investigation and banned from leaving the country. Although part of the Kremlin’s shadow fleet to evade the Western imposed oil price cap and other sanctions, Russians are not formally part of the vessel. The aging Eagle S is Cook Island flagged, registered in the United Arab Emirates and operated by an Indian company based in Mumbai. According to reports, the crew are mostly from India and Georgia. Of course, Russia has every motive to have coerced or bribed the crew to conduct sabotage by dragging its anchor as evidenced by miles long drag marks uncovered by Finnish investigators. But even with the ship and crew being held it is challenging to get decisive proof for this without confessions on the part of the crew or clear human or signals intelligence linking the Kremlin to the operation.
Even if cooperation and decisiveness have improved, the results of investigating the recent sabotage cases are sobering. Most questions remain unanswered, and it is unclear whether perpetrators will pay a significant price. This highlights the dilemma of dealing with gray zone operations, especially when nominally private entities such as merchant ships are used to carry them out: attribution is difficult, and so is effective prosecution.
Improving Deterrence
Both must be greatly improved if deterrence of sabotage against submarine cables is to work more effectively. Attackers must expect to be detected and to pay a high price. Germany is a case in point. The German navy must show a “permanent presence in domestic waters,” according to Rear Admiral Meyer, “so that a potential opponent must consider the probability of being clearly detected in his plans.”
In peacetime, the main responsibility for security and safety lies with the police. It is necessary to consider whether and how the various police services of the German federal government and the five coastal states can be more closely bundled under the leadership of the Federal Police, including the existing Maritime Security Center. It is also being discussedwhether it should be made easier to involve the Bundeswehr (i.e., the German navy) in supporting police tasks in maritime security and which other legal gaps need to be closed with a view to better protecting critical infrastructure at sea.
Germany has invested in capabilities for a maritime real-time situational awareness, including networks of stationary and mobile sensors and AI-based systems for detecting anomalies. These must be further strengthened and connected, in cooperation with Germany’s international partners. The increased use of unmanned systems can help here. NATO is considering the use of a fleet of underwater drones to monitor critical subsea infrastructure. The German navy also talks about the principle of “manned systems when necessary, unmanned systems when possible.” Acquiring a substantive fleet of unmanned subsea vehicles is an absolute necessity that so far unfortunately has not been prioritized in German defense procurement despite the systems being offered, including by German defense companies.
The good news is that NATO has invested significantly in dealing with threats to submarine critical infrastructure. Germany and Norway pushed for NATO’s Maritime Centre for Security of Critical Undersea Infrastructure that was established in May 2024. In late December 2024, following the Eagle S incident, NATO announced that it was enhancing its presence in the Baltic Sea to “maintain vigilance, increase situational awareness, and deter future incidents.” There is also a clear path for targeting the Russian shadow fleet effectively by combining European and US sanctions. That is urgent also due to the massive environmental risks posed by the aging tankers in the fleet passing through European waters.
At the same time, consideration should be given to what obligations should be imposed on the largely private operators of data cables (and other critical infrastructure at sea) with a view to ensuring security. As cybersecurity expert Daniel Voelsen points out in a recent study, limited resources for protection should be concentrated on critical nodes, especially for Germany and Europe. This also requires international cooperation, as the Suez Canal and Singapore, for example, are important chokepoints for connections to Europe. It is also important to ensure that critical digital and energy infrastructure connecting Europe is not operated by untrustworthy Chinese providers, including in the field of undersea cables.
Better attribution of attacks is one key element in creating a more effective deterrent, the imposition of costs is another. In the case of gray zone attacks, this does not necessarily have to be done publicly. Mark Sedwill, national security adviser in the UK at the time of the Skripal nerve agent attacks in October 2020, later reported that in response, the UK had not only carried out a large-scale, internationally coordinated diplomatic expulsion, but had also taken “a series of other discreet measures.” These were taken according to the principle of “play to our strengths and focus our attention on their vulnerabilities.”
Resilience and International Cooperation
In addition to better deterrence of sabotage, it is important to invest in greater resilience. Not only will increased deterrence not be able to prevent all sabotage attacks, the majority of the approximately 100 incidents of damage to undersea data cables that occur each year are not the result of sabotage, but of accidents and natural disasters. One example of the latter is the damage to data cables between Finland and Sweden caused by construction work, which briefly made headlines at the beginning of December. Another example is the disruption of Tonga’s internet connection caused by underwater volcanic eruptions.
Diversification and redundancies are key steps toward greater resilience. More cable connections are definitely in the public interest so that critical infrastructure is less prone to failure. However, since most of the cables are privately operated, there are many open questions as to who pays for creating the necessary redundancies.
Another measure for greater resilience is the expansion of capacities for cable-laying and repair ships. Worldwide, there are only around 80 ships that can lay and repair cables as a very useful study by Sophia Besch and Erik Brown details. The AI boom in particular has led to high demand for new, modern cables from the large US digital corporations, which, due to limited capacity, is leading to waiting times for the laying of new cables. It is worthwhile for cable ship operators to utilize their capacity to the maximum through laying activities. It is far less economical to maintain large capacities for repairs.
That is why the US government pays the company Subcom around $10 million a year to have access to two repair ships in an emergency. The US Navy itself has only one cable ship, which is currently being refurbished. In addition, the majority of the cable fleet is outdated and not enough new ships are being put into service. The crews also struggle to find enough new recruits for the difficult work. It is in the interest of Germany and Europe to ensure the renewal and expansion of the cable ship fleet and to provide incentives for this.
This is also true with regard to repair capabilities for submarine power cables where resources seem to be stretched even more thinly as demand skyrockets. What is already insufficient in times of peace will certainly not be nearly enough in the event of increased tensions or outright war. Here it is important to invest in much more resilience. Germany and Europe should also do their part to ensure that financially weak and remote part of the world become more resilient. Tonga, for example, is only connected by one international cable, and the nearest repair ships are far away. The damage caused by the failure of the cable after the eruption of the underwater volcano was correspondingly extensive and long-lasting.
Both China and the US have recognized — and are acting on — the strategic importance of the complex industry behind the investment, construction, operation, and maintenance of critical submarine cable infrastructure. Europe should do the same and strengthen its companies. The French state signed an agreement with Nokia in June 2024 to acquire Alcatel Submarine Networks (ASN), a leading global former private French company. This is a good sign that Europe is becoming more aware of the strategic importance of this industry.
Beyond this, Germany and Europe should invest in international cooperation for the protection of submarine cables. It is good that the protection of critical maritime infrastructure is increasingly a central focus in the EU and NATO. Germany should take a long-term approach to promoting the adaptation of UNCLOS, the United Nations Convention on the Law of the Sea, to better protect submarine cables. Within the UN context, the International Advisory Body for Submarine Cable Resilience offers an important new forum to complement the International Committee on the Protection of Cables (ICPC).
It is important not to stress test critical submarine cable infrastructure simply with a view to gray zone attacks. The recent cases of sabotage are at the very low end of the intensity ladder. Europe’s enemies are just testing the waters. In the event of a full-scale war involving NATO allies, we need to prepare for very different magnitude of attacks. European resilience must be designed with these wartime scenarios in mind. Incidentally, this would be nothing new. One of the first acts of Great Britain in World War I was to cut four of the five subsea telegraph cables connecting the German Reich — and tap the only one left for espionage.
This article was originally published by Internationale Politik on January 8, 2025. The research for this article was condusted in the context of a project on the security of undersea cables funded by the German Federal Foreign Office. Erik Brown and Amanda Kraley supported the project.