The growing risks lurking under the sea

This article was first published by Oliver Wyman here.

 

Geopolitical risks from the Russian invasion of Ukraine are growing. Events in recent weeks have highlighted the unpredictable nature of the conflict; in the face of battlefield losses, Russian President Vladimir Putin continues to escalate hostilities through large-scale mobilization, the annexation of additional Ukrainian territory, and most pertinently, threats to Western infrastructure.

Putin has stated – or threatened – that “any critically important object of transport, energy, or utilities infrastructure is under threat no matter where it is located or by whom it is managed.”

The explosions that ruptured the Nord Stream 1 and 2 submarine gas pipelines at the end of September underscore the risks to Western Europe’s critical infrastructure. Much focus has been on potential attacks on energy infrastructure because they would exacerbate existing economic and political crises. Significantly, however, gas and oil pipelines are not the only potential critical infrastructure targets.

Undersea communication cables that drive the internet are also extremely vulnerable. Undersea communication cables are unprotected, unregulated, and physically highly vulnerable — and Russia has the capability to interfere with or destroy them. The cables are vulnerable at multiple points, including on deep ocean floors and where they come ashore. For more than five years, defense and security officials at the highest level on both sides of the Atlantic have repeatedly called out this risk. In January this year, UK Chief of Defence Admiral Sir Tony Radakin laid out a stark warning that Moscow could “put at risk and potentially exploit the world’s real information system, which is the undersea cables that go all around the world.”

In recent times, key Russian military underwater assets have been identified in the vicinity of critical European and North American cable routes. These assets have reportedly recently attacked deep undersea cables used by the military in Europe, but consequences of a potential coordinated attack on undersea cables are not limited to the military.

What an attack could do

Economic disruption following a major attack on undersea internet infrastructure is currently competing for the very top position of national risk registers. A large-scale attack on this infrastructure would cause a particularly wide spectrum of organizations to suffer business-critical consequences over an extended period of time. The impact risk would likely be disorderly and chaotic, as different cables have different ownership and control structures as well as diverse usage profiles — but would likely include loss of critical services and major slowing of traffic. National security leaders are increasingly worried about the disruption a successful attack could wreak on the global and national economies, in addition to the potentially devastating impact it could have on individual companies.

Many large companies and public sector organizations are particularly vulnerable to the disruption a major degradation of communication would entail, especially those dependent on the high-speed flow of huge volumes of data to sustain critical business services. Widespread communication outages could disrupt industries on an unprecedented scale, severely impacting core customer services. Equally, other essential activities and critical internal infrastructure, including access to cloud data, offshore services, and the management of internal IT networks and security could be severely compromised. To put it simply, such an event would lead to major disruption of many industries and public services with potentially unprecedented macroeconomic consequences.

Most organizations are not prepared

Nevertheless, many organizations have a limited understanding of the potential impact that a major degradation of transatlantic internet communications would have. Most are not prepared for such a crisis and, concerningly, few have developed adequate playbooks to ensure business continuity covering such an event.

There are many questions boards and executive teams should be asking: Do we know the potential risks we face in the event of major internet degradation? What key services might we lose? What would be the impact of a major slowdown in internet communications? How long might business critical services be interrupted for? For how long could we safeguard critical business processes? What are the recovery and reconciliation implications of such an event? What help would we need from government/regulators? Is our insurance protection sufficient?

How companies can get on the front foot

There are three main steps companies can take to prepare now for problems that could arise down the road.

Assess the risks. As a matter of urgency, organizations need to assess the technical and related risks that the loss of communications infrastructure capacity would present to their entire spectrum of operations and how this would impact their operating models, customers, and other key stakeholders.

Develop a robust response strategy. Companies need to think carefully through their response strategies and the associated requirements — a complex process that requires a great number of technical and organizational questions to be answered in detail. Ideally, the strategy should address not only the primary impacts of an outage, but also the second- and third-order effects that would manifest across the business.

Prepare a playbook. Organizations should prepare a playbook for different communications crisis scenarios and then be prepared to test responses through wargames, rehearsals, and practical drills. Such a playbook should contain detailed guidance and instructions for a response to a major incident. The ideal playbook has six main stages. First, identify and classify: confirm that an incident has taken place and collect as much information as possible. Second, assess the incident’s severity and identify an appropriate response path. Third, contain: take steps to limit the damage. Fourth, remediate: establish operational viability and maintain business continuity. Fifth, recover: return to an operationally ready state. And finally, measure: collect critical management information at each step of this incident-management lifecycle to foster effective coordination and provide a defensible journal in anticipation of legal recourse.

Careful management and communication are key

Such a crisis would require careful management of and effective communication with crucial stakeholders such as employees and customers. The technical response must, therefore, be accompanied by a carefully written, detailed, and pre-approved communications plan as part of the playbook. The purpose of such a plan would be to provide clarity regarding who will communicate what, to whom and when, and through which appropriate channels. If the internet is degraded, other forms of communication with stakeholders will be required.

Ultimately, it is the responsibility of boards and executive management teams to ensure that the organization is as aware and prepared as it can be and understands the ways that it can practically mitigate the risk and impact of such potentially catastrophic events.

Get in touch

Oliver Wyman specializes in risk management and advising clients on operational resilience. We would be happy to share further perspectives on the threat of a state-led attack on undersea communication cables and the appropriate proven crisis response strategies that organisations should have in place.