How secure is Europe’s subsea cable network?
The story of the plucky Irish fishermen facing off against the might of Russia made plenty of headlines this week. CNN descended on the little town of Castletownbere in West Cork for a report on “fisherman diplomacy” as local fishermen said they were concerned about the dangers posed to fish stocks by the Russian fleet. However, another potential danger is likely to have exercised the minds of European leaders - that of the threat to the undersea cable infrastructure connecting Europe with the Americas.
The exercise was due to take place over the Goban Spur, an undersea shelf about 150 miles southwest of Ireland. Two crucial underwater cables pass through the area, connecting the European and American continents and forming an essential part of the global telecommunications network, with a third to be commissioned later this year. Security experts and military figures suggested the real focus of the naval exercises was these cables - whether for genuine intelligence-gathering purposes, or simply as another saber rattle in the ongoing mania in Ukrainia:
“They have recce'd [carried out reconnaissance] them, they have known about the cables for years,” said Dr Edward Burke, associate professor of International Studies at the University of Nottingham. He said the positioning of Russian ships over the cables as part of their navy exercise was “a campaign of incremental escalation”, showing they were aware of the vulnerability of the cables and this country's inability to do anything to prevent them being cut. “Russia realises Ireland's vulnerability is Nato's vulnerability,” he said.
So how secure are these cables, and what would the impact be if they were disabled? The short answer? “Not very” and “major.” The Atlantic Council sum up the importance of the international cable network:
The vast majority of intercontinental global Internet traffic—upwards of 95 percent—travels over undersea cables that run across the ocean floor. These hundreds of cables, owned by combinations of private and state-owned entities, support everything from consumer shopping to government document sharing to scientific research on the Internet.
In purely financial terms, the figures are staggering - undersea cables carry about €9 trillion of financial transfers daily - and sensitive diplomatic and military communications also pass through the cables. Disruption can have a very real effect on military capacity; cable breaks between Egypt and Italy in 2008 led to a dramatic 90 percent decrease in US drone activity in Iraq. But, despite their importance, the cables are not particulary well protected, with the same Atlantic Council report outlining an array of potential threats.
As the White House increasingly focuses on cybersecurity threats to the nation and the global community, including from the Chinese and Russian governments, it must prioritize investing in the security and resilience of the physical infrastructure that underpins Internet communications….for all that US society may invest in securing digital systems, the cables that carry those systems’ data and services remain vulnerable to surveillance, signal manipulation, and even serious damage or other disruption.
Last year, the Center for Strategic and International Studies suggested two primary means by which Russia could physically attack the cables. First is the use of the Losharik spy submarine, a deep-sea vessel that can dive down thousands of meters to target cables at extreme depths, make repairs more difficult to enact.
The second, and perhaps more familiar given it was sighted in the Atlantic back in August 2021, is the use of the Yantar spy ship. It carries advanced surveillance equipment, including a underwater drone and two manned subs that can dive to about 6,000 meters, according to the BBC, again making it possible to tamper with cables at extreme depths. Russia also claims the Yantar has equipment that can tap the cables.
And there isn’t just an at-sea threat - often, the landing points of these cables are not particularly secure either. In February 2020, there were reports that Ireland’s police service An Garda Síochána believed Russian intelligence operatives were monitoring and investigating cable landing sites along the Irish coast to check for vulnerabilities, perhaps another sign that Russia sees Ireland as a potential weak link in the European security chain.
In short, the threats are very real - and we haven’t even covered the threats posed to privacy and individual security by European countries like France, who have tapped the cables to carry out mass surveillance.
The threats posed to cables are part of the reason why there is such a focus on bolstering maritime and cyber capabilities in the Strategic Compass, the EU’s new military strategy document that I wrote about a couple of weeks ago. Indeed, the EU has already taken steps towards protecting its critical infrastructure at sea, according to European Union Institute for Security Studies, which describes in a 2020 report five maritime projects specifically focused on undersea surveillance and protection.
How fragile, then, is this digital world we all inhabit. If you do want to read more about the topic, check out future British Prime Minister (well, maybe) Rishi Sunak’s 2017 paper for Policy Exchange on the threats posed to undersea cables here. It’s a very readable study that covers the major issues. For a more in-depth and more recent study, check out the Atlantic Council’s “Cyber defense across the ocean floor” report from September 2021 here.
New Europol mandate overrides data protection authority’s order to delete data
The Presidency of the Council of the European Union, currently held by France, and the European Parliament agreed a new mandate for Europol on Tuesday, giving the police agency the legal basis for storing and processing vast amounts of personal data, overriding a previous ruling from the European Data Protection Supervisor Wojtek Wiewiorowski that large amounts of it must be deleted. The agreement sparked an angry response from Wiewiorowski, who said the agreement directly challenged his role:
Last, but definitely not least... the possibility that legislation is used to retroactively clear breaches already sanctioned by the EDPS constitutes a direct threat to its role as a supervisory authority. The retroactive effect of the proposed legal provisions is not only questionable in light of the foundational principle of legal certain stemming from EU law. It also appears to be directly aimed at overriding, and depriving it of its effects, the EDPS' deletion order notified to Europol, thus undermining the EDPS' statutory role.
Earlier this month, the EDPS ordered Europol to delete vast amounts of its huge store of personal data that it was found to have gathered unlawfully. “Such collection and processing of data may amount to a huge volume of information, the precise content of which is often unknown to Europol until the moment it is analysed and extracted - a process often lasting years,” said Wieworiorski in his decision. “A six-month period for pre-analysis and filtering of large datasets should enable Europol to meet the operational demands of EU Member States.”
However, it became clear quite quickly that his decision would not be accepted lightly, and Commissioner for Home Affairs Ylva Johansson quickly rode to Europol’s defence:
Law enforcement authorities need the tools, resources and the time to analyse data that is lawfully transmitted to them. In Europe, Europol is the platform that supports national police authorities with this Herculean task. is not only a global leader in the use of technology for law enforcement, but also in protecting fundamental rights like personal data. Striking the right balance between the right to protection of personal data
and the protection of citizens from serious crime is at the heart of the new regulation that I proposed last year. It is now very important to conclude the negotiations swiftly, and adopt and implement the strengthened mandate for Europol.
Within the month, the new mandate was pushed through, effectively voiding the EDPS order, and giving Europol the freedom once more to hoover up vast amounts of personal data - and to retain what it had already gathered.
One of the few people to get a direct insight into the system is Dutch activist Frank van der Linde, who was added to a terrorism list by Dutch authorities, who then shared the data with Europol. Despite being removed from the list by Dutch authorites, van der Linde remained on Europol’s list. He discovered this fact, report the Guardian, “only when he saw a partially declassified file at Amsterdam city hall.”
Van der Linde was surveilled for years, and arrested mulitple times as a result of this listing. “The ease of getting on such a list is horrific,” Van der Linde told the Guardian. “It’s shocking how easily police share information over borders, and it’s terrifying how difficult it is to manage to delete yourself from these lists.”
Most of us, however, have no idea whether our data is held by Europol, and have no real avenue of finding out. Whether Wieworiorski will take further action remains to be seen, but it is unlikely that this will be the end of the matter. Twenty-three civil society organizations, including Privacy International and the EDRi, already voiced their opposition to the new mandate at the end of January, so expect further challenges down the line.
ICYMI
EU declare nuclear and gas green in final draft of new eules, sparking outrage
Taking account of scientific advice and current technological progress, the Commission considers that there is a role for private investment in gas and nuclear activities in the transition. The gas and nuclear activities selected are in line with the EU's climate and environmental objectives and will allow us to accelerate the shift from more polluting activities, such as coal generation, towards a climate-neutral future, mostly based on renewable energy sources.
European Defence Agency accepts it must tighten rules after ex-CEO jumps ship to Airbus
via EU Ombudsman
The European Defence Agency (EDA) has accepted our recommendations concerning how it handled applications by its former Chief Executive to take positions at Airbus… The Ombudsman recommended that in future the EDA should forbid its senior staff from taking up positions where there is a clear conflict of interest. It should also set out criteria for forbidding such moves and any applicants for senior posts should be informed about the criteria.
EU to boost support to Libyan Coast Guard before summer
via European Parliament’s foreign affairs committee
“The EU thinks it is essential to continue supporting Libya by delivering equipment and increasing the capacity of the coast guard and the area of border management. In this context, [EU officials] were in Italy earlier this month to discuss with our Italian counterparts about the delivery of three new search-and-rescue vessels and two refurbished patrol boats,” said Commission official Henrike Trautmann during a meeting of the European Parliament’s foreign affairs committee.
Tenders and contracts
A tender put out last October for bids to supply 13 patrol boats to build the capacity of the Turkish Coast Guard, with funding to be provided by the European Commission’s Instrument for Pre-Accession Assistance, closed on Friday without the award of a contract. I’m seeking clarity on whether there were no suitable bids, or if the Commission decided against supplying the vessels.
Elsewhere, the University of Antwerp has been awarded €480,000 to conduct a study on the state of vaccine confidence in the EU. “Especially important will be to know how confidence has changed towards childhood vaccines for young people,” reads the notice. The funding is to be provded by the EU4Health programme.
Follow the FOIAs
Olivier Hoedeman of the Corporate Europe Observatory has waged a running battle with the European Commission to obtain documents regarding meetings between the EU’s Vaccines Procurement Steering Committee and the Joint Negotiation Team and representatives of the pharmaceutical industry. Hoedeman’s initial request was made in September 2020.
Over time, a small portion of the documents was eventually provided, but the vast bulk remain unreleased. On January 10, Hoedeman received a response from Wolfgang Philipp, the acting director of the EU’s Health Emergency Preparedness and Response (HERA) authority, proposing to reduce the scope “to 125 documents out of the 365 documents initially identified.” Needless to say, Hoedeman was dissatisfied with this proposal, detailing his disagreements in an email sent on Friday, February 4.
A complaint has now been submitted by Hoedeman to the European Ombudsman about the failure of the Commission to provide the relevant documents. Follow the FOIA and read the exchanges here.
Next week…
A joint hearing by the Subcommittee on Security and Defence and the Committee on International Trade on the impact of FDI screening rules that were brought into effect in 2020 and on the potential threats posted by Chinese investment in Europe’s security and defence sector will be held next Monday, February 7, at 4.45pm CET.
The Subcommittee on Security and Defence will also host Florence Parly, France’s Minister of the Armed Forces, for a debate on the French presidency’s priorities for EU security and defence, which will be of interest amid the ongoing tensions with Russia over Ukraine.
EU Industry Days, the annual industrial policy conference, is also beginning next week, and will focus on the green transition. Check out the programme of events here, with many available to stream online.