Submarine cables carry over 99% of international data traffic and face unprecedented cybersecurity challenges that extend far beyond traditional network security.
In this episode of the TeleGeography Explains the Internet podcast, Ferris Adi, Chief Information Security Officer at Trans Americas Fiber System, recently shared insights on the evolving threat landscape and strategic approaches to protecting these vital assets.
Here are some key takeaways from the conversation.
Subscribe to get more episodes:
Apple | Amazon | Spotify | Stitcher | TuneIn | Podbean | RSS | YouTube
Three Threat Domains for Submarine Cables
Submarine cable systems face threats across three critical domains: physical, logical, and geopolitical.
- Physical threats include accidental damage and deliberate sabotage, particularly at vulnerable shallow depths and landing stations where attackers can tamper with optical signal paths.
- Logical threats emerge from outdated remote access controls, lack of multi-factor authentication, and weak VLAN segmentation that can enable east-west lateral movement within networks.
- Geopolitical threats arise when cables running through strategic chokepoints face state-level interference and lawful interception requirements that can compromise traffic integrity.
The challenge is compounded by shared vendor platforms lacking end-to-end encryption and role-based access controls. A single vulnerability—whether an unsigned firmware update or unsecured vendor API—can trigger regional-scale outages or traffic manipulation.
Navigating Complex Regulatory Landscapes for Submarine Cables
Submarine cables by nature cross multiple jurisdictions, creating a complex compliance environment. In the Americas, the FCC's recent Notice of Proposed Rulemaking signals a new era where cybersecurity is treated as a national security risk, requiring mandatory risk management plans and annual compliance certifications. However, global enforcement remains uneven.
While regions like Europe maintain stringent regulations similar to U.S. standards, other areas may have less developed or inconsistently enforced cybersecurity requirements. Adi's advice: don't wait for local regulations to catch up. Instead, embed security into every system layer and maintain strong partnerships with trusted vendors and local governments. The goal should be staying ahead of regulatory requirements rather than merely meeting minimum compliance standards.
Breach Response: From Crisis to Controlled Recovery
The mindset around security breaches must shift from prevention-focused to resilience-focused thinking. "You cannot prevent every breach," Adi emphasizes, "But you can control the damage." A solid post-breach strategy starts with preparation: detailed incident response plans, well-defined stakeholder roles, regular tabletop exercises, and tested backup systems.
The difference between a manageable breach and a full-scale crisis often comes down to preparation and communication. Clear roles prevent confusion about who communicates with customers and media, while transparent internal communication keeps stakeholders informed at every step. Companies that detect threats early, isolate quickly, and recover with minimal disruption demonstrate true cyber resilience.
The AI-Quantum Future of Cybersecurity
Looking ahead, AI presents both opportunities and challenges. While bad actors leverage AI for more sophisticated phishing campaigns and adaptive malware, defenders can use AI to analyze vast telemetry data and detect patterns humans might miss. However, this creates an ongoing arms race where offensive capabilities currently seem to have the advantage.
Quantum computing represents a longer-horizon but critical threat that could potentially break all current encryption methods. The "harvest now, decrypt later" approach means attackers are already stealing encrypted data in anticipation of quantum capabilities. Organizations must begin quantum risk assessments now, understanding where critical data resides, how long it needs protection, and what cryptographic systems they rely on.
Building a Security Culture
Cybersecurity must evolve from a technical silo to a boardroom-level responsibility. Security resilience requires shared accountability across the entire organization, with every executive understanding that cyber risk equals business risk. For submarine cable operators, this is particularly crucial since they're selling secure transport—trust is the foundation of their entire business model.
Securing submarine cables requires not just technical solutions but a fundamental shift in how we think about cybersecurity: as an enabler of business rather than just a cost center, and as a shared responsibility rather than an IT problem.
Craving More Cable Content?
The Economics of Submarine Cables
Watch episode 1 in this cable series below, or check out the key takeaways here.
The Future of Submarine Cable Maintenance: Trends, Challenges, and Strategies
How do we understand and address the challenges facing the submarine cable maintenance sector? That's what Mike Constable of Infra Analytics and TeleGeography’s Lane Burdette and Alan Mauldin lay out in this landmark report. Download the report here.
Shore Things: A Data-Driven Look at Submarine Cable Landing Stations
Where are submarine cable stations located? What is the average number of cables per CLS? This analysis by Lane Burdette summarizes the data from TeleGeography’s new cable landing station (CLS) database. View and save the report.
Transport Networks Research Service
Data and analysis on long-haul networks and the undersea cable market, with forecasts of international bandwidth supply, demand, prices, and revenues. Take a look at the platform here.
IP Networks Research Service
Data and analysis on international internet capacity, traffic, service providers, and pricing, with forecasts of IP transit service volumes, prices, and revenues by country and region. Check out how it works.
