On 21 May, the Polish navy intercepted a mysterious vessel in the Baltic Sea performing suspicious manoeuvres near a power cable which connects Poland and Sweden. The vessel was part of Russia's 'shadow fleet,' an ageing collection of poorly maintained oil tankers and other vessels, often with opaque ownership and improper insurance, which enable the Russian government to evade economic sanctions imposed by the West and pursue various forms of illicit trade. This particular vessel had previously been sanctioned by the European Union. After the Polish navy chased the ship away, it returned to a Russian port.
This incident is only the most recent of a string of incidents affecting Europe's critical undersea infrastructure (CUI) that started in the wake of Russia's full-scale invasion of Ukraine in February 2022. This has drastically increased the interest of policymakers and the public in CUI, which previously lay overlooked and unnoticed. But effectively protecting this vital network is no easy task.
While submarine telecommunications cables are the most-often recognised forms of CUI, the waters around Europe are also filled with several thousand kilometres of oil and gas pipelines, and electricity cables, as well as lots of associated infrastructure such as offshore substations and cable landing stations. Interference with these assets could cause widespread economic loss, which RAND Europe researchers investigated in a new Perspective article on CUI. Disruption to a subsea telecommunications cable can cost more than 24 million euros per day and often take up to three weeks to fix, resulting in an overall cost of at least 504 million euros.
Disruption to a subsea telecommunications cable can cost more than 24 million euros per day and often take up to three weeks to fix, resulting in an overall cost of at least 504 million euros.
Meanwhile, the cost of disruption to an electricity interconnector is around 12 million euros per day, but the repair time can extend up to 60 days, meaning the overall cost of disruption could be in the region of 720 million euros. However, the heaviest economic impacts would be found in disruption to oil and gas pipelines, both of which can take up to 9 months to repair. The full costs of disruption of these pipelines easily reaches into the tens of billions of euros.
It is no secret that this undersea infrastructure is currently vulnerable. Most CUI has no specific defence mechanisms or protective measures. Its main defence is its remote and hard-to-reach location, but somewhat ironically, this remoteness is also the reason why it is so difficult to comprehensively protect CUI. The scale and widespread geographic distribution of CUI means that monitoring the entire network and continuously maintaining a physical defensive presence is both logistically and financially impractical.
Because of its strategic importance and inherent vulnerability, CUI is an attractive target for grey-zone activities—hostile actions against a state that take place below the threshold of all-out war. Attacks on CUI also have a high degree of plausible deniability. In many cases, it is very hard to definitively prove that a CUI was sabotaged, and for around 20 percent of known CUI disruptions, a definitive cause is never found. Even if there are strong suspicions that a particular vessel was involved, the crew can claim that the damage was accidental.
CUI faces escalating and evolving threats. Accidents and negligence remain the most common form of disruption. For example, fishing-related damage alone accounts for over 40 percent of known disruptions to CUI. However, the Perspective lays out how hostile state and nonstate action can become increasingly prominent. A key driver of this trend is the convergence of advances in robotics, sensors, materials, artificial intelligence, propulsion and energy systems, and autonomous systems, which has enabled the increased capability, widespread deployment, and reduction in cost of drone technologies. While previously only a small number of highly capable actors had the capabilities to interfere with CUI, these technologies are increasingly available to less powerful states, criminal groups, and terrorist organisations as well.
A key challenge for CUI protection is that so many different actors, both in the public and the private sector, are involved in commissioning, building, operating, maintaining, monitoring, and regulating CUI. In addition, in many cases CUI assets pass through multiple jurisdictions, as they connect one country to another. The number of actors involved hinders effective coordination and accountability and can lead to certain parts of CUI being covered by multiple initiatives through a duplication of efforts or conversely being overlooked altogether.
It is a common first reaction to look at national naval forces and ask them to take a lead in protecting CUI. In Europe, naval forces have indeed been stepping up, for instance by procuring new capabilities specifically designed to deal with CUI protection. In 2023, the United Kingdom launched the vessel Royal Fleet Auxiliary (RFA) Proteus, a Multi-Role Ocean Surveillance Ship (MROSS) that has the capacity to repair cables and serve as a mothership for uncrewed underwater vehicles (UUVs). Given the cross-border nature of CUI, national navies must work together. The Joint Expeditionary Force (JEF), which includes Denmark, Estonia, Finland, Iceland, Latvia, Lithuania, the Netherlands, Norway, Sweden, and the United Kingdom, has taken a leading role through the activation of Response Option NORDIC WARDEN, which involves joint patrols and data-sharing. The larger NATO alliance has followed suit with operation BALTIC SENTRY.
The burden for protecting CUI cannot solely be placed on the armed forces, which face an increasing number of tasks they are asked to cover with limited resources.
However, the burden for protecting CUI cannot solely be placed on the armed forces, which face an increasing number of tasks they are asked to cover with limited resources. Deploying assets for the protection of CUI means diverting these resources away from other key activities. Instead, other government departments intimately linked to a specific type of CUI should also take part in the protection of that type of CUI. For example, national ministries in charge of telecommunications should take responsibility for the protection of subsea telecommunications cables and allocate part of their budget to this effort.
The private sector also has an important role to play. Most CUI is built, owned, and operated by private companies, and they should be the first line of defence against attacks on CUI. Companies should deploy advanced monitoring techniques for their CUI. If they find any anomalies, they should share this information with the relevant authorities. Companies should also engage in coordination efforts, risk assessments, and strategic planning exercises with private sector–facing authorities such as NATO's Critical Undersea Infrastructure Coordination Cell.
After decades of negligence, European countries have woken up to the importance of CUI. While the renewed attention is welcome, the sense of urgency and the desire to be seen to act has led to a proliferation of activities, primarily focused on a military response. However, this is not a sustainable long-term solution by itself. Only if all the different players take responsibility, work together, and coordinate efforts can we effectively protect this vital foundation of the European economy.
