Since November 2022, the dataflow on all five of Vietnam’s undersea internet cables has been disrupted, slowing internet speeds and forcing the country into periodic reliance on land cable connections to China and Cambodia. The failures are from a mixture of technical issues, including unintentional physical damage to cables in waters near Malaysia and Hong Kong. Drastically slowed internet access impedes economic activity, lowers investor confidence, and impacts sectors from healthcare to education.
Although isolated disruptions to internet access are relatively common, the vulnerability of critical undersea infrastructure is increasingly noticeable as societies become ever more reliant on connectivity. The high-profile sabotage of the Nord Stream pipelines has received significant attention, and there have been a number of notable disruptions in the Pacific in recent years. For example, in February of this year, both cables connecting the Taiwanese island of Matsu to Taiwan were damaged by two passing Chinese vessels, reportedly by accident, and the Pacific Island state Tonga was cut off from the internet for five weeks after a volcanic eruption in 2022.
Vietnam’s experience shows that multiple cables can be damaged simultaneously, necessitating a robust response plan. The cables were damaged outside of Vietnamese waters, highlighting the importance of regional action in building resilient infrastructure for Southeast Asia’s fast-growing population.
The Association of Southeast Asian Nations (ASEAN) needs to develop a comprehensive framework and plan of joint action to ensure the energy and information security of all member states going forward. It must develop resilient infrastructure networks that can withstand physical damage, while also ensuring the security of the computer systems that manage operations. As ASEAN states digitize and become increasingly interlinked with each other and the surrounding regions, a centralized plan is necessary to protect these heretofore underappreciated sectors of state security.
More than 95 percent of internet traffic moves through undersea cables. Large amounts of oil and gas move through undersea pipelines, and more and more undersea cables transport electricity generated by sustainable methods like wind and solar. ASEAN started the process of regulating these vital connections with the 2019 ASEAN Guidelines for Strengthening Resilience and Repair of Submarine Cables, but the current recommendations focus only on the legality of repair work. While this is an important issue, ASEAN would be well-served to expand its gaze to proactive security and resiliency measures.
Most damage to subsea cables is unintentional. Anchors, fishing nets, and natural hazards like earthquakes and landslides are the most common sources of “faults,” as this damage is known. There are more than 400 submarine cables in the world, but only roughly 60 cable repair ships, so when faults occur, repairs are often delayed.
The South China Sea hosts dense undersea infrastructure and busy sea lanes where undersea infrastructure is particularly exposed. Twenty-six cables land in Singapore, with more transiting through the nearby waters, requiring strict anchoring regulations in the Straits of Malacca to prevent faults. Singapore’s recently released Digital Connectivity Report plans to double the country’s capacity for cable landings by 2033, but there are few details available on how this expanded cable network will be secured, particularly outside of Singaporean waters. As Singapore expands its data centers and clean energy industry, it will become more vulnerable to disruption, as will all ASEAN states that rely on these cables for their own digital and green economies.
As Southeast Asian economies digitize, the economic effects of slowdowns and outages will increase. There is also the threat of terrorism or hostile state action against undersea infrastructure as more sectors of society, including the military, become dependent on these flows of data and energy.
Cables in deep areas of the high seas are the most vulnerable to intentional disruption by states with submarines, but landing stations are the most exposed to more clandestine activities. While physically tapping a cable is prohibitively difficult and expensive, it is much easier to mirror information from a landing station, in which a third-party duplicates and redirects data traffic without the knowledge of the intended recipient. Data can also be rerouted so that it passes through waystations in adversary states, where information can be collected before the data travels onward to its destination. The flow can also be cut off entirely by cyber or physical attacks on these buildings.
Landing stations are increasingly managed by “remote network systems.” Instead of in-person operatives working offline at the landing stations, these new systems manage the day-to-day operations of the cables remotely. This leaves them much more vulnerable to cyberattacks than stations with in-person management.
The rise of cloud computing has moved firms’ data from more secure offline storage to centralized data centers. But as most data moves through undersea cables, this data is now only as secure as the cables and landing stations are. Exposed transport links can lead to compromised or delayed data, increasing operational costs and inhibiting economic activity. Finance is now highly digitized, and the shift of healthcare and other forms of personal information online rapidly accelerated during the COVID-19 pandemic.
A Path Forward for ASEAN
To ensure both state and human security, ASEAN states need to create a comprehensive plan for how they will expand their undersea infrastructure networks and protect them from current and emerging threats.
First, the existing regulatory and legal framework should be strengthened in a manner befitting such a critical sector. Measures to prevent accidental faults should be continued and worldwide best practices should be studied and disseminated within ASEAN. Member states should look to develop state capacity as well. Governance within states has been fragmented between various agencies or levels of government, so a cohesive ASEAN framework can provide guidance on the essential policies. Navies can look to states like the United Kingdom, which plans two “Multi-Role Ocean Surveillance Ships” to secure its underwater infrastructure, to assess the pros and cons of specialized naval platforms.
Second, ASEAN should develop an outlook to multiply links between the region’s network and India, China, Japan, Australia, the United States, and Europe, with an emphasis on repetitive cable networks that can withstand disruption and reduce overreliance on any one external hub. While most cables and cable ships are privately owned, ASEAN states should develop strong regulations for their construction and incentivize the development of redundant, and therefore resilient, capabilities. Policies would also do well to encourage diverse ownership so that cable systems are not dominated by a very limited number of corporations or nations.
Third, the bloc should establish a plan of action for cybersecurity to protect state and business secrets and raise investor confidence in the region. Keeping sensitive data from malicious state and non-state actors should be a key focus of ASEAN as both a security and business community. ASEAN states like Malaysia, Thailand, Singapore, and Vietnam are promoting their growing digital capabilities, and a robust plan that protects data as it moves internationally is necessary for investor confidence.
Cable faults will occur. The focus must be on building resilient infrastructure and institutions that can withstand intentional and unintentional damage by a variety of actors, and a regional approach will enable ASEAN to effectively tackle this transnational vulnerability.