Understanding Threats to Critical Undersea Infrastructure: A Conceptual Framework
This section develops a basic framework for thinking about protecting CUI. The purpose is to help NATO planners—particularly those in the new center—to understand the vast problem space and prioritize some initial efforts over others. The following section draws on this framework to develop several recommendations.
The four elements of the framework for protecting CUI are outlined below.
- Infrastructure type: What counts as CUI? Which parts are most critical or most vulnerable?
- Threat type: What are the main threats to undersea CUI?
- Tasks: What is NATO’s role in protecting CUI?
- Geography: Where should limited resources be prioritized and focused across the Euro-Atlantic area?
1. Infrastructure Type
Maritime infrastructure is vital to basic societal functions such as trade, food and energy supplies, security and defense, communications, transport, tourism, and environmental management. The most important infrastructure is usually considered “critical,” meaning without it, society could not function for long. But critical infrastructure differs between nations given that some economies depend on fishing or tourism while others rely more on maritime trade, energy infrastructure, or data cables. What counts as CUI, therefore, is often more of a political decision than a technical one. There is no one-size-fits-all definition: it depends on the nation and region in question.
Maritime infrastructure is often categorized by sector. One classification system lists five types: transport, energy, communication, fishing, and marine ecosystems.[30] Of these, four have substantial elements of underwater infrastructure. Above-water transport is often precluded, while commercial submersibles—such as remotely operated vehicles (ROVs) or autonomous underwater vehicles (AUVs) used in pipeline maintenance—are considered part of the energy infrastructure they serve.
Maritime infrastructure security policies traditionally focus on maritime transport (e.g., ports) and energy (e.g., gas and oil infrastructure) over other types.[31] However, the infrastructure picture is changing rapidly. Undersea cable projects have proliferated in recent years, while offshore renewable energy technologies like wind and tidal systems will increase to help nations meet global carbon emissions targets.[32] Future proliferation of AUVs—driven by new oil and gas exploration, military applications, reduced manufacturing costs, and improvements in AI and automation technology—could present both new types of CUI under the category of transport and new threats. As the recent NATO-EU task force on critical infrastructure summarizes,
These challenges are compounded for undersea energy infrastructure, which is extensive and more difficult to survey and protect. Moreover, the network of undersea energy infrastructure in the Euro-Atlantic area is expected to grow as offshore energy platforms become more numerous.[33]
Meanwhile, fishing and marine ecosystems are increasingly important to some nations as fishing stocks decrease and marine habitats are degraded by pollution and the effects of climate change.
Beyond rapid change, there are several challenges associated with coordinating CUI protection, including interdependence, the physical characteristics of the subsea domain, and the complex, transnational nature of undersea infrastructure.[34] Meanwhile, fishing and marine ecosystems are increasingly important to some nations as fishing stocks decrease and marine habitats are degraded by pollution and the effects of climate change. This suggests a key challenge for NATO will be prioritizing between CUI sectors, which are critical to different NATO allies. This assessment will be driven to some extent by the next element of the framework: the threat picture.
2. Threat
Although most definitions of critical infrastructure depend on how vital it is to the functioning of society, in practice governments tend to designate infrastructure as critical if it is vulnerable to harm. While pipeline sabotage has driven the headlines, the range of threats to CUI is much broader. The threat picture has also changed in recent years.
Maritime security threats have been driven by the rise of terrorism, international piracy, human trafficking, and the “blue economy,” defined by the World Bank as “the sustainable use of ocean resources for economic growth, improved livelihoods, and ocean ecosystem health.”[35] Protection of maritime and undersea infrastructure has typically focused on physical attacks from terrorism and blue crime (i.e., transnational organized crime at sea).[36] However, the threat environment has changed markedly over the last decade—and drastically since 2022. After invading Ukraine, Russia became “the most significant and direct threat to Allies’ security,” according to NATO’s new Strategic Concept—a threat that includes the ability to “target our civilian and military infrastructure.”[37]
NATO’s new concept also points to hybrid threats to critical infrastructure and reaffirms their inclusion under Article 5.[38] The maritime domain has been viewed as particularly vulnerable to hybrid threats.[39] Attacks on underwater infrastructure have been a particular concern.[40] Recent events appear to confirm these fears, with several incidents such as the Nord Stream pipeline explosions in the Baltic Sea or severed subsea cables near Svalbard that appear to follow the hybrid playbook of deniable attacks on undersea infrastructure. These incidents highlight the difficulty of dealing with ambiguous hybrid threats, which are difficult to distinguish from accidental damage. For example, around 70 percent of undersea cable faults are caused by fishing vessels or ship anchors, alongside natural causes or even shark bites.[41]
Hybrid aggressors can also use the cover of fishing, private, or research vessels, which are difficult to track. The rapid proliferation of AUVs will exacerbate the problem. Specialized vessels for the task also exist, such as Russia’s dedicated fleet of submarines, designed for infrastructure sabotage and manned by the Russian navy and the Main Directorate for Deep Sea Research (GUGI).[42] Research vessels operated by GUGI are suspected of mapping networks of undersea infrastructure across Europe.[43]
For all these reasons, many assessments suggest a new era of hybrid threats is emerging and poses “a particular challenge” to protecting undersea infrastructure.[44] As the NATO-EU task force puts it, “The seabed is a field of growing strategic importance, due to increasing reliance on undersea infrastructure and the particular challenges in protecting it from hybrid threats and physical damage.”[45]
3. Tasks
The final element of the framework comprises the tasks and missions NATO may have to carry out to protect CUI. The most important role, short of war, is deterrence, which holds the promise of avoiding armed attacks altogether. Beyond deterrence, military forces perform a wide range of roles relevant to protecting CUI.
One example is counterpiracy. During Operation Ocean Shield—NATO’s contribution to international efforts to combat piracy off the Horn of Africa during 2008–16—the role of NATO forces spanned surveillance, interdiction, escort, and deterrence.[46] Cooperation with international bodies and the private sector was also vital to mission success, which contributed to the cessation of attacks after 2012.[47]
Another relevant example is protecting national infrastructure. The U.S. National Infrastructure Protection Plan outlines threats to national infrastructure and a framework of missions to protect them.[48] These are divided into two tasks: counterthreat missions and preparedness missions.[49]
- Counterthreat missions identify and counter threats and hazards: identify, deter, detect, disrupt, and prepare.
- Preparedness missions reduce vulnerabilities and mitigate the consequences of damage: prevent, protect, mitigate, respond, recover.
More broadly, several existing frameworks for countering hybrid threats may be applied to protecting CUI. NATO’s strategy is to “prepare, deter, defend,” while the European Union’s approach is based on “awareness, resilience, and response.”[50] Another framework is proposed by the 14-nation Multinational Capability Development Campaign (MCDC): “detect, deter, and respond.”[51] This framework is used to examine NATO’s role in protecting CUI regarding all three functions below. [52]
Detect
Countering any threat requires first detecting and identifying it. Detection is even more important for hybrid threats, which rely on deniability or ambiguity to delay, complicate, or prevent reprisal. However, the variety and complexity of hybrid threats make detection challenging.[53]
For protecting CUI, the main focus is on enhancing maritime domain awareness (MDA).[54] MDA systems are “one of the core solutions in maritime security” but are focused on civil transport, fishing, and leisure.[55] To rectify this, a 2018 report by CSIS advocates a renewed focus on undersea MDA to combat hybrid threats.[56] Specific recommendations include establishing dedicated analytic centers (with teams focused on hybrid threats), training courses, a common classified data picture, and an operational framework that integrates surface and subsurface sensors. Another recent analysis recommends closing gaps in the surveillance of small boats, leisure craft, and underwater vehicles through “investments in new underwater sensors and drones which can enhance the overall picture of the domain.”[57] The recent EU-NATO Task Force also recommends enhancing “maritime situational awareness.”[58]
One detection challenge is that malign activity often appears, by design, as an accident, whereas some suspected attacks could actually be accidents (most damage to cables and pipelines is accidental). This means NATO does not have the luxury of ignoring apparent accidents. Here, a conceptual distinction between monitoring (known threats) and discovering (new, unknown threats) can help establish situational awareness and distinguish signal from noise in the realm of detection.[59] This task is also well suited to advances in AI and machine learning.[60]
Deter
Deterring hybrid threats to CUI is difficult but not impossible.[61] The most promising strategy is deterrence by denial, which reduces the prospects of successful attack by hardening the target and strengthening resilience to damage.[62] Denial in this context comprises two functions: prevention and resilience (see Figure 3). Preventing attacks is part of NATO’s core business and is achieved through a combination of detection (see above) and physical presence. For example, NATO’s Cold War deterrence strategy of basing substantial “shield forces” in central Europe was designed to physically prevent a Soviet attack.[63]
Resilience measures are designed to help CUI systems withstand or quickly recover from any damage sustained. Much of this amounts to good practice in the design and management of critical infrastructure systems.[64] Such measures are therefore generally low cost and less reliant on detecting threats; best practices for resilience are based on understanding and mitigating one’s own vulnerabilities, regardless of whether they have been targeted. This is why resilience measures have become foundational to counter hybrid strategies.[65] However, resilience building is a long-term strategy that will take years to deliver given the vast size and complexity of Euro-Atlantic CUI.
Respond
Moreover, resilience is not a strategy on its own; deterrence by punishment also has a role.[66] When it comes to punishing low-level aggression, celerity beats severity most of the time, putting a premium on credible response options that can be deployed quickly and reliably.[67] These measures may not threaten vital interests but merely assure an aggressor will always face some costs for threatening CUI, however minor. This means simple measures such as enhanced presence or surveillance around key sites can work to deliver what has been referred to as “deterrence by detection.”[68] More creative measures also play a role, such as attribution disclosure, legal interventions, or targeted sanctions (e.g., against implicated vessels, companies, or individuals).[69]
That credible responses are required suggests the utility of a preapproved playbook to counter hybrid threats to CUI.[70] Too often such measures are ad hoc or post hoc, or not sufficiently tailored to the specific demands of protecting CUI.[71] If military forces are part of the response (e.g., to provide surveillance or bolster presence), then a forward, flexible posture is required to ensure force elements are in the area of responsibility or held at high readiness to deploy to quickly generate effects.[72]
It is important to note that given the limited resources of allies, any increase in demand to protect CUI will likely require trade-offs with other tasks and missions. Any contribution to protecting CUI is important but not all-important. NATO’s unique role—and the focus of the strategic concept—remains deterring armed attack above the threshold of war, not protecting against all forms of hybrid aggression.[73] Protecting CUI should therefore not be overemphasized in NATO’s overall posture or capability development at the expense of conventional deterrence and defense.
4. Geography
The final element of the framework is geography. NATO is named after an ocean: the North Atlantic. But the alliance’s undersea infrastructure picture is more complex. NATO’s maritime areas of responsibility comprise the following:[74]
- High North region (including the Norwegian Sea, Greenland Sea, Barents Sea, and Arctic Ocean)
- Baltic Sea
- North Atlantic (including the North Sea, Irish Sea, English Channel, and Bay of Biscay)
- Mediterranean Sea (east and west)
- Black Sea
- North Pacific Ocean
Within these areas, the seascape of undersea infrastructure is extensive and complex. Figures 1–2 show the extent of underwater energy infrastructure (Figure 1) and subsea data cables (Figure 2) across Europe.