Full Report
WASHINGTON – The global internet breaks underwater roughly 150 to 200 times a year. For decades, the telecom industry has treated these outages as the inevitable cost of doing business in a crowded ocean – attributing the vast majority of damage to fishing nets, dragging anchors or natural disasters. But new data from the Taiwan Strait suggests…
Analysis Summary
# Incident Report: Highlighting Gray-Zone Sabotage of Subsea Cables
## Executive Summary
This report summarizes analysis indicating that the high volume of 'accidental' subsea cable cuts, traditionally attributed to fishing or anchors, may now be serving as camouflage for targeted sabotage, specifically identified by an improbable spike in damage within the Taiwan Strait. The primary impact is the degradation of critical global connectivity under the guise of routine accidents, exploiting industry prioritization of fast repairs over forensic investigation. The recommended response centers on mandatory forensic investigation and enhanced physical monitoring technologies.
## Incident Details
- **Discovery Date:** Ongoing analysis highlighting a statistical anomaly based on data from early 2025.
- **Incident Date:** Statistically improbable spike noted in January 2025 (and throughout the period analyzed).
- **Affected Organization:** Global Telecommunications Industry / Organizations reliant on subsea infrastructure.
- **Sector:** Telecommunications, Critical Infrastructure, Global Connectivity.
- **Geography:** Taiwan Strait (primary area of observation).
## Timeline of Events
### Initial Access
- **Date/Time:** Occurrences noted throughout the period, with a significant spike in January 2025.
- **Vector:** Physical severance of subsea cables, masquerading as accidental damage (e.g., fishing nets, dragging anchors).
- **Details:** The volume of reported incidents in the Taiwan Strait in January 2025 exceeded the total volume for all of 2024 and 2023 combined, suggesting intent.
### Lateral Movement
*Not applicable to physical sabotage.*
### Data Exfiltration/Impact
- **Details:** The primary impact is degradation or complete loss of internet availability and connectivity. The threat model treats availability (denial of connectivity) as the higher risk, ahead of data interception.
### Detection & Response
- **How it was discovered:** Statistical analysis of reported cable faults revealed an "improbable spike" contradicting historical norms, flagged by experts (Alex Botting).
- **Response actions taken:** Currently limited. The standard industry response is immediate repair due to the high cost of downtime, which inadvertently preserves the camouflage for sabotage. Analysis suggests a shift toward mandated forensic investigation is necessary.
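The statistical check described above, written out as an added example that is not part of the original report: a per-region monthly Poisson baseline built from the two prior years, plus the "one month exceeds the previous two years combined" rule the report describes for January 2025. The fault log, region names, counts and the alpha threshold are constructed assumptions for illustration, not data from the page.

```python
"""Flag statistically improbable spikes in reported subsea cable faults.

Added example, not code from the original report. The fault log below is
constructed for illustration; the counts are invented, not real incident data.
"""
from collections import Counter
from datetime import date
import math

# Constructed sample fault log: (fault date, region, cause as reported by the operator).
SAMPLE_FAULTS = [
    (date(2023, 3, 4), "Taiwan Strait", "fishing"),
    (date(2023, 9, 18), "Taiwan Strait", "anchor"),
    (date(2024, 2, 11), "Taiwan Strait", "fishing"),
    (date(2024, 6, 30), "Taiwan Strait", "unknown"),
    (date(2024, 11, 2), "Taiwan Strait", "anchor"),
    (date(2025, 1, 3), "Taiwan Strait", "anchor"),
    (date(2025, 1, 7), "Taiwan Strait", "fishing"),
    (date(2025, 1, 12), "Taiwan Strait", "anchor"),
    (date(2025, 1, 15), "Taiwan Strait", "unknown"),
    (date(2025, 1, 22), "Taiwan Strait", "fishing"),
    (date(2025, 1, 28), "Taiwan Strait", "anchor"),
    # A busier but steady region (assumed name) for contrast: one fault every month.
    *[(date(y, m, 10), "North Sea", "fishing") for y in (2023, 2024) for m in range(1, 13)],
    (date(2025, 1, 5), "North Sea", "anchor"),
    (date(2025, 1, 20), "North Sea", "fishing"),
]


def monthly_counts(faults):
    """Count faults per (region, (year, month)); months with no faults are absent and read as 0."""
    counts = Counter()
    for fault_date, region, _cause in faults:
        counts[(region, (fault_date.year, fault_date.month))] += 1
    return counts


def months_in(years):
    """All (year, month) pairs for the given years, so quiet months count as zeros in the baseline."""
    return [(y, m) for y in years for m in range(1, 13)]


def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): the chance of k or more faults if the baseline rate held."""
    if k <= 0:
        return 1.0
    head = sum(math.exp(-lam) * lam ** i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - head)


def flag_spikes(faults, baseline_years, eval_months, alpha=1e-3):
    """Return one finding per (region, month) whose fault count is improbable under the baseline.

    Two rules, either of which raises a finding:
      1. The Poisson tail probability of the observed count is below alpha.
      2. The single month exceeds the whole baseline period combined (the pattern the
         report describes for January 2025 versus 2023 + 2024 together).
    A region with no baseline faults has lam == 0, so any fault there is flagged.
    """
    counts = monthly_counts(faults)
    regions = sorted({region for _, region, _ in faults})
    baseline = months_in(baseline_years)
    findings = []
    for region in regions:
        baseline_total = sum(counts[(region, ym)] for ym in baseline)
        lam = baseline_total / len(baseline)
        for ym in eval_months:
            k = counts[(region, ym)]
            p = poisson_tail(k, lam)
            exceeds = k > baseline_total
            if p < alpha or exceeds:
                findings.append({
                    "region": region,
                    "month": ym,
                    "count": k,
                    "baseline_total": baseline_total,
                    "baseline_mean": lam,
                    "p_value": p,
                    "exceeds_combined": exceeds,
                })
    return findings


if __name__ == "__main__":
    for f in flag_spikes(SAMPLE_FAULTS, (2023, 2024), [(2025, 1)]):
        print(f"{f['region']} {f['month'][0]}-{f['month'][1]:02d}: {f['count']} faults "
              f"(baseline mean {f['baseline_mean']:.2f}/month, p={f['p_value']:.2e}, "
              f"exceeds 2023+2024 combined: {f['exceeds_combined']})")
```

Run against the constructed log, only the Taiwan Strait row is flagged: six faults in one month against a baseline of five across twenty-four months fails both rules, while the North Sea's two faults against a steady one-per-month baseline are unremarkable. Quiet months are deliberately counted as zeros; dropping them would inflate the baseline mean and hide exactly the kind of spike the report is about.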
## Attack Methodology
- **Initial Access:** Physical disruption/cutting of subsea fiber optic cables.
- **Persistence:** Not applicable to physical gray-zone sabotage.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Exploits the industry's economic incentive to prioritize rapid restoration over forensic investigation. This yields plausible deniability: a deliberate cut is filed alongside the roughly 70% of faults that are routinely categorized as accidental.
- **Credential Access:** Not applicable.
- **Discovery:** Not applicable (physical reconnaissance presumed).
- **Lateral Movement:** Not applicable.
- **Collection:** Not applicable (the threat focuses on availability, not espionage or tapping, which is deemed too logistically difficult).
- **Exfiltration:** Not applicable.
- **Impact:** Denial of Service/Connectivity degradation via physical destruction of infrastructure.
## Impact Assessment
- **Financial:** High costs associated with immediate repair; downtime is considered more costly than investigation, creating an incentive structure that aids the adversary.
- **Data Breach:** Not the primary concern; focus shifted away from data interception (tapping) due to logistical complexity and cost.
- **Operational:** Significant risk to global connectivity, particularly as AI data centers become increasingly reliant on this infrastructure ("A data center without connectivity is just a warehouse").
- **Reputational:** Risk associated with demonstrating vulnerability of core global infrastructure to state actors.
## Indicators of Compromise
- **Network indicators:** No conventional network IOCs; the observable is sudden, localized service degradation along known subsea cable routes, correlated with a statistical anomaly in reported physical faults.
- **File indicators:** Not applicable.
- **Behavioral indicators:** Unusually high frequency of "accidental" cable cuts in strategic geographic chokepoints (e.g., Taiwan Strait).
## Response Actions
- **Containment measures:** Currently insufficient, because the damaged section is repaired or replaced before any forensic examination takes place.
- **Eradication steps:** Not applicable for physical sabotage events unless the actor is identified and stopped.
- **Recovery actions:** Immediate repair of physical damage remains the primary recovery step.
## Lessons Learned
- The telecom industry's economic prioritization of rapid service restoration over investigation creates a significant national security blind spot, enabling gray-zone sabotage to hide in 'noise.'
- The threat model has shifted: physical destruction (availability) is a more potent and plausible threat than complex data interception (tapping).
- The rise of AI dependency on data centers amplifies the strategic value of connectivity denial.
## Recommendations
- Implement mandatory, standardized forensic investigation protocols for all subsea cable faults, even routine ones, to eliminate plausible deniability for hostile actors.
- Increase deployment and integration of advanced physical monitoring technologies such as "fiber sensing" (using the cable's own light signal to detect physical contact or disturbance), combined with acoustic sensors to fingerprint vessels near a fault that are engaged in suspicious activity.