Seismic Shifts, Solar Storms and Stalled Systems: The Urgent Need to Rethink Cyber-Resilience

Melanie Garson

08.06.24



As “blue screens of death” froze computers from Austin to Australia on 19 July, triggering what is believed to be the world’s largest IT outage and cyber incident, for those monitoring the resilience of our cyber and cyber-physical systems, it was just one more in a series of outages that reminds us of the fragility of our complex communications infrastructure. With attention diverted to the latest large-language-model updates and releases, and policy conversations focused on the very narrow apex of our technology use, such as governing AI’s existential risks, the infrastructure that makes this all possible is often taken for granted. That is, until it is unavailable.

Our communications infrastructure is surprisingly robust in supporting the weight of the applications and traffic we place on it. Yet throughout the stack, from the seabed to the skies, we are witnessing a rise in increasingly creative malicious activity from state and non-state actors, inadvertent or careless accidents, and ecological events beyond our control that poses a threat to its integrity. The social and economic impacts of outages are magnified as we increasingly integrate advanced digital tools throughout our interactions, from the provision of public services to the running of small businesses on Instagram.

Irrespective of the source of threat, the outages of recent months are stark reminders of the interconnectedness of our systems and the vertical and horizontal domino effects of outages. Governments and businesses must ensure that rapid digitalisation and the integration of advanced digital tools are paired with a holistic plan for security and resilience at national and international levels.

Deep Dive

More than 97 per cent of the world’s internet traffic is carried through a complex web of fibre-optic cables that lie on the seabed. There are currently around 600 active and planned cables, spanning an estimated 1.4 million kilometres, that form the basis of the global communications network. They have always been at risk of damage from fishing trawlers, dragging anchors and faults, but over the past two years there seems to have been a marked increase in both deliberate and accidental events impacting the integrity of the cable network. In February, four cables were damaged during Houthi attacks in the Red Sea, leading to a 25 per cent reduction in internet traffic between East and West. In March, ecological activity impacted four cables, resulting in outages and a 25 per cent reduction in connectivity throughout West Africa. And in May, damage to cables led to severe disruptions in Kenya, Tanzania, Rwanda and Uganda, forcing the US Embassy in Tanzania to close for two days.

While outages to date have been disruptive rather than devastating, the vulnerabilities they expose cannot be ignored, particularly as we increase our reliance on the network. For several reasons, there is a need for significant resilience planning for potential loss-of-cable outages, especially for islands such as the UK or Taiwan. First, repairs can take months. The cables hit by Houthi militants in February are only now being repaired after a complex negotiation process eventually facilitated access to the infrastructure. Subsea cables are notoriously difficult and time-consuming to fix, with repairs also often dependent on local politics and challenging processes for obtaining permits.

Second, the number of threat actors recognising the impact of cable interference is increasing. Previously the preserve of state or state-associated actors, recent discussions on Houthi Telegram channels, highlighting the strategic importance of the cable network, show the accelerating risk of deliberate disruption. And while cable traffic may be picked up by another provider, increasingly this is now a cable owned by one of the large tech companies. Google has invested in around 26 cables and Microsoft, Amazon and Meta are following suit as they continue to expand throughout the communications stack. In the short term this may not seem significant; however, in the coming months and years, as tech companies consolidate their positions at every level of our digital infrastructure, countries will have to address a key question: how comfortable are they outsourcing their baseline resilience to private companies?

Looking Heavenwards

In recent crises, particularly the war in Ukraine, the question of fibre-optic compromise has been resolved by turning to the satellite ecosystem, and most frequently to SpaceX’s Starlink, whose satellites make up 6,206 of the 8,300 operational satellites currently in orbit. With proper planning, this can deliver tremendous value for long-term connectivity in hard-to-reach areas, as shown by recent projects that the Tony Blair Institute has carried out with Starlink in Rwanda and Malawi.

However, the burgeoning global satellite ecosystem is currently facing its own resilience challenges, which must be addressed to set up this infrastructure for long-term success. In May, a geomagnetic storm forced more than 5,000 satellites to re-manoeuvre after they lost altitude – an action that significantly increased the risk of satellite collisions. Although its satellites weathered the storm, Starlink reported degraded service that led to slower download speeds. In some cases, this left farmers who used precision techniques unable to continue planting crops as GPS signals were compromised, with significant economic impacts and potential knock-on effects for commodity prices. Similar challenges have been encountered in conflict areas over the past few years as satellite-reliant services are impacted by electronic jamming. And as Russia’s cyber-attack on satellite provider Viasat in 2022 attests, the satellites themselves, as well as their receivers, ground stations and data, are increasingly at risk from state and non-state malicious cyber actors.

Paradoxically, the solution for strengthening satellite systems as a backup for resilience – more commercial satellites – also increases the threat to those systems. With an estimated 100,000 satellites set to launch by 2030, in one of our most under-regulated environments, the risks to space assets are likely to increase exponentially. In June, a “dead” Russian satellite broke up into more than a hundred pieces, creating a debris swarm and causing the astronauts on the International Space Station to take cover. While this explosion did not cause any material damage, the risks of a Kessler Effect-type accident (in which a collision leads to a cascade of collisions) increase significantly as the orbital pathways become more crowded. With 20 per cent of the UK economy dependent on satellite communications and a study in 2019 estimating the daily cost of GPS loss to the US at $1 billion – a number that is likely to be significantly higher today – the need to address the resilience of the satellite ecosystem itself, as well as its role in supporting the entire communication stack’s resilience, is increasingly critical.

Everything Everywhere All at Once

Figure 1: Global disruption caused by CrowdStrike IT outage (Source: TBI)

While the impact of cable outages previously has been limited to certain regions or, at worst, has slowed intercontinental traffic, the outage of 19 July demonstrated in practice a new set of anticipated risks. Earlier large-scale cyber-attacks caused significant economic impact across the world, including the 2017 WannaCry attack, which impacted systems in 150 countries with an estimated impact of $4 billion, and the 2017 NotPetya attack, which hit global shipping giant Maersk, crippling ports and leading to an estimated loss of $10 billion globally. However, 19 July’s outage, which resulted from a series of missteps in the release of an antivirus update, and the subsequent distributed denial of service (DDoS) attack on Microsoft on 31 July – which was amplified, instead of mitigated, by antivirus defences – have underscored the potentially catastrophic ripple effects of outages on our interconnected systems.

Although the CrowdStrike flaw on 19 July affected only 1 per cent of Windows PCs globally, was quickly detected, and the update shut down within one hour, the cost of the outage is estimated at $5.4 billion, largely impacting Fortune 500 companies. The ripple effects of cyber-outages, however, are much wider, from holiday cancellations to stress on health-care systems. Further, malicious actors quickly seized opportunities for short-term gain and hacktivism, or posed as legitimate CrowdStrike support to gain access to systems with longer-term exploitation in mind, exposing broader risks.

Connecting Convergent Cyber Risks

Following globally significant events including the Covid-19 pandemic, large-scale supply-chain attacks such as SolarWinds and Colonial Pipeline, and Russia’s invasion of Ukraine, there has been a resurgence of interest in foresight planning, understanding systemic risks and building policy with these in mind. The UK Government Office for Science and the US Cybersecurity and Infrastructure Security Agency are among those planning for the future by compiling “futures tools” for policymakers and by examining risks to critical infrastructure. However, recent events have demonstrated that lessons have not been sufficiently learned; there is still a lack of rapidly implementable resilience solutions available at local, sectoral, national and international levels.

The Global Digital Compact due to be agreed at the UN’s Summit of the Future in September has little mention of global digital-infrastructure resilience, and most countries focused on digitalisation are challenged in implementing national-level cyber-security solutions, let alone thinking about wider, interconnected, convergent risks. But as the AI revolution really takes off and countries weigh down their digital infrastructure with increasingly sophisticated tools, they must equally rapidly weigh up their approach to resilience and their preparedness to weather future cyber-storms.

This article was originally published by the Tony Blair Institute for Global Change.