Subsea cables can be cut with an anchor. GPS can be jammed with a device bought online. A single software update can ground half the world’s flights. This is proof that the networks binding our economies together are powerful yet perilously fragile.
Just after midnight in early September, the Red Sea shuddered in a way only network engineers could hear. Somewhere along the seabed off Jeddah, multiple fibre-optic cables were damaged in quick succession. Within hours, traffic that normally darted invisibly between continents began to crawl, dashboards across the Gulf timed out, calls stuttered and cloud services lagged. Microsoft flagged routing changes and higher latency as carriers scrambled to re-path data around the breakage. Investigators would later confirm multiple cable outages that degraded connectivity across the Middle East and South Asia, with airports, banks and businesses badly hit.
It was the clearest reminder this year that our digital lives hang from a few strands of glass lying in the dark. And it set the tone for a season of disruption: European airports forced into manual mode by a cyber-intrusion at a key check-in provider, and persistent GPS interference that left ships and, at times, aircraft reporting “impossible” positions. Taken together, they reveal a brittle backbone beneath the glossy surface of the “always-on” world.
Cables, clouds – and chokepoints
The Red Sea outages stopped short of a blackout, instead draining the network’s headroom and slowing the global flow of data. When chokepoints fail, traffic has nowhere else to go but the long way round. Queues form, latency climbs, and supposedly “elastic” cloud services begin to feel very physical indeed.
“The Red Sea cable cuts exposed the physical limits of cloud abstraction: when chokepoints fail, performance crumbles,” says Santiago Pontiroli, Lead TRU Researcher at Acronis. “For enterprises, subsea routes must be treated as risk assets, and resilience means multi-region, multi-provider designs that avoid shared corridors. Data sovereignty must also be reframed. It’s not just about compliance, but about ensuring critical data remains available even when regional cables or geopolitics disrupt the cloud.”
That warning matters in a region where traffic converges through a handful of maritime narrows. The Red Sea episode showed the downside: shared bottlenecks.
Airports on paper
Two weeks later, Europe learned a related lesson – this time in terminals. From Sep. 20 to 22, a cyberattack against Collins Aerospace’s passenger-processing systems pushed Heathrow, Brussels and Berlin airports into a weekend of queues, cancellations and manual check-ins. Airports propped iPads on counters, staff hand-wrote boarding passes and schedules were trimmed to match what paper and patience could support. Investigators and the EU’s cybersecurity agency said the outage stemmed from a third-party ransomware intrusion targeting the provider’s software; British police later made an arrest in a related probe. Whatever the final attribution, the fragility was unmistakable: many carriers, many airports – one dependency.
Pontiroli’s takeaway applies here, too. “When centralised platforms fail, continuity depends on whether organisations can degrade gracefully instead of going dark,” he says. That means keeping local or edge capacity for essential tasks, “a backup way to log in that doesn’t depend on a single cloud identity provider,” and manual fallbacks that staff have actually rehearsed. “These steps won’t prevent outages, but they make sure a cloud failure doesn’t take everything down at once.”
The map is lying
The third shock came from space – or rather, from the faintest radio whispers that knit space to Earth. GPS, the invisible map of modern life, has become a contested signal.
In early April 2024, vessel-tracking services briefly showed around 117 cargo ships “jumping” inland to the coordinates of Beirut-Rafic Hariri International Airport – a cartographic absurdity caused by intense GPS jamming and spoofing in the Eastern Mediterranean, with serious knock-on effects for maritime safety, insurance and regulatory compliance.
“GPS is both remarkable and fragile,” says Luca Ferrara, General Manager – AQNav at SandboxAQ. “The signals are broadcast from satellites over 20,000 kilometres away and reach Earth with about the same power as a 25-watt lightbulb glimpsed from across the Atlantic. That fragility is precisely why they can be disrupted so easily. A jammer, no larger than a walkie-talkie, can overwhelm them, while spoofing attacks … are even more dangerous.”
The risk goes beyond maps. Timing from GNSS (global navigation satellite systems) timestamps financial transactions, synchronises data centres and keeps telecom networks in lockstep. “Without GPS, not just consumer convenience, but entire economies would be at risk,” Ferrara says. That is why he argues for diversity at the sensor layer as well: quantum-enhanced clocks and geophysical navigation that detect magnetic-field variations – “a passive and unjammable process that would increase resiliency greatly” – alongside classic inertial systems, and, crucially, a policy shift to treat navigation resilience as a national priority before a large-scale disruption forces the point.
The monoculture tax
If September’s incidents showcased external shocks, last year delivered a spectacular self-inflicted one. On 19 July 2024, a defective update from CrowdStrike shipped to millions of Windows machines around the world. Within minutes, blue screens blossomed from Sydney to San Francisco and airlines, hospitals and banks fell back to manual. Experts have since described it as the largest IT outage in history, with insurers tallying billions in losses for major firms alone.
The software bug was simple, but the architecture was not, because one company’s security program sat at the heart of almost every system.
“The CrowdStrike incident was less a software bug and more a catastrophic failure of our collective risk architecture,” says Ivan Milenkovic, Vice President of Cyber Risk Technology, EMEA at Qualys. It “brutally exposed the ‘monoculture tax’, the hidden premium we pay for the perceived efficiency of standardisation.” By concentrating power in a handful of vendors, “we haven’t simplified security; we’ve built a global-scale single point of failure.”
The deepest irony: “the very tool meant to protect the system became the agent of its destruction”. Failure was automated and instantaneous, recovery “manual, arduous, and agonisingly slow”.
According to Pontiroli, the solution is to stagger updates and keep a fallback plan. “Change control and staged rollouts are not optional for kernel-level software … resilience requires safety rails like ring-fencing critical sectors, opt-out mechanisms, progressive deployment, and the ability to roll back updates rapidly.” He notes that platform owners have since moved to reduce reliance on kernel-mode drivers for security tooling and to improve orchestrated updates across the ecosystem – measures aimed at shrinking the next blast radius.
Christopher Hills, Chief Security Strategist at BeyondTrust, frames the bigger truth bluntly. “Nothing is ever 100 per cent.” Controls reduce risk but also introduce new exposure, whether through automation or AI. The task isn’t perfection, he argues, but deciding how much risk you will accept, tolerate and absorb while still operating effectively – and then executing the basics flawlessly.
Failing better
All four experts return to a single principle: assume things will break and plan to keep going anyway.
Pontiroli stresses that continuity now means staying operational even when core systems are down. “Continuity now means the ability to keep operating at a reduced but functional level while core systems are down … designing for graceful degradation,” he says. For airports, that could mean well-practised manual check-in and local copies of key apps; for banks and factories, edge capacity, local DNS, temporary logging and queueing that let work continue when links falter. The goal is not to prevent every outage, but to avoid all-or-nothing failure.
Milenkovic urges a move from checklist compliance to what he calls systemic resilience. Traditional disaster-recovery plans were built for fires and floods, he argues, but today’s reality is “perpetual, low-grade disruption.” The aim is not to “bounce back to normal” after a hit, but to operate under duress with systems that gracefully degrade, suppliers chosen for diversity rather than convenience, and operations that can adapt as threats shift.
Ferrara warns against “fake resilience.” “Two different systems that rely on the same underlying GPS signal, or the same subsea route, or the same cryptographic assumptions, are not independent at all. They share a single point of failure dressed up as variety.” Real robustness, he says, comes from diversity at every layer – different signals, routes and algorithms – so shocks cannot cascade through hidden common links.
Hills brings it back to identity. Zero Trust on its own is no longer enough. He advocates combining it with Least Privilege and moving towards verification proofing: limiting standing access, granting high-risk privileges only just-in-time, and assuming that authentication can be spoofed. Security, he argues, now requires “multiple chains of evidence to catch impostors.”
Quantum, quietly urgent
One more threat sits just over the horizon, and it is as mundane as it is existential: cryptography. “It is the quiet foundation of trust in our digital world,” Ferrara says – securing online banking, flight-control messages and software updates. Quantum computing threatens to crack much of today’s public-key cryptography far faster than classical machines. The real twist is that adversaries can capture encrypted traffic now and decrypt it later, turning sensitive records into time bombs as quantum systems mature.
Ferrara argues for cryptographic agility – inventories of algorithms and keys, detection of weak or non-compliant use, and the ability to swap standards as the landscape shifts – so that organisations aren’t caught flat-footed at the quantum threshold.
At the sensor level, quantum also offers a path to un-spoofable navigation and better clocks, giving fleets and aircraft a way to ride out GNSS loss without broadcasting anything an adversary could jam. Tests have already shown quantum-derived approaches can meet aviation standards, Ferrara notes; the question is whether governments will treat navigation resilience with sufficient seriousness before a crisis forces their hand.
Towards a new social contract for connectivity
The past year’s shocks point to an uncomfortable truth that we have mistaken ubiquity for resilience. The global flow of data upon which we all depend is far more vulnerable than we realise. Resilience will not emerge from a shinier dashboard or one more vendor promising a “single pane of glass.” It will come from diversity – of routes, vendors and signals – from deliberate friction in verification (so deepfakes and token theft don’t glide through) and from engineering for partial failure so that the inevitable doesn’t become existential.
“True resilience comes from diversity,” Ferrara reminds us. “The tipping point is reached when organisations mistake more components for more protection, when in fact they have built an even more tightly coupled and fragile system.”
As cables snap and signals falter, resilience is defined less by flawless defence than by our willingness to bear risk while keeping the world running.
The hum beneath the waves is never silent. Our task is to ensure that when it falters, the world does not fall quiet with it.
This feature originally appeared as the October 2025 cover story of Arabian Business magazine.
Follow us on
