You Can’t Secure What You Can’t See: The Case for HBOM & SBOM in Subsea Cables

JOSE AMARO | AUG 2025

Last month, on July 16, 2025, the Financial Times and Reuters reported something that did not surprise anyone paying attention: the U.S. is preparing to ban Chinese technology from undersea telecom cables connecting to America (Reuters). Why? The concern is simple but serious: the large majority of intercontinental internet traffic flows through these cables, so whoever controls the hardware, or even the embedded software, is positioned to observe or disrupt the world's digital bloodstream.

And yet… we’re still flying blind.

It’s 2025, and we still deploy mission-critical infrastructure — including submarine cable systems — with zero standardised visibility into what’s under the hood.

The easy answer, and the one policy keeps reaching for, is a geopolitical assumption:

“If it’s made in China, it’s probably risky”.

But what if it's a component assembled in Taiwan, using Chinese chips, running US firmware, built on open-source code from who knows where?

Let’s be honest: The U.S. approach to cybersecurity in critical infrastructure is often reactive, fragmented, and politicized. This cable ban is just the latest move in a long line of enforcement-first, transparency-later policies.

We can’t ban our way to security.

We can’t just de-risk the world by decree, especially when our own supply chains are full of ambiguities, blind dependencies, and opaque vendors.

What if instead the U.S. led with standards, not sanctions?

That’s where HBOM and SBOM come in.

SBOM & HBOM — What Are They, Really?

Think of them as ingredient labels — but for your digital and physical infrastructure.

  • SBOM (Software Bill of Materials) tells you exactly what software components are inside a device or system: every library, every version, every dependency, ideally with a unique identifier and a supplier for each, so the list can be matched against vulnerability advisories.
  • HBOM (Hardware Bill of Materials) does the same for hardware. It details the chips, boards and modules, their manufacturers, and where they come from, so the firmware in an SBOM can be tied to the physical part it runs on.

They’re not buzzwords. They’re becoming the baseline for trust in supply chains — especially for infrastructure that literally sits on the ocean floor and connects continents.

So, Why Do Submarine Cables Need This?

Submarine cables aren’t just fiber-optic threads — they’re complex systems with repeaters, landing stations, embedded firmware, and configuration software. And once they’re underwater, you can’t just patch them overnight.

That’s why visibility — before deployment — is critical.

If we had standardized SBOMs and HBOMs for every piece of gear going into these networks, we wouldn’t have to wait for a ban to wonder:

  • Who made this chip?
  • What’s running inside this repeater?
  • Is that firmware calling home?

Instead of banning based on origin, we could audit based on facts.

Transparency Is the Real Cybersecurity

Here’s what SBOMs and HBOMs enable:

  • Know what’s inside your systems — before they’re installed.
  • Spot components from banned or high-risk suppliers.
  • React quickly to software vulnerabilities — even in embedded systems.
  • Prove compliance with evolving regulations and guidance such as the EU's NIS2 Directive or CISA's supply chain frameworks.
  • Make incident response faster and more precise.

Imagine if a submarine cable failed, and instead of guessing, we could instantly trace the affected component, check its firmware, and see if similar equipment exists elsewhere. That’s the power of digital and physical traceability.

What Should Happen Next?

It’s not just about banning. It’s about building smarter.

Here’s what regulators and industry can do now:

  1. Mandate SBOMs and HBOMs for all subsea infrastructure vendors. No transparency = no approval.
  2. Adopt standard, machine-readable formats: SPDX or CycloneDX for software (CycloneDX also defines device and firmware component types, so one document can cover both layers), and CISA's Hardware Bill of Materials Framework for Supply Chain Risk Management for hardware.
  3. Invest in tooling to verify and audit BOMs — continuously, not just at procurement.
  4. Make BOMs part of national security policy for critical infrastructure, especially cables, satellites, and energy systems.
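As an added illustration of what steps 2 and 3 look like in practice (this is example code written for this post, not the author's tooling or any vendor's product), here is a small Python audit run against a constructed CycloneDX 1.5 document that describes a repeater unit, the controller board inside it, its firmware, and the libraries that firmware embeds. Everything in it is hypothetical: the vendor and part names, the restricted-supplier list, the advisory identifier, and the `origin:country` property key (CycloneDX `properties` are free-form name/value pairs, so that key is an assumed convention, not part of the specification). The script checks each component against the policy, then walks the dependency graph upward so that a finding on an embedded library is reported against the hardware unit that contains it.

```python
"""Audit a CycloneDX-style BOM (hardware + software) against a procurement policy.

All data here is constructed for illustration: supplier names, part names,
the advisory ID and the policy lists are hypothetical.
"""
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 document for a hypothetical repeater unit.
# "device", "firmware" and "library" are standard CycloneDX component types;
# the "origin:country" property key is an assumed naming convention.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"component": {
        "type": "device", "bom-ref": "dev-repeater", "name": "repeater-unit",
        "version": "3.2", "supplier": {"name": "Example Subsea Co"},
        "properties": [{"name": "origin:country", "value": "TW"}]}},
    "components": [
        {"type": "device", "bom-ref": "hw-pump-laser-ctl", "name": "pump-laser-controller",
         "version": "B", "supplier": {"name": "Example Parts Ltd"},
         "properties": [{"name": "origin:country", "value": "CN"}]},
        {"type": "firmware", "bom-ref": "fw-ctl", "name": "ctl-firmware",
         "version": "2.4.1", "supplier": {"name": "Example Subsea Co"}},
        {"type": "library", "bom-ref": "lib-tls", "name": "tinytls",
         "version": "1.2.0", "purl": "pkg:generic/tinytls@1.2.0"},
        {"type": "library", "bom-ref": "lib-json", "name": "minijson",
         "version": "0.9.3", "purl": "pkg:generic/minijson@0.9.3"},
    ],
    "dependencies": [
        {"ref": "dev-repeater", "dependsOn": ["hw-pump-laser-ctl", "fw-ctl"]},
        {"ref": "hw-pump-laser-ctl", "dependsOn": []},
        {"ref": "fw-ctl", "dependsOn": ["lib-tls", "lib-json"]},
    ],
})

# Constructed policy. A restricted supplier is a hard failure; a watch-listed
# origin only requests human review, because origin alone is not evidence.
RESTRICTED_SUPPLIERS = {"Example Parts Ltd"}
ORIGINS_NEEDING_REVIEW = {"CN"}
# Hypothetical advisories: component name -> (advisory id, first fixed version).
ADVISORIES = {"tinytls": ("ADV-HYPOTHETICAL-0001", "1.2.3")}


def version_tuple(v):
    """'1.2.0' -> (1, 2, 0); None when the version is not dotted integers."""
    try:
        return tuple(int(p) for p in v.split("."))
    except ValueError:
        return None


def all_components(bom):
    """Every component, including the product described in metadata."""
    meta = bom.get("metadata", {}).get("component")
    return ([meta] if meta else []) + bom.get("components", [])


def parent_map(bom):
    """Reverse the CycloneDX dependency graph: child ref -> set of parent refs."""
    parents = defaultdict(set)
    for dep in bom.get("dependencies", []):
        for child in dep.get("dependsOn", []):
            parents[child].add(dep["ref"])
    return parents


def top_level_assets(ref, parents):
    """Walk upward from `ref` to the units that have no parent (deployed hardware)."""
    seen, stack, roots = set(), [ref], set()
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        ups = parents.get(cur, set())
        if not ups:
            roots.add(cur)
        stack.extend(ups)
    return roots


def audit(bom_text):
    """Return a list of findings, each tied to the hardware it ultimately affects."""
    bom = json.loads(bom_text)
    parents = parent_map(bom)
    findings = []
    for c in all_components(bom):
        ref = c.get("bom-ref", c["name"])
        supplier = c.get("supplier", {}).get("name")
        props = {p["name"]: p["value"] for p in c.get("properties", [])}

        def add(severity, reason):
            findings.append({"ref": ref, "name": c["name"], "version": c.get("version"),
                             "severity": severity, "reason": reason,
                             "affects": sorted(top_level_assets(ref, parents))})

        if supplier in RESTRICTED_SUPPLIERS:
            add("fail", f"supplier '{supplier}' is on the restricted list")
        if props.get("origin:country") in ORIGINS_NEEDING_REVIEW:
            add("review", f"declared origin {props['origin:country']} needs manual review")
        if c["name"] in ADVISORIES:
            adv_id, fixed = ADVISORIES[c["name"]]
            have, fix = version_tuple(c.get("version", "")), version_tuple(fixed)
            if have is None:
                add("review", f"{adv_id}: cannot compare version {c.get('version')!r}")
            elif have < fix:
                add("fail", f"{adv_id}: version {c['version']} is below fixed {fixed}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_BOM_JSON):
        print(f"[{f['severity']}] {f['name']} {f['version']}: {f['reason']} (affects {f['affects']})")
```

On the sample document this reports three findings: the controller board fails on its restricted supplier and is flagged for review on origin, and the embedded TLS library fails on the hypothetical advisory, with all three traced back to the repeater unit that would have to be pulled or re-flashed. Run continuously against the BOMs of fielded equipment, the same traversal answers the question from the previous section: given a newly published vulnerable version, which deployed units embed it.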

Final Thought

In cybersecurity, visibility always wins. The world is waking up to the risks of opaque supply chains — and for good reason. Undersea cables don’t just carry internet traffic. They carry geopolitics, commerce, and the hopes of digital societies.

If we want to secure them, we need to start at the source. That means demanding clear, verifiable SBOMs and HBOMs from every supplier — not as an exception, but as standard operating procedure.

We don’t just need stronger cables. We need smarter cables.

Would love to hear your thoughts: Is your organization already using SBOMs or HBOMs? What challenges do you see in adopting them for critical infrastructure?

By José Amaro
EU & Indo Pacific Maritime Cybersecurity/Security Advisor |
EU Privacy Law Advisor | Jurist | ISO/27001 Lead Auditor