Resilience and security of digital infrastructure

How should public and private sector stakeholders respond to threats to the resilience and security of digital infrastructure?

That is the subject of a white paper released last month by Dr. Georg Serentschy, the former head of the Austrian telecom regulator and past chair of BEREC (Body of European Regulators for Electronic Communication). Recall that building resilience in telecommunications was the subject of a workshop a few weeks ago; Dr. Serentschy discussed the paper. In my recent post, I included links to a number of other articles on network resilience.

Among the highlights are a call for public-private partnership between governments and the private sector. “The highly complex and ever-changing threat landscape can only be tackled in cooperation between the private sector and governments and, beyond that, with international cooperation”. Governments are not able to address these challenges alone. Keep in mind, digital networks and infrastructure are generally private sector assets. However, since these assets are seen as strategic, what is the appropriate level of government involvement to ensure critical infrastructure is secured?

Sixteen months ago, Canada’s telecom regulator launched a consultation calling for comments on “Development of a regulatory framework to improve network reliability and resiliency”. The consultation was focused on notification and reporting requirements in respect of major telecommunications service outages. The file closed 15 months ago, but no determination has been released. In the meantime, the CRTC established interim reporting requirements.

In the February 2023 Notice, the Commission promised a broader consultation:

As its next step, the Commission will initiate a public proceeding to address network reliability and resiliency in broader terms, including issues relating to resiliency principles, emergency services (9-1-1), public alerting, consumer communication, the impact of outages on the accessibility of telecommunications services, consumer compensation, technical measures, and the imposition of administrative monetary penalties.

Such a consultation has not yet been launched. The CRTC’s departmental workplan is indicating a much less ambitious next step. “The CRTC will continue its work to enhance the resilience and reliability of telecommunications networks across the country. This includes continuing to examine requirements for reporting major service outages and future consultations on consumer communication and compensation requirements.”

Yesterday, Sammy Hudes of Canadian Press wrote a related story, “Canadian telecoms work on strengthening networks amid growing wildfire activity”. The article noted “It’s an issue that Canada’s telecommunications regulator is keenly aware of. Two consultations touching on that topic — one considering ways to improve telecom services in the Far North and another on how providers should report and notify customers of major service outages — remain in progress.”

It isn’t clear that the CRTC’s current focus on consumer communications and compensation is the best approach to develop a greater degree of resilience and security in Canada’s digital infrastructure. The work plan does not seem to include addressing “network reliability and resiliency in broader terms”, as promised in last year’s consultation.

To be fair, 6 paragraphs, representing almost 15% of that Notice of Consultation pointed to other government organizations that have roles to play. The agencies and committees are at federal, provincial, territorial and municipal levels. It also mentioned CSTAC, the Canadian Security Telecommunications Advisory Committee, as a voluntary working group that provides a forum for federal government and industry stakeholders to analyze, develop, and implement measures to protect critical telecommunications infrastructure.

The Serentschy white paper warns “regulatory authorities in most cases do not have a mandate to develop or apply a holistic view and break out of their vertical silos.” The paper suggests that policy makers may need to “give regulators a new and expanded mandate.” Dr. Serentschy suggests that increased network element redundancy, and reducing single points of failure can be at odds with other regulatory measures.

There are 10 recommendations in the white paper. Recommendation 10 calls for institutional reform, calling for the establishment of a central coordinating body as “an important step towards overcoming the usual historically fragmented governance structures.” According to Dr. Serentschy, “governments cannot tackle these challenges alone, nor can industry.” Therefore, he calls for a central coordinating, advisory and decision making body, empowered to reassess regulatory priorities, including competition policy, where necessary.

The subject of increased network resilience in a time of climate emergencies was raised on May 21 in the House of Commons:

How do we ensure digital infrastructure security and resilience are priorities for regulatory and policy determinations?

Is a more holistic approach to governance needed to improve cooperation and planning between government and the private sector? In a competitive telecom environment, how do we fund the needed network reinforcement in areas of challenging geographic and demographic characteristics?