The age of resilience: is Europe ready?
Andrea Renda, CEPS Senior Research Fellow
CRNI, 22 November 2013

TAKING TECHNOLOGY SERIOUSLY
- Any EU policy adopted today has to look at 2017-18
- Key assumptions:
  - Technological evolution accelerates
  - Internet ecosystem increasingly crucial for the evolution of high-tech markets (and increasingly, all markets)
  - Smart, integrated infrastructure increasingly crucial for the Internet ecosystem
  - “Legal rules do matter”

INCREASED DEPENDENCE ON INFRASTRUCTURE
- Changing role of network infrastructure
- Commingling of physical and virtual infrastructure
- “Age of connectivity”: commingling of physical and virtual world
- Efficiency-oriented economic policy has dominated the past decades: a paradigm shift?
- The quest for efficiency has been partly beneficial, but has also made our infrastructure increasingly vulnerable
- Reliance on the essential facility doctrine has failed: need for a more consistent, layered, dynamic approach to infrastructure policy

EXAMPLE OF INTERDEPENDENCIES (figure) Source: Rinaldi et al. (2007)

EXAMPLE OF INTERDEPENDENCIES (figure) Source: TNO (2008)

EXAMPLE OF INTERDEPENDENCIES (figure) Source: FCC

WHY CIP AND CIIP HAVE BECOME (OR SHOULD INCREASINGLY BECOME) DOMINANT AND CONTROVERSIAL
- Increased infrastructure convergence (e.g. smart grids)
- Increased need for infrastructure upgrade (at what cost?)
- Need for redundancy and flexibility (e.g. Deepwater Horizon)
- Increased unpredictability (attack advantaged over defence?)
- Need to enhance security against:
  - Accidents
  - Errors
  - Cyber-attacks (including government-sponsored ones)
- Difficult to communicate CIP/CIIP policy to citizens

THE MORE WE CENTRALIZE DATA MANAGEMENT AND INFORMATION FLOWS, THE MORE WE BECOME VULNERABLE

GREAT TRENDS THAT EXACERBATE OUR DEPENDENCE
- Cloud computing
- Big data
- Internet of Things and M2M communication
- Driverless cars
- Augmented reality and the “deviceless” world
- 3D printing
- Remote & robotic healthcare

CLOUD COMPUTING (figure)

FROM THE “SPAGHETTI BOWL” TO THE “LASAGNA”… (layered model)
- Content layer (e.g. web pages, audiovisual content, voice calls); DRM
- Application layer (e.g. web browsing, streaming media, email, VoIP, database services); OS, middleware
- Logical layer (e.g. TCP/IP, domain names, telephone numbering systems, etc.)
- Physical (transport) layer (e.g. coaxial cable, backbones, routers, servers): Fixed / Mobile / Other

… TO THE “CLOUD TIRAMISU” (layered model)
- Cloud delivered services (SaaS, PaaS, AaaS, IaaS)
- Cloud platform (operational and business support services)
- Virtualized resources (virtual network, server, storage)
- System resources (network, server, storage)
- Physical (transport) layer (e.g. coaxial cable, backbones, routers, servers): Fixed (xDSL, cable, fibre) / Mobile (LTE, WiMax, etc.) / Other (eReaders, PDAs)

BIG DATA (figure)

INTERNET OF THINGS (figure)

“AGE OF CONNECTIVITY” (figure)

“AGE OF CONNECTIVITY” EXAMPLE: DRIVERLESS CARS (figure)

DRIVERLESS CARS... (figure)

WEARABLE DEVICES (figure)

AND MORE...
- 3D printing
- Smart paper
- “Haptic” technology
- Holograms and four-wall screens
- Universal translators
- Mind scanning
- Synthetic biology
- Advanced bionics
- ...

What might happen in the near future...
- Cyberattacks become the major cause of car accidents
- A major cause of disease/pandemic is the remote manipulation of personal healthcare data held by hospitals or private companies
- Hacking satellites becomes the most effective act of war (e.g. stopping drones)
- A giant IT company is your new supermarket, with virtual shelves projected in your home
- You sign a contract to subscribe to “connectivity”, i.e. energy + Internet at a flat price
- An Art. 102 TFEU case against the dominant “contact lens OS” provider for exclusionary abuses

CONVERGED INFRASTRUCTURE WILL BE AS RESILIENT AS ITS WEAKEST LINK

IS IT TOO EARLY TO DELEGATE OUR DAILY ACTIVITIES TO “ALWAYS ON” INFRASTRUCTURE? (“FINANCIAL CRISIS SYNDROME”?)

Is the EU ready?

A LOST DECADE?
- Excessive fragmentation at the infrastructure level
- Enormous delays in the deployment of optical fibre
- Lagging behind in LTE deployment
- Lack of entrepreneurship in app and cloud layers
- E-services and e-commerce slowly developing
- Legal uncertainty as regards copyright
- Lack of a digital single market

EMERGENCY!
- An infrastructure emergency: 1 trillion for energy, €350 bn for telecoms?
- Need to exploit synergies with other network industries
- Need to reduce the cost of deployment (CEF?)
- Need to boost spectrum allocation (pan-European auction?)
- Need to work on the resilience of existing infrastructures
- Policies that boost infrastructure deployment include rules adopted for the higher layers: net neutrality, copyright, data protection...

CONNECTED CONTINENT PROPOSAL (I) (figure)

CONNECTED CONTINENT PROPOSAL (II)
- But the Commission leaves the door open
- No discriminatory blocking and throttling
- Traffic management on the Internet must be non-discriminatory, proportionate and transparent.
- Content providers and internet providers might sign deals to assure a certain QoS (“specialised services”). This will enable telcos to generate additional revenue streams from OTT actors and content providers as well as from consumers
- BUT: specialised services must not lead to quality degradation of the “normal” Internet.

CONNECTED CONTINENT PROPOSAL (III)
Practical application might prove highly complex:
- When is the open internet sufficiently impaired?
- QoS means different things to different users and different services
- How can transparency obligations become more user-friendly?
- Risk of market micro-management?

CONNECTED CONTINENT PROPOSAL (IV)
A meaningful proposal, but what about other layers?
- Emphasis on NN suggests that the only gatekeepers of cyberspace are and will always be ISPs
- However, the Internet is evolving in a way that generates market power (better, “gate-keeping” power) also at higher layers
- In a layered architecture, discrimination and exceptions to the basic Internet freedoms may emerge at all layers (Who do you think is stronger, Verizon or Google? AT&T or Apple?)
- Concepts such as “search neutrality”, “application neutrality” or “cloud neutrality” are likely to become more widespread and evolve into a “platform neutrality” argument.
- Will regulation spread like an oil spot in the Internet ecosystem?

BEYOND “CONNECTED CONTINENT”
- Future regulatory intervention going up the value chain?
- Search neutrality (e.g. Google case):
  - “Ballot screen” obligations
  - Vertical, functional separation “on screen”
- Cloud neutrality:
  - Mandatory open standards?
  - Inter-cloud interoperability?
- Device neutrality? How many contact lenses can you wear at the same time?
- Antitrust, regulation or both?

BIG QUESTIONS (II)
- What regulatory scenarios for infrastructure?
- A future for standard access policy?
- Co-investment as a dominant paradigm?
- Structural separation of connectivity from services?
- Access holidays with mandatory, reciprocal access to network for energy and telecom companies? (“regulated duopoly”)
- Energy, telecoms and IT companies competing on an equal footing to provide connectivity + home automation services?

LEVEL OF PREPAREDNESS (EXCL. FINANCIAL SECTOR) (chart)
Companies with more than 10 employees that reported having a formally defined ICT security policy in 2012. Source: Eurostat

A “WEB OF NOTIFICATIONS”? (figure)

CONCLUDING REMARKS: TOWARDS FORWARD-LOOKING, TECH-BASED POLICY?
- The open and unregulated nature of the Internet is a distant memory
- Increased regulation of OTT and cloud to be expected?
- More red tape without real solutions?
- Command and control regulation is unlikely to work in this ever-changing environment
- Co-regulatory approaches are the only possible way
- Public and private regulation must address key market failures:
  - Externalities and free riding problems
  - Lack of information and awareness
  - Insufficient production of public goods
  - Absence of a mature insurance market

(cartoon) Peter Steiner, The New Yorker, July 5, 1993

(image) Copyright 1997 The School of Journalism and Mass Communications, University of North Carolina

The age of resilience: is Europe ready?
Thank you!
Andrea Renda, CEPS Senior Research Fellow
CRNI, 22 November 2013

The age of risk: evolution of risk in cyberspace
- Not just cyberwarfare!
- Natural disasters are a major cause of outages
- Errors and unintentional security incidents are another major cause
- Intentional cyberattacks feature various forms and targets:
  - Malware (viruses, worms, trojans, etc.)
  - DDoS
  - Unauthorized access
  - Advanced persistent threats
  - Phishing
- Increased evidence of cyberattacks that target financial services (WSJ, July 2013)

Techniques (figure)

First steps to develop a CIP/CIIP EU policy
- Initial emphasis on public-private cooperation
- The EP3R was a promising step, but was discontinued and replaced with the new NIS platform (starts tomorrow)
- Main initiatives:
  - 2008 ECI Directive
  - Review of the telecoms framework led to Art. 13a
  - ENISA’s role expanded over time
- Problems:
  - Wide divergence in definitions, standards, regulatory approaches
  - A largely under-developed (cyber)insurance market
  - Very diverse or lacking national strategies

Directive 40/2013
- Member States shall take the necessary measures to ensure that they punish as a criminal offence (Arts. 3-7):
  - Illegal access to information systems
  - Illegal system interference
  - Illegal data interference
  - Illegal interception
- Includes incitement to commit such offences, and also failed attempts
- Imprisonment of at least two years, at least for cases which are not minor
- Monitoring and statistics provisions

Measures proposed in the NIS Directive (I)
- Article 6: every MS should establish a Competent Authority (CA) that:
  - Monitors the application of the Directive at national level
  - Receives notifications of incidents from public administrations and market operators
  - Consults and co-operates with relevant law enforcement and data protection authorities.
- Article 8: CAs should be connected via a secure network (e.g. sTESTA) where they can circulate early warnings on risks and incidents, cooperate with the European Cybercrime Centre, etc.

Measures proposed in the NIS Directive (II)
- Member States should establish CERTs responsible for handling incidents and risks that are to:
  - Monitor incidents at national level
  - Provide early warnings and alert announcements
  - Respond to incidents
  - Provide dynamic risk management, incident analysis and situational awareness
  - Build broad public awareness
- CAs need to report early warnings of incidents or risks to the co-operation network where they:
  - Grow rapidly or may grow rapidly in scale
  - Exceed or may exceed national response capability
  - Affect or may affect more than one Member State.

An unprecedented notification system
- An estimated 42,000 entities covered!!
- Key Internet companies (e.g. large cloud providers, social networks, e-commerce platforms, search engines)
- Banking sector and stock exchange
- Energy (e.g. electricity and gas)
- Transport (operators of air, rail, maritime transport, logistics)
- Health
- Public administrations
- Excluded:
  - Network operators (already notify under Art. 13a)
  - Hardware and software producers
  - Micro-enterprises

Will it work?
- Rejection of the PPP approach?
- “Obligatory” reporting obligations almost unprecedented
- Regulating internet enablers also unprecedented
- Insufficient emphasis on developing a risk-management culture in the public and private sector
- Will the system be flexible enough to adapt to such an ever-changing environment?
- Administrative burdens probably under-estimated
- Cumulative costs/burdens and duplication of notifications
- Exempting micro-enterprises might be risky

Agenda
- Infrastructure and the “age of resilience”
- Is Europe ready for the connectivity age?
- The Connected Continent’s net neutrality proposal
- Cybersecurity: towards a new wave of regulation?
- Conclusion

Statements
- “It is fair to say that we’re already living in an age of state-led cyber war, even if most of us aren’t aware of it […]. The logical conclusion of many more states coming online, building or buying cyber-attack capability and operating within competitive spheres of online influence is perpetual, permanent, low-grade cyber war.” Schmidt and Cohen (2013)
- “cyber attacks are now the most pressing threat to the US security, ahead of Islamist terrorism.” Geoff Dyer (2013)
- “Just as nuclear war was the strategic warfare of the industrial era, cyber warfare has become the strategic war of the information era” Leon Panetta (2012)

Targeted attacks (I) (figure)

Targeted attacks (II)
Example: Stuxnet
- Allegedly developed by Israel with US support to hobble Iranian facilities (SCADA developed by Siemens)
- 10,000 estimated person/days, 6 to 9 months, 5-10 developers
- Development costs: $3 million
- Also damaged India, Indonesia etc.
- At Sept 2010, 100,000 infected hosts according to Symantec
Source: Falliere, Murch and Chien 2011

Targeted attacks (III)
After Stuxnet
- Flame (2011): attacks computers running Windows 7 and XP, mostly in the Middle East. It replicates itself to other computer systems and networks over LAN or USB, records audio using your drivers, takes screenshots, monitors keyboard activity and network traffic. Looks out for Skype and uses Bluetooth to steal data. Has infected over 1,200 machines.
- Gauss (2012): a “nation-state sponsored cyber-espionage toolkit” (Kaspersky) designed to steal passwords and banking data from individuals in the Middle East, particularly Lebanon.
- DuQu (2012): looks for info to attack industrial control systems and reports the sensitive data back to the mother ships. Captures keystrokes and computer system and network information.

Targeted attacks (IV)
APT1 in China (Mandiant)
Note: China argues that 70% of cyber-attacks in the world are targeted at them
Source: Mandiant, 2013

Global value chains
- Global production is distributed across the globe
- Essential factors:
  - Low energy prices
  - Simple rules (no red tape)
  - IP protection
  - Legal certainty
  - Available skills
  - Cheap labour
  - “Always on” infrastructure
  - Cloud/storage services
  - Market size
- Back to industrial policy?

Example: iPhone’s value (figure) Source: OECD (2011) “Global Value Chains: Preliminary Evidence and Policy Issues”

Nokia N95’s origin (figure) Source: ETLA

CIP meets CIIP
- Growing interdependence between the Internet and other critical infrastructure:
  - Financial services
  - Smart grids
  - Intelligent transport
  - Private and public clouds
- Is the Internet resilient?
  - Mobile less than fixed
  - Cloud less than Internet?
Source: TrendMicro, 2013