Presentation - Competition and Regulation in Network Industries

The age of resilience:
is Europe ready?
Andrea Renda
CEPS Senior Research Fellow
CRNI, 22 November 2013
TAKING TECHNOLOGY SERIOUSLY
 Any EU policy adopted today has to look at 2017-18
 Key assumptions

Technological evolution accelerates

Internet ecosystem increasingly crucial for the evolution of
high-tech markets (and increasingly, all markets)

Smart, integrated infrastructure increasingly crucial for the
Internet ecosystem

“Legal rules do matter”
INCREASED DEPENDENCE ON INFRASTRUCTURE
 Changing role of network infrastructure

Commingling of physical and virtual infrastructure
 “Age of connectivity”

Commingling of physical and virtual world
 Efficiency-oriented economic policy has dominated the
past decades: a paradigm shift?

The quest for efficiency has been partly beneficial, but also
made our infrastructure increasingly vulnerable

Reliance on the essential facility doctrine has failed: need for
a more consistent, layered, dynamic approach to
infrastructure policy
EXAMPLE OF INTERDEPENDENCIES
Source: Rinaldi et al. (2007)
EXAMPLE OF INTERDEPENDENCIES
Source: TNO (2008)
EXAMPLE OF INTERDEPENDENCIES
Source: FCC
WHY CIP AND CIIP HAVE BECOME (OR SHOULD
INCREASINGLY BECOME) DOMINANT AND CONTROVERSIAL
 Increased infrastructure convergence (e.g. Smart grids)
 Increased need for infrastructure upgrade (at what cost?)
 Need for redundancy and flexibility (e.g. Deepwater Horizon)
 Increased unpredictability (attack advantaged over defence?)
 Need to enhance security against:
Accidents
 Errors
 Cyber-attacks (including government-sponsored ones)

 Difficult to communicate CIP/CIIP policy to citizens
THE MORE WE CENTRALIZE DATA
MANAGEMENT AND INFORMATION
FLOWS, THE MORE WE BECOME
VULNERABLE
GREAT TRENDS THAT EXACERBATE OUR DEPENDENCE
 Cloud computing
 Big data
 Internet of Things and M2M communication
 Driverless cars
 Augmented reality and the “deviceless” world
 3D printing
 Remote & robotic healthcare
CLOUD COMPUTING
FROM THE “SPAGHETTI BOWL” TO THE “LASAGNA”…
Content layer
(e.g. web pages, audiovisual content, Voice calls)
DRM
Application layer
(e.g. web browsing, streaming media, email, VoIP, database services)
OS,
middleware
Logical layer
(e.g. TCP/IP, domain names, telephone numbering systems, etc.)
Physical (transport) layer
(e.g. coaxial cable, backbones, routers, servers)
Fixed
Mobile
Other
… TO THE “CLOUD TIRAMISU’”
Cloud delivered services
(SaaS, PaaS, AaaS, IaaS)
Cloud platform
(Operational and business support services)
Virtualized resources
(Virtual network, server, storage)
System resources
(network, server, storage)
Physical (transport) layer
(e.g. coaxial cable, backbones, routers, servers)
Fixed (xDSL, Cable, Fiber)
Mobile (LTE, WiMax, etc.)
Other (eReaders, PDAs)
BIG DATA
INTERNET OF THINGS
“AGE OF CONNECTIVITY”
EXAMPLE: DRIVERLESS CARS
DRIVERLESS CARS...
WEARABLE DEVICES
AND MORE...
3D printing
Smart paper
“Haptic” technology
Holograms and four wall screens
Universal translators
Mind scanning
Synthetic biology
Advanced bionics
...
What might happen in the near future...

Cyberattacks become the major cause of car accidents

A major cause of disease/pandemic is the remote manipulation of
personal healthcare data held by hospitals or private companies

Hacking satellites becomes the most effective act of war (e.g.
stopping drones)

A giant IT company is your new supermarket, with virtual shelves
projected in your home

You sign a contract to subscribe to “connectivity”, i.e. Energy +
Internet at a flat price

An Art.102 TFEU case against the dominant “contact lens OS”
provider for exclusionary abuses
CONVERGED INFRASTRUCTURE WILL
BE AS RESILIENT AS ITS WEAKEST LINK
IS IT TOO EARLY TO DELEGATE OUR
DAILY ACTIVITIES TO “ALWAYS ON”
INFRASTRUCTURE?
(“FINANCIAL CRISIS SYNDROME”?)
Is the EU ready?
A LOST DECADE?
 Excessive fragmentation at the infrastructure level
 Enormous delays in the deployment of optical fibre
 Lagging behind in LTE deployment
 Lack of entrepreneurship in app and cloud layers
 E-services and e-commerce slowly developing
 Legal uncertainty as regards copyright
 Lack of a digital single market
EMERGENCY!
 An infrastructure emergency
1 trillion for energy, €350 bn for telecoms?
 Need to exploit synergies with other network industries
 Need to reduce the cost of deployment (CEF?)
 Need to boost spectrum allocation (pan-European auction?)
 Need to work on the resilience of existing infrastructures

 Policies that boost infrastructure deployment include
rules adopted for the higher layers

Net neutrality, Copyright, Data protection...
CONNECTED CONTINENT PROPOSAL (I)
CONNECTED CONTINENT PROPOSAL (II)
 But the Commission leaves the door open

No discriminatory blocking and throttling

Traffic management on the Internet must be non-discriminatory, proportionate and transparent.

Content providers and internet providers might sign deals to
assure a certain QoS (“specialised services”). This will enable
telcos to generate additional revenue streams from OTT
actors, content providers as well as from consumers

BUT: Specialised services must not lead to quality
degradation of the "normal" Internet.
CONNECTED CONTINENT PROPOSAL (III)
 Practical application might prove highly complex

When is the open internet sufficiently impaired?

QoS means different things to different users and
different services

How can transparency obligations become more
user-friendly?

Risk of market micro-management?
CONNECTED CONTINENT PROPOSAL (IV)
 A meaningful proposal, but what about other layers?
Emphasis on NN suggests that the only gatekeepers of
cyberspace are and will always be ISPs
 However, the Internet is evolving in a way that generates
market power (better, “gate-keeping” power) also at higher
layers


In a layered architecture, discrimination and exceptions to the basic
Internet freedoms may emerge at all layers (Who do you think is
stronger, Verizon or Google? AT&T or Apple?)

Concepts such as “search neutrality”, “application neutrality” or
“cloud neutrality” are likely to become more widespread and evolve
into a “platform neutrality” argument.

Will regulation spread like an oil spot in the Internet ecosystem?
BEYOND “CONNECTED CONTINENT”
 Future regulatory intervention going up the
value chain?

Search neutrality (e.g. Google case)
“ballot screen” obligations
 Vertical, functional separation “on screen”


Cloud neutrality


Mandatory open standards? Inter-cloud interoperability?
Device neutrality?

How many contact lenses can you wear at the same time?
 Antitrust, regulation or both?
BIG QUESTIONS (II)
 What regulatory scenarios for infrastructure?

A future for standard access policy?

Co-investment as a dominant paradigm?

Structural separation of connectivity from services?

Access holidays with mandatory, reciprocal access to
network for energy and telecom companies? (“regulated
duopoly”)

Energy, telecoms and IT companies competing on an
equal footing to provide connectivity + home automation
services?
LEVEL OF PREPAREDNESS (EXCL. FINANCIAL SECTOR)
Companies with more than 10 employees that reported having a
formally defined ICT security policy in 2012
Source: Eurostat
A “WEB OF NOTIFICATIONS”?
CONCLUDING REMARKS: TOWARDS FORWARD-LOOKING, TECH-BASED POLICY?
 The open and unregulated nature of the Internet is a
distant memory
Increased regulation of OTT and cloud to be expected?
 More red tape without real solutions?

 Command and control regulation is unlikely to work in this
ever-changing environment
Co-regulatory approaches are the only possible way
 Public and private regulation must address key market failures


Externalities and free riding problems

Lack of information and awareness

Insufficient production of public goods

Absence of a mature insurance market
Peter Steiner. The New
Yorker, July 5, 1993
Copyright – 1997 The School of Journalism and Mass Communications,
University of North Carolina
Thank you!
The age of risk: evolution of risk in cyberspace

Not just cyberwarfare!

Natural disasters are a major cause of outages

Errors and unintentional security incidents another major
cause

Intentional cyberattacks feature various forms and targets
Malware (Viruses, worms, trojans, etc.)
 DDoS
 Unauthorized access
 Advanced persistent threats
 Phishing


Increased evidence of cyberattacks that target financial
services (WSJ, July 2013)
Techniques
First steps to develop a CIP/CIIP EU policy

Initial emphasis on public-private cooperation


The EP3R was a promising step, but was discontinued and
replaced with the new NIS platform (starts tomorrow)
Main initiatives
2008 ECI Directive
 Review of the telecoms framework led to Art. 13a
 ENISA’s role expanded over time


Problems
Wide divergence in definitions, standards, regulatory approaches
 A largely under-developed (cyber)insurance market
 Very diverse or lacking national strategies

Directive 40/2013

Member States shall take the necessary measures to
ensure that they punish as a criminal offence (Artt. 3-7):
Illegal access to information systems
 Illegal system interference
 Illegal data interference
 Illegal interception

Includes incitement to commit such offences, and also
failed attempts
 Imprisonment of at least two years, at least for cases
which are not minor
 Monitoring and statistics provisions

Measures proposed in the NIS Directive (I)

Article 6: every MS should establish a Competent
Authority (CA) that:
Monitors the application of the Directive at national level
 Receives notifications of incidents from public
administrations and market operators
 Consults and co-operates with relevant law enforcement and
data protection authorities.


Article 8: CAs should be connected via a secure
network (e.g. sTESTA) where they can circulate early
warnings on risks and incidents, cooperate with the
European Cybercrime Centre, etc.
Measures proposed in the NIS Directive (II)

Member States should establish CERTs responsible for
handling incidents and risks that are to:
monitor incidents at national level
 provide early warnings and alert announcements
 respond to incidents
 provide dynamic risk management,
incident analysis and situational awareness
 build broad public awareness


CAs need to report early warnings of incidents or risks
to the co-operation network where they:
grow rapidly or may grow rapidly in scale
 exceed or may exceed national response capability
 affect or may affect more than one Member State.

An unprecedented notification system

An estimated 42,000 entities covered!!







Key Internet companies (e.g. large cloud providers, social
networks, e-commerce platforms, search engines)
Banking sector and stock exchange
Energy (e.g. electricity and gas)
Transport (operators of air, rail, maritime transport, logistics)
Health
Public administrations
Excluded
Network operators (already notify under Art 13a)
 Hardware and software producers
 Micro-enterprises

Will it work?
Rejection of the PPP approach?
 “Obligatory” reporting obligations almost unprecedented
 Regulating internet enablers also unprecedented
 Insufficient emphasis on developing a risk-management
culture in the public and private sector
 Will the system be flexible enough to adapt to such an ever-changing environment?
 Administrative burdens probably under-estimated
 Cumulative costs/burdens and duplication of notifications
 Exempting micro-enterprises might be risky

Agenda

Infrastructure and the “age of resilience”

Is Europe ready for the connectivity age?

The Connected Continent’s net neutrality proposal

Cybersecurity: towards a new wave of regulation?

Conclusion
Statements

“It is fair to say that we’re already living in an age of state-led cyber
war, even if most of us aren’t aware of it […]. The logical conclusion
of many more states coming online, building or buying cyber-attack
capability and operating within competitive spheres of online
influence is perpetual, permanent, low-grade cyber war.”
Schmidt and Cohen (2013)

“cyber attacks are now the most pressing threat to the US security,
ahead of Islamist terrorism.”
Geoff Dyer (2013)

“Just as nuclear war was the strategic warfare of the industrial era,
cyber warfare has become the strategic war of the information era”
Leon Panetta (2012)
Targeted attacks (I)
Targeted attacks (II)

Example: Stuxnet

Allegedly developed by Israel
with US support to hobble Iranian
facilities (SCADA developed by
Siemens)

10,000 estimated person/days, 6
to 9 months, 5-10 developers

Development costs: $3 million

Damaged also India, Indonesia
etc.

At Sept 2010, 100,000 infected
hosts according to Symantec
Source: Falliere, Murch and Chien 2011
Targeted attacks (III)

After Stuxnet
Flame (2011): attacks computers running Windows 7 and XP,
mostly in the Middle East. It replicates itself to other computer
systems and networks over LAN or USB, records audio using
your drivers, takes screenshots, monitors keyboard activity and
network traffic. Looks out for Skype and uses Bluetooth to steal
data. Has infected over 1,200 machines.
 Gauss (2012): a “nation-state sponsored cyber-espionage
toolkit” (Kaspersky) designed to steal passwords and banking
data from individuals in the Middle East – particularly Lebanon.
 DuQu (2012): looks for info to attack industrial control systems
and reports the sensitive data back to the mother ships.
Captures keystrokes and computer system and network
information.

Targeted attacks (IV)

APT1 in China (Mandiant)
Note: China argues that 70% of cyber-attacks in the world are targeted at them
Source: Mandiant, 2013
Global value chains
 Global production is distributed across the globe
 Essential factors
Low energy prices
Simple rules (no red tape)
IP protection
Legal certainty
Available skills
Cheap labour
“Always on” infrastructure
Cloud/storage services
Market size
 Back to industrial policy?
Example: iPhone’s value
Source: OECD (2011) "Global Value Chains: Preliminary Evidence and Policy Issues"
Nokia N95’s origin
Source: ETLA
CIP meets CIIP


Growing interdependence between the Internet and
other critical infrastructure

Financial services

Smart grids

Intelligent transport

Private and public clouds
Is the Internet resilient?

Mobile less than fixed

Cloud less than Internet?
Source: TrendMicro, 2013