How to Make Telecoms More Resilient? For Starters, Better Internal Controls

Resiliency is bigger than any one individual or even one company. It is systemic.

September 1, 2022
starbucks
People crowd around a Starbucks coffee shop in Toronto to use its free Wi-Fi on the Bell network, during a major Rogers Communications internet outage that caused widespread disruptions across Canada on July 8, 2022. (Chris Helgren/REUTERS)

A provocative way of thinking about infrastructure is to consider it as sociologists Susan Leigh Star and Karen Ruhleder have, as something that “remain[s] invisible until breakdown.” When Rogers Communications’ network went down on July 8, 2022, it became hard to unsee the depth of our dependence on telecommunications services, and the firms that provide them.

It’s one thing not to be able to email colleagues, phone friends or like their social media posts. It’s another matter altogether to go without emergency services, or payment services, or to miss a mandated court appearance because your internet is down. The dynamics of entire communities change when thousands of concertgoers are sent home, bike-share fleets blink offline, or doctors must remain at hospitals because they may be otherwise unreachable.

Given enough lifespan, every complex system must experience failures, despite the best efforts of individuals within those systems who work hard to prevent them. But that inevitability should be viewed as a conversation-starter, rather than an excuse for inaction.

Resiliency is bigger than any one individual or even any one company. It is systemic. How do we retrofit into our fraught telecom environment a reliability agenda that amounts to more than a telecom equivalent of poorly privatized health care, in which service is most accessible to the most fortunate? What does a reliability agenda for telecom look like — one that recognizes that we are all better off when we all are served by a critical communications infrastructure that we rarely need to notice?

The answer starts with understanding where existing public oversight fell down in the Rogers fiasco and the nature of those gaps. For nearly 30 years, the Canadian Radio-television and Telecommunications Commission (CRTC) has been charged by the Telecommunications Act with ensuring that markets render “reliable … telecommunications services of high quality accessible to Canadians in both urban and rural areas in all regions of Canada.” Its mandate is to steer telecom markets in ways that ensure they meet all the public policy expectations we have for them in view of their public role.

The CRTC is, of course, aware of telecom’s embeddedness as both a direct-use service and an essential ingredient in the services that businesses, public agencies and not-for-profits provide for Canadians’ everyday use. But following through on that awareness — even after the post-mortem the CRTC has initiated with its 54 pointed questions to Rogers is completed — should include more than better visibility, fewer redactions, or scrambling into action when news of an outage crackles over the transom. How, rather, should resilience become embedded in the way we oversee and regulate telecom markets systemically?

Reliability Lost in the Shuffle

A resilience agenda for Canadian telecom is easy to call for but hard to execute, especially when much else is afoot. Over the three decades since the Telecommunications Act came into force, the regulator has also presided over the progressive introduction of competition; the implementation, then general dismantling, of foreign ownership restrictions; and the complete, and ongoing, reworking of how communications services are delivered in light of digital technologies. It has worked to update its frameworks to both respect and respond to the once-central public switched telephone network’s long wind-down in favour of broadband and internet.

Somewhere along the way, however, the reliability expectations exemplified by responsibilities such as retail quality-of-service reporting, once required of rate-regulated monopolies by the CRTC, were replaced by the lesser outcome of “informal resilience.” That’s something that emanates from markets in which overlapping service providers compete on multiple platforms for the trust of consumers and businesses. For critical infrastructures, informal resilience is not enough.

The consequences of insufficiently embedding a reliability agenda within shifting telecom policy mandates have long been visible in places such as Canada’s North, where 9-1-1 services have lagged modern standards, telephone and broadband services are frequently spotty, and community-wide outages are not uncommon.

Assign Clear Responsibility

The consequences of insufficiently embedding a reliability agenda within shifting telecom policy mandates have long been visible in places such as Canada’s North, where 9-1-1 services have lagged modern standards, telephone and broadband services are frequently spotty, and community-wide outages are not uncommon. For the media and political capitals in Canada’s South, July 8, 2022, provided a taste of what life without casual reliance on these critical services is like.

Prompted by Minister of Innovation, Science and Industry François-Philippe Champagne, the major telcos hammered out an agreement for reasonable roaming under emergency arrangements when technically feasible, modelled on an arrangement between US carriers recently made mandatory by the CRTC’s counterpart, the Federal Communications Commission (FCC). It was the solid start to a response. But private contracts for emergency roaming must be reabsorbed into the ordinary work of the telecom markets’ regulator, not remain a one-off ministerial or political prerogative negotiated behind closed doors. The CRTC’s job includes both improving systemic reliability and enhancing telecom markets’ permeability to emerging competitors. As a sectoral agency, it is charged with achieving balance, and recognizing trade-offs in navigating what administrative lawyers call “polycentric” objectives.

Innovation, Science and Economic Development Canada (ISED) is responsible for assigning the core aims of telecom markets’ oversight responsibilities. It’s also a second telecom regulator, first of all with respect to spectrum and international submarine cables. For years, however, ISED has also undertaken concurrent resiliency activities, concerning everything from convening working groups to issuing incident notifications guidelines.

These activities are very much what a regulator ought to do. The work of the staff of ISED and the companies it convenes has been conscientious, steady and committed. The number of incidents they have prevented will forever remain, like infrastructure itself, invisible.

But structurally, the diffusion of these responsibilities is confusing. First, they’re best undertaken subject to an arm’s-length regulator’s independence, statutory transparency requirements and accountability to market participants. Second, when ISED signals that it too will deliver on oversight, the continuing diffusion of responsibility communicates that, while this may technically be the CRTC’s job, it can afford to focus on other areas, because someone else has it covered.

In this regard, consider that Bill C-26’s Critical Cyber Systems Protection Act and related Telecommunications Act amendments propose more of the same. The bill would establish a broad scheme around critical infrastructure protection for vital services and systems including not only telecom but also pipelines, power lines, nuclear systems, transportation and the financial sector. But rather than fix what’s wrong with the CRTC, or focus on overseeing its systemic responsibilities, the bill would assign these to ISED as regulator, carrying forward and deepening that relatively unstructured role, and continuing to let the CRTC off the hook.

Canadian telecom’s reliability agenda should begin with drawing the lines between policy making and program responsibilities. The latter may be better assigned to the independent, rules-based, notionally apolitical body answerable to all telcos, responsive by law to stakeholders, and empowered with a set of tools up to and including administrative monetary penalties to incentivize responsible behaviour. If Minister Champagne is serious about tackling the matter systemically, he will recommend to his colleagues not only that they quickly and seriously address real concerns about CRTC independence, timeliness and capacity, but also that they bolster its long-standing reliability responsibilities, rather than further minimizing these. And, if the CRTC is serious, it will carry on with using its already-existing mandate and powers to translate the lessons from outages such as July 8 into tangible, transparent and systemic rules that show Canadians the CRTC can and will do the job assigned to it.

Catch Up on Minimum Standards

High on the list of essential elements for any telecom reliability agenda must be baseline reliability governance across the sector, in the form of “proper, robust, independently-audited internal controls.”

Most large telcos are, it is true, already subject to some patchwork of security standards as payment card processors, outsourcing partners or procurement respondents. So are most banks, railways and electric utilities. But the Office of the Superintendent of Financial Institutions (OSFI) holds Canada’s banks to guidelines, and reporting, on operational (E-21) and technology (B-13) risk management. The Ontario Energy Board requires electricity distributors to self-assess annually against an Ontario Cyber Security Framework, and is one of eight provincial regulators to mandate North American Electric Reliability Corporation cyber standards. The looser work coordinated for some telcos by ISED, not the CRTC, is an uneven equivalent.

Work toward mandatory internal controls will not come as a surprise. The Broadcasting and Telecommunications Legislative Review Panel called in January 2020 for the CRTC to update security best practices for Canadian telcos and to determine to which classes of service provider they should apply. Now the proposed Critical Cyber Systems Protection Act would more formally duplicate within ISED, by designating it the telecom sector regulator, some of the very responsibilities the CRTC ought already to have taken up.

In our view, waiting for Bill C-26, and waiting to see how the ISED’s regulatory designation evolves alongside the CRTC’s long-standing role, is not the better approach for a resiliency agenda for Canadian telecom services. The CRTC should not wait to consult on and systematize its whole-of-market approach to internal controls for network resilience and cybersecurity.

Rogers’ internal teams no doubt scrambled to communicate with their own systems and people, let alone with third parties, and faced a mix of liability concerns and fast-evolving uncertainty that limited both what was possible and what was advisable.

Systematize Outage Reporting Disciplines

A major complaint during the outage and its aftermath was the limited communication between Rogers and affected stakeholders or, for that matter, affected residential, business and wholesale customers. A range of third parties such as Cloudflare, Downdetector and Kentik combined their own vantage points with public data to infer the outage’s scope as it developed and, remixed by news sources and combined with social-media-enhanced anecdata, became the main sources on which Canadians relied.

Rogers’ internal teams no doubt scrambled to communicate with their own systems and people, let alone with third parties, and faced a mix of liability concerns and fast-evolving uncertainty that limited both what was possible and what was advisable. Nor is it accurate to say that no outage reporting is in place in Canada. ISED’s Telecommunications Incident Notifications Guidelines are both detailed and confidential. The CRTC occasionally and, since July 8, increasingly conducts public-facing follow-up into major disruptions.

But system-wide, well-established frameworks, as would result from tackling these issues with the arm’s-length regulator’s procedural toolbox, are needed for all four phases of a sustained service interruption: first, pro-active outage detection; second, mandatory reporting; third, timing and detail baselines for confidential and public notice to affected service providers and users, respectively; and fourth, public summaries for systemic learnings. Compare, for instance, the rules-based frameworks the FCC mandates through its Network Outage Reporting System and enables through its voluntary Disaster Information Reporting System. Canada’s telecom reliability agenda must foreground all four areas within a transparent rule-setting environment. It is, at minimum, open to the CRTC to build a proposal on doing so, and to convene a public proceeding to review it.

Competition as Complement to Resiliency

How competition is structured affects how telecom markets tackle resilience. Single points of failure, both within a network and through over-reliance on any one firm, are red flags. Canada’s rural and remote communities, already confronted with being underserved, face particular challenges in this regard. Yet it would be a mistake to assume no room for improvement in Canada’s urban centres, as images of city-dwellers descending on coffee shop hotspots drove home on July 8. Even in our largest cities, many residents and commercial users, particularly those in newer apartment and condo buildings and single-developer plazas, increasingly have what amounts to a single choice for a facilities-based internet service provider. Where additional network facilities would provide a hedge against the scope and scale of potential outages, the CRTC, municipalities and provinces can all take steps to promote resilience-first competition.

Municipalities can implement building standards and construction-permitting rules that require projects under development to ensure competing networks can build in at the right time. Inserting similar notice periods into utility cut permitting and related bylaws would give competing telcos the meaningful opportunity to add fibre to existing utility digs — giving teeth to the much-vaunted “dig once” approach. Publicly controlled utilities could follow Montreal’s lead in leveraging utilities to streamline access to the conduits that run near and into virtually all buildings — reducing the cost of deploying fibre, and transforming the economics of connecting to underserved neighbourhoods along the way.

The CRTC could continue to make visible and address practices such as preferred marketing and bulk-billing arrangements that, especially within residential and commercial towers, make meaningful choice of providers an illusory concept at best. Provincial condominium, strata and consumer laws continue to allow burying bulk bills in condo fees, and let single-sourced telecom services cross over from developer to condo corporation unhindered. Should advertisements of flanker brands (extensions of brands in the same category) be required to disclose telco affiliations, so that consumers can differentiate between stand-alone competition and customer segmentation? Having long required incumbents to grant competitors last-mile network access at compensatory rates to spur service-based competition, should the CRTC have gone further by mandating a resiliency-first architecture so that, when all competitors want is access to that last mile, they aren’t knocked out by outages in a far-off network core?

Safeguarding real choice is a necessary step, if alone insufficient, to mitigating some of the monocultures that made a single telco’s outage, in the shadow of neither mandatory resiliency nor mandatory outage notification rules, so widely seen and deeply felt. The same is true of clear responsibility for resilience regulation and baseline security standards, a more systematic approach to notification and reporting, and resilience-first competition rules. No one wanted to see such a harsh spotlight become the catalyst for policy attention. But having stared it down, Canada can and should take the opportunity presented to set a more resilient course for the future of the telecommunications ecosystem on which we all rely.

The opinions expressed in this article/multimedia are those of the author(s) and do not necessarily reflect the views of CIGI or its Board of Directors.

About the Authors

Bram Abramson practises law and public policy as principal with 32M, a regulated technologies advisory firm.

Keldon Bester is a CIGI fellow and the executive director of the Canadian Anti-Monopoly Project, a think tank dedicated to addressing the harms of monopoly and building a more democratic economy.