- Resilience describes the ability of communications networks to provide and maintain an acceptable level of service in the face of various challenges to normal operations.
More and more, we live in a world where the use of information and communication technology is part of our daily lives. Hence dependability and network resilience are becoming ever more important for all of us. I began this series with an introductory post here:
I followed up by discussing challenges 1 & 2:
Today I continue addressing:
3) Operationalization of laws and regulation
Often neither new laws nor new regulations are needed; instead, better administration of the ones in force is often the most effective approach to achieving better dependability and resilience of e-communications networks.
Challenge: Paper trail versus sensible use of regulation – the devil lies in the detail. Without proper administration and control (e.g., checking if an acceptable level of resilience is achieved), reaching better resilience may be a pipe dream. Regulation not administered and enforced properly is a paper tiger, if not a bureaucratic nuisance or nightmare.
There is much regulation regarding resilience of networks or how infrastructure owners and operators need to better protect dependability of their networks. The regulator may ask the infrastructure owners to submit a strategic security plan. The latter outlines what the corporation intends to do for improving the dependability and reliability of public e-communications networks.
The current financial crisis has shown that strengthening the supervision of institutions that pose a potential risk to the stability of the financial system is a must. Naturally, improved supervision comes at a price. Similarly, for public e-communications networks, improving dependability and reliability demands regular assessment of how infrastructure owners, operators and large users transfer and manage risks.
Working on a long-term framework for improving resilience with the help of sensible and enforced regulation is hard work. Unfortunately, paper is patient, and while countries may push regulation through the national parliament’s approval process quickly, this is only a first step on a long journey to better dependability and reliability.
For instance, while infrastructure may be owned by firm A, it is managed by firm B (the hardware supplier) and its capacity is sold to several telecom operators, including virtual mobile telecom operators (VMTOs). In turn, claiming to regulate only the infrastructure owners is no longer satisfactory. There are too many different parties involved in managing, running and using infrastructure. Most importantly, what each player does may severely affect the others’ service (i.e., everything is interdependent when it comes to communication networks).
With the incumbent provider owning most of the infrastructure, administration of laws was a bit easier. These days, utilities may own networks, while vendors run them on the owner’s behalf. In fact, the utility may not have the engineering know-how to manage the risks regarding dependability of such a network, which is one reason why the running of the network was outsourced. However, talking to the owner may not suffice if one wants to improve dependability of e-communications networks.
In terms of interdependency and regulation, the critical stakeholders are:
Interdependency, regulation and critical stakeholders are:
1) the infrastructure owner – maybe a utility or a municipality,
2) the outsourcer that may run and manage the network (ever more often the hardware supplier),
3) the telecom companies purchasing capacity on these networks, and
4) those organizations running virtual private networks on the utilities’ fibre optics system (e.g., financial institutions and their automatic teller machine – ATM – network).
There are many more players in this field than before deregulation. Smaller players, especially, may have limited technical know-how available to address resilience issues. In turn, regulators are being challenged to make sure that this does not result in unnecessary risk exposure regarding resilience of public e-communications networks.
Regulators may have some budgetary constraints that make it a challenge to acquire the know-how and manpower needed for effectively enforcing regulation. Assessing information security and resilience measures undertaken by stakeholders for managing risks according to regulation is more than just having regular meetings to exchange information.
Regulators need to follow up to be able to check if regulation is doing the job it is supposed to. The current financial crisis is, in part, the result of inadequate regulation but, more importantly, of regulators not assessing whether proper procedures were being followed (e.g., being too lax in checking up on the banks, not following up when improper procedures were discovered). Control mechanisms can help to improve things.
This is vital to a society ever more dependent on resilient and dependable public e-communications networks. If they do not function properly, things tend to fall apart. Regulators and their masters have their work cut out for them.