As featured on TM Forum’s the Insider Blog
The EC's digital agenda commissioner, Neelie Kroes, is very concerned about internet security threats. So much so that she has called for urgent action at a European and international level because “societies have not taken the necessary measures to address these risks.”
The threats, she said, could damage not just government or critical infrastructure, but also threaten consumer trust in global e-commerce, worth trillions of euros each year. She wants everyone (governments, businesses and individuals) to work together and share the responsibility of making the internet safe and secure.
All well and good so far, but the lynchpin of her plan is a governance structure and, hopefully, this does not translate to more regulation. To achieve this she has put forward a five-strand plan that mentions governments, the private sector that owns and runs most of the infrastructure (presumably operators), and businesses that need proper risk management to assess and mitigate risks.
She pointed out that prompt reporting of attacks meant that competent national authorities could react quickly to incidents and minimize their impact. Such an obligation to notify security breaches already exists for the telecom sector, and she said that it should also encompass other sectors relying on critical information infrastructure, like energy, water, finance and transport.
These actions are admirable and necessary. No one will deny that internet security concerns are widespread and that a serious and coordinated attack on those abusing the internet should be in place, but how does this sit with previous commitments by Kroes to enforce net neutrality in Europe?
Under those proposals, shaping, restricting, throttling, enhancing, filtering or manipulating internet access in any way will be a no-no. Yet in order to provide the levels of cyber-security that Kroes is suggesting, it will be necessary to infringe on those very same proposed net neutrality rules.
ISPs and network operators - the very same entities that Kroes claims are not investing enough to meet EU targets on improving broadband speeds - will be the most obvious implementers and providers of the proposed security measures. They already claim that they cannot justify the investment in new broadband infrastructure because they are unable to generate extra revenues in an ultra-competitive market from customers that have come to expect low-priced access to the internet, so why would they rush to help?
So, what will be the happy medium? Will the net neutrality rules allow operators to interrogate the network, searching out threats, monitoring traffic, applying filters and using software that will protect internet users but, at the same time, breaching the very net neutrality Kroes is trying to instigate?
There is no doubt that any European-wide initiative to combat cyber-security threats will involve CSPs, and it may provide the bargaining chip they need for reduced regulation and give them the freedom to provide differing levels of internet access and service in order to generate more revenues and build more infrastructure. Better still, maybe the provision of internet security will be a revenue spinner on its own.