Information and Communication Infrastructure Resiliency: Summary of an expert roundtable


Connectivity infrastructure, such as mobile and broadband connectivity, is critical infrastructure. Evolving environmental and geopolitical risks mean that Canada’s connectivity infrastructure is becoming increasingly vulnerable to disasters, such as wildfires, and cyber threats. This poses a challenge as connectivity disruptions can result in significant cascading costs and repercussions. Consider the 2022 Rogers outage, which disrupted public services, payment processing, emergency service calls, etc. The incident was a stark reminder of the potentially far-reaching impacts of telecommunication service disruptions. Minimizing these impacts requires coordinated efforts from both the public and private sectors to engage in comprehensive planning and emergency preparedness.

The next federal election is an opportunity to prioritize emergency management for Canada’s connectivity infrastructure. With support from TELUS, the Institute of Fiscal Studies and Democracy (IFSD) convened an expert roundtable to define the basic components/considerations of an emergency response approach for resilience of connectivity infrastructure.  The purpose of the roundtable was to define the basic components of an emergency response framework to ensure the resilience and reliability of connectivity infrastructure. Participants included operators, government, consultants, lobbyists, and academics from Canada and other countries. Consistent with Chatham House Rules, the following is a general summary of the discussion rather than meeting minutes.

In its deliberations, the roundtable was clear: fostering resilience is a multi-faceted and multi-actor effort.  Economic security and social well-being require that strategies and tools to foster resilience cover the full stakeholder environment.  As risks are varied and unknown, coordination for long-term planning is required.

Resiliency of ICT should be incentivized at the levels of operators, the state, and end-users because risks are varied and unknown. Economic security and social well-being are inextricably interconnected with ICT, making resilience everyone’s concern, demanding collective action and investment.

From its deliberations, the following recommendations for the Government of Canada are proposed:

  1. Define ICT infrastructure resilience as a national issue of importance. Resources and initiatives should be aligned to support long-term strategic management and planning to protect Canada’s economic security and social well-being.
  2. Convene ICT-specific operators and supporting services such as utilities, law enforcement, and recycling, to engage in information sharing and to explore opportunities for joint initiatives, including collective training/simulation.
  3. Establish or amend existing legislation to protect ICT critical infrastructure (consistent with the proposed changes in Bill C-26, e.g., adding security as a policy objective and enabling the Government of Canada to act to protect the telecommunications system, etc.) to enhance security and resilience.  
  4. Leverage tax credits to incentivize operators to invest in network resiliency, focusing on infrastructure hardening, redundancy, and recovery.
  5. Establish a taxpayer-funded response fund for emergencies that impact ICT infrastructure or networks for restoring infrastructure, enabling rapid recovery, and ensuring continuity of critical telecom services during and after events.
  6. Define the data required to size ICT resilience risk, and align mechanisms such as standardized reporting and emergency management frameworks to ensure informed planning and investment decisions.    

Why does ICT resilience matter?

In August 2024, the Government of Canada announced public consultations on potential new measures to advance and defend the country’s economic and security interests. Securing the resilience of Canada’s ICT infrastructure and networks is an essential step in defending these interests.

The recognition of the importance of acting to protect economic and security interests has only been amplified with the election of Donald Trump in the United States. The shifting political environment will require Canada to enhance its economic and continental security activities so that it is not perceived or targeted as a vulnerable actor. 

The Business Council of Canada called upon the federal government in 2023 to establish a national security strategy with economic security as a central component.  Cyber and other threats to Canada’s business and research infrastructure are threats to its economic security.  The Parliamentary Committee on Economic Security’s summary committee notes from February 2023 indicated that:

The issue of Critical Infrastructure intersects with national, cyber, and economic security. From an economic security perspective, the NS [National Security] community is most interested in those CI [Critical Infrastructure] sectors that are most vulnerable to foreign state disruption, surveillance, or control, all of which can be harmful to Canada’s national security.

There is a clear multi-sector emphasis on the centrality of critical ICT infrastructure for Canada’s economic security.  The Government of Canada’s action through public consultations, while it establishes Critical Infrastructure as a priority for economic security, does not offer a coordinated and clear plan to maintain economic security in an environment of evolving geopolitical, climate, and technological risks. 

Canada is a service-based economy.  In 2023, nearly three-quarters of gross domestic product (GDP) by industry was service-based (Figure 1).  This should make Canada and other advanced economies especially concerned with the resiliency of ICT.  From the purchasing of goods and services to the management of utilities to access to health care, mobile and broadband connectivity permeate all facets of economic and social life in Canada. 

Given the central role of ICT in Canadian economic security, the ability to anticipate and absorb threats, adapt and transform, recover from disruptions, and learn from past events is crucial for those operating and leveraging connectivity infrastructure.

Recommendation: Define ICT infrastructure resilience as a national issue of importance. Resources and initiatives should be aligned to support long-term strategic management and planning to protect Canada’s economic security and social well-being.

ICT resilience and ecosystem

While there are numerous recent reports, statements, and memoranda of understanding (MOU), from the outside, it is not clear who is coordinating planning and responses in Canada.  Resilience in ICT requires a whole-of-government approach (beyond ISED and CRTC).  Laws, regulations, procurement practices, policy decisions, etc., have a direct influence on how resilience is planned and practiced.

Much of the outside literature (on engineering and communications infrastructure) is focused on designing and building resiliency into networks.  There is substantial analysis of approaches to building resilience to mitigate or manage certain types of risk, e.g., earthquakes, or for certain types of networks, e.g., fibre, optical.  The analysis is both technical and theoretical, while leveraging lessons and case studies of actual disaster or emergency circumstances.

Existing best practices, statements, and legislation

The 2022 Memorandum of Understanding on Telecommunications Reliability (MOU) defined a protocol for shared emergency roaming during a critical network failure caused by an emergency.  In the preamble to the MOU, “the importance of telecommunications quality and resiliency” is recognized as a driver for the arrangement.  In addition, a 2022 decision from regulators in the United States is referenced, identifying mobile services as “a significant lifeline” in emergency and disaster situations that require providers to establish procedures for roaming, mutual aid, and stakeholder/public communications in emergency circumstances.  The MOU is recognition of the need to promote network resilience through provider collaboration in emergency contexts. 

Canada’s networks are resilient, due to facilities-based competition, but increasing threats make this much more challenging to maintain.

Ofcom (the United Kingdom’s communications regulator) produced a guidance document on ICT reliability and resilience for providers required to comply with legislatively defined resilience-related security duties.  The document defines types of risk and considerations for intervention (with the recognition that technical response will vary by provider).  With an emphasis on integrating resilience throughout the delivery cycle (design, build, operate, maintain), Ofcom provides guidance to providers linked to concepts of infrastructure reliability and resilience defined through the National Infrastructure Commission.  The guidance document is an example of how national standards were translated for the operations of ICT providers that Canada could emulate.

In Canada, the Canadian Telecommunications Network Resiliency Working Group (a working group of the Canadian Security Telecommunications Advisory Committee (CSTAC)) produced policy recommendations in March 2023 to advance network resilience.  There are five general recommendations: 1) establish network redundancy; 2) identify and mitigate single points of failure, e.g., geographic; 3) design physical to withstand shocks; 4) install underground cables; 5) establish business practices for rapid assessment and responsiveness.  The report also includes a series of more detailed recommendations for six key elements: core networks, physical structures, services and applications, internet services and infrastructure, access to networks, and processes.  Composed of industry experts and ISED, the working group’s recommendations were operator focused, but there was a call for national action and legislation to protect ICT critical infrastructure.

Bill C-26, An Act respecting cyber security, amending the Telecommunications Act and making consequential amendments to other Acts, proposes changes consistent with CSTAC’s recommendation.  Proposed changes include adding security to the Telecommunications Act as a policy objective.  Amendments would authorize the Government to act to promote the security of the Canadian telecommunications system, e.g., in instances of manipulation, interference, disruption.  The Minister of Industry would be empowered to issue orders to providers on the use of products/services from certain companies, the development of security plans, etc.  On December 5, 2024, Bill C-26 was at its third reading in the Senate.

Actions to support resilience and implications of decisions extend beyond ICT operators.  Consider, for instance, the theft of copper wire.  As instances of theft increase, localized disruptions must be addressed to maintain network resilience. Operators’ staff, law enforcement, etc., are involved in the costly responses. Some operators recommend changing penalties in the Criminal Code and support amendments to the Telecommunications Act to increase the severity of the repercussions of the theft.

Community-level considerations should be included in emergency management.  Public service announcements, how-to guides, and planning tools should be developed by government and shared.
A mindset shift among citizens/end-users is needed.  They will be the first to feel the impacts of any ICT service disruptions and they should have a range of solutions to respond to them.  For instance, citizens/end-users could be encouraged to have a generator or backup power source to ensure broadband connectivity (when power is down, the internet is not necessarily down; rather, there is no power to generate the connection).  Communities must have plans for their own resilience.

Recommendation: Convene ICT-specific operators and supporting services such as utilities, law enforcement, and recycling, to engage in information sharing and to explore opportunities for joint initiatives, including collective training/simulation.

Recommendation: Establish or amend existing legislation to protect ICT critical infrastructure (consistent with the proposed changes in Bill C-26, e.g., adding security as a policy objective and enabling the Government of Canada to act to protect the telecommunications system, etc.) to enhance security and resilience.  

How can resilience be incented?

The state is the insurer of last resort in the case of a national emergency or crisis. This has significant public finance implications. Fostering resilience requires anticipating and quantifying risk.  Given the complexities and unpredictability of climate change, geopolitical tensions, technical and human errors, defining all forms of risk is untenable (i.e., there is significant uncertainty surrounding the risk of emergencies that impact ICT).   However, planning to respond to different circumstances and defining who is accountable is crucial. 

Considering ICT resilience, the state, as insurer of last resort should liaise with actors and stakeholders to define, quantify, and respond to risks.  Resilience of networks and related delivery infrastructure could be incented at the front-end and back-end through two mechanisms: 1) tax credits, i.e., to encourage providers to apply resources to emergency preparedness and network resilience; 2) response fund, i.e., resources accessible in an unforeseen circumstance with major implications.

Tax credits

There is limited information on the costs of failed ICT resilience.  It is challenging to quantify the cost to operators (both direct and indirect) and to consumers in an emergency circumstance until it has passed.  There are economic and social impacts to connectivity outages with quantified impacts estimated after the fact. 

It would be beneficial to incent operators to build resilience into their networks at the front-end and in their regular operations.  A tax credit, i.e., spending by the government through reducing or eliminating a tax (revenue) opportunity on a payer, is a potential tool to incent resilience.

In Canada, the six largest telecommunications firms spent approximately $13.3B on ICT capital in 2022.  That capital expenditure is supporting 75% of Canada’s GDP, i.e., the service sector directly or indirectly.  When considered in the context of sectors of economic activity, it is imperative for government to incentivize operators to build resiliently, to test frequently, and to respond decisively to threats.  This is not to say that operators are not already engaged in such activities, but there should be a clear indication of and support for industry-led initiatives for resiliency.  ICT resiliency is essential to economic security.

Future analysis should assess the tax credit instrument, its terms, targets, and estimate costs.  Working with industry and other users of the tax credit, the Government of Canada could define a spending tool to incent desired action on resilience in functional ways among operators.  A condition to share results or practices through common forums would align to the interoperability intention in emergency circumstances of the 2022 MOU.  

Recommendation: Leverage tax credits to incentivize operators to invest in network resiliency, focusing on infrastructure hardening, redundancy, and recovery.

Response fund

There is significant uncertainty surrounding ICT disasters, where there are both known unknowns and unknown unknowns. The private sector is unlikely to provide insurance for unknown threats and, even for known threats, firms are unlikely to insulate themselves from risk at socially optimal levels. Reaching these socially optimal levels of resilience investments will likely require action from the Government of Canada.

ICT resiliency requires participation from multiple actors. Given their different functions, e.g., operators, government, community, etc., an application-based fund can be a source of resources to respond to emergency circumstances.  The fund is useful in promoting broad-based access for a variety of actors and circumstances.  A backstop for unforeseen risks in a changing environment, the fund would be a set of resources to rebuild or respond to ICT-related emergencies.

The mechanism is not as targeted as the tax credit but is a set of ready resources to respond to occurrences.  Its broader base and reach would require assessment to estimate the appropriate capitalization.  To establish an ICT response fund, initial investment should define types of risk and their anticipated frequency.  The size of the fund should be linked to the capital stock and potential economic impact of an ICT emergency.  There are noted information gaps in defining and quantifying risks associated to ICT.  The Government of Canada should address these gaps as they provide a foundation for public and private action. 

Sources of funding may include spectrum fees or a whole-of-society contribution, e.g., generator tax revenues, as industry taxes do not capture the breadth of impact of ICT resilience.

Access to the fund should be well-defined, considering the emergency circumstances in which it may be called upon.  A clear process, guidelines, and rules should be pre-established to facilitate access in chaotic situations.

There are precedents for government funds both prior to and in response to an emergency.

To respond to emergencies, New Zealand established the Natural Hazards Fund (managed by the Natural Hazards Commission Toka Tū Ake). Resources to the fund are provided through a levy on homeowners’ insurance.  The fund provides “the first layer of insurance” for residential homes after a natural disaster event.  Resources from the fund are also used to purchase reinsurance, manage the Commission, and undertake research and public education campaigns on emergency preparedness. The fund is part of a broader approach in New Zealand to funding recovery following emergencies.  There is a clear statement that should needs extend beyond the fund’s capacity, the Crown would cover shortages as the insurer of last resort.

CRTC has an application-based fund (funded through operator and other payments) for granting prior to an emergency (see Figure 4).  In the past, the focus has been on connectivity in transportation.  However, public proceedings are underway by the CRTC to explore what else the fund could be supporting.  There is an opportunity to repurpose the $150M fund to focus on resilience.  There is a precedent for funds to incent actions and respond to occurrences federally.  Consider, for instance, the Broadband Fund, designed to incent operators to provide connectivity in underserved parts of the country; the On-Farm Climate Action Fund that provided resources to farmers to respond to climate change; or the Disaster Mitigation and Adaptation Fund that provided communities impacted by climate change with resources to improve natural and structural infrastructure resilience.

The CRTC’s Broadband Fund

The CRTC established the Broadband Fund to support the development of a telecommunications system that can provide Canadians with access to broadband Internet and mobile wireless services in underserved areas of Canada.  In its 3rd call for applications, the CRTC focused on projects that bring mobile wireless and Internet transport infrastructure to underserved regions, and it gave special consideration to transport projects that also propose enhanced resiliency to the telecommunications infrastructure project. In its ongoing review of the Broadband Fund Policy, which governs the funding program, the CRTC is considering providing funding to projects that propose to improve resiliency as an eligible project type for future BBF funding. 

In addition to the Broadband Fund, the CRTC is working towards enhancing the resiliency and reliability of telecommunication networks in Canada through multiple consultations.  A consultation on requirements for the reporting of major service outages has been launched with interim reporting requirements published and additional consultations are expected on a broader look at resiliency, including measures to enhance network resiliency.

Recommendation: Establish a taxpayer-funded response fund for emergencies that impact ICT infrastructure or networks for restoring infrastructure, enabling rapid recovery, and ensuring continuity of critical telecom services during and after events. 

Recommendation: Define the data required to size ICT resilience risk, and align mechanisms such as standardized reporting and emergency management frameworks to ensure informed planning and investment decisions.

At what cost?

Across jurisdictions, the risks of ICT require horizontal management.  Executive direction on the criticality of ICT infrastructure and risk management requires collaborative responses and pricing of the probability of forms of risk.  The fact that risk cannot be priced limits the likelihood that it can be insured (as is being experienced with limitations on cybersecurity insurance), and complicates state exposure as the insurer of last resort. Threats from climate change, geopolitical tensions and nefarious actors, human error, and technological changes require long-term plans to address them.  The threats are increasing and growing more complex, not receding.  The costs of inaction are vast.  The costs of action, spread across several years, are more manageable.  This is a matter of public decision-making and expenditure allocation.  If a government considers the threats serious and ICT as imperative to economic security and social well-being, actions and expenditures should align.  While no amount of funding can eliminate risk, risk can be managed with appropriate planning and incented planning across groups of actors.

Dedicated public funding should be allocated through a combination of tools including tax credits and a response fund.  Tax credits may be appropriate for industry, but an ICT emergency response fund may be more broadly applicable to actors in supporting services and communities.

The federal government should lead on the development of long-term holistic plans on an industry basis.  With industry plans established, inter-industry collaboration and exchange should be encouraged, including through information sharing and joint initiatives such as collective training/simulation.  Industry coordination would require federal bodies to emulate the coordination internally. 

There is work to be done on costing risks of ICT emergencies and their responses.  Immediate action is required to assess the costs of mitigation mechanisms designed to incent resilience, e.g., tax credits to operators, a response fund.  Estimating these costs and impacts can be a step in building a long-term cohesive plan for managing the changing ICT threat environment.

As expenditures are aligned to priorities of ICT resilience, the federal government should pursue its roles in coordination, compelling, and convening to anticipate responses to ICT emergencies.

Connectivity resilience has broad implications for Canada’s economy and national security. This roundtable highlights the need for the Government of Canada to take action to build resilience to climate change, cyber threats, and other emergencies that could threaten ICT infrastructure and networks. The Government of Canada can begin by defining ICT infrastructure resilience as a national issue. They can then work with stakeholders, develop regulations, and enhance funding to ensure resilient ICT infrastructure Canada-wide.

Glossary

 “[…] refers to all communication technologies, including the internet, wireless networks, cell phones, computers, software, middleware, video-conferencing, social networking, and other media applications and services enabling users to access, retrieve, store, transmit, and manipulate information in a digital form.”

“‘Impactful Emergency’ means an urgent and critical situation that seriously endangers the lives, health or safety of Canadians, including but not limited to those arising from Accidents, cyber attacks or other deliberate malicious acts, fires, floods, storms, earthquakes, emergencies arising from domestic or international security threats, or armed conflicts involving Canada or its allies.”

“…resilient infrastructures [are] systems with [the] ability to (i) anticipate and absorb disturbances, (ii) adapt/transform in response to changes, (iii) recover, and (iv) learn from prior unforeseen events.”

For the purpose of this summary, a tax credit is an incentive that lowers the amount of tax due for individuals and firms meeting certain criteria.