Following high profile network outages, regulators have reconsidered mobile network resilience in recent years. We review common resilience requirements made of MNOs and discuss the implications of emerging technologies for network resilience.
Regulators around the world have moved to standardise the network resilience requirements from operators. In the UK, Ofcom’s review of guidance and consultation on power back-up is the most recent to consider new binding rules on network security and reliability.
The cause of outage has tended to inform the tools a regulator adopts when reviewing resilience policies. Extreme weather and internal network errors are the most common causes of large-scale outages in recent years, though the PSTN switch-off is an important secondary context in the UK.
Requiring power (battery) back-up, is an increasingly popular measure to strengthen network resilience, especially against extreme weather. In countries where operators fund power back-up, Finland sets the most demanding standard requiring four to six hours of back-up whereas the UK’s proposed one hour of back-up is the least onerous.
Emergency roaming is also a common resilience requirement but can be a less effective solution. In the US, where emergencies are defined as critical community events designated by government agencies, outages are likely to impact all MNOs at once and make roaming less consequential.
Public outage reporting is the most common and least costly option for regulator’s seeking to address resilience. After action reporting has also been used to investigate the causes and impacts of outages, such in Canada following the 2022 Rogers outage.
The increasing importance of platform services, such as online communications and cloud services, makes super app service outages more disruptive to more consumers. The security of other layers in the network stack should also be considered in a more comprehensive understanding of network resilience, despite limited attention to date.
Regulators around the world are moving towards regulating greater mobile resilience
In recent years, numerous global regulators have paid renewed attention to the resilience of networks, creating and enforcing new or updated rules on the physical infrastructures and internal processes necessary to secure mobile connectivity. Since 2020, regulators in the US, Australia, Canada and Germany have all reviewed the requirements made of MNOs to secure connectivity and prevent outages. Most recently, Ofcom is revisiting the requirements made of mobile network operators (MNOs) to secure connectivity in the UK. In implementing the Electronic Communications (Security Measures) Regulations under the amended Communications Act, the regulator updated guidance on network design, failover functionality and internal processes for MNOs all as it pertains to network resilience. As part of its review, Ofcom opened a consultation on the regulation of battery back-up, also referred to as power back-up, for mobile radio access networks (RAN). While noting that MNOs do commonly provide some level of power back-up across RAN cell sites at present, Ofcom’s potential new rules would bring both the proportion of sites covered and the length of coverage secured under regulatory scrutiny.
Throughout these changes and additions to the resilience requirements made of MNOs, a number of common regulatory options have emerged to address common causes of network outage. We’ve detailed the primary contexts in which jurisdictions have moved to regulate network resilience through common policy tools such as outage reporting requirements, mandated roaming agreements and required power back-up.
Extreme weather events and internal errors have been the most common causes of mobile network outages
Regulators have commonly cited a few frequent causes for network outages as reasons to review resilience policies. Since different causes of outages require different preventative measures, understanding the context in which resilience rulemaking is occurring can be useful in predicting the different policy tools regulators are likely to leverage. In the past three years, a number of major MNOs have experienced network-wide outages that have lasted over twelve hours. We’ve sampled a handful of these outages in five different countries and sorted them by cause (see Figure 1).
Extreme weather events, such as storms, wildfires and floods, account for a significant proportion of large-scale outages (as was the case in the US and the UK). During these outages, the loss of connectivity means that customers are unable to contact emergency services at a time when they’d be more likely to seek assistance. Additionally, while many countries create a public safety network with reserved spectrum allocations and enhanced resilience measures, some official public offices which rely on commercial mobile networks are left unable to communicate with their constituencies in a heightened time of need. However, the precise cause of outages during storms, like high winds and excessive rainfall, are normally consistent across events and can be planned for in advance in most instances. Measures to address resiliency in the wake of extreme weather are thus more likely to be taken up by regulators.
Internal errors in network management have also accounted for a number of large-scale network outages in recent years (such as in Canada and Australia). During these events, standard operating procedures are disrupted, such as through human error in network management or unforeseen complications of updates to software. While outages due to internal error are not complicated by the additional challenges of an extreme weather event, these errors are not easily foreseen and bring on outages by surprise. Since other critical infrastructure are not impacted during these events, attention is solely focused on the mobile network, drawing out the role that connectivity plays in communications across sectors such as healthcare, transportation and finance. Generally, however, resiliency through network errors can be difficult to regulate beyond cybersecurity standards and accountability after the event, such as through compensation to impacted consumers.
While it is not a primary or direct cause of network outages, the migration from PSTN to VoIP has also informed the work of regulators such as Ofcom in the UK in their work on mobile network resilience. Given the particular importance of connectivity for vulnerable consumers, not only in communications devices but also in support services such as alarm or telecare systems, any network outage following the VoIP migration can result in a potentially dangerous lapse of service. Therefore, some regulators (such as Ofcom) have considered the PSTN switch-over as another context which heightens the importance of mobile network resilience and therefore the cause for binding regulation.
Power back-up is an increasingly popular ask, although requirements vary greatly
Among the tools regulators have at their disposal to promote the development of more resilient mobile networks, some degree of required power back-up is a relatively common consideration given RAN reliance on a stable electrical grid. However, the length of power back-up required and the funding to source back-up equipment has varied greatly across jurisdictions. We’ve detailed a few examples of how different regulators have approached power back-up around the world (see Figure 2).
As power back-up is a common mitigation for extreme weather events, as opposed to internal network errors, regulators often consider the need for additional network resilience measures in concert with the policies for other critical infrastructure networks, such as the electrical grid in this instance. The importance of topography to emergency response efforts also means that regulators frequently set different power back-up standards for remote, rural or otherwise high risk sites that may be difficult to access during emergencies or may be more prone to extreme weather based on their locations. Through its Mobile Network Hardening Program, the Australian Government prioritised 467 remote or rural base stations for power back-up resources. Similarly, NKOM in Norway and Traficom in Finland each require an additional two hours of power back-up for sites in less densely populated regions. Some regulators, including the Ministry of Internal Affairs and Communications in Japan and the Independent Communications Authority of South Africa, have gone further to consider the unique energy infrastructures MNOs may require to maintain connectivity through events such as rolling blackouts or earthquakes.
Despite the costs of installing and maintaining power back-up systems, relatively few jurisdictions offer public funding to support requirements. Unique among its peers, the Australian Government has allocated A$38.6m (£19.9m) across two rounds of funding for its Mobile Network Hardening Program. The funding has already supported over 1,000 operator-led power back-up projects with additional money to be made available in 2024. However, the program does not fund or enforce any horizontal power back-up requirement throughout the entirety of Australia’s RAN. In consulting on potential new power back-up requirements, Ofcom has acknowledged the tremendous cost of power back-up solutions, estimating that the installation of one hour of battery back-up on all feasible RAN sites in the UK would cost between £0.9-£1.8bn. While the regulator does not appear to suggest that public funding would be made available to cover costs of power back-up installation, it does invite consultation respondents to comment on if and why the mobile market fails to capture the value of such a resilience measure. Despite this recognition of costs, however, the majority of jurisdictions which enforce a power back-up requirement do not provide extensive public funding for the infrastructure, including Finland and Norway as well as Japan and Sweden.
Roaming is a more common, but less effective, solution during certain types of outage
In addition to power back-up, required roaming during emergencies is emerging as a common solution adopted by regulators seeking to improve mobile network resilience. In the US, operators agreed voluntarily in 2016 to provide roaming where technically feasible during extreme weather events. In 2022, the Federal Communications Commission (FCC) made that agreement binding through the adoption of the Mandatory Disaster Response Initiative (MDRI) and now requires operators to test their roaming capability as a preparedness measure. The Canadian Government followed up in 2022 with the announcement of a similar memorandum of understanding between operators to establish emergency roaming and mutual aid during critical network failures, citing the FCC initiative as a direct influence. The Australian government is also currently considering the introduction of emergency roaming standards following the Australian Competition and Consumer Commission’s (ACCC) report on the feasibility of temporary roaming services.
Even as emergency roaming proves popular globally, there is a great degree of variance in the conditions under which roaming is required as well as some limits on the effectiveness of these policies as a tool for network resilience. Across jurisdictions, the definition of an emergency and the determination of what events trigger roaming vary greatly. In some jurisdictions, such as the UK, the introduction of emergency roaming referred to emergency communications, such as calls to 999, made by individual users outside of their provider’s network. In the US, however, emergencies under the MDRI are critical community events designated by government agencies, such as hurricanes or wildfires. Roaming that only supports individual customers in isolated scenarios, while important and potentially life-saving, don’t necessarily contribute to the resilience of a network as a whole. Additionally, during events where critical infrastructure is impacted in entire regions, such as extreme weather events, there is a likelihood that no operator is able to provide coverage, and roaming agreements become moot. Therefore, emergency roaming alone can be ineffective at responding to all threats to network resilience.
Public outage reporting is often the minimum required of MNOs when monitoring and reporting on network resilience
The least costly and most common tool leveraged by regulators on mobile network resilience is the mandated reporting of outages by MNOs. Reporting is frequently required of outages caused by both internal and external events, although some jurisdictions such as the United States have separate reporting channels during declared emergencies such as extreme weather. Reporting enables regulators, like Ofcom in the UK, to engage directly with MNOs following large-scale outages in determining the cause and future prevention of the loss of connectivity. That after action engagement can occasionally spark controversy, as has the CRTC’s investigation of the 2022 Rogers outage in Canada. The benefit for the regulator of a collected data set on network outages weighed against the relative cost for MNOs of preparing reports still suggests this measure to be a less onerous tool in network resilience.
Some regulators have extended their reporting requirements of MNOs to include public communications on outage preparedness. In a number of jurisdictions, operators are required to provide customers with information in advance of expected disaster events to assist with community preparedness. Similarly, some regulators, including the FCC in the US, require that operators coordinate with key community stakeholders, including local governments and public safety officials, to prepare for expected or potential outages when possible. While it has no direct impact on the functionality of the network, public outage reporting can nonetheless mitigate some impacts of outages by keeping the public well-informed of network status and can provide regulators with a comprehensive picture of the resiliency of the network through different external events.
Increasing reliance on super app services should expand the definition of network resilience
Just as the resiliency of the mobile network becomes increasingly important with further reliance on mobile services, the increased reliance on certain super apps, or all-in-one communications platforms, brings into view the importance of resilience through the network stack. Recent notable outages in cloud services, including by hyperscalers Google, Microsoft and Amazon Web Services, have resulted in mass disruptions across various economic sectors. Additionally, outages of dominant online communications services such as the global Facebook and WhatsApp outage in 2021 and the 2022 Kakao outage in South Korea left millions of reliant consumers disconnected from their main forms of communication. Market concentration for these intermediary or platform services has resulted in outages that can be similarly disruptive to mobile network outages, even as the firms which provide these increasingly critical services are largely unregulated for the resiliency of their operations.
Some consideration has been given broadly to the security of select services in the context of hostile foreign actors, particularly in jurisdictions considering “sovereign” clouds or other data sovereignty policies. However, the ability of these platforms to withstand more mundane interruptions, like configuration changes or software updates, remains largely outside the scope of regulators. Regulating for the resilience of services elsewhere in the network stack would likely require a foray into network infrastructure which would be new for many regulators, including the security of both data centres and the increasing proportion of subsea internet cables owned by big tech firms. The main standard setting would need to occur at the software level, however, noting most outages are not the result of failures of physical equipment. Regulating super apps for resilience would ultimately present both an opportunity and a challenge for many jurisdictions. Acknowledging the importance of these services to everyday life could be a gateway to addressing other long standing public policy interests, such as user safety. However, additional restrictions made or incentives offered to entrenched platform services to support resilience could exacerbate competition concerns already expressed by a number of global regulators. Regardless, without a massive disruption to these platform markets, the inclusion of platform services in conversations on mobile network resilience should be considered by regulators seeking to improve the reliability of consumer connectivity.