the ict policy & development magazine · the telecom arena and vice-versa, with major companies...

Government ViewpointExclusive interview with His

Excellency Dr, Mohammed Bin IbrahimAl-Suwaiyel, the minister of CIT.

Mobile taxes & feesAn overview of policies, principles, and

priorities for reform.

ICT transformationChallenges and opportunities for carriers.

Understanding M2MMaking M2M work

profitably for the carriers.

Net neutralityThe safeguard for an open Internet.

DIGITAL POLICYThe ICT Policy & Development Magazine

Issue 5 I October 2015

The Power of ICTIndustry trends impact social and economic development globally.

2

We are proud to be the top brand in Saudi Arabia and the 240th globally according to Brand Finance Consultancy.

To know more about our services,please visit stc.com.sa

3

Contents

BRIEFING

FORESIGHT

The recent trends and challenges in the ICT industry

Heralding 5G Networks

Mobile taxes and fees in the Kingdom Of Saudi Arabia

Challenges and opportunities for carriers in ICT transformation

6

7

9

13

Dr. Khaled Hussain BiyariCEO of STC Group

Prof. Gebreel Al-AreeshiHead of the ICT committee at the Shura Council of Kingdom of Saudi Arabia, Professor of Information Science - King Saud University

Peter LyonsFormer Director of Middle East and North Africa, GSMA

Charles YangPresident of STC GKAD, Huawei

DIGITAL POLICY

STC Group CEODr. Khaled Hussain Biyari

Emad Aoudah Al-Aoudah

Vice President of RegulatoryAffairs and Corporate Affairs

General Manager ofRegulatory Affairs:Zyad Al-Khwaiter

Editor-in-chief:Abdulaziz Almohaimeed

Editorial Team:Ayham Abu-Assi,Khaled Al-MutairiFaris mohamed AlribdiZaid bin Abdul Razak Almorshid

Digital Policy #5 October 2015

ImagesiStock, GSM Association,Getty Images,private collection

PublisherPursuit Mode InitiativesFZE – UAE

STC, Regulatory AffairsRiyadh, Mursalat,King Abdulaziz ComplexP.O. Box 87912, Riyadh 11652Kingdom of Saudi Arabia

Governmen tviewpointExclusive interview with His

,Excellency the Minister of CITDr. Mohammed Bin Ibrahim Al-Suwaiyel

Mobile taxes & fees An overview of policies, principles, and

priorities for reform

ICT transformationChallenges and Opportunities for Carriers

Understanding M2M

profitably for the carriers

Net neutralityThe safeguard to an open Internet

DIGITAL POLICYThe ICT Policy & Development Magazine

Issue 5 I October 2015

The Power of ICTIndustry trends impact social and economic development globally

4

An insight by Panos Kalnis, Associate Professor, King Abdullah University of Science and Technology

DIGITAL POLICY

Machine-to-Machine

Smart Grid Communications Security

Data security in Cloud Computing

Cloud Computing Security

Net Neutrality the safeguard for an open InternetAn overview by Philippe Defraigne, Founding Director, Cullen International, and Sufian Shunnaq, Senior consultant, Cullen International

Termination rates in Saudi Arabia and a roadmap for evolutionPresented by Edwin Grummitt, Partner at Analysys Mason, and Mohamed Wahish, Manager at Analysys Mason

Empowering KSA ICT Vision forward 2020By Zyad AlkhwaiterGeneral Manager of Regulatory Affairs at STC

On the road to smart citiesBy Eng. Rayed Al Kahtani, Director Regulatory Planning at STC and Dr. Essam Mitwally, Regulatory Affairs Advisor

Evolving Dynamics of the Telecom Regulatory Environment in Saudi ArabiaBy Emad Aoudah Al-Aoudah, Vice President of Regulatory and Corporate Affairs, STC

16

18

24

28

30

34

36

39

44

An introduction by Hilal Halaoui, Vice President, Strategy.

By Majed Mohammed Al-Masar and Masoud Hussain Al-Qahtani of STC

By Manan Al-Musallam, Cloud Security Researcher

LOOKING AHEAD

REGULATORY MATTERS

SOCIETY

LAST WORD

Opinions expressed in this magazine are those of the experts and the professionals who wrote them, and do not necessarily reflect the opinion of Saudi Telecom Company (STC).

6

hope of a major growth opportunity.

Another emerging ICT trend is that of a “Connected World, Connected Things”. The physical world is turning virtual as objects, devices, and machines acquire more digital intelligence and connectivity. There is a vast opportunity to connect almost everything at both the consumer and enterprise levels; which offers new benefits for consumers and businesses alike.

The ubiquity of network connectivity and the proliferation of smart “things” such as sensors, signs,

phones, tablets, lights, and drones, have created platforms upon which every enterprise can innovate. What is emerging here is more than just an “Internet of Things”, it is the “Internet of Everything”; it is a new layer of connected intelligence that augments the actions of individuals, automates processes, uses data, and incorporates digitally empowered things into our lives, which ultimately increases our insight into and control over the tangible world. It is expected that by the end of 2020, the installed base of the Internet of Things will be approximately 212 billion “things”

globally(1).

The way that we interact with the world around us has changed and is still changing.

Digital technologies offer new decision-making experiences, from selecting a restaurant in a new neighbourhood to making a critical maintenance decision on an oil pipeline. Smartphones have turned their owners into digitally augmented versions of themselves enabling them to access, create, and share an astonishing array of pertinent information that can enable faster and better decisions. That is why it is expected that by 2019 the global number of mobile subscriptions will increase to 9.3 billion of which 60% will be for smartphone subscriptions, while the global number of smartphones in use will triple in number(2).

The challenge for industry leaders today is not accurately predicting the future of ICT industry, but it is about: first having a broad and open understanding of the trends reshaping the ICT world. Second, forming an informed point of view of the future and what it means for their organisation.

And third, and most importantly, taking actions today to begin to prepare for tomorrow. In a world of accelerating change, the biggest risk for leaders is not being wrong in their predictions about the future, but rather beginning to take action too late.

The Recent Trends andChallenges in the ICT IndustryDr. Khaled Hussain BiyariCEO of STC Group

The convergence of Information Communication Technology (ICT) is a clear trend today, with the traditional boundaries between these two industries, markets, policies, and regulations having become increasingly blurred. Converged ICT services are not linked to a specific infrastructure anymore, and the policy objectives for content, applications, connectivity, or infrastructure provision are no longer specified in terms of traditional industry definitions.

In this new ICT industry, enterprises are embracing advanced technologies and using them as catalysts for defining new markets, new products, and new areas of growth and revenues. “The change is revolutionary; traditional IT companies are entering the telecom arena and vice-versa, with major companies like Google and Microsoft being live examples of ICT convergence.”

The telecom industry today is experiencing an increasing globalisation in the services market, especially the mobile market. With this expansion of the telecom ecosystem, new business models are emerging among traditional and new players, which could open up new markets and change the landscape.

The telecom industry is also facing a major challenge to satisfy increasing consumer demand for speed and connectivity to keep up with the requirements of applications such as video streaming. These high band width needs are placing greater. pressure on operators, and forcing them to pursue new technological advancements and innovations, in the

1 “The Internet of Things Is Poised to Change Everything”, International Data Corporation (IDC)2 “Ericsson Mobility Report – Nov. 2013”, Ericsson

7

Heralding 5G NetworksProf. Gebreel Bin Hasan Al-AreeshiHead of ICT Committee at Shura Council of Kingdom of Saudi ArabiaProfessor of Information Science - King Saud University

We seem to be standing on the verge of a new technical revolution within the broadband networks field. One of the main hitches encountered by such networks is traffic congestion due to large data volumes passing through their nodes; a global concern that is becoming more acute with time, since wireless data traffic is rising rapidly.

The International Telecommunications Union (ITU) estimates the current number of mobile device subscribers in the world at seven billion, which is equivalent to 95 per cent of the world’s population.

By 2018, the number of 4G LTE connections will reach 500 million worldwide, which represents a fivefold increase to today’s figure (i).

Meanwhile, network operators and telecom technology providers are attempting to keep pace with these growth rates through innovative technology and marketing tactics.

Operators will, for example, use new protocols or multiple antenna systems that allow them to transfer larger amounts of data through each single frequency of the broadband capacity (ii).

Operators may also resort to solutions aimed at restricting data

overloads by some users through offering scalable service packages (iii), trying to address the fact that 20 per cent of broadband users consume 80 percent of the data transferred on the network, or even more, which is one of the main contributors to slow performance of some mobile networks.

The high penetration of smartphones also results in cases of increased network congestion, given the ever-increasing data volumes being consumed over internet-compatible devices. This problem is most evident in big cities with large populations, as data transfer rate reductions occur whenever large numbers of users in crowded areas use the same mobile network cells intensively, making lengthy calls and downloading multiple large-size media files on their devices at the same time.

As mobile networks were originally designed in the 1980s to share the spectrum among subscribers, the current users share the same broadband channel at these crowded locations, which leads to the slow connections that they experience.

This can only worsen as more devices are connected to the same channel, since more data and files will need to pass through the network.

This situation leads to signal disruptions, as network towers broadcast signals sent and received by all subscribers present within their coverage area. The disruption causes signals to overlap, in a

pattern that resembles ripples of water pushing each other, leading to more disruption, as the circles

draw closer to one another. There is an attempt to reduce interference as much as possible and multiple antennas on towers and such are often installed to try to help deal with network congestion.

Moreover, the interference intensity can vary from one network to another, depending on the mechanism adopted by each network to transfer data packets across the node. In fact, data traffic congestion happens at certain network nodes when the data packets passing through them exceed a certain limit (iv).

Hence, we are witnessing many efforts to develop the existing wireless networks, or to invent new systems that address the current problems, in order to keep up with the tremendous increase in data volume across the network.

Some of these efforts have proved to be successful. For instance, Steve Perlman, a Silicon Valley icon, has developed a new system that enables every mobile device to use the entire range of spectrum, irrespective of the number of connected subscribers at the time and the data volume, as if each user was the only subscriber on that cell at that time. Hence the name p-cell, which stands for ‘personal cell’.

The idea of this innovative system is that instead of swamping the area with wireless signals carrying data related to thousands of mobile devices at the same time, an intelligent system locates each mobile device that is using the network, then using a complex mathematical calculation it creates a wireless signal set for this device in particular.

FORESIGHT • DIGITAL POLICY

8

This allows placing transmitters anywhere without worrying about signal interference, as each mobile device is connected independently. Therfore, instead of sharing the signal among many mobile devices in a certain area, each device receives a dedicated signal and the majority of the antenna transmission capacity at that moment. Perlman noted that the process is similar to using optical fibres.

This new structure requires a cloud data centre, featuring a huge collection of servers (connected to each other), which can handle all the complex calculations required by the system.

It also requires wireless antennas deployed wherever there are subscribers; including homes, workplaces and streets. These antennas are not like towers we know at the moment, but more like interim nodes decoding radio signals.

They are small enough to be placed in any site that can be connected to the data centre, which allows deployment of many of them together, either directly through optical fibres, or over a line of sight connection over a wireless computer network.

As an example, when a mobile phone tries to stream a video clip on YouTube, it connects to a p-cell.

All the antennas located within the vicinity of that phone (assume there are 10 of them) capture the signal and send it to the data centre, which in turn will requests the video clip from YouTube servers (Google) and send it to the phone through the 10 antennas that received the requested signal.

This is the essence of the innovation. Instead of one antenna sending the video clip frames in a stream succession, as is the case on the current networks, the data centre will use the antenna sites to calculate 10 private radio waves, each transmitted by one of the 10 antennas to the phone, where they are then gathered to form the video clip.

In case the phone user moved out of its original position, or other phones were connected to the network, the data centre will continue generating the waves so that the phone receives the right collected signal all the time (v).

Hence, unlike traditional cellular systems, an unlimited number of mobile devices can share the same spectrum simultaneously. Perlman noted that the p-cell system can work with existing mobile communication networks, supporting 3G and 4G LTE, but it requires subscribers to receive new SIMs that support the technology.

Artemis had plans to start using the p-cell technology in San Francisco in 2014, which would see the new antennas fixed on the roof of 350 houses to cover the entire city.

P-cell networks are considered 5G, as they can radically change the way mobile networks operate, substituting current cellular towers with a completely new infrastructure that collects radio signals from multiple antennas located in different sites to create a small receiver pocket around each mobile device.

This pocket can use the entire spectrum, which makes the system’s capacity unlimited, according to Perlman.

This marks a new era of high-bandwidth broadband transmission if he is correct.


9

the longer term.

Constraining the growth of the telecoms sector will also negatively impact other important areas of the economy that make use of, and are enabled by, the availability of communications services, such as health, transport, banking, industrial, and education.

Best practice principles of taxation based on published research: A 2011 benchmarking study by the GSMA showed that mobile taxation has increased in more than half of the 111 countries surveyed.

The GSMA has conducted a further

indepth comparative analysis of mobile taxes and fees across 19 markets that found over US $3 in every US $10 of mobile revenue was transferred to the government in the form of taxes, regulatory fees, or other charges.

These excessive levels of taxes and fees are not consistent with established taxation principles. Taxation is a complex area and, in developing markets, the establishment of an effective tax policy has to contend with numerous

An overview of policies, principles, and priorities for reform

Mobile taxes and fees in the Kingdom of Saudi ArabiaBy Peter Lyons, Former Director of Middle East and North Africa, GSMA

The mobile sector has a key role to play in economies across the world, and especially in emerging markets where mobile has been demonstrated to support digital inclusions, financial inclusion, and broad-based socio-economic development. It has been well established that shifts towards mobile broadband services, in particular, has had wide-ranging economic impacts and positive externalities, across both developed and developing countries by contributing to innovation and enhancing productivity. Mobile operators in the Kingdom of Saudi Arabia (KSA) are facing pressure to modernise operations in an increasingly competitive market.

This at a time when we are witnessing a global shift in the economic opportunities offered by the digital economy, both for businesses and for consumers. Across the globe, governments are looking at the possibilities to foster and encourage mobile innovation, as well as the investment required to lay the foundations for this, in order to boost employment and GDP growth. Excessive taxes and regulatory fees levied on mobile operators in KSA could lead to higher prices paid by end-users and reduction in consumption as a result of demand elasticity.Lower consumption by end-users would directly constrain the growth of the sector, which in turn leads to a reduction in the tax revenue extracted by the government over

practical difficulties including widespread informal activity, limited institutional capabilities, and political pressure to avoid taxing special interests. There are however a number of principles that are generally recognised as contributing to an effective tax system:

• In general, taxation should be broad based.

Taxation alters incentives for production and consumption, and so economic distortions will generally be minimised where the burden of taxation is spread evenly across the economy.

In practice this equates to adopting broadly defined bases for taxation; rate variations that are limited and effective enforcement of tax compliance.

• Taxes should account for sector and product externalities.

The case for taxation to address negative externalities such as those arising from tobacco consumption is well recognised.

However, the same logic also applies in the case of sectors and products with positive externalities.

• Taxation policy should encourage sectors, such as mobile, that create positive externalities in the wider economy.

The tax and regulatory system should be simple, easily understandable and enforced: A lack of transparency over taxation systems and liabilities may deter investors and is also likely to increase enforcement costs for government.


10

Different taxes have different economic properties: There is a general consensus that, for most products, a broad-based consumption tax will be less distorting than taxation on income or profits.

Current taxation of mobile is not consistent with recognised best practice.

Mobilefaces a high burden relative to other sectors: Nearly half the burden of taxation on mobile came from taxes and fees levied specifically on the mobile sector. The GSMA has identified several additional exacerbating factors arising from this:

• Much of the mobile specific burden is in the form of regulatory fees that are typically narrowly defined and disincentivizes investment.

• A high-level review of the technical design of the taxation suggests that many of these mobile specific taxes would not apply to other operators providing competing services such as Voice over Internet Protocol (VoIP). The potential for this to create competitive distortions makes this particularly problematic.

• Externalities not properly accounted for in taxation policy: World Bank research suggests that most markets have significant extra capacity to levy additional taxes on economic ‘bads’.

However, when considering corporation taxes and other broad-based levies, there is evidence that mobile is making a disproportionate contribution.

From a policy perspective, these findings on mobile taxation are concerning. The mobile sector makes a major contribution to economic growth and the affordability of services is a recognised constraint on more widespread usage, particularly in developing markets.

It is estimated that a one percentage point reduction in the tax burden on mobile broadband would result in up to 1.8 percentage point increase in penetration and up to 0.7 percentage point increase in gross domestic product (GDP) over five years.

High taxation will also affect the decisions of mobile operators, changing their incentives to invest and altering their ability to raise capital to finance it. A review of over 400 different studies found that, on average, a one per cent increase in the rate of tax on capital led to a four per cent decrease in the level of foreign direct investment (FDI).

“The growth of mobile data opens

up the possibility for the sector to increase its economic value through a whole new generation of products and services ranging from healthcare services to education and finance”

Policy implications and priorities for reform.

Taxes and fees levied on mobile services appear to be increasing over time and at a faster rate than other sectors in the economy.

High taxes and fees hold back the growth of mobile services and the economic benefits they offer. Previous research has found that as mobile services become more affordable, for example via

“Taxation is a complex area and, in developing markets, the establishment of an effective tax policy has to contend with numerous practical difficulties including widespread informal activity, limited institutional capabilities, and political pressure to avoid taxing special interests”


11

While addressing this will be challenging, the findings suggest that in the long-run governments have a considerable opportunity to increase tax revenue through expansion of the tax base.

For the full report referenced in this article, “Mobile taxes and fees-a toolkit of principles and evidence” and other GSMA research on mobile taxation please visit:

http://www.gsma.com/publicpolicy/tax

reductions in the taxes and fees burden, the impact on economic growth is sufficiently high to offset, in the medium term, the direct negative effect on tax revenue.

The outcome of lowering the burden would therefore be higher economic growth and similar, if not higher, government tax revenue. Based on GSMA analysis the following priority areas for reform have been identified:

• Reduce specific taxation of the mobile sector: Nearly 40 per cent of the tax revenues raised from the mobile sector came in the form of mobile specific taxation.

Sector specific charges on this scale are problematic as they distort production and consumption behaviour and reduce the ability of mobile operators to finance future investment. The issues around mobile specific taxation are particularly acute where the taxes give rise to for early reform is that as the value of the services grows over time, the fiscal cost of reform will be bigger and more difficult to manage.

• Phased reductions of taxes on established services: Phased reductions of taxes and fees offer governments the opportunity to benefit from the economic contribution from mobile whilst limiting short-term fiscal costs.

• Consider alternatives: Compared to other industries, the mobile sector pays an above average amount to governments. Early reform and phased reductions of high taxes help governments to manage the fiscal costs while benefiting from the mobile driven growth.

Where compensating tax rises are needed, governments have a range of options available to them. Taxation of economic ‘bads’ offer governments the opportunity to raise revenue whilst improving economic welfare. Typical examples of economic ‘bads’ include tobacco and environmental pollution.

Greater use of general taxation, particularly on consumption, also offers an opportunity to raise revenue without negatively distorting economic activity. It is often argued that broad-based consumption taxes are preferable to other forms of taxes.

The shadow economy is estimated to average 39 per cent of GDP across the 19 markets referenced earlier.


12

Challenges and Opportunities for Carriers in ICT transformationCharles Yang, President of STC GKAD, Huawei

This is the best of times: Smartphone popularity and mobile internet services are booming. This is the worst of times: Over-the-top (OTT) services are growing fast and eating away at traditional voice and messaging services, putting pressure on mobile broadband (MBB) monetisation and revenue growth for telecom carriers.

The current operation and business models of mobile carriers are destined to be overturned. Carriers have to transform their business models and build networks centred on user experience if they are to achieve business success in the ICT revolution.

The Internet is a brand new business model as well as infrastructure. In 2007, the smartphone came into being, and with it came limitless possibilities for “optimal user experience” and driving ICT integration. An industry transformation is still in its primary stages, but in the next decade, the entire industry chain will undergo a qualitative change and embrace a new digital society.

The traditional business models of the physical world will be “copied” to the digital world and operate more efficiently due to free flowing information.

The core of the Internet is to realise “connection beyond time and spacial limits” to greatly boost efficiency while minimising cost.

However, the Internet also changes people’s way of thinking: “Full and zero-distance connection” can be created between people, businesses and customers, and business partners.

The ICT transformation is also characterised by digitalisation and smartness. Digitalisation is the collection of big data, including information on production, transportation, sales, and trading as well as information related to human activities, geographical locations, and medical records.

The gathered information is displayed in data models. Smartness refers to the storage of information and data in data centres for big data analytics to shed light on and even predict customer requirements more accurately. As a result, more exact product development, manufacturing, and delivery will be possible with more precise services offered to customers. With big data collection and analytics, information services will become a basic social infrastructure just like public transportation, electricity, and running water.

“The development of OTT services drives the consumption of data traffic, bringing increased revenue to carriers, but the increase does not offset the cost of network expansion” Carriers face huge challenges in business and operation models, and network construction OTT service providers are a great challenge to the traditional carrier business model. The development of

OTT services drives the consumption of data traffic, bringing increased revenue to carriers, but the increase does not offset the cost of network expansion. Ironically, the major source of revenue for carriers is voice and messaging services, which are gradually being replaced by almost free OTT voice and instant message services. Traditional carrier profits are steadily eroding.

The “all-online” operation model is also a challenge to carriers. OTT players prefer disruptive and asymmetrical competition. They focus on one or several points and compete with carriers in the most unlikely way. For example, traditional carriers rely on the number of business halls for competition. But in the internetised time, an online business hall costs a mere 10% of what a traditional business hall costs and can operate 24/7.

Due to this asymmetrical competition, traditional physical business halls turn out to be a liability.

Last but not least, booming smart terminals and OTT services are driving carriers to expand their networks to support ever-growing data traffic. Frequent network outage accidents in recent years demonstrate that carriers are under great pressure to expand network capacity.

Smartphones have forever changed user behaviour. Mobile phones are only used a few times a day for calling and messaging, whereas smartphones are used more often for social networking services (SNS) and various applications. A recent report shows that on average, global users rely on their smartphones


13

• In the future, carriers will have to build pipes as wide as the Pacific to support the mobile traffic that will multiply hundreds of times.

• Differentiating services for traffic monetisation: Unlike traditional voice and messaging services, OTT services are rich in variety and require superior user experience. Carriers can develop differentiated service packages based on the time, location, traffic, access mode, and user group to encourage consumption by users and to implement traffic monetisation. For example, the bundling of fixed and mobile service packages along with family packages are some of the popular ways for differentiated services.

• Building the big data analytics platform and user experience

more than 150 times each day. The smartphone has become an integral part of life.

Carrier advantages, opportunities, and transformation direction. The current ICT industry is home to several major players including carriers, Internet service providers, device vendors, and IT suppliers.

Carriers boast some exclusive core assets including mobile networks (pipes), users, and spectrum.

Carriers can exploit these core assets for business opportunities.

• Developing pipes to gain LTE dividends: New technologies bring business opportunities as well as unprecedented user experience.

• In recent years, there have been many examples of carriers achieving great success by building LTE networks for fast downloading.

based networks to conduct user asset operation: Carriers on pipes, which grants them exclusive access to information on user behaviour. By building data centres, carriers can gain network information and information on user behaviour. Based on the collected information, they can understand and predict customer requirements and conduct business model innovation accordingly.

Transformation in the mobile Internet industry has just begun. Carriers must seize this opportunity and leverage their advantages to optimise processes and revamp their IT infrastructure accordingly. They must reduce total cost of ownership (TCO) and integrate the industry chain for innovation if they are to survive this ICT transformation.


14

collaboration between the different players along the value chain.

The complexity lies in the strict needs arising from the nature of M2M applications, as well as the fragmentation of the value chain.

For example, on the hardware front, the durability of components used is key to the success of the solution.

M2M equipment may need to function continuously for a prolonged period of time. Once deployed, M2M equipment must require little manual maintenance, or else the business model fails. This is the case particularly when M2M equipment is deployed in remote locations with harsh conditions. M2M applications and software solutions is where

most of the “value add” occurs; value that goes above and beyond that of pure connectivity.

This is where tailored applications are developed for specific industries or a particular enterprise. Applications need to be integrated into that particular enterprise’s IT architecture, while at the same time providing user-friendliness for managing the M2M solution. Given the broad application space of M2M, tailored application providers have emerged with different focuses on different industries, from logistics,

M2MBy Hilal Halaoui, Vice President, Strategy&

I. Understanding M2M

Machine-to-machine (M2M) is broadly defined as any technology that enables automated wired or wireless communication between mechanical or electronic devices. It allows networked machines to exchange information and perform actions without the manual assistance of humans.

M2M technology offers infinite possibilities that are not yet imagined. With M2M, every object in our daily lives could become part of a global network of digital interactions, which will facilitate our day-to-day activities and work.

This will be done through sensors and embedded devices that do one or many things: listen, feel, measure, and report on facts that we never had access to, or that we had difficulty in collecting and understanding.

It is due to these unlimited opportunities that M2M enables that M2M players are bullish about its expected growth. It has been forecasted that the number of global connected devices could reach 50 billion by 2020, and overall revenues from M2M services could surpass USD 60 billion by 2016 (see Figure 1).

The M2M value chain is complex. It consists of several roles, and there is no single provider that has the capabilities to provide the full range of services across the whole value chain.

For this reason, many players are needed to provide a fully-fledged M2M solution. In its simplest form, the M2M value chain consists of five main areas: hardware components, system integrators, service enablers–platform providers, application providers, and finally access providers (see Figure 2). The successful delivery of an M2M solution requires an effective

to health, to home automation.

The complexity is accentuated when we imagine integrated M2M solutions across multiple verticals. On the connectivity side, data transport is the most fundamental component of any M2M deployment and may be provided by a wide variety of possible access technologies: cellular, satellite, fixed-line, Power-Line Control or proprietary RF may be used for end-to-end connectivity.

Telecom operators tend to play a critical role in this element of the value chain, yet they need to ready themselves for different grades of services, coverage, and sometimes better latency in the case of mission-critical applications of M2M.

II. M2M to change the world

The number of possible applications for M2M is endless. M2M deployments are likely to change the way we interact with our environment and transform the business models of companies. Today, the emergence of smart cities is at the heart of M2M applications.

While M2M applications are diverse and broad, primary groupings could be made along the following categories:

• Smart homes – Enables the automation and remote control of home facilities such as lighting, heating, sound systems, energy utilisation, and levels of supplies available at home.

• Automotive and fleet tracking – Allows smart cars to better sense surroundings and provide early warnings to drivers and passengers.

Drivers can be informed of available car parking spaces within their surroundings, and companies with large fleets could remotely monitor their vehicles on a single screen with various sensors and alerts that allow

LOOKING AHEAD • DIGITAL POLICY

15

effective decision-making.

• Security and surveillance– The application of M2M to security has long been in use. Over time, improvements continue being applied such as high-definition cameras, motion detectors, and correlations between various activities and crime.

• Smart utilities– Enables remote metering and control of utilities (electricity, water and gas) across the value chain–production, distribution, consumption and billing. Monitors remotely supply line losses and ensures optimisation across the value chain.

• Medical and healthcare– Enables remote monitoring of patients’ vital signs and provision of appropriate medication, hence ensuring real-time treatment. Allows automated transfer of test results and patient records to medical staff, improving flow of information.

Now imagine a world in which all of the above are applied and effectively coordinated. This would be a completely changed world from the one we are currently living in. Naturally, M2M is likely to be introduced gradually into our lives, but our expectations are that once the tipping point is reached and the enablers are in place, M2M is likely to be rolled out fast across various verticals that impact our lives.

III. M2M Benefits and Trade-offs A Final Word As a technology, M2M enables a large number of transformative applications, yet like any technology, its use and misuse could result in various benefits and trade-offs. From a consumer perspective, M2M has the potential of improving the quality of life. More control over the environment, safer lives, cost savings, and better customer experience. From an enterprise perspective, M2M allows for cost savings, productivity improvement, faster decision making, and customer demand fulfilment.

Although most players along the M2M value chain view it as one of the “next big things”, many have failed to capitalise on this opportunity.

This is due to a number of challenges:

• Complex Value Chain: The M2M value chain is complex and fragmented. It involves hundreds of small players each specialising in different applications, devices, modules, and verticals. M2M solutions require partnerships and development of complex business models that bring various players together.

• Lack of standardization: There are very few standard application building blocks or interfaces in M2M. While developers in other areas make use of well-defined APIs and interfaces between the different

layers of the communications stack, in M2M this is rarely possible.

Despite some standardisation efforts, almost all applications need to be developed from scratch.

• Security: There are some security concerns related to the automation of critical verticals.

The ability to control vital sectors remotely and centrally at times creates security concerns among different entities.

• Lack of scale: While there is no doubt that there are many emerging applications out there, most of these are specialised industry applications such as remote monitoring of specific machines in narrow industry verticals, which requires customisation for individual consumer or corporate use.

• Telecom Network Requirements: With high requirements of reliability and cost efficiency, M2M solutions require broad mobile network coverage – at times most importantly in remote locations – as well as increasing data consumption requirements.

This is coupled with an explosive growth in deployed SIM cards, which require new economic processes for provisioning, signalling, and management.


16


17

The importance of smart grid security is emphasised in this outline. Its impact on nation states and the well-being of its citizen is underlined.

A brief smart grid network architecture and the various domains involved and its relation to information communications technology (ICT) is given. Performance and quality of service requirements and their link to security is briefly touched upon. The security challenges of the power smart grid is discussed.

Challenges such as false data injection attacks and the detection/localisation of faults are highlighted. An illustrative malware such as Stuxnet is given as an example of a cyber-warfare attack vector targeting smart grids. We also outline denial of service attacks (DoS) against smart grids, as well as a supervisory control and data acquisition (SCADA) security framework. Finally we end the outline with intrusion detection techniques used in smart grids, concluding with a comment on the future direction of the topic.

Challenges and Opportunities for Carriers in ICT transformationCharles Yang, President of STC GKAD , Huawei

Contemporary electric and nuclear power plants use smart grid network communications to embrace efficient electricity management and supply a reliable smart power distribution to customers. Security concerns for such network communications are a major issue to countries regulating and providing power via smart grid.

Power supplied via smart grid is considered as critical infrastructure to the state and any attack on it may have a significant and devastating impact on peoples’ lives and wellbeing.

A stark example of this impact is what happened in the power blackout in 2003, which took 100 power plants offline in North America and paralysed tens of millions of people with over USD 10 billion in social costs[1]. It turned out that it was not an attack but a failure in the load balancing of the grid that was the main culprit of the outage.

In addition, the large scale and the autonomous nature of the power smart grid introduces various security vulnerabilities and invites attackers to compromise the network by creating high-value targets with large impact.

It is not just individual lonely attackers or script kiddies at play, even sophisticated state sponsored cyber warfare has reached new heights with the launch of very complex attacks like Stuxnet and Flame targeting Iran’s nuclear power plants.

Hence, it is vitally important to have the risks associated with power smart grid security well understood by governments and have sound security measures in place to

minimise the security risks and the impact on peoples’ lives due to any serious breach to the network.

In this networking survey paper, and following setting the scene for power smart grid network infrastructure, we will consider various cyber-attack techniques on power smart grids and the security challenges they impose[2].

We use the word “cyber-attack” in this outline to emphasise that the attacks used are very similar if not identical in nature to the attack vectors used on the Internet. An attack vector based on attack trees will be surveyed and analysed including worms such as Stuxnet.

Also we will survey how tocounter-measure these attacks and how to secure the power smart grid, bearing in mind reliability, efficiency, and security[١].

We will also survey the architectural-based requirements and the security requirements needed to support sound grid security[3].

Smart Grid Network Architecture Currently there is no globally agreed definition for “the smart grid”. However, it has already been recognised that smart grids are new electricity networks, which integrate the advanced sensing and measurement technologies, information and communication technologies (ICTs), analytical and correlation decisionmaking technologies, and automatic control technologies with energy and power technologies and infrastructure of electricity grids[4].


18

Figure 1, extracted from[1] shows an overall view of the smart grid, showing information flow between domains as well as the flow of electricity power through transmission and distribution systems to customers.

The major component is a backbone of the information flow network, the Wide Area Network (WAN), distributes messages between different domains.

There is another networkcloud that aggregates/de-aggregates local traffic in some domains to/from the WAN, similar to access networks such as optical, cable or DSL. In the smart grid environment, the access network is needed for connection to smart meters represented by advanced metering infrastructure (AMI) and customer premises, and is called a neighbourhood network[4].

The smart grid network communication consists of the following two functional groupings: `

• Information access determines the syntax and semantics of application related data.

• Communication network enables the reliable, efficient, and secure transmission of the application and

(DoS) attacks,[2] Anomaly detection in order to correlate data logs with possible attacks on the grid.

Smart Grid Cyber AttacksThe Stuxnet Case

False data injection attacks assuming a DC power flow model are discussed in[5]. Power flow are stochastic in nature and can be modelled using stochastic processes modelling[7]. False data injection requires that the attacker knows the power flow configuration of the system, information that cannot be easily obtained. There are two types of false data injection attacks, one is a targeted attack and the other is a random attack. In the targeted false data injection, the attacker uses a specific attack vector to inject erroneous arbitrary data in a specific state variable such as the bus voltage angle or magnitude. In contrast to a random data injection where the attacker finds any attack vector that may lead to alteration of state estimation.

Power system smart grid can be considered as an application of supervisory control and data acquisition (SCADA) system. SCADA is simply a Windows application that facilitates human operators to monitor industrial (e.g. nuclear/electric power plant, or smart grid) processes and to store them in order to later analyse the values of processes[8].

Protocols such as MODBUS, DNP3, Ethernet/IP, PROFIBUS and Foundation Fieldbus are common network communications protocols used in SCADA systems[9]. The choice of the protocol depends on

service specific data. It is necessary to consider both the network architecture and performance requirements to meet the application and service requirements, including the quality of service (QoS) and the security of information transmitted over the network. The latency is very tight in supervisory control and data acquisition (SCADA) systems in comparison with the normal meter reading and configuration in AMI. The network infrastructure must provide reliable two-way communication and support various classes of QoS, such as real-time and non-real-time, and different bandwidths and latency, loss, and security requirements[4].

SECURITY CHALLENGES

Smart grids have posed a serious security challenge since all the attackvectors available on the Internet can be exploited against the smart grid network. Attacks such as false data injection attacks against state estimation in electrical power grids can easily be performed[5].

State estimation is the process of gathering and analysing data from meter measurements then estimating unknown state variables. Attacks such as denialsof service, can alter state estimation functions resulting in slowing down the control centre or even shutting it down completely[6].

Another security challenge is the detection and localisation of faults for early mitigation of any instability in the power grid[7]. In[6] the proposed SCADA security framework was divided into four distinct components: (1) Real-time monitoring to combat threats such as denial of service


19

the operational requirements and industry preferences. For example, in an oil refinery, MODBUS/TCP is the most likely choice to communicate with a programmable logic controller (PLC) device.

In power grids, a control centre could use DNP3 protocol to communicate with a remote terminal unit (RTU) located in a remote sub-station[9].

Cheeo-Wooi Ten et al used attack trees to analyse and evaluate the vulnerability risks impacting SCADA systems[6]. The attack-tree is a graph that connects more than one attack leaf from each node incorporating, for example, password policies and port auditing. The benefit of using attack trees is that it is a simplified methodology to carry the analysis on measurable specific attack goals that can be converted into a real test case to be executed against real devices and network protocol implementations[9].

The infamous Stuxnet malware is one of the perceived attacks against SCADA systems. This is somewhat inaccurate as Stuxnet targets industrial controllers even if it was run and managed as a SCADA system[8].

Stuxnet was a standalone malware and it only contacted a command-and-control (CC) server to announce its compromise as opposed of being controlled by the CC server [8]. In contrast to typical worms, Stuxnet propagated via unconventional means such as USB sticks and LANs. Once it is in the system, it can affect any Windowsbased machines but high in its target list was Siemens PLC type 6ES7-417 and 6ES7-315-2 integrated controllers.

Once a Siemens controller was identified, Stuxnet injected code in the main cycle as a state machine and kept monitoring in stealth mode till zero strike hour came where the legitimate

code was eventually disabled by the malware injected code.

All this happened without any interaction with any remote CC servers; instead the attack was triggered by a complex timer and process conditions[8]. Stuxnet can be considered a state-of-the-art weapon.

Denial of service attacks can have a devastating effect on a power smart grid. A double-queuing model to simulate the stochastic process of packet delay jitter and loss under a DoS attack was proposed in[10] to measure the impact of a DoS attack

on a network-based control system.

Two attack models were discussed in[10], with the first attack model considering a local network DoS attack and the second attack model considering an external DoS attack.

SCADA Security Framework

Cheeo-Wooi Ten et al have proposed a SCADA Security Framework based on four main components. (1) Real-time monitoring, (2) Anomaly detection, (3) Impact analysis, and (4) Mitigation strategy[6]. In real-time monitoring, distributed sensors are utilised to measure electrical as well as other quantities between the control centre and substations[6]. Realtime monitoring is crucial in detecting attacks such as denial of

service.

Anomaly detection is based on event correlation techniques to establish relationships between statistical data and possible credible attacks.

Event correlations can be categorised as either (1) Temporal correlation, which involve data extraction from a local environment that can be inferred by using learning-based techniques on devices training or it can be rule-based matching. (2) Spatial correlation, which involves analysis of events occurring in multiple substations, in the control

centre, or a combination of both substations and control centre. (3) Hybrid correlation combines both temporal and spatial correlations to determine the likelihood of an attack and its severity level[6]. Impact analysis is basically the analysis of intrusion behaviours and performance of the vulnerability and risk assessment of the intrusion impact on the SCADA system. Based on the outcome of the correlation and impact analysis, a risk mitigation strategy can be developed to address high impact attacks such as the one resulting in

loss of power load or damage to costly power equipment such as generators and transformers.

Based on the outcome of the correlation and impact analysis, a risk mitigation strategy can be developed to address high impact attacks such as the one resulting in loss of power load or damage to costly power equipment”

Intrusion Detection

There are several intrusion detection mechanisms to detect intrusion attempts in smart grid. One technique is bad measurement detection and identification[111]. However, this technique is very limited as an attacker with knowledge of the power system configuration can use a false


20

data injection attack to circumvent such measurement detection[5].

Fault localisation algorithms using graphical models and theorems such as Hammersley-Clifford has great potential for constructing decentralised algorithms that are useful in intrusion detection. Graphical models bring together Graph Theory and Probability Theory to establish a powerful formulation of multivariate statistical modelling[12]. A decentralised fault localisation scheme using Gauss Markov Random Fields (GMRF) is outlined in[7] where phasor angles are treated as random variables.

Markov Random Fields are set

of random variables satisfying the memoryless property of stochastic processes and described by an undirected (edges have no orientation) graph. An adaptive data anomaly detection strategy is essential to deal with missing sets of data and detection attempts of false data injections[6].

Conclusion and Future Direction

In this survey we outlined the importance of power smart grid security. We gave a brief smart grid network infrastructure overview then we outlined the security challenges of smart grid networks.

We gave an outline of Stuxnet

malware and DoS attacks as example of attacks on smart grids. We the outlined the SCADA security framework and outlined

some intrusion detection techniques used in smart grids. Smart grid security is very challenging and with the advent of sophisticated malware such as Stuxnet, intrusion detection techniques becomes pivotal especially in the area of anomaly

detection and attack correlation which is a fluid area of research.


21

1. X. Li, X. Liang, R. Lu, X. Shen, X. Lin, H. Zhu and S. Tong, “Securing Smart Grid: Cyber Attacks, Countermeasures, and Challenges,” IEEE Commun. Mag., vol. 50, no. 8, pp. 38-45, 2012.

2. P.-Y. Chen, S.-M. Cheng and K.- C. Chen, “Smart Attacks in Smart Grid Communication Network,” IEEE Commun. Mag., vol. 50, no. 8, pp. 24-29, August 2012.

3. H. Khurana, M. Hadley, N. Lu and D. A. Frincke, “Smart-Grid Security Issues,” IEEE Security & Privacy Mag., vol. 8, no. 1, pp. 81-85, 2010.

4. Lee G et al, “Smart Grid Overview,” Internal ITU-T Focus Group Document , Geneva, 2011.

5. Y. Liu, P. Ning and M. K. Reiter, “False Data Injection Attacks Against State Estimation in Electric Power Grids,” Proc. ACM Conf. Comp. Commun. Security, pp. 21-32, Nov 2009.

6. Cheeo-Wooi Ten et al, “Cybersecurity for Critical Infrastructure Attack and Defense Modeling,” IEEE Transactions on Systems, MAN, And Cybernetic, vol. 40, no. 4, 2010.

7. H. Z. J. Miao, “A Dependency Graph Approach for Fault Detection and Localization Towards Secure Smart Grid,” IEEE TRANSACTIONS ON SMART GRID, vol. 2, no. 2, pp. 342-351, 2011.

8. R. Langner, “Stuxnet: Dissecting a Cyberwarfare Weapon,” IEEE Security & Privacy, vol. 9, no. 3, pp. 49-51, 2011.

9. E. J. Byres, “The Use of Attack Trees in Assessing Vulnerabilities in SCADA Systems,” in IISW’04, IEEE, Lisbon, 2004.

10. Men Long et al, “Denial of Service Attacks on Network-Based Control System: Impact and Mitigation,” IEEE Transaction on Industrial Informatics, vol. 1, no. 2, pp. 85-96, 2005.

11. A. Wood and B. Wollenberg, Power Generation, Operation, and Control, New York: John Wiley & Sons, 1996, pp. 453-512.

12. M. J. Wainwright and M. I. Jordan, Graphical models, exponential families, and variational inference, Found. Trends Mach. Learn., 2008.

13. H. e. a. Cheung, “Strategy and Rolebased Model of Security Access Control for Smart Grids,” in IEEE Canada Electrical Power Conference, 2007.


22

Data security in Cloud ComputingPanos Kalnis, Associate Professor King Abdullah University of Science and Technology

Cloud computing is a hot trend in the information technology industry, and views computing resources as a commodity. A good analogy is electricity: One can plug into the electricity grid and gain immediate access to virtually unlimited electrical power, by paying only for the amount he consumes, without knowing where or how the electricity is generated. In a similar way cloud computing allows a user to access through the Internet, vast amounts of computing resources that reside physically in multiple large data centres around the world. The user is not concerned with the details of the infrastructure; he just pays for what he uses. The term “user” typically refers to an enterprise or organisation in need of substantial computing resources that exceed the capacity of a few desktop computers. Advantages of cloud computing include the elimination of the capital cost of purchasing private computing infrastructures,

and the minimisation of operational and administration costs. Cloud computing is available in many varieties. Some cloud providers offer Infrastructure - as - a - Service (IaaS), meaning that the user rents a set of machines and has full flexibility to install any combination of software. Others offer Applications-as-a-Service (AaaS), which are complete preconfigured and ready-to-use solutions, such as a fully-fledged payroll application. Irrespective of

the type of service, the user, who is also the data owner, must outsource the data and the processing to the cloud provider.

With outsourcing, inevitably the issue of security arises. It should be clarified that, if data is extremely valuable, such as seismic data for oil exploration, or data related to national security, then cloud computing is not a viable solution.

This is due to a combination of threats that include industrial espionage, hacking by common criminals or hostile nations, the legal environment that governs the operations of the cloud providers in their host countries, and the fact that extremely valuable data is a prominent target. Therefore, this article focuses on the outsourcing of less critical data, for which a reasonable level of security may be adequate in practice.

When data security is needed, cryptography is the first solution that comes to mind. The idea is simple:


23

first, the owner encrypts the data on his local machine. Then he sends the encrypted files to the cloud provider, but keeps the decryption keys for himself. Obviously, the communication between the owner and the cloud provider is safe and the cloud provider cannot decrypt the data; therefore the solution is secure. Unfortunately, such an approach is of limited practical value, because the cloud provider cannot process directly the encrypted data. Even for simple queries, the cloud provider must communicate constantly with the owner, which defeats the purpose of outsourcing. In practice, pure cryptographic solutions are only good for remote backup services. There exists a special type of encryption, called homomorphic, which partially solves the problem.

Homomorphic encryption allows a limited set of operations to be applied directly to the encrypted data. For example, the data owner can encrypt and send to the cloud provider a database of all his emails. At a later time the owner can ask the provider to return emails containing a combination of keywords that are also encrypted. Therefore, both the emails and the requested keywords are hidden from the provider. It must be noted that the method incurs considerable computational overhead. In conjunction with the fact

that only a limited set of operations is supported, homomorphic encryption is useful only for very few practical applications.

A few years ago, researchers from Stanford University and IBM invented a new approach called fully-homomorphic encryption. The revolutionary aspect is that fully-homomorphic encryption allows any operation to be applied on the encrypted data.

In theory, the data owner would be able to send to the provider an encrypted virtual machine that includes all data and applications. The provider would execute the encrypted applications without ever knowing anything about the data or the processing that was performed. Unfortunately, the computational cost of fully-homomorphic encryption is so significant that only toy applications can be used. Until a faster alternative is invented, this approach will remain of theoretical interest only.

By now it should be clear that encryption in its pure mathematical form is impractical for generalpurpose data outsourcing.

However, there exist engineering solutions that can help. An example is tamper-resistant hardware, which is a computing device in the form of a sealed computer or add-on card.

The enclosure of the device physically resists attempts to access the electronics, and may even contain a mechanism to self-destruct if it is forced open. The device is placed in the data centre of the cloud provider in close proximity to the cloud-computing infrastructure.

Before installation, the data owner pre-loads the device with his decryption key. Then he sends an encrypted version of the data to the provider. Since data is encrypted, the provider cannot operate directly on it. Instead information is exchanged with the tamper-resistant device, which can decrypt the required portion of the data. Decrypted information only exists within the tamper-resistant device, so nothing is leaked to the provider. In general this is a promising approach, but there are two drawbacks: First, it may not be practical for each data owner to physically install his trusted device in the provider’s data centre. Second, as the name implies, the device can only resist tampering, but there is no absolute guarantee that an adversary cannot find a way to access the decryption keys.

In some cases data security does not imply that data must be hidden, because the value does not lie in the raw data but on the appropriate processing or dissemination. In such


24

cases, the owner must verify that the cloud provider handles the data in the appropriate way. Consider for instance an owner of a vast amount of raw data on which he needs to run some business analytics models to extract useful knowledge. Such analysis needs a lot of computational power, which is the reason why the owner outsources the data to the provider.

However, the provider has an incentive to return incomplete results in an attempt to keep the utilisation of his infrastructure low and attract more customers. Unfortunately, the owner does not have an easy way to verify the completeness of the results.

A partial solution is based on quality control via sampling. Specifically, the user includes in the workload some carefully selected control jobs, which are kept secret from the provider, and assesses the results. Such an approach is typically complemented by a service level agreement (SLA) that legally binds the provider.

As another example consider a cloud provider offering an applicationas- a-service solution that consolidates many travel agents, who offer flight tickets at various prices. The travel agents are the data owners and they want their prices to be displayed accurately. However, the cloud provider may collude with one of the travel agents and may hide better offers by competitors. To solve such a problem there currently exist methods that formally verify the results, based on the so-called Merkel trees, which in turn are based on cryptographic primitives. Such methods work well for simple cases, but become very expensive computationally for more complex scenarios.

A third example of controlled data access is the case of digital rights management. Consider a business that sells digital photographs and needs to check whether a particular photo is an authorised copy of its

own archive. For such cases there exists a well-established technique, called watermarking. The idea is to make minor modifications in many pseudo-random pixels in the image. The owner has a key, which can be used to detect these modifications, confirming the authenticity of the image. An unauthorised user, on the other hand, does not know where the modifications are; any attempt to remove them would destroy large parts of the image. Similar approaches are applicable for documents, financial reports, or even maps. The previous discussion assumes that the cloud provider is not trustworthy. Nevertheless, often a certain level of trust is allowed, typically as a part of a service level agreement.

The data owner transfers the data encrypted, but it is decrypted as soon as it arrives at the provider; therefore processing is easy. The provider promises to establish strong defences at the perimeter of his computing resources in order to prevent attacks from outside. He also promises not to access any of the owner’s private data and to establish sound access control and accountability mechanisms.

Note that technically it is possible for the provider to access the data; he is only bounded by the legal obligation. In practice this is how most cloud providers operate and the level of security is deemed adequate for many businesses. However, security is not guaranteed: private data may be leaked because of external forces, such as a court order, or simply due to negligence.

A last comment should be made about cryptography: Often it is casually assumed that cryptography would have been the absolute secure solution, if only there was an efficient way to employ it in a variety of applications. Unfortunately this is not always true for a variety of reasons. A recent highly publicised example is the heartbeat virus associated with

the SSL protocol. SSL establishes encrypted communication channels for transferring data between computers, but it cannot process encrypted data.

The protocol has been widely used for a long time and was considered secure. Lately, however, it was discovered that the implementation of SSL contained a bug that would allow an attacker to access private information.

Another question concerns the level of security guaranteed by the core encryption method. In general it is assumed that it is computationally infeasible to decrypt encrypted information, unless one has the decryption key. However, for a long time there have been rumours that specific foreign government agencies may have access to “back doors” that would allow them to decrypt any message without the key.

One may rush to conclude that, from a security point of view, cloud computing is vulnerable, so it is better to keep data in private servers. This, however, overlooks the fact that achieving an acceptable level of security is a difficult task that requires a lot of expertise. Among others, it involves securing the perimeter of the local computing infrastructure, establishing strict access control policies, training the users, achieving an optimal tradeoff between usability and security, constantly monitoring for possible intruders, and constantly patching the software for newly-discovered vulnerabilities.

Cloud providers have the required manpower and level of expertise to perform these tasks effectively. Individual enterprises, on the other hand, may not have adequate resources or may face difficulties to attract the IT security experts who are in high demand worldwide.

Consequently, data in private servers may in practice be more vulnerable.

Another issue of data security


25

that is sometimes overlooked is data availability and recovery from catastrophic failures. Of course every enterprise is expected to have a well-established backup process. However, sometimes a natural disaster or malicious act may physically destroy the entire computing infrastructure of an enterprise. To minimise disturbance, one must keep up-to-date data backups at remote sites and must have ready access to adequate backup computing infrastructure that will enable it to restore the business operations as soon as possible.

Unfortunately, maintaining the

required redundancy is often beyond the capabilities of many enterprises. Cloud computing, on the other hand, can easily meet these requirements, transparently to the user and with low cost.

In conclusion, from a theoretical point of view data security in cloud computing is still an open research problem. However, assuming a certain level of trust, in many practical cases data can be outsourced to a cloud provider with an adequate level of security. The fact that cloud computing is an enabling technology for rapid economic development should not be overlooked. A lot of start-ups

as well as small and medium size enterprises from the US, Europe, China, and India are employing cloud resources to achieve phenomenal growth that would not have been financially feasible should they have attempted to purchase dedicated on-site computing infrastructure. A possible way to minimise the security concerns may be the establishment of a local cloud computing industry. The necessary ingredients are cheap energy, which is abundant in Saudi Arabia, and properly trained workforce. Fortunately local universities are already offering cloud computingrelated courses in their curricula.


26

Cloud Computing SecurityManan Al-Musallam, Cloud Security Researcher

Cloud computing has been defined by NIST1 as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. In simpler words, cloud computing is a means of delivering on-demand computing resources as a service over the Internet.

Cloud computing service models range from providing access to applications hosted by service providers to providing access to raw virtual machines to develop and execute custom applications. The cloud market provides services through dedicated data centres, rather than having them developed

and maintained internally by organisations. Cloud computing has enabled the development of business models and applications that were infeasible through traditional approaches. Enterprises considering a move into public clouds are generally accustomed to security arrangements in their data centres that provide a strong security infrastructure. However, such security guarantees are difficult to achieve as the situation with clouds is more complicated.

Traditional security mechanisms are no longer suitable for applications and data in the cloud. Researchers(2)

argue that the openness and multi-tenant characteristic of cloud computing has a tremendous impact on cloud security: (1) in the event

of security breach, it is difficult to isolate a particular physical resource that has been compromised since there is no fixed infrastructure and security boundaries to isolate the applications and data hosted on the cloud platform, (2) cloud resources may be owned and operated by multiple providers, which makes it difficult to deploy unified security measures, (3) sharing virtualised resources by multi-tenants may allow un-authorised access to data, (4) cloud security measures have to meet the need for massive information processing.

Migrating applications to the cloud and hosting them in a remote multi-tenant environment raises concerns(3) about: the security of the storage and network access


27

environment adopted by the cloud provider; the cloud provider data management procedures affecting the integrity; confidentiality and privacy of data; and the cloud provider’s regulatory compliance.

Major privacy issues(4) arise from data being stored outside of the control of the owner organisation. This lack of direct control opens channels through which information can be released, intentionally or not, to third parties. In some cases service

providers may choose not to charge users directly but instead to derive revenue from targeted advertising and sale of customer data.

One of the most common compliance issues facing an organisation is data location5. An in-house computing centre allows an organisation to know in detail where data is stored and the safeguards used to protect the data. In contrast, many cloud computing services do not disclose the location of an organisation’s data to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance

requirements are being met.

Once information crosses a national border, it is extremely difficult to guarantee protection under foreign laws and regulations. In their report on the cloud computing top threats in 2013, the Cloud Security Alliance (CSA) explains that the security and availability of general cloud services is dependent upon the security of the basic APIs that customers use to manage and interact with cloud services.

Reliance on a weak set of interfaces and APIs exposes organisations to a variety of security issues related to confidentiality, integrity, availability and accountability. The CSA also adds that a malicious insider, such as a system administrator, in an improperly designed cloud scenario can have access to potentially sensitive information.

The insufficient due diligence , as CSA puts it, by the many enterprises that jump into the cloud without understanding the full scope of the undertaking opens the door for unknown levels of risk.

There has been progress in both

industry and research communities that strive to mitigate cloud security risks.

However, there is more to be achieved. Cloud security best practices can help organisations enjoy the benefits of cloud computing while maintaining a reasonable level of security.

One of the approaches is SLA focused (6). The SLA (Service Level Agreement) is the only legal agreement between the service provider and client. Organisations are urged to push cloud providers to apply more security visibility in SLAs. The SLA has to describe different levels of security and their complexity based on the services to make the customer understand the security policies that are being implemented.

This should include, but is not limited to, information about the people who manage cloud data, information on the hiring and oversight of privileged administrators, and their access controls, whether or not providers will commit to storing and processing data in specific jurisdictions, and

whether they will make a contractual commitments to obey local privacy requirements on behalf of their customers.

Symantec, a leading computer security software corporation, proposes a high-level roadmap to implement cloud security best practices:

Step 1- conduct a full risk assessment before you contract with any cloud provider. Look at the provider’s security and compliance activities, sub-contractors policies, and how easily you can migrate your data to another platform.

Step 2- evaluate how your own security works in a cloud environment and determine whether your existing security capability can adequately protect your data and your identities beyond the perimeter.

Step 3- implement a strong ongoing


28

governance framework. Gather information from providers and from your own systems, and monitor for security events and compliance with accepted best practice and specific regulation/standards where appropriate.

It is clearly evident that cloud computing provides many opportunities and many risks.

As in typical risk management scenarios, risks must be carefully balanced against the available safeguards and expected benefits. Organisations must live up to the responsibility of maintaining their security in the clouds.

They must find the best fit between the security capabilities of cloud

service providers and the security requirements of their applications.

1. National Institute of Standards and Technology (part of the U.S. Department of Commerce)

2. Deyan Chen; Hong Zhao, “Data Security and Privacy Protection Issues in Cloud Computing,” Computer Science and Electronics Engineering (ICCSEE), 2012 International Conference on, vol.1, no., pp.647,651, 23-25 March 2012

3. Sengupta, S.; Kaulgud, V.; Sharma, V.S., “Cloud Computing Security-Trends and Research Directions,”

Services (SERVICES), 2011 IEEE World Congress on, vol., no., pp.524,531, 4-9 July 2011

4. Wright, J. (2010) Obscured by Clouds: On the Privacy Implications of Cloud Computing. Proceedings of the 11th Czech Information Security Summit, Prague, Czech Republic, 24-26 May 2010

5. Jansen, W.A., “Cloud Hooks: Security and Privacy Issues in Cloud Computing,” System Sciences (HICSS), 2011 44th Hawaii International Conference on, vol., no., pp.1,10, 4-7 Jan. 2011

6. Kandukuri, B.R.; Paturi, V.R.; Rakshit, A., “Cloud Security Issues,” Services Computing, 2009. SCC ‘09. IEEE International Conference on, vol., no., pp.517,520, 21-25 Sept. 2009


29

Net Neutrality – the safeguard of an open InternetBy Philippe Defraigne, Founding Director - Cullen International and Sufian Shunnaq, Senior consultant - Cullen International

The debate on Net Neutrality encompasses several distinct regulatory issues that all have in common the goal of preserving an ‘Open Internet’. The aim of the paper is to highlight the generic questions facing regulators and to identify the regulatory trends.

Definitions

Regulators have often pointed to the definition of Net Neutrality proposed by Tim Wu, an academic credited for coining the phrase in a 2003 paper ‘Network Neutrality, Broadband Discrimination’. “Network design principle where a maximally useful public information network aspires to treat all content, sites, and platforms equally.

This allows the network to carry every form of information and support every kind of application.” In 2009, the Swedish regulator, PTS offered its own definition of net neutrality: “Within the framework of the Internet access service provided according to the agreement, an end user should, by means of ‘best effort’, be able to:

• freely receive and send content

• freely use content services that do not damage the network. Within

the framework of the same Internet access service, an Internet service provider should:

• Refrain from manipulating or de-prioritising data traffic for a user on the basis of content, origin or destination

• Provide clear information in marketing and agreement terms regarding the capacity and quality of the connection.”

In Europe, in April 2014, in the midst of a legislative process on a future telecom regulation, a definition of Net Neutrality was voted by the European Parliament:

Net neutrality means the principle that all internet traffic is treated equally, without discrimination, restriction or interference, independent of its sender, receiver, type, content, device, service or application.

In the US, The FCC does not define Net Neutrality and instead favours the expression Open Internet. The following explanation can be found on the FCC website.

An Open Internet means consumers can go where they want, when they want. This principle is often referred to as Net Neutrality. It means innovators can develop products and services without asking for permission. It means consumers will demand more and better broadband as they enjoy new lawful Internet services, applications and content, and broadband providers cannot block, throttle, or create special “fast lanes” for that content. The FCC’s Open Internet rules protect and maintain open, uninhibited access to legal online content without

broadband Internet access providers being allowed to block, impair, or establish fast/slow lanes to lawful content.

The FCC’s Open Internet rules are designed to protect free expression and innovation on the Internet and promote investment in the nation’s broadband networks.

Restrictions to the use of applications (access to contents)

The clear trend is for regulators and legislators to prohibit the blocking or undue throttling of lawful applications and access to lawful content. In the US, on February 26 2015, the Federal Communications Commission (FCC), adopted a new Open Internet Order that states that there must be

• No blocking: broadband providers may not block access to legal content, applications, services, or non-harmful devices.

• No throttling: broadband providers may not impair or degrade lawful internet traffic on the basis of content, applications, services, or non-harmful devices.

In Brazil, the ‘Marco Civil’ (law on Internet) of April 2014 provides for a prohibition of the blocking of specific applications.

In Europe, the European Commission did not really tackle net neutrality before 2011 and at that time took a pro-competition view of the matter: where there is competition, transparency and low switching costs, market forces will take care of restrictions by operators. If consumers are aware (transparency) that an operator is blocking an application and are able to switch

REGULATORY MATTERS • DIGITAL POLICY

30

(number portability and reasonable contract duration) to another operator (competition) then no regulatory intervention is needed.

This policy had very significant effects on the market and many mobile operators lifted restrictions to the use applications competing with their retail voice and SMS revenues. However, in September 2013, the European Commission announced a U-turn and proposed a regulation that would prohibit the blocking of applications. The Bill is currently still going through the legislative process but there is a consensus by all parties to forbid the blocking of lawful applications and contents.

In MENA countries, several operators are blocking some unmanaged VoIP applications (e.g. Viber and Skype) but, so far, no net neutrality legislations in place in any country. In the UAE, for example, the regulatory framework restricts the provision of VoIP services to the existing licenced operators. OTTs only allowed if they work with the licenced telecoms companies.

Traffic management

The growth of data traffic is exponential both on fixed and mobile networks. To respond to this challenge, telecom operators are investing in the upgrade of their networks moving from ADSL to VDSL and FTTH for fixed and from 3G to 4G for mobile operators. In spite of the continuous flow of investments in Next Generation

Access technologies, operators, particularly mobile operators, may from time to time have to take steps to manage the traffic. This is somewhat similar to what is happening with road traffic in cities where public authorities may chose to give priority to buses, taxis; not to mention ambulances, police and fire brigades.

In case of congestion on the network, telecom operators should be able to take steps to prioritise time critical applications (e.g. voice) over non-time critical ones (e.g. file transfer).

Telcos traffic management policies should be cleared and monitored by regulators to prevent any discriminatory behaviour. Such monitoring is aimed at limiting the potential risks of telcos taking advantage of traffic management to deteriorate the Quality of Service (QoS) of applications competing with their own downstream operations.

A number of regulators are taking advantage of consumer widespread use of smartphone to promote applications that give end-users instant information on the mobile data QoS but also send the information to the regulator. This mechanism enables regulators to collect vast amount of data on QoS at a relatively small cost. Brazil Anatel’s EAQ App is is available on

App stores for both Android and Apple devices

Specialised services

Specialised services, also called managed services or fast lanes, are electronic communications services that are provided and operated within closed electronic communications networks using the Internet Protocol. These networks rely on strict admission control and they are often optimised for specific applications based on extensive use of traffic management in order to ensure adequate service characteristics. This is the definition used by BEREC, the body of European regulators. IPTV over a DSL connection is a classic example of a specialized service.

Specialised services are in contrast to Internet access services also called ‘best effort’ access services. The latter allows for reachability between all endpoints connected to the Internet without any form of restriction to the content exchanged. It enables end-users to run any application utilising the electronic communication function of the Internet.

While specialised services and Internet access services pursue different goals (access to specific contents and applications vs. access to any contents and applications)


31

the former are sometimes seen as posing a risk to the well functioning of the latter. Some suggest that telcos will be tempted to voluntarily degrade the quality of Internet access services to force content providers into buying specialised services. In the US, the FCC Open Internet Order of February 2015, recognizes that some data services do not go over the public Internet and are, therefore, not “broadband internet access” services. Examples are cited of such services, including VoIP on a cable system and a dedicated heart-monitoring service. The FCC says the Order will ensure that these services are not used in a way that could undermine the effectiveness of the open internet rules.

Moreover, the transparency obligations will continue to cover the offering of any such non-internet access data services, ensuring that the FCC and the public can monitor any tactics that could undermine the open Internet rules.

While the debate on specialised services is still raging in Europe, current legislation includes a safety net.

All national regulators have the right to impose a minimum quality of service for broadband communication operators if they notice that the specialised services are degrading internet access services or hindering or slowing down traffic over their networks.

Whatever steps are taken by regulators to protect consumers, they should not lead to a blocking of specialised services. That would be the opposite of openness and would strangle innovation.

The debate on zero rating

Some regulatory issues have a weaker link or even no link to net neutrality but are often ‘thrown’ into the same debate. A good example of this is the debate on zero rating (also called sponsored links).

In most countries, mobile operators

sell mobile broadband connections associated to a specific data cap (e.g. 5 GB per month). Data caps are less frequently associated to a fixed broadband connection (or are very high and serve to define unreasonable usage). less frequently associated to a fixed broadband connection (or are very high and serve to define unreasonable usage).

Zero rating is an arrangement whereby consumers access specific contents (e.g. Facebook) but that traffic is excluded from the calculation of their consumption.

This can be a marketing decision of the operator itself who wants its offering more attractive; it can also be the result of a commercial deal is struck between the content/application provider and the mobile operator, whereby the former pays for the traffic (this reverse charging model is similar to the 0800 model for voice).

In Jordan, for example, Umniah has a partnership with Skype whereby customers, under several tariffs plans, will be offered extra capacity, on top of their data plans, to make more free Skype to Skype voice and video calls to any Skype user without consuming their voice allowances. In Belgium, Mobistar does not charge for the Facebook traffic. In France, SFR does not charge for the YouTube traffic over its 4G network.

Zero rating does not involve blocking or throttling. No traffic is being prioritised or de-prioritised. Therefore, zero rating does not appear to have any clear ties with Net Neutrality.

Yet, Net Neutrality laws in the Netherlands and Slovenia prohibit such commercial practices. Nkom, the Norwegian regulator, stated in in November 2014 that zero rating would constitute a violation of Norwegian net neutrality guidelines.

Sponsored links rely on pricediscrimination in the retail mobile market. In the real world,

price discrimination is part of economic life and is actually welfare enhancing (e.g. Ramsey pricing).

There are cases where price discrimination can be detrimental to public interest and these are caught by antitrust law.

Net neutrality, telecom policy and populism

The prohibition of zero rating in some countries is the perfect illustration of the danger of populism looming large over the regulation of Internet access.

The strong interest of politicians around the world for an open access to Internet and telecom policy is undoubtedly a good thing. Unfortunately, this topic lends itself to easy headlines grabbing and potentially to populism and its ill thought out consequences.

Economics textbooks explain clearly why price discrimination may improve consumer welfare (Ramsey pricing).

The funding of an infrastructure project, for example, often requires to charge a higher price to consumers with a low price elasticity of demand and a lower price to consumers with a high price elasticity (Ramsey pricing).

This enables the producer to generate higher revenues than the combination of any single price with the corresponding demand.

Unfortunately, the word discrimination has a negative connotation and there is often not sufficient room for in-depth explanations in heated parliamentary debates.


32


33

Termination rates in Saudi Arabia and a roadmap for evolutionBy Edwin Grummitt, Partner at Analysys Mason andMohamed Wahish, Manager at Analysys Mason

Interconnection between different operators’ networks is one of the cornerstones of effective competition within telecom markets.

Without it, customers would only be able to communicate with other users on the same network.

The process whereby operators charge for receipt and delivery of a call from another network (providing a ‘call termination’ service) is a challenge for regulators, as this is inherently a monopoly market and these charges can inhibit effective competition if not set appropriately. Over the last 20 years a set of general principles have evolved for setting regulated termination rates that are applied to varying degrees in many markets worldwide.

In particular, the rates are based on cost, take into account overarching regulatory objectives and consider the expected impact on all stakeholders. In the application of these principles to Saudi Arabia and other GCC markets, regulators may conclude that the appropriate termination rates are different from those in other markets, while still being the optimal for achieving their regulatory objectives.

1. Introduction

The regulation of interconnection between operators is one of the key priorities for regulators to ensure the establishment of a well-run telecom market with effective levels of competition.

The process of establishing a call between two operators involves both the network of the operator where the call was originated and the network of the operator where the call is received (also known as the ‘terminating operator’).

The originating operator recovers the call costs directly through the retail tariff it receives from the customer, while the terminating operator recovers the calls costs from the originating operator, through a fee known as the ‘termination rate’.

The service of mobile/fixed termination creates a monopolistic situation, as subscribers do not have the option of selecting a different operator through which to receive calls. If the call termination service was left unregulated, terminating operators could seek to take advantage of this monopolistic position by imposing very high termination rates for calls received from other networks, which may lead to high off-net calling rates and lower demand for calls across networks, which may not be in the best interests of consumers.

To avoid such a situation, the charge that operators impose for receiving calls from other operators (known as the ‘termination rate’) tends to be regulated by telecom regulatory authorities. In the case of calls ending on a mobile network the charge is referred to as the ‘mobile termination rate’, and in the case of

calls ending on a fixed network it is known as the ‘fixed termination rate’.

Termination rates are an important wholesale service, and can represent a significant contribution to operators’ revenue. Similarly, outgoing termination payments also represent a significant cost to operators, and the extent to which these termination out-payments are not offset by termination revenue determines what impact a change in termination rates will have on operators at a wholesale level. A second, but often more important aspect of termination rates is their role in facilitating, or limiting, competition in the retail market. Firstly, high retail pricing is sometimes linked with high termination rates, although in many cases the high retail price is a result of ineffective market competition, rather than the high termination rate. Secondly, excessively high termination rates may limit the competitiveness of smaller operators, due to having a limited on-net base, and consequently a comparatively higher ratio of off-net calls that will be terminated on another network, thus incurring termination charges.

2. Global trends in setting termination rates

Regulators around the world apply a wide spectrum of tools and methodologies for setting termination rates, ranging from a ‘light-touch’ approach that promotes commercial agreements between operators, to more interventionist regulation involving rigorous economic cost analysis, as summarised in the diagram below.


34

Cost-based methodologies have emerged as the approach favoured by an increasing number of regulators, as they reflect the cost of providing the service, and at the same time allow a necessary markup to support operator profitability, by taking account of the operators’ cost of capital.

Cost orientation is also a widely accepted approach for regulating other industries that involve the delivery of basic services beyond telecom, such as power generation and utilities.

Costing methodologies have been in use for many years to understand costs and profitability for accounting purposes, but regulatory costing presents a new set of challenges and requirements. A regulatory costing approach aims to set termination rates at a level that is closest to that of a competitive market. As such, regulatory models should not account for unused/inefficient network investments, to avoid passing on operator inefficiency to the consumer. They should also measure cost based on the economic lifetime of assets reflecting the actual benefit derived, and not based on accounting depreciation.

To address these regulatory requirements, long-run incremental cost (LRIC) models have been developed to allow for a better understanding of actual operators’ current costs, based on incremental

network investments that would be incurred by an efficient operator.

Whilst regulators’ decisions should have a sound basis in economic theory, they also have a responsibility to ensure that their decisions have a beneficial impact on stakeholders and help to support their overarching regulatory objectives. Consequently, international best practice on setting termination rates also includes evaluation of the expected impact on stakeholders and and the extent to which the decision meets the objectives of the regulatory body.

3. Roadmap for termination rates

Relatively high termination rates is not in itself a reason for changing them. Rather, a regulator should seek to answer the three fundamental questions discussed earlier, namely: are the rates cost based; what impact would a change in rates have on stakeholders; and do the rates help the regulator to achieve its regulatory objectives?

Question 1: Are the rates cost based?

Termination rates should take account of both market-specific considerations and the regulator’s policy objectives. Network roll-out in a country with a low population density involves higher costs than roll-out in a highly urbanised geography.

Other factors that affect local market costs–such as inflation, site rental, staff numbers and salary levels–should all be evaluated and included at an efficient level when setting termination rates.

The general principle for setting cost-based termination rates is to consider an efficient operator, to prevent the higher costs incurred by an inefficient operator being passed on to consumers. However, the costs of an efficient operator can reflect obligations and unavoidable costs that the operator incurs as part of its licence requirements, such as high coverage requirements for areas lacking commercial feasibility,

investments to support emergency response, and applicable staff costs in the case of operators with socio-political obligations.

Additional regulatory policies that promote heavy network investment to support a higher quality of service and roll-out of new technologies may also be factored into termination rates, to encourage network investment and rollout, and compensate operators for the costs involved.

“Additional regulatory policies that promote heavy network investment to support a higher quality of service and roll-out of new technologies may also be factored into termination rates, to encourage network investment and rollout”

Question 2: What impact would a change in the rates have on stakeholders?

A change in termination rates may have significant market consequences and should be thoroughly analysed through broad stakeholder engagement within the industry and potentially beyond.

The process of stakeholder engagement needs to involve the key economic and financial institutions of the country, given the potential implications that a change in rates could have on market value and government revenues, as a result of lower royalties and taxes. Potential implications that should be thoroughly analysed and evaluated include:

• The possibility of large price shifts at the retail level, which may lead to material negative or positive outcomes for the market

• The possibility of a material decline in operator profitability and thus a reduction in the ability and appetite to invest in new technology, which would have implications for broadband penetration and hence national productivity

• The potential for a decline in


35

termination rates to materially change the current revenue structure, which would require operators to undergo a lengthy process to rebalance their revenue sources

• The risk that a higher differential between domestic termination and international termination rates may generate more ‘grey-market’ crossborder calling activity, leading to poor quality of service and lower international termination revenue for specific call routes.

Question 3: Do the rates help the operator to achieve its regulatory objectives?

A key pillar of the mandate for most regulators is to ensure the availability of affordable telecom services, and changes in retail pricing are certainly a key element in understanding the likely impact on consumers. Consequently, before implementing a change in termination rates, regulators should perform retail pricing analysis (as in the recent study by the Arab Regulators Network (AREGNET)), to understand the current levels of market competitiveness and the anticipated impact of a reduction in termination rates. As shown in Figure 2, retail mobile prices in Saudi Arabia are relatively competitive by regional standards, so a significant reduction in termination rates may produce a large cut in retail prices.

Therefore, the desirability of such a reduction and its impact on operator sustainability would have to be considered carefully, in a market where retail prices are already relatively low.

“Termination rates should also be tuned to support national policy objectives and achieve an appropriate balance between consumer welfare, economic growth and operator sustainability”

4. Conclusions

Given the potential implications for the telecom industry and beyond, a change in termination rates should be determined after thorough analysis of the potential outcomes, and where necessary any change should be introduced using a phased approach. The following are important considerations prior to implementing a change in termination rates:

• A retail market study should be conducted to evaluate the potential impact that a change in termination rates would have on retail pricing. A substantial decline in retail pricing may be detrimental to industry and market value, and the regulator should seek to identify whether a change in termination rate will support consumer welfare as well as operator sustainability.

• Termination rates should be set using cost-based methodologies, based on international best practice. Alignment on the key principles for cost modelling should be achieved through broad stakeholder engagement, and operator participation is imperative to ensure good data inputs to the model and to support industry acceptance of the results.

• If appropriate, a phased approach should be adopted when imposing a change in termination rates, to avoid market shocks at the retail and wholesale level, and give the regulator sufficient opportunity to manage any negative consequences that might arise In addition to considerations for global best practices, termination rates should also be tuned to support national policy objectives and achieve an appropriate balance between consumer welfare, economic growth and operator sustainability.


36

Empowering KSA ICT Vision forward 2020By Zyad AlkhwaiterGeneral Manager of Regulatory Affairs at STC

The world is undergoing a revolution driven by the Information and Communication Technologies (ICT). The ICT sector has become a major direct contributor to economic growth, to employment as well as a primary source for government funding. ICT is indirectly transforming the economy and fundamentally changing other sectors, such as healthcare, education etc.

Saudi Arabia, too, is witnessing the socio-economic impact of the ICT revolution, underpinned by the rapid development of ICT infrastructure and usage in the Kingdom. The ICT sector contributes substantially to the Kingdom’s GDP growth and to the job creation (over 60,000 jobs per year including direct, indirect, and induced impact of ICT investments).

Saudi Arabia has achieved great strides of ICT sector development over the past years, currently ranking third in the MENA region and thirty third globally in the World Economic Forum (WEF) National Readiness

Index (NRI). Saudi Arabia also enjoys one of the most mature and advanced telecom sectors globally, with mobile penetration currently well exceeding 177%, and mobile broadband uptake at approximately 70%, well beyond the 32% global average mark.

In this context, the Saudi Government is laying a great emphasis on the ICT sector as one of the enablers for the perspective on the KSA 2016-2020 Strategic Plan that is expected to be issued very soon.

ICT Sector Challenges

Despite the recent KSA ICT sector’s achievements, the ICT sector is facing some challenges which can be characterized as follows:

• Financial obligations: High Government royalty fees imposed on Operators

• Existence of tight commercial regulations (e.g. on retail pricing)

• Sector value dilution driven by aggressive price anti-competition on voice in the past, and recently on mobile broadband

• Spectrum scarcity slowing pace of growth and decreasing quality of service

• Non-regulation of OTTs imposing security risks and sub-optimal commitment to service standards

• Low investment capacity due to high regulatory Rollout obligations and low subsidies

• Absence of national broadband strategy to foster mass-adoption of digital services and protect investments

• Absence of ICT plan to cover

all new/future thousands lands granted by Government for citizens

The prompt addressing of these challenges is of paramount importance. The changing sector dynamics and increasing customer expectations are making the review and the update of ICT sector strategic priorities a necessity and a natural step for policy makers and regulators to adjust to evolving ICT market conditions.

Network Readiness Index (NRI) measures market and regulatory environment, readiness and usage in each country – total rank of 132 countries across the world.

Source: ITU (2014 ICT figures)

The prompt addressing of these challenges is of paramount importance. The changing sector dynamics and increasing customer expectations are making the review and the update of ICT sector strategic priorities a necessity and a natural step for policy makers and regulators to adjust to evolving ICT market conditions.

Looking Toward ICT 2020

Five strategic sector objectives can be identified to allow the ICT sector to fulfill its full potential of digitizing the KSA economy up to 2020 that aligned with proposed on KSA 2016-2020 Strategic Plan. It also elaborates on the initiatives that need to be considered by KSA regulatory and strategy authorities to further develop the regulatory environment, foster the growth of ICT and focus on the strategic objectives for the protection and prosperity of Saudi Arabia.


37

These five key objectives are summarized as follows:

1. Customer Welfare– Enable advanced customer experience in consuming digital services. The digital services must be designed with the customer at the center. They will need to be easy to access and use, fast, secure and reliable. Safe and secure networking is a prerequisite for well-functioning digital welfare services. To ensure a stable connection to customers, operators need to foresee the regulatory developments to be able to invest heavily in expanding and reinforcing mobile and fixed-line infrastructure.

2. Growth– Foster access, and increase use of ICT for businesses and individuals. Necessary policy

frameworks should cater for the accelerated development of the ICT sector in KSA. Recognizing the role of ICT as a key enabler for social, economic and environmentally sustainable development, ICT sector’s vision and strategy should enable and foster access to and increased use of ICTs.

3. Sustainability – Protect the health of the ICT sector participants to enable players to invest with a long-term perspective. The protection of the heath of the ICT sectors participants and the safety of the digital consumers should be identified as a sector objective. To achieve this, it is crucial to establish and encourage the collaboration with different governmental entities in order to have a healthy sector that

protects the safety of the digital consumers and safeguard the capital commitment of investors.

4. Inclusiveness– Bridge the digital divide and provide broadband (BB) for all. Broadband connectivity has been recognized as a transformative technology with the potential to spark advances across all three pillars of sustainable development: economic prosperity, social inclusion and environmental sustainability. This objective can be achieved by creating a regulatory environment that allows industry stakeholders to contribute to bridging the digital divide and providing broadband for all, through innovative operational models, while maintaining a healthy level of profit. For instant, The average amount of mobile broadband

spectrum to meet exponential BB demands can be summarized as follows:

5. Innovation and Partnerships– Lead, shape and adapt to the changing telecommunication and ICT environment. In the rapidly evolving ICT environment, successful companies learn how to adapt their systems and practices to new realities. Inflexibility and narrow focus on old business models and practices might lead Saudi ICT sector to lose the battle against foreign based highly innovative companies. At the same time, It is highly recommended that Saudi government entities to utilize the full potential of private sector in advancing the digitization ecosystem within the Kingdom. Limited partnerships exist

with the private sector, international bodies and academic institutions. It is important to create a policy and regulatory environment in which collaboration amongst industry players is encouraged and rewarded.

Effective Regulatory Management

It is widely recognized that effective regulatory management encourages growth and investment in the telecom sector, promotes technological and service innovation, and is correlated with healthy competition and greater consumer choice, leading to greater service penetration. Moreover, it helps the telecom industry to flourish and make a positive contribution to a country’s overall economy.

Effective regulatory management aims to establish adequate

regulatory frameworks and mature regulatory practices that drive market development and optimize value creation in the long-term. It is generally characterized by:

• Holistic and strategic approach to policy and regulatory issues

• Long-term strategic and operational regulatory planning

• Clear assignment and separation of policy and regulatory responsibilities

• Well-defined ICT Governance structure that clarifies interactions between various ministerial mandates

• Engaging and continuously involving key stakeholders through public consultations and


38

direct strategic meetings ..etc.

Effective regulatory management is the engine for ICT development, it is absolutely crucial that an effective policy framework is in place, with clearly define objectives and regulatory visibility (e.g. by identifying the roadmap of guidelines that will be imposed into the players investing in technology in the Kingdom), to effectively create a KSA telecom sector investment-friendly environment.

There are several regulatory priorities can be identified to achieve the above 5 key objectives, as follows:

1. Regulatory Transparency

2. Security

3. Regulatory Certainty for Greater Investments

4. Effective management of Spectrum resources

5. National Broadband Strategy

6. OTT Regulatory Framework

7. Smart City Development Support

In order to maximize the benefits of all ICT sector players, as well as the Kingdom’s social and overall economic welfare, the following underlying principles should be followed:

• Light-touch Regulatory Approach –Adopt next-generation, market-driven approach to improve operational agility of service providers and foster competition

• Removal of Regulatory Obstacles – Discard regulations which hinder natural market developments and efficient sector interactions

• Promoting wider collaboration among cross-industry stakeholders – Engage sector participants to ensure well-balanced policies and regulations.

• Effective Management & Full optimization of RF Spectrum resources – Empowering Spectrum National plan, ITU/GSMA and Trusted international authorities recommendations, Expanding spectrum allocations for operators to meet exponential demands for new and future BB services and applications.


39


40

On The Road to Smart CitiesBy Rayed Al Kahtani, Regulatory Planning Director at STC andDr. Essam Mitwally, Regulatory Affairs Advisor

Smart cities’ is the latest concept of building future cities. ‘Smart Cities’ may be seen as an attempt for the quest of paradise on earth, with goals of providing people and societies with safety, security, sufficiency, efficiency, economic prosperity, convenience, improved quality of life, and happiness. It is through Information and Communications Technology (ICT) that smartness is facilitated by city services, making use of highly networked sensors and devices connecting every human and relevant thing in the city for optimal monitoring, analysis, automation and control.

However, successful deployment and operation of smart cities needs to be carefully planned, shaped up from varieties of business models, depending on a number of factors including ICT infrastructure, supporting government policies and regulations, funding, scope of services, city size, and human factors, as well as whether the city is greenfield or brownfield.

This article discusses the main merits of ‘smart cities’ and potential smart services. In view of careful strategic planning, we present forms of ICT infrastructure and business models associated with ‘smart cities’,

as well as anticipated regulations. It is concluded that, while on the road to reach the vision of ‘smart cities’, we will face infrastructure, business model, financial, and regulatory challenges. However, it is far more rewarding to policy makers, telecom operators, and other market players to undertake such a challenge.

The journey towards ‘smart cities’ Smartness emerged through the recent evolution and widespread adoption of ICT Technologies (Fig. 1). These technologies mainly include: the Internet, 3G/4G mobile and fibre broadband infrastructure, RFID (Radio Frequency Identification), NFC (Near Field Communication), M2M (Machine-to-Machine), sensors, IoT (Internet Of Things), cameras, smart devices, smartphones, tablets, wearables, cloud service platforms, control centres, and big data analytics.

Smart cities may be defined by the way smartness has evolved in order for cities to attain the goals stated above: “Providing people and societies with safety, security, sufficiency, efficiency, economic prosperity, convenience, improved quality of life and happiness.”

Many of the world’s major cities have embarked on smart city projects, including Seoul, New York, Tokyo, Shanghai, Singapore, Amsterdam, Barcelona, Stockholm, Copenhagen, Cairo, Dubai, Riyadh, Jeddah, Kochi and Malaga. One may generally classify smart cities in three types(1):

1. New cities, built smart from the start: These cities are designed to attract businesses and residents with a master plan that uses ICT to deliver efficient citizen benefit services (e.g. King Abdullah Financial City in Saudi Arabia and Lusail in Qatar).

1 “Smart Cities: Seoul: a case study” , ITU-TTechnology Watch Report, February 2013

2. Existing cities made smart: This step-by-step approach with retrofits is the approach followed by most cities (e.g. Seoul, Barcelona, Singapore, Amsterdam, Copenhagen, Stockholm, San Francisco, and Boston).

3. Purpose-driven cities: These are cities established with special purposes, e.g. industrial cities and economic cities in Saudi Arabia.

Main Merits of Smart Cities

Smart cities possess four main merits:

1) Massive connectivity allowing communications among people and things

• Widespread deployment of broadband fibre and 3G/4G mobile network Infrastructure

• Trustable Internet connectivity

• Effective sensors and actuators communicating with smart devices

2) Massive data collection and realtime analytics for decision support

• Through sensors, data may be collected about means of transportation, roads, traffic signals, parking spots, water pipes, gas lines, electrical grids, buildings, hospitals, etc.

• Data is analysed in real-time giving insight into the situation, which allows for making the right calculated decision by the right authority at the right time.

3) Prediction capability in order to proactively avoid problems

• Through the continuous analysis of real data and performance indicators, it would be possible to identify patterns and

SOCIETY • DIGITAL POLICY

41

interrelations to predict problems and faulty situations

4) Resource and process optimisation:

• By having sensors at the right places and collecting the right data at the right time, it would be possible to coordinate and increase the efficiency of operations and make better use of resources.

“Many of the world’s major cities have embarked on smart city projects, including Seoul, New York, Tokyo, Shanghai, Singapore, Amsterdam, Barcelona, Stockholm, Copenhagen, Cairo, Dubai, Riyadh, Makkah, Jeddah, Kochi and Malaga”

Smart Cities Potential Applications and Solutions

‘Smart cities’ are cities built on smart solutions and applications leading to the adoption of several areas of non- exclusive activities, as depicted in Fig. 2:

The main smart areas include:

1- Smart Healthcare: Adoption of mHealth with the use of medical sensors and smart devices for the monitoring of medical status and giving necessary commands and guidance.

2- Smart Transportation: Fleet management, bus and train management, traffic and congestion management, parking management, and road safety.

3- Smart Automotive: Car safety, emergency calls, car theft control, lane departure warning, collision avoidance, hazard early warning, and traffic management.

4- Smart Citizens: Smart lifestyle options, use of green mobility options, live in safe society, access to services that improve quality of

life, and participation in city service decisions.

5- Smart Buildings: Building automation, intelligent lighting equipment, smart grid integration, smart appliances, motion detectors, and security and surveillance systems.

6- Smart Utilities: Smart water management and smart sewage management.

7- Smart Energy: Smart electrical grids, smart meters, intelligent energy storage, green energy, electric vehicles, sensors to monitor traffic, pollution, street lighting and waste collection systems.

8- Smart Security: Surveillance and simulation modelling for crime protection.

9- Smart Government: e-Government to ease providing most government services to people on-line and allow citizens participation in service choices and decision making.

10- Smart Education: Remote

learning, facilitating relationships between educators, students and


42

parents, help teachers to send text message reminders to students, guidance on jobs upon graduation.

11- Smart Telecom: Wi-Fi and 3G/4G connectivity everywhere anytime, fibre broadband to homes and secure connectivity to critical applications.

12- Smart Money: NFC-based mobile payment, establishing secure and trustable Public Key Infrastructure (PKI). Smart money is imperative to many smart city services.

The Strategic Plan for Smart Cities In view of National Strategic ICT plans of the different sectors, and beginning with the Smart City vision and the goals to be achieved, usage, operations, processes and applications can be determined. Accordingly, the necessary ICT infrastructure and equipment are to be commissioned, along with the supporting ecosystem of policies, education, awareness, legislations and regulations (see Fig 3.).

In order to support cross departmental departmental working

for smart cities, many cities are choosing to place the smart city vision in a department that already works horizontally across city silos, such as the Mayor’s office(2).

ICT Infrastructure for Smart Cities The ICT infrastructure of a ‘smart city’ may be divided into three main components, 1) Sensing, devices and things, 2) Connectivity and communications, 3) Data and application. This is depicted in Fig. 4.

1) Sensing Devices

This is the basic requirement for a smart city with respect to monitoring and controlling of the infrastructure, environment, buildings, and security within the city by cameras, NFC, RFID, sensors, M2M and IoT technologies in order to gather the relevant information, and provide ubiquitous information services and applications for individuals and society.

2) Connectivity and Communications The core of communication networks of ‘smart cities’ should have high capacity and high bandwidth, and

should be highly secured and highly reliable. The entire city should be covered by wireless broadband networks. Wi-Fi networks can serve some applications, but most applications would need 3G and 4G mobile networks. In fact, with the forecasted number of connected things reaching 50-100 billion by 2020, there will soon be a requirement for 5G networks. Citizens should be able to access the network “anytime, anywhere, on-demand”, and can enjoy broadband services such as IPTV, HDTV and other high-definition applications.

3) Data and Applications “cloud” Platform

For ‘smart cities’, data is a very important strategic resource. Data may be collected from industries, utilities, enterprises, roads, schools, and hospitals. ‘Big data’ is then analysed in order to turns information into intelligence that helps people and machines to act and make better decisions, to predict situations and faults before

5 “ Developing collaborative mobile-based city solutions for smart cities”, GSMA Connected Living Summit, Shanghai, 24 June 20136 “The Saudi Digital Economy – Opportunities and Benefits”, STC, 2nd Digital Grids and Smart City Forum, May 5-6 20147 “ICT Indicators for Smart Sectors”, STC Digital Policy Magazine, Issue-4 September 2013


43

they occur and to improve resource utilisation and processes.

In the traditional culture of a city, all the infrastructure systems are managed in silos.

For a city to become smarter, it must have a holistic view of the various infrastructure systems, using a single cloud platform for all applications. The application of technology for the integration of various smart infrastructures, combined with national trustworthy telecom operators, will enable this holistic view. Offering city solutions in cloud mode also makes it possible to deploy them rapidly and with little up-front investment, while managing their costs by paying for the services on usage-based terms.

Smart Cities Business Models

The business model for ‘smart cities’ may be expressed in terms of stakeholders’ roles, value chains of smart services, organisational structure, how costs are paid and revenues shared by stakeholders. A holistic approach for ‘smart cities’ involves many stakeholders, including telecom operators and other ICT vendors, specialised consulting firms, government ministries, regulators, municipalities and city administration, city services and utility providers, the citizens and the academic and scientific community.

This concurrence of different actors results in a high complexity of the business model(3).

There are four main aspects according to which the ‘smart city’ business model may be categorised.

1. City types: Greenfield city (i.e. newly built) or brownfield city (smartening existing city).

2. Driver: Government-driven, privately driven, or PPP (Public Private Partnership) driven initiative.

3. Regulatory-based: a) Private network, b) Operator exclusivity, c) Managed network, and d) Open to all operators.

4. Service Platforms: Provided in silos, or provided as a converged cloud platform infrastructure.

Many technology companies involved in ‘smart city’ development strive to compete in the entire value chain of all ‘smart city’ services. Not only do they try to optimise their business case opportunities, but more importantly, it is also the customers’ preference to have a single trustworthy entity to deal with for all services’ value chains(4), as well as the ultimate ‘smart city’ architecture of having a single platform that comprises a holistic view as described in the previous section.

In view of the above, mobile operators are in the best position to host the ‘smart city’ cloud platform in order to provide the full ‘smart city’ service delivery

Most ‘smart city’ experts agree that an important success factor hinges on the ability to collaborate and build a holistic growth ecosystem for ‘smart cities’, and that a leading technology company such as Saudi Telecom Company should be a compelling partner choice for unlocking the Kingdom’s ICT potential for ‘smart cities’.(6)

“The business model for the development of ‘smart cities’ is a significant challenge due to the large number of stakeholders, requiring well-coordinated strategic plans at the national, sector, and city levels, with clear vision and goals”

Smart Cities Policy & Regulatory Challenges

While technology is the main enabler of smartness, policies and regulations can both be drivers and barriers to ‘smart city’ deployment. Regulations can be a driver, with respect to applications such as smart metering and e-call regulations

in Europe, which are responsible for the take-up of those services, but regulations can also be a barrier to

‘smart cities’ if not appropriately engaged. Table-1depicts the main regulatory issues that need to be carefully addressed.

On the other hand, along with the development of the strategic plans pertaining to ‘smart cities’, various ICT indicators will need to be developed(7).

Also incentive funds and policies are required to promote activities

that will improve those indicators and help achieving the ‘smart city’ vision and goals.

Conclusions

‘Smart cities’ require large-scale deployment and adoption of ICT services and applications, mainly based on sensors, smartphones, cloud service platforms, and big data analytics.

Such technologies provide a high capability for monitoring, analysis, and control of infrastructures for the purpose of achieving social and national goals.

The business model for the development of ‘smart cities’ is a

significant challenge due to the large number of stakeholders, requiring wellcoordinated strategic plans at the national,sector, and city levels, with clear vision and goals, while it should also have a holistic view ideally driven by a cloud service platform of a telecom operator. Incentive policies and regulations represent the most important success factor for ‘smart cities’ for the effectiveness of execution of their strategic plans and, therefore, it is imperative to address the regulatory challenges in such a way as for them to become a driver rather than a barrier to attaining the ‘smart city’ vision and goals.


44


45


46

Evolving Dynamics of the TelecomRegulatory Environment in Saudi ArabiaBy Emad Aoudah Al-Aoudah, Vice President of Regulatory and Corporate Affairs, STC

Saudi Arabia has achieved great strides in the development of its ICT sector over the past years, currently ranking third in the MENA region and thirty-third globally in the World Economic Forum (WEF) Networked Readiness Index(1) (NRI).

Saudi Arabia enjoys one of the most mature and advanced telecom sectors globally, with mobile penetration currently exceeding 165%, and mobile broadband uptake at approximately 70%, well beyond the 32% global average(2).

Consumers can currently enjoy a variety of innovative, cutting edge services and applications at very affordable prices. Mobile voice retail prices are well below markets of similar GDP per capita, with effective revenue per minute of just SAR 0.23, while customers benefit from the lowest unlimited data packages in the GCC region.

Saudi Arabia telecom operators have also invested significantly in the latest technologies ensuring that best-in-class infrastructure is deployed, capable of offering high-quality services and support of bandwidth-hungry applications.

Despite harsh terrain and low population density, 3G coverage in Saudi Arabia is in line with GCC and

European benchmarks at 96%, while the 4G coverage is among the highest in the world, currently standing at 93%(4).

The advancement of the telecom sector in Saudi Arabia has been

driven by the wisdom of policy makers at a national level, a savvy and vibrant population always seeking advancement, and strong-willed telecom operators constantly striving to offer best-in-class services to Saudi consumers. In particular, the role of the Communications and Information Technology Commission (CITC) so far has been instrumental in managing effective sector growth and has been vital to driving coverage and adoption in a well-planned manner.

CITC has adopted a “managed competition” regulatory approach, which appears to be the right one, ensuring more choice and competitive offers to consumers, availability of high quality and advanced services,

all at affordable prices. Over the past years, CITC has enacted the required set of regulatory levers around competition safeguards, sector-specific levers and consumer protection, efficiently addressing the whole spectrum of policy making and looking to maximise end-users’ welfare.

The latest developments, including the launch of MVNOs, and the facilitation of next-generation access investments, are expected to further foster the competition and provide more choice for consumers.

The temporary allocation of spectrum for Al-Hajj season has also been instrumental in improving service levels during that very

important period.

At the same time, fast-paced market and technological developments impose new requirements for a paradigm shift in the policy-making and regulatory management in the Kingdom. In this context, a number of key regulatory challenges and topics need to be further reviewed and addressed in order to pursue an accelerated path for the sector at large.

1. Spectrum Allocation:

In Saudi Arabia, over the period 2012-2014, total data traffic increased at an astonishing rate of 99.5%(5), with smartphone mobile data contributing heavily to that growth.

This trend is expected to be further reinforced over the coming period, with mobile data traffic expected to grow 11-fold by 2018(6), effectively serving demand for “anywhere, anytime” bandwidth - hungry services.

In order for telecom operators to effectively serve this exponential user data traffic demand, a balanced and well-engineered spectrum allocation policy needs to be enacted providing the required spectral efficiency levers. Going forward a minimum guaranteed 3-4 Mbps up/downlink throughput needs to be achieved, in any environment and any time, in order to fulfil end-users’ demand and expectations.

In this context, an optimal spectrum mix policy should effectively address the following parameters:

- Digital dividend and spectrum re-farming: Both stemmed from the emerging digital dividend use at lower UHF bands and from the pressure on operators to reduce entailed network rollout capex.

As a result, policy makers have

LAST WORD • DIGITAL POLICY

47

now proceeded with spectrum re-farming, allowing the deployment of UMTS/LTE at 700/800MHz bands. Higher propagation characteristics at these lower bands allow operators to decrease the number of required sites (multiple of 5 to 10, based on the environment) and hence costs involved, while ensuring meeting end-users data throughput demand and service quality.

Technology and service agnostic spectrum bands:

Globally there is a trend for operators to be able to interchangeably deploy different access technologies (e.g. UMTS, LTE, LTE-A) across the lower (e.g. 700/800-900MHz) and higher (e.g. 2100-2600MHz, 3500GHz) bands, based on the type of environment, expected traffic

demand, and respective total cost of ownership (ToC).

Adopting a technology- and service-agnostic spectrum management approach, as well as considering effective spectrum trading and liberalisation practices, could be an equally valuable regulatory lever for Saudi Arabia policy makers in order to fully unlock the digitisation potential.

Policy makers in the Kingdom and CITC should thoroughly review existing spectrum allocation policies and regulations, creating a balanced mix across spectrum bands in order to allow a) maximisation of economic and social returns through the use of scarce spectrum resources, b) providing needed levers to service providers to bridge the digital divide and foster digital inclusion across the country.

2. High government fees impacting future investments

Based on market forces and a competitive environment, significant price reductions have been experienced in the market. Over the past five years, average revenue per user (ARPU) has been constantly decreasing at annual rate of 6%(8), directly affecting operators’ revenues. In contrast, in order to ensure availability of best-in-class and innovative services and technologies, operators have been investing significantly in both fibre access (fixed broadband) and 4G (mobile broadband) networks. On average, 19% of operators’ annual revenues are re-invested in the market, a rate that is among the highest in the world today.

1 Networked Readiness Index (NRI) measures market and regulatory environment, readiness and usage in each country – total rank of 132 countries across the world2 Source: ITU release on 2014 ICT figures3 Refers to national call prepaid rate as of Oct. 20144 Telegeography, GSMA Intelligence Dec 20135 Based on STC data6 Based on “Cisco Visual Networking Index Global Mobile Data Traffic Forecast for 2013 to 2018”


48

A case-in-point, over the past years, STC has invested around SAR 30 billion (USD 8 billion) in developing, expanding, and modernising its fixed, mobile, and data infrastructure.

In order for operators to be able to fund major access and capacity enhancement infrastructure projects, as well as invest in mega-projects (smart cities, and other mega projects) certain levels of financial incentives and benefits should be granted by the government. These incentives could be linked to alleviating some of the operators’ financial obligations.

Currently, service providers are obliged to fulfil a set of annual payment to the government across various dimensions as presented below:

• Royalty fees of 15% on net mobile operating revenues, 10% on net fixed line operating revenues, and 8% on net fixed data operating revenues

• License fee calculated as 1% of net operating revenues

• 2.5% Zakat on Saudi’s share of profits

• Rental fees (towers) and rightsof-way (e.g. excavation) fees collected by municipalities, based on location and type of infrastructure

• Annual spectrum fees

• Numbers use and allocation fees

Despite the recent market and technological changes and advancements, these financial obligations have not been reviewed and/or amended over the past years.

The last review of respective royalty fees was undertaken in 2010, with Saudi Arabia still having the highest rate of applied royalty fees within the GCC.

As the market matures and stabilises, it is of paramount importance for policy makers to revisit these obligations, assess in detail the potential impact of future sector investments and their effect on the welfare of consumers so that they might proceed to correct and/or cancel certain fees.

3. Threat of OTT and their negative impact on RoI

As currently experienced in the marketplace, over-the-top (OTT) players of any nature (e.g. voice, messaging, applications), have experienced significant growth in recent years and have gone on to capture market value and volume. The emerging rise of OTT players has to be treated cautiously in order to ensure proper market equilibrium, and so that their presence does not derail the existing growth trajectory, while in parallel abiding to the overarching principles of neutrality and fair competition.

The presence and expected growth

of OTT players is a positive sign in the market as it provides broader and more affordable choices to consumers. Policy makers in Saudi Arabia need to define a tailor-made OTT policy and regulatory framework in order to ensure a level-playing field for all service providers and not allow rapid value dilution.

Respective areas that policy makers should effectively address include (non-exhaustive):

- Quality of service: OTT players have to abide to certain quality of service (QoS) criteria, and relevant monitoring processes should be enacted and penalties imposed respectively

- Financial obligations: As OTT players are typically established in other jurisdictions (mostly in low tax countries) they have few financial regulatory obligations and thus certain levies on revenues generated in the Kingdom should be considered

- Data retention: OTT players should be subject to requirements to retain data where it is necessary and proportionate in each situation for such duties to be imposed

- Data Privacy: Horizontal regulations must be equally applied to OTT players, safeguarding consumer interests

- Customer care/complaints: OTT providers need to comply with regulations regarding minimum


49

quality standards of on-site customer support and care

- Interconnection: Consideration must be given with respect to the designation of market dominance at termination and the imposition of certain remedies respectively

- Access to scarce resources: OTT players should abide with existing regulations on the allocation of numbering and spectrum bands

In parallel, there are several cases of reported illegal use of OTT voice/ messaging and applications (e.g. VoIP/SIP applications) in the marketplace.

The use of such services violates the overarching licensing regime and imposes threats to consumers. It is critical at this stage that there is a cumulative, joint approach by policy makers in the Kingdom, CITC, and operators in promptly blocking such services, best protecting consumer and industry interests.

“Policy makers in Saudi Arabia need to define a tailormade OTT policy and regulatory framework in order to ensure a level-playing field for all service providers and not allow rapid value dilution”

By not developing and enacting the appropriate policy and regulatory framework for OTT players, and by

sustaining an asymmetric regulatory approach, there is a major risk that

a) further cannibalisation of national and international voice revenues.

b) the triggering of a severe price war with legacy operators that will eventually lead to rapid market value dilution, impacting future investment prospects, and

c) progressive disintermediation of users from clearly recognisable and approachable mobile network operators, jeopardising the privacy of citizens and bypassing lawful interception requirements. The much-needed market equilibrium must be safeguarded in order to allow existing operators to retain required resources to fund the next phases of sector development and the creation of lasting value for consumers.

In summary, and in order for the CITC to continue its proven strategy of effectively managing sector growth and development, some key regulatory imperatives need to be reviewed further and assessed:

1. Effective use and allocation of scarce spectrum resources

• Allocation of additional carriers at capacity-sensitive 2100MHz band

• Designation of digital dividend to mobile broadband

• Consideration of technology and service agnostic regime and service agnostic regime across spectrum bands

2. Facilitation of future sector investments elimination and/or reduction of government royalties and fees on operators (both in fixed and mobile services)

• Government support in telecom infrastructure for new mega projects (e.g. new industrial cities)

• Ease of governmental/municipalities requirements for network rollout

• Designation of market-friendly infrastructure access and sharing regulations

3. Framing of OTT market presence:

• Government support for blockage of illegal services (e.g. SIP applications)

• Development and enactment of tailor-made OTT framework addressing certain levers such as QoS, interconnection, use of scarce resources, data retention and privacy, and financial obligations.

7 ITU, GSMA, industry sources8 CITC ICT indicator report Q3 2013, GSMA intelligence accessed Feb 20149 GSMA intelligence accessed Feb 2014


50

As an ICT leader, we employ the latest technologies for smart devices to utilize life’s opportunities.

For more, please visit stc.com.sa

As an ICT leader, we employ the latest technologies for smart devices to utilize life’s opportunities.

For more, please visit stc.com.sa

Vision turned into reality for the rise of the nation and community empowerment.

Let us work together to achieve Vision 2030.

the ict policy & development magazine · the telecom arena and vice-versa, with major companies...

Documents