8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high as it relates to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs. The effect on a company’s bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day-to-day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

  1. Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.
  2. Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subjected to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.
  3. Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure […]

The full article can be found on the CircleID website at: https://goo.gl/zn7Yg9

ICT PULSE: Cyber threats and security in the Caribbean 2017 update – Interview with Niel Harper

ICT Pulse: Niel, give us a quick recap of what have been the most prevalent types of incidents in Barbados and/or in the Caribbean region over the past year or so? How has the threat landscape changed?

Niel Harper: Michele, it’s always difficult to quantify or qualify the number and types of cyber incidents that occur in the Caribbean because there are no mandatory breach notifications or transparency obligations in the various jurisdictions across the region. As such, public and private sector organizations do not notify the general public or individual data subjects when networks or personal data stores are compromised (yes I have said this a number of times, but it is still relevant and quite important). That being said, ransomware attacks have been quite prevalent across the region, and particularly targeting hospitals, educational institutions, government systems, financial services, and small-to-medium enterprises with insufficient resources to adequately respond to cyber threats.

ICTP: Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?

NH: On a regional (and global) scale, ransomware has continued to be the most persistent business model for cybercriminals. One of the key reasons that ransomware has remained a major threat is because the tools used to initiate attacks are being continuously evolved and improved. For example, there was an over 150% increase in new ransomware variants in the first half of 2016. Moreover, cybercriminals are now operating Ransomware-as-a-Service (RaaS) with lower buy-in costs that allow less tech-savvy perpetrators to distribute ransomware. And the success of ransomware attacks is high because related exploit kits have been popping up more and more on legitimate websites.

ICTP: What are some of the new and emerging threats of which we should be more aware? And are there any particular areas of concern that you have for Caribbean organizations?

NH: One of my biggest concerns with regards to new and emerging threats is that nation states are increasingly developing offensive cyber capabilities, essentially weaponizing exploits and actively eroding trust online through disproportionate mass surveillance, targeted attacks, and information manipulation (fake news). On the other hand, threat actors are ramping up attacks against hardware and firmware vulnerabilities in processors, DRAM technologies, BIOS, and in firmware on devices such as USB, chargers, and external hard drives. IoT malware is on the rise and threatening individual privacy via regular household appliances and consumer devices. In 2017, ransomware continues to grow, and malware authors are focusing their efforts on mobile devices — attacking data repositories both on devices and in the cloud. ‘Dronejacking’ has become a growing threat with a noticeable increase in attacks due to consumer drones shipping with weak protection mechanisms. While not necessarily a new or emerging threat, the pervasive insecurity of IoT devices is fueling the perpetual threat of DDoS attacks, especially against ISPs with unsecured services such as DNS and BGP. All of these threat areas should be of concern to Caribbean organizations and individuals due to increased use of Internet-enabled devices at home and in the workplace […]

The entire interview can be found on the ICT Pulse website at: http://bit.ly/2oCxMzM

From Fragmentation to Integration to Harmonization: Outlining the Requirements for Effective Cyber Legislation Across CARICOM States

The Caribbean Community (CARICOM) is comprised of 15 Member States. Its chief purposes are to promote economic integration and cooperation among its members, to ensure that the benefits of integration are equitably shared, and to coordinate foreign policy. As it relates to cybersecurity, there are several programmatic deficiencies and significant fragmentation of efforts across Member States, primarily with regards to legislation.

There has been limited research exploring the regional harmonization of cyber laws across CARICOM. For example, some authors have touched on cyber-readiness at a high level, examining the cyber response capabilities of a few countries in the Caribbean region. However, these academic works have not provided an in-depth analysis of cyber legislation or enunciated the key requirements for legal reform. Others have broadened the scope of their cyber-readiness research to include Latin America and the Caribbean. However, lumping the Caribbean together with Latin America with regards to harmonized cyber legislation can be problematic due to factors such as history, language, traditionally weak political and commercial ties, size of countries, and disparate economic scenarios. In general, it must also be mentioned that cyber-readiness indicators don’t actually translate into a successful legislative framework or adequate protections against threat actors. Studies also fall short in articulating why harmonization is necessary for CARICOM Member States, and how the region compares to the likes of Europe, Asia-Pacific, and Africa with regards to a harmonized cybersecurity legal framework.

The scholarly justification for this paper is to challenge the effectiveness of the existing fragmented approach by first explaining why a harmonized cybersecurity legislative framework is important. I will then discuss some of the legal challenges associated with such an undertaking. Next, I will perform a comparative legal analysis with other regions that have taken similar steps, and use this as a lead-in to a SWOT analysis of CARICOM’s present cybersecurity posture. And finally, I will propose a legal framework that enables stakeholders in CARICOM Member States to more capably respond to transnational cybercrime.

Keywords: Cybersecurity, Cybercrime, Harmonization, Fragmentation, Integration, Cooperation, Cyber legislation

Read the full academic paper at: http://bit.ly/2mu30IT

The Role of Governments in Ensuring a Consistent Legal Framework for Internet Governance

The Internet is not an ethereal or otherworldly thing, and existing laws in the offline world are applicable to “cyberspace”. The Internet is for all intents and purposes a tool for making data available and for accessing it. But unfortunately, it is a tool that can be used by individuals and groups to conduct illegal activities. Similar to the offline world, governments have a social responsibility to develop laws that address criminal and illegal behaviors online. Hence, ensuring that an adequate and effective legal framework exists is an important role for governments.

Data protection and privacy

Data protection and privacy are high on the list of important legal issues, especially given that people are increasingly storing more of their data online and large amounts of data are collected, searched and manipulated electronically. In the EU, the Data Protection Directive 95/46/EC was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.[1] However, although the Member States’ implementing laws conform to the Directive in terms of basic concepts and principles, they tend to be slightly different in many relevant details. The differences in the way that each Member State implemented the law have led to inconsistencies, which create complexity, legal uncertainty and administrative costs. This affects the trust and confidence of individuals and the competitiveness of the EU economy.

In January 2012, the European Commission (“the Commission”) presented a proposal for a General Data Protection Regulation (GDPR) to replace Directive 95/46/EC.[2] On 21 December 2015, the European Parliament and Council reached agreement on the data protection reform proposed by the Commission. The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on reinforcing individuals’ rights, strengthening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.

Responses to the reforms haven’t been all positive. Bird & Bird lawyer Gabriel Voisin strongly maintained that, “The text adopted at today’s plenary session of the European Parliament is over-prescriptive. It will hamper Europe’s ability to take advantage of new ways of using data. This will put Europe at a disadvantage to other parts of the world that are embracing the new technologies”.[3] Christian Toon, Head of Information Risk at Iron Mountain, told SCMagazineUK.com that, “While consumers will welcome the fact that the European Parliament has voted through the EU’s first major overhaul of data protection legislation since 1995, many European businesses will be feeling nervous… The reality is that many remain underprepared… Businesses that fail to address the issue now not only run the risk of significant financial penalties in the near future, but may also risk serious reputational damage that will make customer retention more complicated.”[4] A number of other subject matter experts had similar comments.

Whether these criticisms are real or perceived, they represent a failed attempt at consensus between the European political establishment and its stakeholders. This has happened due to the fact that the GDPR was agreed to without adequate consideration of the 4000 amendments tabled by stakeholders, and the lack of political agreement among Member States in the European Council.[5] Consensus building is a critical aspect of Internet governance. The input of committed and informed stakeholders in decision-making processes, in their substantive roles and responsibilities, is imperative to verifying that outcomes are both effective and accepted. It also guarantees that diverse stakeholders can directly contribute to activities and are privy to their results. Consensus essentially facilitates solutions that meet the diverse needs of the Internet ecosystem, and moves the governance structure from top down to bottom up.

International Cooperation

The Internet is a cross-border platform and many of its legal and enforcement mechanisms necessitate international cooperation. The specific challenge posed by the cross-border aspect of the Internet is that activities that are legal in one country may be illegal in another. Governments need to promote bilateral and inter-governmental agreements that support enforcement of the law. However, this is also the case in the offline world, where law enforcement can be bolstered through international cooperation between agencies. Governments have a responsibility to their citizens to cooperatively work together through international organizations such as the WTO, WIPO, Interpol and others in order to successfully combat illegal activity online.

A significant amount of international effort has gone into the development of model laws for international cooperation and harmonization of cyber crime legislation. One example is the Council of Europe’s Convention on Cyber Crime.[6] The first of its kind, and the only effective global treaty on cybercrime, it was developed to address Internet and computer crime by harmonizing national laws, improving investigative techniques, and fostering international cooperation among nations. It tackles broad subject matter, dealing with infringements of copyright, computer-related fraud, child pornography and violations of network security. It also contains a series of powers and procedures, such as the search of computer networks and interception. There have been other attempts at creating model laws such as the Commonwealth Model Law on Cyber Crime and the Three ITU Model Laws – HIPCAR (Caribbean), ICB4PAC (Pacific Islands), and HIPSSA (Sub-Sahara Africa).[7] The Commonwealth Model Law was not widely adopted by many States, but the fact that much of its framework has been integrated into the ITU model laws has subsequently resulted in many of its requirements being applied to legislation in African, Caribbean, and Pacific (ACP) states.

Attempts at international harmonization of laws can be rife with challenges. In several instances, the omission of necessary provisions, defective language, fragmented drafting, the integration of obscure and unsafe offenses, and variance from and contradiction with established best practices inflict great damage on the objective of enhancing international cooperation against cyber crime. In many developing countries, the main challenge has been the unavailability of subject matter expertise in drafting legislation and regulations on cybercrime and electronic evidence. To solve this, governments should look at broadening the communities with which they engage. Inviting the private sector and academia to participate in developing model laws can drastically improve the quality of legislative outputs. Additionally, seeking technical assistance from international organizations can also yield substantial benefits.

Conclusion

Internet governance, and the multistakeholder model it employs, is a reflection of the open and inclusive nature of the global Internet and has been an integral reason behind its amazing growth and success. Many governments have realized that deeper stakeholder engagement — including governments, businesses, civil society, the technical community and academic institutions — is the optimal approach to sharing knowledge, experience, competences and best practices when developing policies to address new opportunities and respond to emerging challenges.

Traditional models of governance that would institutionalize control over the Internet by governments and inter-governmental bodies cannot achieve these goals. Such rigid decision-making processes are unable to maintain pace with rapidly changing technological advancements that characterize the Internet, and the ever-evolving requirements of Internet users. Any attempts to superimpose traditional models would dampen innovation and constrain realization of the limitless benefits of an open Internet. It would risk stifling the dynamism that has allowed the Internet to deliver so many benefits and opportunities for economic growth and social welfare.

A revisionist approach to governments’ involvement in Internet governance should focus on overhauling the rules of engagement. These new rules would allow government officials to participate in architecting a new ‘distributed global governance framework’, with defined restrictions and in their macro-level role as public policymakers for Internet-specific matters. Notably, this function should not undermine the globally accepted norms and principles of Internet governance. Within a multistakeholder environment, all concerned parties could contribute to building a platform for further public policy elaboration. This could set the stage for the transformation of Internet governance into a truly international policy-making process. But in order for that to occur, we need visionary leaders, a change in mindset from control to collaboration, and strong political will.

 

Does ICANN’s UDRP Preserve Free Speech and Allow Room for Criticism?

Introduction

The phenomenal growth of the Internet has resulted in a proliferation of domain names. The explosion of ‘.com’ registrations coincided with an increase in domain name disputes, and with it the legal branch of intellectual property devolved into virtual mayhem. ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP) was created to allow for trademark holders to challenge domain owners, bring the respondents into binding arbitration, and possibly gain control of the domain name in question. The UDRP was brought into force in October 1999, and it can be said that it has contributed handily to the resolution of domain name disputes. However, deeper investigation into the UDRP paints a different picture.

The fair use of domain names relative to non-commercial negative or critical statements is the subject of many UDRP grievances. Nonetheless, panelists still express divergent views as to whether this constitutes ‘fair use’. The evaluation of fair use hangs on the importance a panel attributes to the registrant’s right to freedom of expression in each case. In some cases, free speech is not viewed as a legitimate right under the UDRP to register a domain that is ‘indistinguishable’ from a complainant’s trademark for the purpose of criticism, even in the absence of commercial intent. An opposing view is also taken, where it is argued that non-commercial free speech is the justifiable fair use of a domain name to criticize a trademark owner. As such, a major complaint about the UDRP is that it is unconstitutional with respect to the protection of free speech.

‘Sucks’-Type Cases

A problematic feature of UDRP cases regarding free speech, and one that is linked to the ‘WIPO Overview Majority View’, is where ‘sucks’-type domain names are deemed confusingly similar to complainant trademarks.

For example, in Walmart Stores, Inc. v Richard MacLeod, the panel explained that its decision to transfer wal-martsucks.com to the complainant was based on its belief that “the phrase ‘identical or confusingly similar’ [is] greater than the sum of its parts”. The panel also concluded that their process does not examine if “the domain name causes confusion as to source… but instead whether the mark and domain name, when directly compared, have confusing similarity”. Taking into account that the respondent admitted that his original intention in registering the name was to sell it for profit, there was a strong argument for ruling in favor of the complainant based on the third element of the UDRP, which refers to a domain being used in bad faith. Moreover, the precedent established in Bally Total Fitness Holding Corp. v Faber should have been considered whereby it was held that the addition of “sucks” prevents any reasonable user from confusing that website with an official website.

In Royal Bank of Scotland Group plc v Pedro Lopez, the domain name <natwestbanksucks.com> was registered by the respondent, along with some other domain names that included the complainant’s mark. They all resolved to a site that incorporated criticisms of the complainant. Even though the domain name in question included ‘sucks’ after the mark, which could serve as a distinguishing factor, the panelist held that the use of a confusingly similar mark could not be determined as a legitimate non-commercial or fair use.

Another example is Chubb Security Australia Pty Ltd v Mr. Shahim Tahmasebi, where the respondent (a former employee of the complainant) utilized the <chubbsux.com> domain name for a website that detailed the complainant’s poor employee relations practices. Acknowledging that the parties had no relationship to the U.S., the panelist adhered to other decisions that adopted the majority view and resolved that a ‘gripe’ site does not automatically endow any right or legitimate interest in a domain name. The panelist ultimately ruled against the respondent, concluding that “it is not in this panel’s view legitimate to use the complainant’s own trademark as a platform for criticizing the complainant itself.” […]

The full article can be found on the CircleID website at: http://bit.ly/3aoy1WO

Internet Infrastructure Security in Africa

The Internet is becoming critical infrastructure for Africa. Across the continent, Africans increasingly depend on the Internet to communicate, socialize, and most importantly to conduct their day-to-day jobs and activities. A major outage of the Internet infrastructure is a prevailing fear for network operators, governments and users alike. But, has Africa secured its Internet Infrastructure?

I just finished participating in a panel discussion titled ‘Internet Infrastructure Security in Africa’ at the African Internet Summit (AIS) in Gaborone, Botswana. We sought to identify the major security challenges facing the Internet infrastructure driving Africa’s digital economies. This panel is a precursor to my participation in developing guidelines that will serve African countries in their efforts to protect their Internet Infrastructure from present and future threats.

My speaking points were specifically about existing mechanisms to combat various threats, and the cooperation between key stakeholders to defend their organizations/countries from an ever-changing threat landscape. I also described what types of structures were needed at the national and regional level based on best practices from around the world.

ICT PULSE: Cyber Threats and Security in the Caribbean 2016 Update – Interview with Niel Harper

ICT Pulse: Niel, it has been two years since our last Expert Insights Series, give us a quick recap of what have been the most prevalent incidents in Barbados and/or in the Caribbean region since 2014?

Niel Harper: Over the last 2 years, various government web sites in Barbados have been compromised and defaced by hackers. Websites included the Barbados Government Information Service (BGIS), Barbados Stock Exchange (BSE), Barbados Revenue Authority (BRA), Royal Barbados Police Force, and the Barbados Supreme Court, to name a few. Private websites such as the Barbados Advocate were hacked as well. There are still no data protection laws in the country, so due to absence of mandatory breach notifications, the few reported incidents are only the tip of the iceberg.

The prevalence of ATM skimming attacks has also increased. However, because the marketplace is dominated by mostly Canadian banks, Sarbanes-Oxley regulatory requirements have led to stronger controls, and many of the skimming attacks have resulted in arrests.

In the wider Caribbean, there have been similar trends of government websites being compromised. A number of organizations in St. Vincent, Grenada, St. Kitts & Nevis and other countries have been subject to malicious online attacks. One of the major commonalities across the region is that organizations with limited resources and untrained personnel have been the targets of successful attacks. This is a key reason why capacity building is critical to improving the region’s overall cyber response capabilities.

ICTP: How has the threat landscape changed over the past two years? Are there any particular areas of concern that you have for Caribbean organizations?

NH: The smartphone footprint continues to grow and with it the attack surface of mobile devices. That being said, many device manufacturers are focusing their efforts on enhanced security as a product differentiator. Still, end user education is necessary as an additional layer of protection against malicious threats.

Given the increased hardening of operating systems and applications, attackers are focusing on areas lower down the ‘stack’ such as BIOS, firmware, and graphics chipsets. Controls such as boot security, trusted execution, and active memory protection are making these attacks more difficult, but I expect these types of threat vectors to increase.

Newer technologies such as IoT (Internet of Things), M2M (machine-to-machine) communication, Network Functions Virtualization (NFV), and Software Defined Networks (SDN) are growing in terms of their deployment base. But this also introduces significant challenges in terms of security: single points of failure, open source software, and complexity. The fact that commonly used items such as televisions, refrigerators, and even automobiles, are now accessible through the Internet has vastly changed the threat landscape, and should force manufacturers and end users alike to focus more on cybersecurity.

The explosion of cloud computing, the increasing popularity of crypto-currencies, and the emergence of mobile payments (e.g. Apple Pay, Google Wallet, etc.) are also areas for concern with regard to an expanding threat surface.

All of these areas are of particular concern for Caribbean organizations, especially those who are seeking to be on the cutting edge […]

The entire interview can be found on the ICT Pulse website at: http://bit.ly/1T9iMQv

Why Domain Names Should Be Viewed as Property Rights

The legal status of domain names is one of the most hotly debated topics with regards to evolving property rights and how they should be applied to technological and intellectual property ‘innovations’ in cyberspace. At present, there are two opposing factions on this topic: On one hand, there are those who maintain that domain names should be considered as contracts for services, which originate from the contractual agreement between the registrant and the registrar. On the other hand, we have the parties who contend that domain names are intangible property rights that reside with the domain name holder.

As the law has evolved, property has been defined as “an abstract right or legally constructed relationship among people with respect to things” or “a bundle of rights, powers, privileges and immunities that define one’s relationship to a resource.” These theories have been beneficial more so for normal property rights, but law courts have found it quite challenging when attempting to determine how these concepts apply to domain names.

In this theme report, I will discuss service contract rights and the ‘bundle of rights’ property theory, as well as examine case law in a number of jurisdictions, and present an argument for why domain names should be considered as ‘property rights’.

Domain Names as Contracts for Service

A number of courts have categorized domain names as contracts for service. This in itself is not incorrect, as domain names are transferred to an individual through a contractual agreement between them and the domain name registrar. The role of the registrar is to provide a functional mapping and translation between the domain name and an IP address. The registrant maintains their right to the domain name as long as they pay the associated fee to the registrar and ensure that the domain name is not utilized in bad faith or infringes on the intellectual property of others.

An analogy has been made between domain names and telephone numbers, accompanied by an argument that both domain names and telephone numbers are allocated and ultimately managed by either a registrar or a telephone company, and as such should be recognized as a contract for use and services. Hence, a person who registers a domain name or is assigned a telephone number is simply the contractual holder of that resource and does not become its owner. Ownership remains with the registrar or phone company.

Dorer v. Arel was the first litmus test of the theory that domain names form contracts for service, and that owners have no property rights to them […]

The full article can be found on the Circle ID website at: https://goo.gl/VkJsRb

 

Towards the Single Telecoms Market: Analyzing the Performance of the Body of European Regulators for Electronic Communications (BEREC)

BEREC

There is no doubt that BEREC’s performance to date has been generally satisfactory. It has so far fulfilled its functions in a commendable manner, most notably with regard to Article 7/7a procedures, in addition to its contributions to the dialogue on international roaming and net neutrality. It has federated the NRAs in a way that its predecessor failed to: it has compelled them to be more accountable to themselves and to consumers. It has enabled further harmonization and strengthened interactions between the Member States and the EU institutions. It can be said that BEREC’s uniqueness is based on two elements: On the one hand, it is a body uniting highly skilled professionals who perform their tasks independently from any public or private entity. On the other hand, BEREC comprises representatives of different Member States and allows for regular exchange and deliberation between them, cascading the results of these processes to the European level.

BEREC’s independence, while imperfect, has proven to be a laudable feature of the organization. Its legal foundation (the Framework Directive) provides measures to ensure separation of powers and prevent unnecessary political or private sector capture. The mixed funding model in place serves to curtail any attempts by the providers of the body’s financing to obstruct the effectiveness of its activities in delivering trans-national or pan-European services. However, this is not to say that the independence of BEREC concerning the individual NRAs doesn’t require improvements, especially towards the goal of fashioning an overarching European groupthink that overrides the national interests of the constituent NRAs.

The current organizational structure, from the technical to the decision-making level, provides balance between stability and flexibility. It also leaves room for negotiations to take place at different levels, considering all views in an efficient manner. The EWGs have improved their performance and work in a more professional manner. In recent years, the quality of the reports has improved, while deadlines have been met in practically all cases. However, rules or guidelines for the EWG work may also be useful for the better functioning of BEREC.

BEREC’s lack of decision-making/enforcement powers can be a double-edged sword. On the one hand, it manifests as a weakness in cases where NRAs choose to reject opinions from BEREC, and pursue undertakings that run counter to the strengthening of the single market. On the other hand, it can serve as a balancing influence as it pertains to the regulatory powers of the Commission and the national regulators. Fortunately, BEREC has had a more balanced record whereby it has taken on several opinions that support the draft decisions of NRAs, and both the Commission and the national regulators have largely agreed with the opinions of BEREC in instances where there was divergence.

Clarity around its accountability continues to be a challenge for BEREC. The body was formed to provide expert opinions on relevant topics, define priorities and advise the EU institutions regarding the harmonization of the single market. It is of critical importance that BEREC demonstrate greater accountability for its own objectives. This can be achieved by documenting its commitments or tactical goals for each coming year, and then through reporting on its achievements to EU institutions at the close of the year.

Models of regulatory governance vary in the level of discretion granted to regulators. This determines the level of transparency required to reassure stakeholders and build legitimacy around regulatory decisions. European citizens and residents have very strong beliefs about the right to access information related to their political and legal institutions. Additionally, the Commission has been vigorously promoting open data and generating value through the re-use of a specific type of data – public sector information. Simply put, BEREC needs to demonstrate its commitment to openness and transparency to build greater trust and legitimacy among its stakeholders. There isn’t much more to it.

The ultimate success of the EU single market depends on the existence of a body that can effectively influence outcomes in national markets and begin to erode the pervasive ‘national’ market approach of Member States. The failure of the ERG is one of the main reasons why the European e-communications market remained a patchwork quilt of national markets for some time. BEREC has many of the elements to become a successful force in coordinating national approaches and bringing consistency through decentralized regulation. However, it could also become a major obstacle to the Commission’s harmonization policy by becoming a center for European regulation that protects and lobbies for national interests. The verdict is still out on which way the pendulum will swing.

The full academic paper can be found here: http://bit.ly/3mzDGLU