Telecom’s mixed legacy in New Zealand
“Marriage is like a tree: You can’t keep digging it up to take a look at the roots,” is a line from that literary ode to commerce, the Forsyte Saga. But can the same be said for a divorce? Once coupled together under the brand Telecom, Chorus and Spark—which were forcibly separated at the beginning of this decade—reported their annual financial results this week.
One looked to the past, the other to the future.
Chorus faces down threats
With the Ultra Fast Broadband rollout 88% complete, Chorus reported a net profit after tax of $52 million. But for investors, the good news is that they may be in line for larger dividends down the road. This year it was 24 cents per share and in FY21 it’s forecast to be 25 cents per share.
But when you are the most heavily regulated company in a regulated sector, so much depends on the Commerce Commission. We won’t bore you with acronyms from two sectors (finance and telco) but suffice to say that the new regulatory regime the commission is working through will determine what Chorus can charge upstream retailers for fibre connections post 2021.
Chorus CFO David Collins looked a little like a man holding his breath, hoping that everything will turn out OK, as he talked the analysts through the regulatory process. Collins emphasised that it’s been a tough road since 2011, pausing on a slide showing the debt burden with a big red box over FY14/FY15 when the company couldn’t issue new debt or pay dividends “due to the regulatory process”.
Seasoned telco watchers will recall that in 2011 Crown Infrastructure Partners (the government entity overseeing the UFB) agreed to invest $929 million in Chorus’s UFB rollout through a mix of non-voting shares and interest-free debt. The loan has been drawn down on a “per premises passed” basis (that is, once the fibre is deployed in a street). The second part of the programme, UFB2, added $409 million to the overall CIP loan. Repayment on both UFB1 and UFB2 is not due to start until 2025 and it is scheduled to end in 2036.
With his CFO pondering the past, CEO JB Rousselot was free to focus on selling the vision. Having spent all that cash on a fibre network, his job is to make sure customers don’t forsake it in favour of wireless broadband. So, there was a lot of talk about the “fixed line renaissance” and how fibre is the “gold standard” for broadband, and the goal to get one million connections to Chorus fibre by 2022 (currently at 751,000). The battleground for connections looks like this:
- 420,000 addresses which aren’t connected to the fibre in their street
- 80,000 which have fibre to their premises but haven’t connected
- 80,000 addresses which are about to get UFB in their street once the second phase is complete
- 25,000 greenfield properties
What about unbundling? Could the retailers invest in their own equipment and grow their margins, as some did on the copper network? In theory yes. In reality, it’s a tough ask on a GPON network—check out Computerworld New Zealand’s guide to fibre unbundling in New Zealand.
Spark bets on 5G
Meanwhile, Spark reported a net profit after tax of $427 million, and a dividend which amounts to 25 cents per share in its annual result. Stripped of its wholesale network in the 2011 separation and forced to pay Chorus and local fibre companies for fibre connections, it found a way to regain margins by creating a wireless broadband product, which now accounts for 22% of its broadband customer base. Spark’s bullish forecast is that it will acquire more than 40,000 wireless broadband connections in the next financial year. Its once-dominant position in fixed-line broadband is declining, as this slide from Chorus’s results shows.
Once the dominant fixed-line broadband provider, Spark has seen its market share shrink to under half of all connections.
Since the 2011 divorce, (arguably) Spark has had the more interesting task of trying to stay ahead of the game, as core telco revenues are continually undercut by the competition. The company has made a few bets over the years. Here are three worth pondering:
- Wireless broadband, which it is aggressively pursuing (inspiring Vodafone to join the party) and which will be significantly boosted if it can execute on its 5G strategy.
- A content play which has been mixed—Spark Sport hangs on, while Lightbox was sold to SkyTV.
- Maintaining a suite of enterprise services that now include side bets such as the data analytics company Qrious.
COVID-19 casts a pall across FY21. International roaming fees have been scrapped due to New Zealand’s borders being closed, while economic conditions will reduce high-end spending on new mobile phones and increase the risk of bad debt as many customers struggle to pay their bills.
One area to watch will be Spark’s cloud, security and service management offering, which is targeted for 5%-8% growth in FY21. This is less than the 10.8% in cloud revenue ($443 million) in FY20. In part this is due to the uncertain economic climate, but how much are local providers like Spark going to be impacted by public cloud providers such as Microsoft setting up a data region here (although Spark does have an alliance with Microsoft Azure)?
The advantage local providers have had due to legal requirements to keep data onshore has to some extent kept the public cloud threat at bay at the big end of town. For a sense of how keen some of our biggest companies are to go full throttle into the public cloud, check out CIO New Zealand’s profile this week on the Bank of New Zealand’s multicloud strategy.
NZX under attack
It can’t have been easy for Spark CEO Jolie Hodson to deliver the annual result to analysts while one of her most high-profile customers—the NZX—was combatting a DDoS attack. The NZX website was down Tuesday afternoon, Wednesday and then again on Thursday—and it was kind of awful. This is our nation’s stock exchange, for goodness sake! And it’s the middle of earnings season!
(For a refresher on what a DDoS attack is, check out this CSO article.)
Other than short statements that it has been the subject of a sustained and reoccurring DDoS attack, NZX has been pretty quiet about what’s happening. This has left media to seek views from qualified cyber security observers who appear, in general, to be a little shocked by what’s going on. Here’s what University of Auckland Professor Giovanni Russello, an expert in cyber security, had to say when we asked for his reaction:
“The main surprise for me is that NZX has done nothing to protect themselves from this attack reoccurring. I am not sure why this has not been deployed. If they have then it means that the attack is very sophisticated and state actors can be behind it—but not sure which country. To be honest, I do not believe that NZX is a very high-profile target. It could also be that this is just a training attack to go after more valuable targets (not necessarily here in NZ).
“This kind of attack is very simple to mount but not so simple to protect against unless you use specific solutions: mainly you need to build redundant systems and have a filtering mechanism to block malicious traffic as far away as possible from your network.”
Russello also noted that there are New Zealand companies that can protect against malicious traffic such as what appears to be affecting the NZX.
We then asked CERT NZ deputy director Declan Ingram to tell us what was going on. But he says CERT (Computer Emergency Response Team) doesn’t comment on specific attacks, or even confirm or deny whether it is involved, because it’s important that organisations come to them in confidence. “If you have specific questions relating to an organisation that is having an incident, that is best directed to that organisation.”
Fair enough. But separately and in general, what do you do if you are under DDoS attack?
“Every technical system has a limit to what it can process and what it can manage, and if you’re in a situation where your devices are getting overloaded, that’s when you’re going to have a denial of service attack.
“If you don’t have anything in place and you are just getting flooded, what do you do? You call your internet service provider, or you call your upstream provider, and you see if you can get your traffic routed through them.
“Exactly what they do will depend on what type of attack it is. Different traffic has a different footprint that can be handled in a different way. If it is just the traffic to your website, you could put in a cloud proxy and redirect it all through there—different specific technical solutions to different technical scenarios but the same principles apply. You need to get that scrubbing [determining if the packets of data are malicious and dropping them so only the ‘good’ traffic gets through] happening and you need to push that out as far away from your infrastructure as possible.”
Also, if the people attacking you are asking for money to stop the DDoS attack, don’t pay. That’s what CERT says.