How severe are the risks to the rest of society when hackers are determined to take networks down? Access to mobile networks and the internet has been a game-changer that has improved the lives of billions of people worldwide but this also means the disruption caused by a loss of service can be much more serious. What happens when individuals become dependent on networks for everyday tasks like paying their bus fare, doing their grocery shopping, obtaining credit, and interacting with the government? We talk about the fallout from the Anonymous Sudan attacks on Nigeria, Kenya and other countries, and the wider risk implications of becoming dependent on networks with two guests who will be familiar from previous episodes of the show: Kenyan telecoms consultant Joseph Nderitu, and Nixon Wampamba, currently at MTN Nigeria.
Other topical news are also discussed by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hello, I'm Eric Priezkalns and this is The Communications Risk Show. Each week we talk about the risks faced by comms providers and their customers with contributions from industry insiders from around the world. Programs are streamed live so you can share your views too. Ask a question at any point during the show by typing into the window immediately beneath the live stream at our dedicated website tv.commsrisk.com. Messages are anonymous so type your name into the message if you want me to read it out. Programs are also streamed live to LinkedIn and to various other platforms. We'll keep an eye on any comments left over there during the show and I'll try to read out as many as I can as time permits. For today's show, the theme will be the anonymous Sudan denial of service attacks on Nigeria, Kenya and other countries, plus the wider risks that societies are taking by becoming so dependent on networks for many aspects of life, especially since the pandemic sped up transition towards cashless societies. We'll be talking about these subjects with two of our favorite guests from previous shows, the well-traveled and highly experienced risk telecoms and mobile money consultant Joseph Nderetu and the even more widely traveled Nixon Wampamba, who currently works at MTN Nigeria. But before we're joined by Joseph and Nixon, let's say hello to my regular co-presenters, Ed Finegold and Lee Scargall, who are here to discuss topical issues from around the communications industry. Ed's an industry analyst, widely published author and a strategic advisor to tech and telecoms businesses. He joins us from Chicago. And Lee is an executive and consultant who has managed risk on behalf of comms providers in the Middle East, Europe, Caribbean and Asia. Currently, Lee is working in Bahrain. Guys, want to get your opinions on something that really stood out for me, although there's been so much news this week, it's hard sometimes to know where to begin. But talking about war, and in particular, in this particular situation about the Sudan civil war, we were going to mention them anyway later in the show as a result of the attacks launched by Anonymous Sudan. But coincidentally, hot news is that researchers have just demonstrated that messages shared on TikTok that seemingly come from Omar al-Bashir, former leader of Sudan, were actually clones of his voice. So we're talking about propaganda here, messages. It sounds like overhearing a telephone conversation and then sharing the recording the rest of the world, actually a digital clone of somebody's voice, a reproduction, not the original person speaking. Now, Professor Hani Farid of the University of California, Berkeley, one of the world's foremost experts on digital forensics and misinformation, determined that a segment of a recently shared recording purporting to be taken from a phone conversation involving Omar al-Bashir, this, though disseminated on TikTok, matched a segment from a different conversation shared on the Facebook live streaming service. The voice was not identical to the human ear, but the words and the pacing of the words were identical between the two streams. So they perfectly synced, indicating that at least one had been made artificially by digitizing and then synthetically reproducing the voice. Lee, my opening question for you on today's show, I know you've got some strong feelings about voice cloning. Last week, we had Stefan Wolff, Randy Warshaw, and Timothy Ruff on the show arguing we need secure and verifiable forms of digital identity so we know who is the true origin of anything we see or hear electronically. And they cited the example of a recent deepfake involving film actor Tom Hanks. Does this latest example involving the former leader of Sudan illustrate that misinformation designed to influence the outcome of wars, not just corroborates what they're saying about the need for a universal method for identifying everybody uses comms? Or does it indicate that actually that we need to be thinking more imaginatively about the risks being posed to anybody and everybody else around the world, not just a few famous celebrities? So this actually happened in the UK yesterday when a news story broke about there was a deepfake video, sorry, audio of Kia Starmer. And he was actually appearing to bully staffers at the Labour Party conference. And then a few weeks before, we actually had another deepfake audio of the leader of the progressive Slovakia party. He was actually talking to a journalist discussing how to rig an election. Now he actually lost that election. Now deepfake audios, they are becoming a real issue, right? And it's a threat to democracy, right? Because there's a lot of people out there that are starting to believe this type of stuff. And it's incredibly realistic. Next year, we've got elections in the UK, US, EU, and also in India. So I expect these deepfake audios, they're going to be a bit more prevalent. But to answer your question is, no, it doesn't just apply to politicians and the famous, it applies to everybody, to the ordinary people as well. So you've got things like voice cloning, this is going to impact everything, right? Even from accessing your bank accounts, if you're using voice ID for authentication, right? So if you are, right, then you really need to change that immediately, right? I'm still surprised that my bank in the UK, they're actually promoting voice authentication, right? Every time when I ring them up to use telephone banking. So we really do need, right, we need technology which is able to spot these deepfakes and the authentication technology that we talked about on last week's show. But is this another example of what we were talking about last week in terms of why we need self-sovereign ID, a mechanism that can be applied globally, which the user controls, not businesses controlling it, not governments controlling, the user has ultimate control over the ID. But nevertheless, a universal mechanism so that whether you're Tom Hanks, whether you're the former leader of Sedan, whether you're Keir Starmer, or whether you're you and me talking to our bank, we can definitively prove who we are and other people can't pretend to be us. Yeah, absolutely. We need it. We need it. We need it right now, because let's say that we're hearing about all of these things, Tom Hanks was last week, this week, you had Keir Starmer, you know, it's just going to grow and grow and grow. And the quicker we can get on top of this, the better. Now, Ed, I want to bring you in here. Now, there's a lot of prejudice in the world, of course, especially when it comes to people having views about which countries are advanced, compared to those which are considered backwards. One reason I cited this particular example from Sedan is that cloning the voice of a former leader of Sedan challenges stereotypes about who uses advanced technology for which nefarious purposes, just as stereotypes have been challenged by sophistication of North Korean hackers stealing cryptocurrency, or the abuse of global titles belonging to Pacific Island telcos to monitor the movements of people all across the globe. With that in mind, is the threat of clones and deepfakes more severe in rich countries, more profitable to steal from rich people? Or is it the poorer countries, where there are fewer alternative and authoritative sources of truth, that will be most at risk because their inability to counter misinformation? Yes, it depends on how we measure the severity of threat, right? Because the example you gave in Sudan, right, was like a very high stakes political type of threat, right, where someone that influences the lives of a lot of people was targeted, you know, using technology. And quickly, I want to just make the point you're asking about the disparity, let's not make an assumption that because someone's from a country that you think is developing or emerging or third world or whatever disparaging term someone would want to apply to such a thing. You know, look, one of the things we've really tried to do in the communications industry for better or worse is put mobility everywhere, put connectivity and access everywhere, you know, and on the positive side, that's an economic enabler, right? And having access to the internet and those devices is an economic enabler for a lot of people. So, you know, the fact that that technology is in place, and then can be used, right, by criminals for nefarious reasons in any place shouldn't surprise anyone, right? So having a bias that says, Oh, this country is too backward to have technically sophisticated criminals like that's absurd. And we know that that's absurd, because it doesn't require an enormous amount of technical sophistication. It requires access to the right types of information and common tools, really, and things that are out there being available on the web. So I think all of those kinds of assumptions go away. I'm meandering a bit here. And I'm not sure I'm answering your question. I did want to get to your point about, like, just dispelling that one myth, you know, that there'd be a disparity. There's one thing I'll say to you, I recommend there's a great film. I like it a lot. I'll call it a great film. Other people can be critics, you know, film critics, but it's called Chappy. It's by a gentleman named Neil Blomkamp, who you've probably heard of. And it really deals with a lot of these issues really well. But point, but it deals very specifically with the idea that what happens when people who you think of as unsophisticated, get their hands on really sophisticated, in that case, AI technology and robotics technology, and what are they going to do with it? And they end up using it to do better with therapy, which is steel, you know, so like, it's kind of this one of those issues that's in the zeitgeist that I think it's like, really, blind to assume that because someone's from a, you know, a place that's socioeconomically deprived, that they may not have access to technology and knowledge. Well, I think it goes further than that, because, you know, the association is that technology is accessible if you have wealth. And there's an extent to which that's true. But the pervasiveness of networks, the pervasiveness of computing power, crime is committed by people, often because they feel economic need. Poverty is a factor that encourages crime. It isn't that expensive to go online. It isn't that expensive to have a computer. If you're clever, you're capable, and you have restricted chances to succeed in life, why wouldn't you commit crime through a computer, through a network, through a phone, if you've got limited other chances? We're seeing people do it in wealthy countries, and they're wealthy countries, but we're talking about teenage kids and the like. So you don't need an enormous amount of resources to get a foot on the ladder here. Why wouldn't you be doing this if you're doing it in a poor country too? And this is why you end up with the rationalization of the scam call centers in places like India, who are targeting people elsewhere in the world. And we're hearing more and more horrendous scams. In fact, Joseph was pointing out one of our, when he comes on later in the show, he might was pointing out about how loan apps are now raiding people's data from their phones. So somebody is short of money. They download an app to their phone because they want to borrow money quickly. The app raids the data from their phone. They've got now, the people who provided the loan now have access to knowledge about all your contacts. So if you don't pay your debts on time, you start getting humiliated. You start getting abused. All your friends, all your contacts presented and increasingly shocking stories about misinformation, nude photographs, faked nude photographs being shared by people. So the potential to make money over networks, it's grim. It's grim at times. Let's take a break. Let's have an ad break and come back and reconvene and talk about this. Let's talk about a feature from our sponsors, Symmetry Solutions and their Prism Fraud Intelligence team. Now, each week they share with us an interesting fact of the week. And this week, let's talk about Ukraine. Ukraine continues to be targeted by international telecoms fraudsters that exploit the war and the displacement of large numbers of people. To counter this, Symmetry Solutions continues to provide their fraud intelligence without charge to any telco seeking to minimize the abuse of calls made to Ukraine. Their most recent intelligence update identified 62,223 phone numbers that terminate in Ukraine and have been made available to fraudsters. That figure has been rising, demonstrating that fraudsters remain focused on profiting from the conflict. Contact Symmetry Solutions if you work for communicators and wish to obtain their intelligence about Ukrainian numbers used for fraud. The intelligence about Ukrainian numbers is offered by Symmetry Solutions without any obligation and will remain available to businesses, even if they're not customers of Symmetry for as long as the war continues. One way to reach out to them is via their website at SymmetrySolutions.co.uk. Okay, guys, back to the chat. It's often said that anyone can fall for a scam, but I don't agree. I don't think that's true. I actually think that assertion is deeply unhelpful. Research with phishing emails suggests that some people have a perfect record to identifying scam emails, whilst other people in the same company who've received the same awareness training will literally click on almost every dodgy link that's sent to them. So that's my prelude to talk about recent news that affects me personally. A few weeks ago, I warned that Commerce Risk is now having to compete with websites that engage in plagiarism by scraping other people's articles from the web, then using AI to reword them so they appear to be new and unique. Last week, I noticed I'd gained a new follower on LinkedIn, and the account was leaving quite a surprising number of comments on my posts. When I examined the comments left by this account in response to other people's posts, it became very apparent that these were comments generated by an AI-powered bot. And sadly, a lot of other people had been duped into believing they were real comments from a person, even engaging in a kind of conversation with this bot. So my question for both of you, and perhaps you want to go first, Ed. If a lot of people cannot tell the difference between words produced by a machine and words produced by a human being, and machines are left free to do whatever they like on the web and social media, does that mean it is now game over for human-to-human interaction via these channels? Because those machines will ultimately produce far more output than humans can. So if I think of some analogies here, I hate using snail mail because of all the junk mail that shows up in your inbox, right? And a lot of people, myself included, don't answer the phone anymore because of all the robocalling that goes on. So it seems to me that it stands to reason in that technological progression, that the same thing that you're describing can very well happen here. And part of me hopes it does, I hate to say, but just in the sense that, yeah, I mean, I think you get to the point where those channels could become noisy and irrelevant enough that they are going to have to take a really, really hard look at how they deal and how they have really, I think, inconsistently dealt with all these content issues and rules in the past. They're going to need to figure out ways to deal with not just filtering out that fake traffic, but all the other issues that are going to come out of it. And I'm not an expert on where all that's going to go, but I could see where that only is going to become a lot more complicated on all the social media channels, especially when you still have a lot of people feel like that's somehow a public trust that they're entitled to, which creates a lot of outrage. Right or wrong, it creates a lot of outrage. I think it's wrong, but it creates a ton of outrage, right? And so I think that, yeah, I think there is a risk that all those businesses face where they will more or less get denial of service attacked with the amount of blah, blah from bots so that it blots out anything meaningful that could possibly happen there. And they're supposed to be places where dialogue happens. So if you eliminate the dialogue part, it's only one way. I think they become substantially less valuable to people, right? If you don't have a voice that can be heard, what good is that anymore? You're just watching TV. Yeah, exactly. Lee, is there a way forward here? Is it just that networks are just going to get flooded with more and more and more, for want of a better word, more and more crap, more and more garbage, more and more machine generated nonsense that looks like a human being, but which has nothing to do with human beings? Is that inevitable or is there a way to turn the corner on this and reign it in? Well, I can actually tell the difference between a chat bot and a human, right? So, and I'll give you an example. So last week I contacted my service provider back in the UK. Now I wanted to exchange or give my son my data tariff because I don't use it anymore. Now, I started off, I was communicating, I could tell I was communicating with a chat bot through the mobile app. Now, at some point I knew this is kind of an unusual request. I'm going to get handed over to a human at some point, right? Now, do you know how I could tell when it switched? I do think so. Because the responses I got back, right, they were full of grammatical mistakes and it took an age, it took an age for them to, for me to get a reply, right? So bots are really, chat bots, I find quite easily detectable, unlike deep fake voice cloning. I think that is quite very hard to detect. So you're saying that we don't, well, I mean, so you can detect a chat bot, but isn't this, isn't this part of the problem? Isn't this part of the problem that we have, you know, businesses? I mean, you mentioned you didn't like the fact that your bank, people might use their voice to identify themselves to a bank. We've seen this happen again and again in so many generations of security failing. It started with the dot-com boom and, oh, well, we need an account. Okay, just set up an account with a password. Nothing can go wrong. We'll just have a password. Nothing can go wrong because it's your responsibility, user, your password. If anything went wrong, it's your fault. Nonsense, of course. Many, many companies allowed that password data to be stolen and therefore it wasn't the user's fault that the accounts were being compromised. The fault was with the companies who greedily grabbed as many users as they could online with the thinnest, weakest form of security they possibly can, because they didn't want to encumber the customer with a greater burden in order to get a service. And we do this over and over and over again. We rationalize. We don't want to encumber customers. Okay. And we want to save money. We want to have a better service. So we create chatbots when obviously the chatbots are going to be subverted by criminals. They're going to be turned and used against the companies before very long, because now the companies are going to receive thousands, if not millions of phony requests that come from users who aren't really users. They're just another version of technology that the company developed because they were trying to save money and be more efficient. We keep shooting ourselves in the foot. So what's the solution? Are we doomed? Is it that grim? Is the human race doomed to never, ever learn from past mistakes? Or can we find a different way forward? Well, what's really spooky, right, is this week actually Snapchat, they actually got into a bit of trouble with the ICO in the UK for a potential breach of data protection laws. They've actually been capturing location data for teenagers. Now, this is a bit spooky. This is the bit which freaks me out a little bit. Now, they've actually created this. It's a built-in chat buddy, is what they call it. And it's called My AI. And it's supposed to be there as your friendly buddy for these teenagers to ask questions. And who's the best football? It becomes an online friend. But this is the real strange thing about My AI. And that's actually Snapchat. They actually warn the users that it may answer incorrectly and provide biased answers, right? It's a not to rely on its advice. And this is all in the small print, right? So it just begs belief, right? Just what the heck are we allowing our kids to be exposed to? I mean, yeah, kids, the general public professionals too. You reminded me now that I read an article earlier this week, because I monitor news about Stirshaken, of course, viewers, regular viewers will know my thoughts upon Stirshaken. And I've spoken to people like Jim McEachin of ATIS in the past about the myths surrounding Stirshaken. And I've said that the telecoms industry has been guilty of promoting those myths. Because if you create a positive myth, you can so quietly say in private circles, industry circles, well, we never said that was true. We never said we could do that. But you're quite happy for the general public to believe this stuff, that this technology is going to deliver these amazing results, because it doesn't harm you in your business case when you're selling it. So I read a remarkable article this week. And again, talk about AI produced articles. And it was exactly the product that you would expect to get if AI took the mythology that it could take from around the web and turned it into the most ridiculous falsehood propaganda piece you could ever have. And yet, it's ostensibly an article about how technology works and how it makes the world a better place. So it's a technology works and how it makes the world a better place. So we're producing the raw material for misinformation, naturally. And now all we've done is we've supercharged it with things like AI that can super hoover up all that information and produce, on one hand, a fantasy and misinformation, something that should have a warning sticker attached. But on the other hand, it just accelerates the problem of not being able to distinguish between fact and fiction anymore. Drawing the line that we ourselves quite often are very bad at being straightforward and honest with our customers. And if we're not straightforward and honest about the accuracy of our statements that we communicate to the world, what will this say about being gatekeepers that are going to stop anybody else providing misinformation? Yeah. So just one other thing about Snapchat's MyAI. Now, it's free to everybody in the UK. They have about 21 million users in the UK. And it's pinned right at the top of your board. And if you want to remove it, you can only remove it if you subscribe and you actually take out a subscription. Let's take an ad break because this ad break that comes up is the most positive, happy part of the show. And I think we need a couple of happy minutes now to interject into the clue. It's time for another sponsored feature from our friends at OneRoot, the experts in call authentication, fraud prevention, and geolocation. Every Wednesday, they take us on a journey via the phones in our pockets, reminding us what everyone has in common and what makes different peoples unique. Here's Jeffrey Ross of OneRoot. And this week, the destinations is the Philippines. Roll VT. Hey, everyone. From OneRoot, I'm Jeffrey Ross, and this is The World in Your Phone. Let's talk about the Philippines. The Philippines is a popular tourist destination for backpackers and travelers due to its pristine beaches, crystal clear waters, and teeming marine life. Whether you want to snorkel with whale sharks, sip coconuts on the beach, or try your hand at some adventurous activities, this country has it all. Now, the Philippines is viewed as a promising market in the telecom industry. The main drivers include an ever-increasing population and smartphone services for remote work and streaming purposes. The Philippines continue to strategize on making products and services more affordable while expanding its network. In fact, in 2022, financing was secured by Tiger Infrastructure Partners to build 380 new towers in the southern Philippines. The funded initiative will allow for common tower sharing, meaning multiple mobile network operators can lease the exact same location. Be sure to read our blog about this at onerootgroup.com to learn more. I found it interesting that the Philippines is the second largest archipelago in the world with over 7,000 islands and 2,000 of them inhabited. There are over 100 languages spoken in the Philippines. It's home to the world's longest underground river, and it's home to Asia's first basketball league. The Philippines also supply more nurses globally than anywhere else, and for our beer connoisseurs out there, the ever-popular San Miguel beer, that some assume is a Spanish beer, is actually from the Philippines. Be sure to tune in and subscribe to our YouTube channel where you can watch the One Route Roundup, a show that spotlights individuals and companies making a positive difference in the telecom industry. One more fun fact that I found out about the Philippines, you can actually have and find banana flavored ketchup in the Philippines. Now, on that note, Eric, back to you and some more of this great communications risk show. Cheers. Thanks, Jeffrey. I will remember the banana ketchup when I traveled around the Philippines, and I wonder how many viewers will remember that San Miguel used to be a major player in the telecoms market before selling its telecoms assets in 2016. I was looking forward to return to the Philippines when we're planning a RAC conference to be held in Manila, but that was sadly scheduled for the year when everything was cancelled because of the COVID pandemic. Let's hope there'll be another opportunity to return to the Philippines in future. But now, we switch our focus from Asia to Africa and the disruption caused by anonymous Sudan. Joining us to talk about that are Joseph Nterotu, a risk, fraud, and revenue assurance consultant who originates from Kenya, who started his career at Safaricom and has since worked with telcos from all around sub-Saharan Africa. Today, he joins us from South Africa. Nixon Wampamba comes to us from Nigeria, where he is the General Manager for Business Assurance and Fraud Management at MTN Nigeria. Nixon is somebody who has worked for an even wider range of telcos across Africa, Europe, and the Americas. So welcome, both of you. Great to have you back on the show today. So much to talk about, and I wanted to bring you both on because Anonymous Sudan, they're a hacker collective, launched their first attack this year, so not a long track record, in January, shortly after opening a channel on Telegram. They say they're motivated by religion. They say they choose targets because of the anti-Muslim behavior of other countries. However, many cyber security experts believe they're actually an aspect of Russia's cyber war on the West because their targets tend to match the targets selected by pro-Russian hacker groups as well, and they never seem to be involved with countries that support the invasion of Ukraine. But let's not speculate about the motives. I'm very keen to have your points of view on the impact that Anonymous Sudan has had and what it says about the threat to networks that we face, not just from Anonymous Sudan, but in general going forward. So Joseph, you're an expert on mobile money. It was widely reported that Anonymous Sudan interfered with the use of mobile money. Thank you, Eric, and thank you for having me on the show. So you know, to answer the question, really, there was an attack and two anonymous Sudan did claim responsibility for the attack, for the distributed denial-of-service attack. It affected mobile money services in Kenya and lasted a couple of hours. In terms of whether the claims were exaggerated, I think we would just look at the user feedback, what people are saying in the social media, and really many users were complaining that they are not able to use mobile money services, especially in making payments. It affected several interfaces. One of the key ones was really the e-Citizen platform, which is used by the government to provide services in terms of applying for your driving license, applying for passport renewals, paying your land rates. That was just one of them. It also affected things like paying for your railway service tickets. It affected the purchase of electricity tokens, so Kenyan power was also affected. A couple of banks' interfaces were also affected. I saw ABSA customers complaining, I also saw NCBA customers complaining. In terms of the attack, it really did happen, and the users, just looking at what people are saying on the social media, you could see they were affected. It did take some time for the government to issue a statement, but in a matter of two days later, there was a statement from the Ministry of ICT confirming that the attack actually happened, although the minister was saying that it was an attempt. As you know, if really the users could not access the services, as far as I'm concerned, I think I would consider it a successful attempt. That's what it looks like. It did happen, and the responsibility was claimed by Anonymous Sudan. That's troubling, and that's such a broad range of impacts there, hopefully not over a very long period of time, but nevertheless troubling that there was such a broad range of impacts. Similar question for you, to bring you into conversation. It was reported that MTN was attacked in order to threaten the Nigerian government not to intervene in the overthrow of the government in neighboring Niger. Was MTN attacked by Anonymous Sudan, and how much harm did they cause? Thank you, Eric. Yes. So yes, I mean, literally, there was a lot of networks which were attacked, as well as similar to what Joseph mentioned, other businesses also was attacked, as well as even government infrastructure was attacked. So the idea was obviously trying to attack infrastructure that was Nigerian in a basis. I don't know if we were the only specific operator in Nigeria who were attacked, but yes, we definitely had a huge DDoS attack, yeah. Did it have a negative impact at all? Can I ask you that question? Yes, you can ask me that question. We had an impact, obviously, on some of the customer facing interfaces, you know, things like our website, things like the mobile money platforms. But again, I mean, luckily, we're a large organization, not just based in Nigeria, we're based throughout Africa. We were able to really overcome the DDoS itself. I guess there is no cure for DDoS unless you have infinite capacity, which obviously doesn't exist. But our systems and because of the kind of work that we deal with and in the environment we're in, we're quite prepared for a lot of security issues. So our IT security have recently been beefed up, not just recently, but a couple of years. We've been really looking at that as an area where we know it could be a problem, especially when you are running mobile money platforms, you try to be really, really try to be more secure than a normal business, I guess. So the question for both of you, maybe you can start with this one, Nixon. Was the perception that the attack was especially sophisticated, or is the belief that attacks like this could come from many different parties around the world because it isn't that sophisticated an attack? It was a sophisticated DDoS attack. In general, what I would say is that I think we have to be very careful. And also, it is not clear if it was Anonymous Sudan who was doing this. From my own research, which I looked at, if you look at some of the public forums that host Anonymous Sudan, their aim is very different, how they word their wording, a lot of the stuff they use is in Arabic. Whereas when you look at the Telegram page that they were posting their messages on, it was very specific and very targeted, there was no Arabic, it was all in English. So again, was it them? Was it somebody else imitating them? We talked about imitation before. Was it somebody else pretending to be them and using their name for this? I don't know. We don't know. Yeah. But yes, the attack was as sophisticated as any other DDoS attack that has happened in Europe or against companies like Google or any of them. Yeah. And is that the perception too in Kenya, Joseph, about the attacks that they've been suffering there? Yeah, there was, to Nixon's point, there was an element of quite a bit of obfuscation. So in the Kenya case, for example, it came just after the president of Kenya had got into a war of words with the generals who took over power in Sudan. And so just a couple of days later, then we had this attack. But it then looked like somebody was chancing on that to create an impression that, in fact, Anonymous Sudan is based in Sudan or acts in the interest of Sudan. I think, though, in terms of what finally then happens to the customers and to the networks and the general public, it may not really matter so much where does the threat come from, except you can actually see that it went through. It happened. And I think also Ed raised a point where even though a country may be not very socio-economically powerful, sometimes access to technologies that can be perpetrated to perform those attacks is easy. And in the case of Kenya, for example, we have had quite a long time where there's a town actually in the Rift Valley province where we know that those attacks are normally those types of attacks are normally perpetrated from a lot of SIM swaps, a lot of social engineering is done from there. A lot of, you know, cloning of digital banking account is also carried out from there. And so what I was I've also been having discussions with RAFN people in Kenya and asking them, are you are we able to identify and say for sure it was Anonymous Sudan? We may not be able to, but in the final analysis, I think the effect on our customers is there. The effect on our platforms is there. And it also then raises the questions, are we also putting in, for example, the efforts at beefing up IT security as Nixon has mentioned that in Nigeria. And sometimes you don't get the clarity that all operators are doing that. And that that's a worrying point. And there's also the element of what then does government do to coordinate those things? Because an attack on mobile money right now is really attacking the financial system and therefore should be a national incident. I think you make so many excellent points. I want to bring in Lee and Ed as well as the next question I want to ask, because we're kind of slipping into a certain pattern that these conversations always slip into, which is we're not entirely clear on who's behind the attack. We are starting to talk about defending ourselves from the attack, protecting ourselves, security, creating a safe perimeter, if you like, for our networks. Is there not a danger here that if we don't stay focused on the motivation for an attack, if you don't stay focused on the motivation, what the attackers are hoping to accomplish, then you lose the ability to go out and to deal with the attackers, whether that be compromise, if you were that way inclined, or putting them into a back of a van and sticking them in a prison. Because in the end, there's got to be a reason, unless we really think that these people are just nihilists. They're just destroying for the sake of destroying. So therefore there's no goal. But clearly some of the attacks are not just nihilism. I don't know, Joseph, if we can stay focused, particularly when we think about what's been happening in Sudan, when we think about, I don't know if you're listening, we were talking earlier about the voice cloning of the former leader of Sudan. Is it just nihilism? Is it just creating confusion and making it uncertain what's going on? Or could we, if we were staying focused, start to identify the motives and then maybe go about tackling this problem in a different way, rather than there was just security and defences? I think it's a question of whether this method to the madness and whether we are putting in the relevant analysis and looking at the geopolitics feature of the whole attack and saying, what could be happening here? And I think, especially in the case of Kenya, I certainly did not see that level of coordination between government and all the organisations that were attacked. I did look through the site that is managed by the communications authority. We do have a national cyber incident response commission or team. And this whole thing did not even feature there in terms of the minister who, for example, be in charge of the policy and coordination of the various government organs and engaging with the public or rather engaging the private sector. That was also sorely missing. So I think there's a sense in which you feel that there's a reactive, we are quite reactive to this type of thing. And the conversations that need to happen between the various state actors and the private corporations are not happening. And as a result, it's like we're waiting for the next thing to happen. I think that that whole conversation is not being had at the right levels. And it's not any surprise. I think it is going to happen again. We can almost forecast that it's going to happen again. But to your point, I think you're right. If we don't identify what are the motivations, then it's difficult to pin who are the actors and then what's the correct method to address that. Does it require government? Does it require the private sectors? Otherwise, then everyone is stuck on a best effort mechanism. Ed, let's bring you in here. Do you get concerned, Ed, about we're looking in the right places? So should we be looking around the Rift Valley that Joseph was just talking about there to see who's doing it, why they're doing it? Or is that pointless to try to look around and scout around for motives? Well, the thing I wonder, just thinking about this from a sociological or even from a storytelling perspective, is we're very focused on what the crooks are doing. And Joseph, you mentioned a certain group of thieves, let's say, that are doing certain scams and SIM swaps. And they happen to be in this area in the Rift Valley. And what that suggests to me is that they have access. And you were talking about this before. They have access to technology. They must have access to connectivity, which means that that's in the area. I can't imagine that they're an isolated group. There have to be other businesses, other groups. And the point of having put that technology in there in the first place is to spur economic activity. And from that is what you're going to have grow. Unfortunately, our criminals that use the technology that way. But what I wonder is, aren't there other businesses that are using this technology in positive ways? That it's also important to remember, we're protecting those businesses from thieves like this. Those are the ones that are being attacked by thieves and having their identity stolen or SIM swapped or accounts taken over and that sort of thing. Is that a fair perspective? Yeah, I think it is. So in terms of the use of technology and access to the technology, whatever technology you access, you probably could make a case that there are positive use cases and there are negative use cases. For example, a pocket sniffer, you know, a pocket sniffer can be used for good purposes. You know, you want to know what's happening on your network because you want to protect certain elements on your network. But likewise, it could also be used for nefarious purposes. What has, however, been happening is, and I've seen this not just in Kenya, but also in Tanzania and also Mozambique where I previously worked, operators are able to pinpoint some of these things happening. And they are able also to raise cases to the police for investigation. And there have also been convictions of people who were identified and arrested because of engaging in such activities. However, to the point that Eric was raising, which is just, you know, beyond that, beyond identifying the one individual here and the group of individuals there and having the police take action on them, are we looking at who are the attackers, where are they obtaining this technology? Could they also be used by bigger groups who are able to target bigger targets within the country or within the region? And I think that is still sorely lacking. So I think it comes back to that point I was making that we're still addressing this case by case, incident by incident. And that's just not adequate. Eric, it seems to me that there's, if I may, there's three things. So just quickly to kind of wrap up in this, there's three things that seem to come up as we talk about this that are, you know, you think of bookends as two things, I'm thinking of a triangle of bookends here. So, all right, so one of them is policy, obviously, right, just what is the basis of the policy. Another, I think, are the socioeconomic impacts that you're talking about, where like the less desperation you have, the less you're going to have people driven to crime, right, there's that aspect. But, and again, I'm echoing Tom Walker here again, forgive me, but it's, I have been sold on the idea that enforcement has to be done. So the aspect of, you know, can you go single out one person, I don't know how to answer that question. But there has to be, I think, consistent enforcement that people that commit these crimes do end up in prison, or they just keep going, right. And those three things together, we're not consistently seeing pretty much anywhere, I feel like. So, sorry, I'll carry on. But I do, I do think that those are the three key pieces there. It's a conversation, Sean, I just want to make sure Lee gets a little bit into the conversation too. So, Lee, we were talking a while back about Myanmar on one of the shows, and you were, you were, you were reflecting on the fact that, that, you know, that's, you know, there are places in Myanmar where it's susceptible to setting up criminal enterprises. Do you get the impression that this is a recurring pattern around the world, that there are certain places in the world where it becomes hotbeds for criminal activity? Because as long as you've got access to a network, and you don't have the authorities trying to stop you in any way, you're just going to draw the people down and make it into a successful criminal enterprise. Oh, for sure, for sure, Eric, for sure. So, I mean, just to go back to some of the things you were saying earlier, attribution, okay, is really difficult when it comes to cybersecurity. Okay, on the internet, you're anonymous, nobody knows who you are, nobody knows where you are. So attribution is really difficult. But what I will say is, you know, distributed denial of service is pretty low tech, right? It's not sophisticated. You can download ZMap off GitHub, right? ZMap actually maps the network, the entire internet sends out packets, and then comes back and it maps the internet. If you did that on a, on a local area network, it would just grind it to a halt for hours, right? So what they tend to do is they'll download ZMap, you spoof that return address to a particular IP in Niger, just fire that off, and you will bring it to a complete standstill. Now, it is very low tech, I would say my eight year old kid could do that, right, with a bit of coaching. It really isn't sophisticated, but the damage what it can cause is just, it's just, it's unspeakable really what they can do. But are we looking at attribution in the wrong way here? To come back to the point I was making earlier about motivation. If somebody's telling you, for example, somebody is attacking Nixon's network, and the message is don't get involved in this coup in Niger, what you don't need to know specifically who's attacking Nixon's network to know it's being motivated by the people who want a coup in Niger. Now, okay, maybe that's a more complicated example, because who wants to have a coup in Niger? But clearly the people who had the coup in Niger want a coup in Niger. So at a governmental level, at a national level, you can start talking and thinking about boycotts, sanctions, penalties for countries that don't abide by the rules, for countries that generate and are source and are responsible. And yes, of course, anyone can go, oh, we didn't know, we weren't aware, they were freelance hackers. But I'll tell you what, if there was a lot more sanctions, a lot more penalties, they'd get a lot better very quickly at working out who within the country is responsible for what, and only using these methods, these techniques, when it is sanctioned by people in power. So we'd have a better way of ganging up against forces. Isn't that really the point, Lee, that we're tending to treat this like a police matter of how do you get a specific individual into a court and give them a trial, and then go through that process, and then you hand out the justice, justice system hands out a sentence and the rest of it, when we should be saying some countries are behaving well, some countries are behaving badly, some network operators are responsible, some are lapse, are loose, and don't take their responsibilities seriously. And we should be focusing on the bigger targets rather than trying to find an individual and levying sanctions, imposing trade barriers, using those levers instead, Lee. The problem is it comes back to, again, attribution. Now, anybody using, say, proxy chains or Tor, maybe in both in combination, you are just completely invisible to anybody. They cannot track you, or it's very difficult to track where you are. It's not impossible, but it's very difficult to do. What you could do is, if you wanted to do, you could make an attack appear to come from a particular country, when it actually doesn't. It could be done on the other side of the world. And we see that quite a bit, where it appears to come from, you know, the US, for example. We see a lot of targets or attacks coming in from the US, but we know it's not coming from the US. It's coming from somewhere else, but they're just bouncing off servers in the US. It's very difficult. Nixon, let's move the conversation forward here. Now, obviously, you deal with fraud, you're concerned about protecting the business, but you also deal with revenue assurance, too, in your role in MTN Nigeria. How much do and how much should, if the answer is different, how much do and should modern telcos look at the loss of revenues that occurs during an outage, and use that to motivate expenditure on steps to improve security and resilience of networks? Well, they should really look at anything that affects your bottom line. You should be using that to help you, obviously, motivate and get the right buy-in by management, as well as the rest of your teams, to protect the business. Now, if you look at outages, which are caused by, let's say, cyber attacks, it is similar to an outage that happens because, you know, you've got a cable cut, somebody cut, you know, a whole set of cables that were linking your cell sites and, obviously, lead to leakage. So, again, this is an area where you will look at everything as a risk and understand how that risk will affect the business. So, it is very critical for that, yes. That was a bit of a soft answer, Nixon. I'm not going to let you give me that answer, because you've been... I've picked you up twice now about how you've been all over the world. Not everybody's doing as good a job, are they, as each other. How good is the job, in your experience, of linking outages, whether it's a hacker, a denial-of-service attack, or, as you say, a mistake, or, you know, somebody, some troll is dragging their anchor along the seabed and they cut a certain cable. How much is the cost of the outage, the risk of the outage, the revenue loss of the outage, being linked to motivating the investment to stop the outages occurring? Is it being done consistently well? Is it consistently poorly? Does it vary from telco to telco? It does vary from telco to telco. It also varies from what region you are, because, again, your environment, you know, also has an input. And if you look at, in our specific cases, you know, things like fiber cuts and things that affect our customers are very, very critical to us. Whereas, in other jurisdictions, there are probably things that do not occur on a regular basis. So, again, it depends on how, you know, what is the likelihood of something happening, and what is the impact it's going to be on your business. So, yes, some people do that poorly. Yeah, but I think any business that is really trying to survive in this era should be doing it very well, because it's very important. It's very easy to really move from a number one, to a number two, or number three, because you've had a huge incident that, you know, affects your bottom line. Well, okay, I've got a better answer eventually. I'm going to turn the same question to you now, Joseph. Again, your experience, are there clear leaders in terms of companies that do a good job of integrating, connecting the revenue assurance aspects of an outage to say, the security aspects, the business continuity aspects, or is generally sometimes there's some dissatisfaction, these things are not being connected as well as they should be? Yeah, I think Nixon is quite right. It varies from country to country, operator to operator, and I'll give two cases, without disclosing which company, of course. There was a risk management committee set up in a company that I used to work in, and revenue assurance and fraud management would be represented, I would represent the team in that. And we would just have one page or one slide, and it used to have things like revenue loss, revenue loss prevented, opportunity loss, fraud loss, and revenue recovery, those basic metrics. And I remember in the case of one company, the MD would always attend the risk management committee without fail. If he was not available, it would have to be moved. And he would spend quite a good amount of time looking at those numbers and asking, what led to this? And how can I support you in getting this fixed? That's one company. In the other company that I worked, we also had something, risk management committee, or I think it was called something different. And the managing director would not even attend the risk management committee, would mostly delegate it. And sometimes would go for three, six months without having a session. So I think it depends, again, I know we like the term, the tone at the top, and I know it's probably overused, but I think it depends exactly on the top management, how serious do they take this thing? And if they don't take it serious, you could have your revenue assurance and fraud management guy doing excellent quantification and nobody looking at it. So I think to Nixon's point, yeah, it does vary. I think of course we would wish to have the MD support, like what I described in the first case, but the fact of the matter is that we don't always have that kind of support. Yeah. And one of the big driver is obviously to have a big incident, right? It's a big driver. I mean, it literally, and any revenue assurance person who's on this line and is listening, if you have a big incident, you need to milk that incident as much as you can to get as much support. Yeah. Because if you don't do that, you're at a loss, right? Ed, did you want to jump in here? Yeah. Just in that reminder, we were talking last week about some of the attacks that we've seen. And one of the things that came up was that there were folks that went into ethical hacking in theory with, here you go again, good intentions, but in theory, trying to do the right thing or to have a legitimate business, let's say. And were spurned and came out and said, oh, folks just didn't take this seriously enough. And so to make money, we turned to ransomware. And that alone, I think speaks to what Joseph's talking about, about the apathy towards this set of issues or perspective of like, gosh, I have this pile of security boxes. I spend all this money on, what is this for? And we're finding out, obviously, every single day, how bad a perspective that actually has been and how irresponsible it actually is. And so I just wanted to back that up because I think, Joseph, beyond your personal experience, this is being seen across industries. And again, and again, and again, every time I read one of these stories. One other thing I wanted to mention that was in the news, responding to something Lee said earlier, there's a tendency to think of things like denial of service attacks and maybe even other brute force attacks as being not very sophisticated or not very dangerous for that reason. And that's obviously not true at all. And I saw a good article that was in Dark Reading by Tara Seals this morning that was talking about security researchers identifying and speaking of a new wave of DDoS attacks that are happening at unprecedented levels of volume that folks should be very aware of. And I definitely recommend reading more about that. And so, again, it's easy to think of this thing as, oh, it's not sophisticated, very popular, very highly used, and now apparently being used at levels never seen before. So like Lee was saying, please take that very seriously. It doesn't surprise me, though. It doesn't surprise me, though, because the huge problem with denial of service attacks is that every successful attack is a signal to every other attacker that they can succeed by doing the same thing. Or am I wrong? Am I wrong? Does anybody dispute my point of view there? I mean, to take your point, Nixon, about jumping on the bandwagon when the attack takes place, when the outage occurs, are we actually getting better because then when something happens, there is a response, there is an improvement in response? Or are we always falling into the trap of too little, too late, wait until something happens, then we kind of respond, but we still remain vulnerable afterwards? Yeah, we're not really very good at detecting something where it is human based. Yeah. And I think what that That is a fundamental problem. Maybe AI will come in and help us, but it's always difficult to detect something where somebody is really trying to avoid being detected. And again, as we talked about this DDoS, you have bots all over the world, servers being infected by these bots and sending out this traffic. Now maybe there needs to be some rules or games of play here where we try to ensure that every single server out in the world is upgraded and has the right security to prevent this kind of thing happening. Because again, when you look at the DDoS, it's not happening from one specific server. It's happening from a lot of bot armies, which have been installed all over the place. So it is difficult to predict what is going to happen. And probably we also don't convey that message very well to management to understand that look, I can have as many controls as I have, but look, these guys will find a way around that. And in some cases, that way around is a human, because humans are fallible. And the end result, I think Ed and also Lee touched on that, so DDoS is not complicated, but the effect is felt, it achieves what it set out to do. And I was just reminded this, so after the attack in Kenya, I was talking to someone and saying, of course, this is very sad, it affected a lot of people. And the person told me, there are two types of effects when the M-Pesa services are down. There are people like us who, because you have an income, you don't make your income because of M-Pesa. You only use the service, you pay your bills every now and then, you pay your ticket, you basically just, you're affected, but you're not so much affected, if I could say that. But there are people now using mobile financial services as their means of earning a livelihood. And he gave me an example, he's actually doing a master's degree studying the effect of mobile money on the slum dwellers, on people living in informal settlements. And he says there are some who actually, every morning they do a borrowing, they take a loan on M-Pesa, and that loan is the one they use as working capital for that day. They go to the market, the central market, they buy a bunch of bananas, and they sell them in the traffic jam. If they sell the bananas, their kids will eat in the evening. If they don't sell the bananas, the kids will not eat in the evening. So he was just drawing that line, that there's the effect of, a DDoS attack for me just means that I can pay my electricity bill tomorrow. For that guy, a DDoS attack means that the one meal that that family has for that day will not happen. Fantastic point. I'm just going to read out a couple of questions from the audience here. One of those exactly links to what you've just been saying, Joseph. So a question that came in, anonymous viewer asked a question specifically for you, Joseph. Is it your opinion that the impact of the anonymous Sudan attack in Kenya is amplified because Kenyans have become so used to depending upon M-Pesa in their daily life? But before you get a chance to answer that, I'll also read out a question for you, Nixon, as well. George Woodworth asks, there is currently an incident that they're investigating, or he comments, there's currently an incident they're investigating, and it's affected a lot of change and attention from key stakeholders. So George is saying you're correct there, Nixon, that in fact, big incidents can motivate change. So they're saying that you're consistent there. Again, Nixon, just to emphasize there, how big does an incident need to be, though, in order to motivate change? Does it need to be the point where the companies like the shareholders are going to start screaming if something goes wrong? Or can we start taking smaller incidents seriously as well? Well, it's all to do with materiality, I guess, right? Yeah. And of course, similar to yourself as a person, right? If you have a health scare, if you have a very small health scare, you're probably not going to change your lifestyle. But if you have a drastic health scare where the doctor tells you, look, if you don't change your ways, you're not going to live till next week, then you do change your ways. So it's relative, right? It's relative. Again, some companies will take even small things which you can see that could have become a big problem. And again, it's up to us as practitioners of revenue assurance to exploit, to explain that to management, to show them that, look, even though this incident was actually quite small because we caught it quickly, it could have become something larger. But again, you might have places where maybe they don't have the resources to do that. And it has to be something very large for them to then be able to portray that message. But again, the message is the same. Any incident that happens, use that incident to get buy-in with management because you have something tangible that you can use. And Joseph, the question for you, just to reiterate, asking about is the impact of the attack being magnified because people are now so dependent because M-PES has been successful in Kenya? Yeah, and the short answer is yes. And just to give an illustration, I don't worry if I forget my wallet in the house as long as I have my phone because anything I can do using my phone. If I forget my wallet, that's not a problem. If my phone runs out of charge, that might be a problem. So that's really the fact that your payments, your school fees, your transport, your railways, your power is all based on that. And that affects pretty much everybody from the top class to the lower class. And that's why we've got to get it right. Lee, did you want to jump in? Yeah, just to reiterate what Ed was saying there is, it doesn't surprise me at all that these attacks, DDoS attacks are increasing just because it's so easy to do that anybody could do it. But this kind of links back to, we're talking about the attribution, who would do a DDoS attack? Well, first of all, like I was saying, it's not sophisticated, right? So it's very unlikely to be a nation state actor. Nation state actors would get into a telcos network and for them, they want to remain hidden. They want to remain quiet and they just pass around the network. They do do DDoS attacks, but that is like the nuclear option. It's more likely somebody doing this DDoS attack is probably low level criminal, not really used to high sophisticated attacks of a nation state standard. And Ed, did you want to comment or ask about the nature of these attacks? Yeah, well, one thing that we talked about a lot, amongst the hosts of the show is that we have the tech stack growing complexity, a lot of it changing and being replaced with new things that are unproven, right? We've had a few conversations about that. And so one of the things Nixon, you were talking about earlier, just spurred this, and then we're talking about this specific denial of service attack that I was referring to is on just one protocol. I'm not an expert on this at all, but it's like an HTTP2 protocol that it's something like 60% of websites use. And for basically pre-reading, like instantly pre-reading the content that a browser uses to instantly pre-read the content of a website. And so what they do is they just jam, obviously a ton of these requests and then cancel requests in to break it down. And the point though, is that it's just this one simple protocol amongst many, many, many in the tech stack, right? Which can be attacked and affect a huge number of systems that are out there. 60% of websites use this protocol and can be affected by this. And so my question to you is that as you're sitting there and stepping back and looking at the enterprise and you're seeing this whole tech stack that you have some responsibility over, right? Or there's risks that come out of it that you're responsible for and it keeps changing, right? How do you start to wrap your mind around that as a professional and look at the fact that all of these new vulnerabilities are being exposed probably at a faster rate than they ever have. And it's kind of your job to keep track of it at the very least and know where the problems are. Yeah. Well, it's not really my job, right? We have a chief of IT security who looks after that. But you're right, it is a significant problem. And again, you obviously need to understand what vulnerabilities do you have and make sure that those vulnerabilities are all plugged up. But again, it's not just us. Again, like Budidios is probably coming from lots of other servers, which have probably never been upgraded from other people. So it is very scary. And again, it is not just... And I think when Eric mentioned the fact that, for example, in Kenya, everyone is reliant on their phone. But if I look at when I'm in the UK, I'm reliant very heavily on my phone. I even use my phone to access my car. And we all use our cards to buy things in the shops. So even a DDoS attack in the UK could be a significant problem if you're attacking the banks. And again, Kenya is a good example where they've really, really moved over to M-Pesa. But when we look at this in general, it is really, really very difficult to try and encompass and understand the gravity of the situation that we are all in and trying to get all the teams aligned to make sure that the IT security teams are always abreast in what needs to be done. In some cases, some of the operators, obviously, are using third parties as well to try and support them to ensure that their systems are secure. I don't know if I answered your question. I think you're crazy, man. I think you're crazy. What are you doing? Why don't you just use your car keys? What do you need to have? What do you think? What we're talking about becoming less, you know, protecting ourselves here. But when Joseph was talking about, you know, going out and not taking his wallet, when I'm in the UK, I don't touch my wallet. I can't remember the last time I've held cash in the UK. I literally have my phone and I use my Apple Watch if I'm going on the tube or those kind of things. So it's really internet-based life, right? I hear you. I mean, I wish that... You're right for a DDoS attack. So I think Vincent is right for a DDoS attack, eh? Yeah. Yeah. I mean, let's not encourage them. You know, let's not encourage the hackers. I try to always hide my, you know, on your phone or whatever, you can hide your true IP address, especially on your iPhones and Apple devices. So I always do that. But I think that the other maybe angle that we, I know we are talking a lot about the mobile money and all that. But the thing we also need to remember is that, you know, these core mobile money systems are then integrated to a lot of other systems through open APIs and things like that. And therefore, it's becoming a problem for even just our own IT security teams within the companies. You could secure the core system, but it's only as strong as the weakest API link you have outside there. And this happened in Uganda, for example, when the system integrator integrating into mobile money there was compromised. So I think it's going to take more. It's really looking at the whole landscape and saying, okay, fine, the chief IT security officer is looking into these core vulnerabilities. But what is he then doing to evangelize and make sure that the systems and the integrations into that core system are actually safe? And I think that it means the challenge keeps with every new integration you get in, you have a new vulnerability front. Absolutely. And I think it's also very important to not get narrow here in our risk thinking. This is a risk for this person. This is a risk for that person. I think it's very important that the finance side of the business retains a good handle on this because there's increasingly been a tendency, I think, for the finance side of communications providers to say, well, we look at these revenues from these customers. We look at these projections. Do we understand these costs? They should be looking at the return on investment for things which may not be huge mega projects, but which are being done because they're slipping underneath the threshold for anyone's visibility. And whether it be the IT director, the network director, whatever, it's not high on their priority too, but it is leading to outages. It is leading to customer dissatisfaction. It's costing the company in the end. Why are we not spending our money? We talk about it being tough times. We're seeing a lot of job cuts because companies are saying we need to cut the number of staff in order to stay profitable. We're seeing European telcos crying day and night going, oh, boo hoo, we're not making enough money to invest in 5G. So please, American internet tech firms, give us a big subsidy. And yet we're leaving money on the table day in and day out because we have this kind of attitude of it's small stuff. We don't need to worry about it. It's little things, investments that should be made. And perhaps we need people with a financial bent as well as a technological bent driving forward and always asking the question, why are we not improving? Why did we take that outage? I mean, George Woodworth makes a good point here in response to you, Nixon. He says he finds the links between the smaller incidents and the major ones. It's up to people like us to... Ed, are you wanting to jump in here? Am I stopping you jumping in? But honestly, this is like a true story. You should go on. It's your show, Eric. Please. I want to rant here now. I want to rant here now, because if anybody's watching in the UK who shops at Tesco's, okay, I'm super angry at Tesco's right now, right? Okay? And it's totally relevant to this show. Yesterday, I drove my car to Tesco's because I'm very low on petrol and I wanted to fill up, and I usually fill up at the local Tesco's, okay? But I thought I'd pop into the supermarket to buy just a tiny number of items. I bought, just picked four items off the shelf, and I went to go pay for them. I couldn't pay for them. Why can't I pay for them? Because their tills were not connecting to the network at that point in time. So you, oh, that card didn't go through, sir. Would you like to try another card? Oh, that card didn't go through, sir. Hey, it's not the cards. It's you. It's your network's not connected, okay? Oh, well, maybe we hold on to your things and you can go outside to the cash machine and take cash out. So the cash machine's connected to a network, and when I go to the petrol pump, that's connected to a network and I can make payment, but you've just thrown away sales. I would have bought those four items. It's like, okay, I take out the shopping bag. I'm out of here. I'm wasting too much time. There's this real-life impact on business, and yet we're just ignoring that these things add up over time. So this leads me very nicely, I think, apologies to my final question because we're running out of time, but Joseph, you're in the Republic of South Africa, so we've talked a lot about Kenya and the impact of anonymous Sudan on Kenya, but you spent the last few months in South Africa, and of course, one of the big stories coming out of South Africa is the rolling power outages and the terrible impact that has upon a lot of people in South Africa, small business people, affecting people's lives. People can't keep their refrigerators running and so on and so forth. The impact is bad. South Africans have tried to adapt. If the outages that you're seeing for power in South Africa were replicated with the same frequency in terms of mobile money being unavailable in Kenya, would Kenyans be able to adapt, or is it now too hard to go back to the way things were before? I think it would be extremely difficult. You would lose a lot of efficiencies that you have built into the national payments. There would, of course, be businesses that would go out completely. There are businesses that only do their whole product proposition is based on mobile financial services. There are a lot of fintech innovations that are being carried out using M-Pesa as well. So I think it would be very difficult for Kenya to adapt to this level of disruption. Now, of course, there are some things that you would still be able to do cash, the same way that you do right now. If M-Pesa suffers that once in a blue moon outage, you would revert to cash. But I think there are some level of businesses that just would not be able to survive that. Because people have migrated their whole mindset and their whole way of operation. Institutions have also changed the way they think of money. They think of it in terms of mobile money. So the much then that would happen is a fold up of some businesses or, you know, it would definitely be a very difficult, difficult time for the economy. And the last, very final question for you, Nixon. Mobile money, of course, has also become very profitable for MTN Group, very important to MTN Group. Is there a concern that denial of service attacks could ultimately, if they continue, destabilise the service? Look, it's a risk, but again, we we try to make sure that we have the right implementations in place to safeguard us from this kind of attacks. Similar to the attack that happened in Nigeria, we managed to, you know, literally manage to that very well. So I think we're prepared to protect ourselves against this kind of attacks. It's a good place to learn as well, because obviously that whole exercise taught us to understand how we can manage our resources between the different opcodes as well. Yeah. And just to add to what Joseph mentioned about, I think you're asking about having outages. I think, you know, here in Nigeria, we are most of the time we're not on the grid. So and we've survived very well. So I don't know why South Africa is not surviving by not being on the grid. Well, you get used to things, don't you? You get used to having the utilities. I mean, you know, I always find it ridiculous when we have like Western experts on things like business continuity. Well, they know about business continuity. Things are working. It's where you're somewhere where things aren't working, that you learn how to cope and survive and adapt. So I have great respect for the work you're doing. I think just to address your question, Eric, I think this is not a problem just for us. It's a problem for for everybody, for it's not it's not just us. And we, again, are implementing the best of the best to try to ensure that we protect ourselves. I know it's a problem for everybody, Nick, and that's why I've got two of the world's leading experts, you and Joseph, on the show, so that people know who to go to to get the answers when they want to protect themselves. Thank you so much, guys. We've overrun for time. There's loads more questions. I would like to, I'm sure Ed and Lee would like to ask more questions. And there was more also that came in from the viewers I didn't have a chance to read out. But Nixon, Joseph, it's been an absolute pleasure to have this conversation with you today. Thank you for joining us today. Thank you. Thank you. Great to have you on the show, guys. That is it. Time's up. Join us next Wednesday, October 18th. When we'll be discussing refiling fraud with Arne Baranofsky, CEO of Oculus. The live stream begins at 11 a.m. U.S. East, 4 p.m. U.K., 8.30 p.m. India. Apologies for not listing everybody's time zone. Visit tv.commsrisk.com and click on the link to automatically save the show to your diary in the right time zone for you. Or better still, subscribe to our broadcast schedule and have every weekly show saved to your diary automatically. Thanks again to today's guests, Joseph Nderitu and Nixon Wampamba. Thanks to my co-presenters, Ed Finegold and Lee Scargall. And to the producer of today's show, James Greenley. I'm Eric Priezkalns and you've been watching episode eight of the second season of the Communications Risk Show. Visit the show's dedicated website at tv.commsrisk.com for recordings of all our previous shows. Be sure to check out all the news and views at our main site, commsrisk.com. And risk professionals who work for coms providers should make use of the great resources provided free of charge by the Risk and Assurance Group at riskandassurancegroup.org. Thanks for watching today's show. We'll see you next Wednesday.