Quantum computers are difficult to build today, but their radically different design means they can rapidly crack encryption codes that would defeat any other computer. Many encryption algorithms that currently protect the privacy of electronic comms and banking transactions will soon be rendered ineffective. Comms providers already need to be conscious of the risks of messages being intercepted today just so they can be decrypted and exploited in future. We discuss the timescales for the evolution of quantum computing and the enhanced security measures already needed to protect our way of life with Ian Deakin, Principal Technologist at the Alliance for Telecommunications Industry Solutions (ATIS).

Topical news items are also debated by the show’s presenters: Lee Scargall, a senior risk executive and consultant with considerable international experience; Eric Priezkalns, Editor of Commsrisk; and Sarah Delphey, formerly of Bandwidth and now VP of Trust Solutions at Numeracle.

Transcript (auto-generated)

Hi, my name is Eric Priezkalns and you're watching The Communications Risk Show. Every
Wednesday we stream live so you can join a conversation about the risks faced by comms
providers and their customers. Share your comments and questions during the show by
typing into our real-time messaging system as found immediately beneath the stream on
our website at tv.commsrisk.com. Messages are anonymous, so include your name if you
want me to read it out. You can also watch this live stream at LinkedIn. A member of
our team will forward any comments left over there. I'll read out as many of your observations
as time allows. Now, later in the show, we'll be joined by Ian Deakin, Principal Technologist
at the Alliance for Telecommunications Industry Solutions, ATIS. Ian will tell us about the
risk of encrypted comms data being stolen so it can later be decrypted by quantum computers.
But first, let's chat about recent events with my co-presenters, Sarah Delphey and Lee
Scargall. Regular viewers will surely know Lee already. He's been my regular wingman
since the very first pilot episode of this show. He's an executive and consultant that
has managed the risks of comms providers in the Middle East, Europe, Caribbean, and Asia,
and today he joins us from Bahrain. Sarah Delphey is joining us as a co-presenter for
the first time, though she has previously appeared as an expert guest. Her expertise
is very apparent to anyone who speaks to her for even the briefest time. Sarah was recruited
by Identity Experts Numerical a year ago, where she serves as Vice President of Trust
Solutions. Previously, she was Director of Abuse and Risk Operations at Bandwidth, and
she joins us today from her home in North Carolina. Hello, Sarah. Hello, Lee. Great
to have you on the show. But straight away, I want to pick your brains about a thorny,
difficult topic that not many people want to talk about, but I think we do need to talk
about because it's very relevant to all the work that we do. Big job cuts being made by
telcos all around the world. Very recently, T-Mobile US cut 5,000 staff, that's about
7% of their workforce, after announcing they were going for an industry-leading growth
in customers and profitability. Other announcements this year, 55,000 to go at BT over the next
10 years, 11,000 for Vodafone Group over the next three years, that's about 10% of their
staff, 2,000 at Telecom Italia, 6,000 at Telus, the Canadian operator, 4,000 at their main
business, 2,000 at the international subsidiary, 1,300 to go at Bell Canada Enterprises, 8,500
to go at Ericsson, 472 to go at Telstra, and Australia is a very unionized country, so
472 is a lot to lose. Even Nigeria's Association of Licensed Telecommunications Operators was
willing that smaller Nigerian telcos will look to cut jobs to compensate for a fall in the country's
currency, and AT&T, well, they shed so many staff over so many years, they've stopped announcing
job cuts, though they did announce that their existing cost-cutting program would look to make
another $2 billion worth of cuts over the next three years, and their HR chief, also to boot,
will be leaving at the end of this month after presiding over the cutting of 74,130 staff,
almost a third of their workforce, since the beginning of 2021. So my question to both of you,
starting with you, Sarah, is it time for revenue assurance and data analytics teams
to refocus on cost assurance and cost reduction before they also get the chop?
Yeah, it's a good question, and those numbers are really impactful across the board. I think yes,
I think yes is the answer, but I think they were already focused on those things. I think they
were already focused on cutting costs as much as they should, and if they haven't done it already,
for most people I know, it's because they don't have the resources or the capability or the
dev work that needs to get done. So I think yes, they should keep focusing on what they're focusing
on and make it clear that cost cutting in their department is a priority in those efforts, but
I think at this point, it's unlikely that anything you do now is really going to have a major impact
on the cuts that are happening today. I think a lot of that is larger business trends that are
already in motion, and just from what we've seen in terms of who has been laid off, really doesn't
seem like there's a lot of concern thought going into losing some of these really experienced
professionals that are on the bedrock of all the intelligence that we've gathered as a community.
Well, I have to say, Sarah, straight away you've been more pessimistic than I'm usually the top
pessimist on the show, and I agree with you entirely. Maybe Lee is going to be a bit more
optimistic. Lee, what can experienced professionals do, as Sarah say, to increase
their chances of surviving this very tough job market? Well, Eric, I mean, what surprises me
first is that we're the fifth episode in, and this is the first question about revenue assurance,
but I like what you've done there, actually. You've linked revenue assurance to actually job
losses. So, but anyway, look, from my experience, most RA teams have actually transitioned to
something that we refer to as business assurance anyway. So, they do look at things like cost and
margin assurance. What I find in particular, you know, is using technology like AI, right,
and how we can use that to automate jobs, to free up the vital resources and then deploy them
elsewhere. A lot of the work my team actually does these days is actually around cost assurance. I
would say probably around about 25% of their day is spent on cost assurance, looking at that. So,
yeah, I think they just have to refocus, but it's using these tools and technologies,
which are coming on stream now, and how do you get the efficiencies from those?
But is the transition happening quickly enough? I mean, business assurance is a pretty vague term.
It can be used to cover a lot of different things. Are those teams looking at enough of the costs?
Are they spending enough time dealing with costs? Well, like I said, about 25% of our time
is actually looking at cost or even margin analysis. So, I think we are transitioning
away from the traditional revenue assurance and more into what we term the business assurance
aspect of it. I'm going to keep on poking away here, but I'll bring in Sarah to see if she's
on my side on this one. Data analytics, use of data, there's a lot of costs in the telco,
including capital costs as well as operating costs. Has there been a tendency for telecommunications
operators to diffuse a set of responsibilities for who's looking at optimizing the capital
side of investment? This includes things like not just massive mega projects where you're rolling
out things like 5G, but it also includes things like leasing land because you have to have
somewhere to put your base stations. Is this an area where there's been a lack of intelligence,
joined up intelligence, you might say, about managing costs over the years?
I think definitely. I think what we've seen a lot, what I've seen in different organizations,
is kind of a post-COVID sprawl where to meet the needs of a COVID environment, a lot of telcos
have expanded very rapidly. They've hired, they've done, they've brought on whole teams,
products, et cetera, to deal with additional capacity needs. But when it comes down to it,
a lot of that stuff was done very quickly and it's not managed very well across teams.
So I lived in the fraud world. We were focused on fraud costs and risk management, just in general
customer-based risks. And I didn't really interface that much with some of the other
revenue assurance teams and the other operating cost teams and really looked at, I think a lot
of that does get lost when you roll it up to executive leadership in terms of, okay,
which priorities and which ones are easiest to understand? So when it comes to, I can buy this
piece of land and I can create a new office, I understand as a chief executive what that means.
I can invest in a new piece of fraud mitigation software or a new data analysis that might
uncover some as yet undiscovered costs that I could then cut or fraud that I could then mitigate.
That's difficult for me to understand and that's not concrete. And there's no asset that's
associated with that, that I know I'll have regardless. So I feel like when those things
get rolled up, a lot of our needs really just get lost. And I don't mean to be pessimistic, but-
No, be pessimistic because I like pessimism. Yeah. It's refreshing. Everyone's too optimistic
in this industry. What's the point of being optimistic and then people are losing their
jobs? I'd rather have pessimism right now and people being clever and finding other ways to
cut costs. And then maybe a few people save their jobs as a result. Then everyone stays optimistic
and then boom, before they know it, they're suddenly out there asking, where am I going to
get another job? Because if everyone's cutting jobs, of course, it's going to be harder to
find an equivalent job. So we're being pessimistically, but I'll bring you in here
to perhaps see if we can make you the optimist in our dialectic discussion here. As Sarah was
pointing out, you can have a number of different teams, fraud teams, revenue assurance teams,
teams working in different parts of finance. They're all essentially building upon the same
delta, extracting the same data, analyzing it. There have been telcos with data science,
data analytics teams that almost lend themselves out to different parts of the business like
revenue assurance, like fraud to do work. Is there some value perhaps in going back and re-exploring
that model so that it isn't the case that you've got people with data analytics skills spread
around the business with different objectives, perhaps missing opportunities to take a more
holistic view? And if that was a possibility, would you be the kind of guy grabbing that job, Lee?
Yeah, for sure. I mean, it makes perfect sense that Eric, rather than having multiple kind of
data sets, which is kind of managed and processed by different teams, have a centralized function,
which kind of takes in the data, processes it, and then people kind of dip into that.
That's nothing new. I think there's some telcos around there that have been doing that for a while.
But yeah, I mean, I would say the majority of telcos are based on this kind of this fractured
silo-based mentality still. So yes, I completely agree with you, Eric, on that score. There could
be some value in bringing those all together. Yeah. And on an optimistic note, you'd get a
bigger job, a more senior job, and that'd make you happy for a starter. Enough with the fun.
I'm afraid I have to take a quick ad break here. I always enter an ad break with a quick gyber,
Lee. He'll get me back in the next section. Apologies, Lee. Each episode, we share a new
insight from one of our sponsors, Symmetry Solutions. Their prism fraud intelligence
team provides us with an interesting fact of the week. And this week, it is the outcome
of a new case study. A comms provider recently...
contacted Symmetry after customers started complaining
about some new games they had been offered over the phone.
Without the data in the PRISM fraud database,
it was not immediately apparent to the telco
if the SMS messages sent by the games companies
were legitimate or not.
But when PRISM was used to analyze the traffic,
a whopping 42% of the messages
matched the PRISM repository
of intelligence associated with SMS abuses.
It soon became apparent that the companies behind these games
were bogus entities set up by fraudsters.
Their spam SMS messages were designed
to lure unwary phone users into installing phony games
that would leave victims vulnerable to theft.
To learn more about how to protect your customers from crime,
speak to the PRISM Fraud Intelligence Team at Symmetry.
Their URL is symmetrysolutions.co.uk.
Now let's continue talking about topical matters.
Now, a few weeks ago,
I was on a call with the CEO of a big carrier,
and I was trying to persuade him to take an interest
in enhancing fraud controls for voice and messaging.
And he wasn't interested in discussing fraud reduction at all.
He was very clear about the reasons why.
Fraud reduction stops being so important
if you already expect a product is in terminal decline.
His voice and messaging revenues are in decline,
so he was interested in generating revenues
from new kinds of services,
some of which would not be commonly associated
with the historical role of telcos.
And we've already discussed cost management
and cost reduction.
My question for you both now, my fellow panelists,
and also for viewers, please do send in those questions.
We're keen to read them out.
We already had a few for our guest star, Ian,
later on today, but the three of us,
we know plenty about telcos too,
so you can ask us questions as well.
My question, starting with you, Lee,
do the people working in fraud management do enough
to show the benefit they add to the business?
This one's always a difficult question to answer,
or it's always difficult to kind of explain to executives
what is the value of the fraud function,
because really you want to try and keep those losses
to a minimum, right?
But the concept that I always sell to the executives
is it's actually the cost of not having the fraud team
that matters, right?
Now, if you get hit with a big fraud,
some of these can run into millions of dollars,
and you really don't want to be having that conversation
with your chief executive, right?
So most telcos that I know,
they only think about establishing a fraud function
after they've suffered horrendous losses.
And at that point, it's too late.
In fact, the company that I'm with now,
we actually had a fraud team several years ago.
We got hit with a huge roaming fraud issue over one weekend,
and that was the trigger point
to go for a 24 by seven monitoring service.
So I think it's only when you have these big hits,
does it kind of drive that conversation,
okay, we need to improve.
But as I said, I think it's always very difficult
to sell the benefits of a fraud team,
but it's actually the cost
of actually not having the fraud team that matters.
Okay, Sarah, I'll bring you in here.
Yeah, I agree with Lee 100%.
I think a lot of times fraud mitigation gets invested in
when there's a giant fraud event and it's done reactively,
which creates a challenge
for professionals in the business, right?
If you're doing everything right,
and you are mitigating fraud,
there's an initial impact that can happen
when you make a big change or you implement a team,
but let's say you've had a successful program
that's been going on for years
and there hasn't been a major incident.
It can become easy to believe
that there's the sky is falling syndrome, right?
We don't believe you anymore.
We don't believe that there's so much
that you're holding back against the company,
and there's only so much you can do to demonstrate that,
events that aren't occurring.
So it becomes difficult, right?
And I think a lot of us got into this business,
not because we're passionate about cutting costs
for large telecom operations.
We got into this business because we care
about stopping fraud and protecting consumers
and businesses from being defrauded
and stopping criminal activity, right?
And so a lot of us don't have a background in,
or training in how to really present a monetary model
or argument for what they're doing
in terms of risk prevention
and risk management for a business.
And so it's a challenge, right?
But I think there's a lot more that we could do.
And I think if we can articulate better as an industry,
just what that value is and what's on the other side,
and maybe the fact that we shouldn't be taken for granted,
it would be to everyone's benefit.
Okay, but let's be the pessimists.
Let's just say that we're not respected.
Let's just say, what can we do
to bump up the amount of attention?
You said something very important there.
You referred to the fact that it's protecting customers
as well as protecting the business.
And forgive me, Lee, I'm gonna speak on behalf,
but jump in if you disagree.
I think this tendency to wait for a big hit to happen,
that also encourages you to wait for a big hit
to happen to your company,
because you feel differently
about whether your company's lost money
versus whether your consumers have lost money.
Has there been too much emphasis on protecting the company
rather than its consumers?
And is that now starting to bite us
because our consumers will not be using services
as much as they might've done
because of the track record of failure
when it comes to protecting them?
Oh, yes, absolutely.
I 100% agree.
And going back to your CEO earlier
and thinking about voice and messaging services declining
and the adoption of that system declining among consumers,
100%, I mean, it's the exact backwards way
of thinking of it, right?
We have created a problem,
which is a lack of trust for consumers,
for users of the telecommunications ecosystem.
And then we've given up, right?
We've said, oh, well, you don't trust it anymore.
You're migrating.
We should just move on and serve those other industries.
No, absolutely not.
We shouldn't give up on it.
And this is where we do need to be thinking
about our customers and our customer experience.
That's what it is.
And that's really what I think we need to pivot to
as an industry is to talk about what it does
to the customer's experience of our services
if we allow them to be defrauded.
And that's focused more on consumer business services,
but even for those of us that serve wholesale,
business outbound traffic,
and we don't necessarily have a direct connection
to the individual consumers that are using those services,
nonetheless, our customers, our businesses,
they are impacted on an inbound basis.
And we as consumers can understand what that does
and why our business customers' traffic
isn't gonna be effective.
It's not gonna be picked up.
It's gonna be labeled as spam, scam, blocked.
And we're not gonna make money, right?
So it's also revenue preservation
and traffic preservation to be thinking about
how do we mitigate fraud?
How do we create that trusted ecosystem
so that we can continue to make money as a business
and continue to thrive?
Thanks, Sarah.
Now, Lee, again, I'm gonna test you here.
I'm sorry, Lee,
but you've been in this industry for a long time.
So you get the difficult questions as a result.
From my experience, as far as I can judge,
the American professionals like Sarah
are actually a lot more acutely aware
of the impact on customers
and trying to protect customers from fraud
than I've seen in telcos elsewhere in the world.
Apologies to generalize,
but nevertheless, that's my overall impression.
Have we been falling into a trap, Lee?
Well, I like to call the 3% trap.
You bring up a percentage.
You say, this is the amount you're losing.
And by making it a percentage,
again, it's the amount you're losing
relative to the company's revenues,
relative to what the company is making.
When there's enormous amounts
that your customers could be losing
as a result of mistakes made by the company.
And let me give an illustration.
A SIM swap takes place.
Well, you don't have a simple linear relationship
between a SIM swap occurring
and the amount the customer's going to lose.
Because if the fraudsters conduct a SIM swap,
but the customer's got good protection
around their online accounts,
or they don't have much money in their online accounts,
well, they're not going to lose anything or lose much.
Whereas of course, if they've got weak protection
around a cryptocurrency account
that has $20 million in it,
$20 million is gone.
Have we really been focusing too much
on this simplistic percentage style argument
when we should have been emphasizing
that the reputation takes an enormous hit
when you get these scare stories
about everybody's in danger because of a SIM swap
or other kinds of frauds
that we might have done more to prevent?
Yeah, I think it's more these days around,
it's about having a duty of care
to protect the customers.
And I'm starting to see this
in quite a few of the operators
that I kind of consult for.
I'll just give you an example around about duty of care.
Now, my neighbor in the UK,
she actually received a smishing message, right?
And it appeared to be from her service provider,
and it was actually requesting her to make bill payment.
Right, that SMS record that,
sorry, the SMS actually originated on their own network,
right, it traversed through the network,
it reached her handset.
There, she was actually able to click on a link
in that message, right?
And it took her to an identical copy
of her service provider's website.
She entered in her card details
and she was taken for 10,000 pounds, right?
10,000 pounds was just the max limit on the card.
But if it was unlimited, could have been unlimited, right?
So, that's just one particular example where the fraud,
it was actually committed entirely
on that operator's network.
Now, as a service provider,
they have a duty of care, right,
to prevent that from happening, and they can, right?
So there's things around what they could have done
is better KYC, implementing SMS firewalls,
content filtering, right,
removing suspicious URLs in that message.
So, when you look at that particular case,
if you're not doing that as an operator for your customer,
then as far as I'm concerned, you're negligent.
Okay, a few comments come in here from viewers,
one of them anonymous,
I work in revenue assurance,
but as I understand it,
we're doing a lot to protect banks from fraud.
Is there a possibility to turn this
into a revenue generating opportunity?
Another comment here from Henk van Hastre,
hello Henk, always a pleasure to have you watching the show.
He says, fraud only stops.
when you stop it. So if there's a fraud going on, what would it cost the company if you did not
stop it? Great point, Hank. Do you want to take that question, Lee, about whether there's a
revenue opportunity, or is that not realistic because we should be keeping our own house in
order without seeking to make money? Yeah, I mean, I'm not really sure of what role the
revenue assurance team would be doing there. It's probably more on the fraud side. But
actually, this came up in conversation today with some of the SMS product manager. So
we were actually talking about looking around this, you know, guaranteeing the security
of the SMS messages with particular banks in the country I'm in now. And obviously,
we could probably look to monetize that in some particular way, if we can guarantee that those
SMS messages came from a particular bank. But that means us kind of blocking and making sure
no other smishing messages would come onto our network. So we've got a lot of work to do,
but looking at that, but I think it's actually a valuable proposition, which we could do. However,
I've never been an advocate of receiving OTPs over SMS anyway, right? So my recommendation would be
banks shouldn't be even getting involved in this type of stuff.
And I agree with you, Lee, but it's a good source of revenue for telco.
I'll jump in on that one as well and say, you know, the last couple conferences that I've been
to to talk about telecom fraud, the financial institutions are seeking us out because they
have a big problem and it's starting to hurt them and their security professionals in a big way. I
mean, just sip-knock last week here in the US and DC, we had two different major financial
institutions that took it on their own initiative to attend and really talk about the impact to
their customers. Within the last couple of years, we've had Zelle, the consumer-to-consumer money
transfer service in the US. A lot of heads of banks were called before Congress to testify
on that fraud that's happening. And a lot of it is being perpetrated over voice and SMS is really
where a lot of that's starting. And there's pressure put on financial institutions to make
their customers whole in those instances of fraud. And that creates a monetary incentive for them to
do something about that fraud. So we've sort of outsourced the losses in a way to those financial
institutions. And they are looking to us for solutions and they are clear that they will pay
for solutions. Obviously, they don't want to pay anything more than they have to, but they want
secure channels to ensure that the folks that are impersonating their businesses are prevented from
doing so. And so I agree with Lee that if we can come up with a way to do secure identified
communications end to end, so we know it's coming from your bank and we can prevent impersonation
attempts. There's plenty of money to be made there, I think, from a product perspective,
both from financial institutions who will pay for that protection, as well as other businesses
and consumers who want to be assured that they're not being defrauded. So this leads me to a question
I hadn't thought of before this show and what you've just said there, Sarah. When we talk about
fraud management, fraud prevention, is this really now something that needs to be in some sense
merged with identity management, knowing who your customer is, whether the lines between these two
things, is there an interface? Should they be all in one? How should the relationship evolve over
time between these goals, these objectives? Yeah, I think it's one and the same, right? I think
that's how we align fraud mitigation with identity and trust as a product, right? I think
consumers and businesses are so eager for secure channels of communication that they can
exercise more control over. I'm so tired of receiving anonymous phone calls or if I'm
expecting an important phone call, having to answer or interrupt things on the hopes that
the person on the other end is the person that I actually want to talk to. We can do better and
there's a lot of conversation going on right now about ways, the right way to do that,
but it is possible. This is a solvable problem and the thing for folks to remember too is that,
you know, we are currently the embedded channel. If we can solve for identity in voice and in text
messaging, which is what folks use today, then one, they're going to use those services for longer
and two, even if there is a future service, if we created an embedded system for identity and
validation of end users, that's going to persist. That data will be used in any
communication system moving forward. So it is both, you know, protecting and future-proofing.
You know, and the interesting thing is that CEO was talking about at the top of this segment,
he was talking about identity as one of the areas he was going to make money from in future. But Lee,
to back this back to you and bring you in again here, of the majority of fraud management teams
around the world working in telcos, are they ready for this intellectual leap that Sarah's
asking them to make here in terms of connecting their work, which maybe historically has been
look for anomalies in data, open up some kind of case in your case management tool,
see what happened and react to it. Are they ready for this leap forward to, we know who our customer
is, and we're going to ensure that we can validate, demonstrate who's making a call and stop
frauds before they can happen? No, I think there's a big gap there, Eric, if I'm being honest.
They're just not geared up for this right now. That's a huge step what you're talking about there.
So how do we make the step? Sarah's being the optimistic one now. She can do it. She believes in
it. She led her team in that direction. How can we do it in other teams too, Lee?
Well, I think there's just going on what Sarah was saying that I agree with all of that. And I think
just to pick up there is, I think there needs to be this kind of merger between,
you know, digital identities, KYC, and then kind of exploiting. If you do that right,
then it makes everything else a lot easier down the line, right? But we're not there yet, Eric.
And this is my fear. I think there's a big opportunity here for somebody to come in to
step into this space. I mean, that's for sure. Big opportunity for you, Lee, Director of Risk
Management, Chief Risk Officer. This seems set up for someone like you to say, let's clean house
and solve a lot of these problems at the same time by taking a joined up view where we actually
know who's using the network. Well, just the interesting thing is we actually have like a
digital solutions team, right, which actually sells these products to enterprise customers,
right? So they can do their KYC on their customers where they have liveliness on the video,
and they can do all that. But we kind of sell this stuff. But, you know, there's that saying,
drinking your own champagne or eating your own dog food, right? We don't seem to be doing that
in the industry. I hear you. I hear you. We're going to keep moving forward, because I know that
our guest, when we bring him on, he may want to talk a little bit about these topics, too. We've
got questions already coming in for him. So let's keep the show moving forward. But thank you both
for that fascinating conversation about that topic. Now, it's time for another of our sponsored
features. Every week, Geoffrey Ross of Call Authentication, Fraud Prevention and Geolocation
Specialists, OneRoot, takes us on a tour of the world in our phone. This week, Geoffrey's taking
us to Nicaragua. Roll VT. Hey, everyone. From OneRoot, I'm Geoffrey Ross, and this is The World
in Your Phone. Hablemos de Nicaragua. Let's talk about Nicaragua. Known as the land of fire and
water, Nicaragua is one of the most naturally blessed countries in the world, well known for
its biodiversity, rich culture, and eventful history. But did you know that in June 2023,
Nicaragua's legislative branch, the National Assembly, approved an overhaul of the country's
telecom regulator, Telcor, with the aim of expanding regulatory power. It was stated that
the reform is intended to provide clarity and explicitness in relation to Telcor's powers
and attributions in terms of regulation, control of the sector, as well as the promotion of innovation
and investments. Opponents, meanwhile, have suggested that the reforms will make it easier
for the state to practice espionage and repression. We would be more interested to hear what your
thoughts are on this. Some other interesting facts I found out about Nicaragua are that Nicaragua
did not directly fight for its independence, but rather, it gained independence due to the
Mexican Revolution from Spain. It is the second poorest country in Central America. However,
it holds the lowest crime rate and is considered one of the safest countries in Central America to
travel to. The only freshwater sharks in the world can be found in Lake Nicaragua, and for the
stargazers in our audience, you can see 86 of the 88 constellations during a night in Nicaragua.
Be sure to subscribe to OneRoute on YouTube, where you can catch up on the world in your phone,
and watch the OneRoute Roundup, the show that spotlights individuals and companies making a
positive difference in the telecom industry. One more fun fact I found out about Nicaragua,
the streets have no names, and places are referred to in relation to landmarks.
Eric, back to you and more of the Great Communications Risho. Cheers.
Thanks, Jeffrey. Jeffrey's musings about various countries always makes me more mindful of what
is common to all people and what sets us apart. So, if you've now got the U2 song,
where the streets have no name, playing in your head, like I'm sure many of you do,
then you may also be aware that they were writing about the denizens of Belfast, where you can tell
somebody's wealth and religion based upon the name of the streets upon which they lived. But did you
know that Bono's inspiration for that song occurred when he was walking around the nameless streets of
Ethiopia? But now, let's introduce today's special guest, joining us live from his home in Ireland.
Did you see what I did there? We have Ian Deacon. Ian Deacon is the Principal Technologist at the
Alliance for Telecommunications Industry Solutions, ATIS. Welcome, Ian. Now, that title doesn't do
justice to all your varied experience in the telecoms industry over the last 30 years. I
won't try and do every single point on your CV. We'd be here for the next half hour if we did that,
but you're the CEO and founder of Pervenio, which has grown a product business providing
mobile device analytics for cellular networks, which was then later acquired by FinePoint
Technologies. As CTO of FinePoint Technologies, you were provider of convergent fixed mobile
device management. As head of technology and product innovation at iConnective, you took on
that role when your business was acquired, when FinePoint was acquired.
The CV is so complicated, like I can't even get it out, Ian.
And of course, this is even before I mentioned the fact that you're responsible for GSM standards,
including GPRS and UMTS billing standards, and you served as chairman of the 3GPP
billing group whilst you were at Motorola. And once upon a time, you were a technology
program manager at UK mobile operator CellNet, back when most people still weren't aware of
what mobile phones were. Although it doesn't look it, looking at you today, Ian, no one would know
you'd had such a long industry in the telecoms looking at you. Thank you for joining us today.
You have a fascinating role. You have a fascinating role, Ian, you really do at ATIS,
managing the innovation agenda, driving several initiatives to examine how emerging technologies
and technology trends are causing disruption for the communications industry. One of those,
the one we're going to focus on, though I know you could have talked just as long as anybody else
could about the topics we've just been discussing between myself, Sarah and Lee. But one of the
topics that's been your focus at ATIS recently is quantum computing. For the benefit of those
viewers who are not so up to speed with quantum computing, can you help us out, Ian? What is
quantum computing? And why does it pose a risk to communications?
Yeah, I suppose I won't go into the detailed physics of it all, but it differs obviously
from traditional computing. The ones that we're all used to uses ones and zeros and it's
binary output. And the quantum computers use qubits, the equivalent of a bit, and they
actually can represent one and zero in superposition states at the same time. Yeah, it's a bit of a
head wreck, I know, so I won't go into it. But maybe it's easier to sort of think of it in the
way that, you know, if I was to use a classical computer to crack ciphertext, and when we're
talking about security and cryptography, you know, I keep trying different permutations of that by,
you know, testing, you know, is it this key? Will this crack it? And, you know, for a normal
computer to go through that, it could take thousands of years to do that. But the way that
a quantum computer works is, you know, it can test all permutations simultaneously to determine
if, you know, a particular answer will be able to crack the code. And it can do that in, you know,
potentially a number of seconds. So you can see that, you know, things like current cryptography
or security as it exists today, that, you know, could take, you know, computers and that's the
basis of it is that it would take thousands of years to crack that. But you know, this new type
of quantum computer can potentially crack it in just a matter of seconds. So that's the basis of
it without going into the physics in heavy detail. But everything that we know today, primarily is
built on two types of encryption, asymmetric cryptography, or PKI, as people know it, that
uses RSA or elliptic curve algorithms, and symmetric key cryptography. So if we look at
asymmetric encryption, using RSA as an example, is that, you know, that the basis of that is
factorizing two large prime numbers. And, you know, as I say, classical computers to hack a
2048 bit RSA key could take, you know, hundreds of years. And there was a mathematician in 1994,
Peter Shaw, and he came up with a theoretical quantum algorithm called Shaw's algorithm,
of course, that could actually find the prime numbers of an integer, you know, using a quantum
algorithm quite easily. So that could actually crack then, you know, RSA or elliptic curve,
Diffie-Hellman key exchanges quite easily. Now that was all theoretical, of course. And when we
look at the symmetric key encryption, again, another mathematician, Love Grover, in 1996,
came up with an algorithm, a quantum algorithm, that refers to quantum search, which what that
means is that you can search for in unstructured text. So this will be looking for maybe a key to
find the how it will crack a ciphertext, optimally using a quantum computer. And the way it would do
that is that it presents all the possible permutations, as I was explaining before,
and it looks at the probability of the outcome. And it uses a way to amplify that output,
so that you can see that in all probability, this is what the solution or the code that would
crack that ciphertext would be. And you know, I might not get it right the first time, but you can
replay it a number of times. And by doing that, you can, through a number of iterations,
determine what the output of that is. So what we've got is a quantum computer that's in its
infancy, you know, it's still being developed. And, you know, I can come back to that maybe in
a while. But, you know, and a couple of key algorithms that have been developed by
mathematicians that could be used to easily crack current cryptography, you know, asymmetric,
asymmetric key cryptography. So that presents, you know, risks to all IT systems, but as it
relates to communications, I suppose that, you know, it's SIM cards, you know, they use symmetric
key encryption with VPN, DNSs, secure DNSs, routers, gateways, routing protocols, interconnect
protocols, AAA protocols. And one subject we were just talking about, StairShake, and it's based on
public key cryptography. So, you know, that's potentially a threat, you know, in the years to
come. So hopefully, I don't know, does that give you kind of a flavor for what it is and what it
can do? Well, I think you've scared the pants off everybody who didn't appreciate the risks before
now, because what you're essentially saying is that, again, without going into the detail of
how the quantum realm works, effectively, the mathematics of the quantum realm shortcut right
through the basis, the basics of how we protect so many computerized services, so many of the remote
communications that we have today, because they're all protected by this notion that it takes time,
it takes time to work through very many possible options for how to determine the key to unlock
those codes. So in theory, you could get lucky first time, but in reality, you're going to be
spending decades, hundreds of years. And by that point in time, it's, you know, it's becomes
irrelevant, you're not going to have a machine running for the extraordinary lengths of time.
But because of this quantum superposition, the mathematics of the quantum realm,
it makes your code transparent, almost straight away, because the mathematics has been worked out.
We just don't at this moment in time, have the processing power to do this on a sensible,
meaningful scale. But as soon as we make those breakthroughs on a technological level,
we start making those qubits in enough of a kind of repetitive mass process,
which will be expensive to begin with, and which maybe nation states will be focused on to begin
with. But as soon as they exist, this concept of things taking hundreds of years to crack,
like you say, it will be no time at all. And that means everything we've been relying upon,
which often is public key infrastructure, falls away, falls away. So that's very scary.
It's very scary, Ian. It's very obvious that there's a risk there. How much are we replying,
depending too much on the fact that the qubits don't currently exist? How soon might those qubits
exist? Yeah, well, I mean, that's a good point. Look, it's a developing technology,
and we're only at the beginning of the maturity cycle of a quantum computer. There's a lot of
vendors working on it today, and they're all promoting their roadmaps to have more and more
qubits. There's other aspects that limit, I suppose, the usability of a quantum computer
as well. There's what's called quantum gates or gates. They're the logics that allow you to create
the I.O. that gets the information in and out of a quantum computer. And the noisier they are,
and they're quite noisy at the moment, means more errors you get. So you have two dimensions,
really. The amount of quantum gates and how, I suppose, how little noise there is created by
them, and the number of qubits is going to help the dimensions of that. And it's going to be some
time. And there's an organization called the Risk Institute. They produce this quantum threat
timeline report each year, and the most recent publication of that surveyed 40 of the industry
leaders that were looking at quantum science and technology and where we are in that kind of
maturity cycle. And half of the respondents indicated that there was a high probability
of the threat timeline being most likely in the next 15 years, within 15 years, I should say,
not within, but within at about 15 years. So that's before 2030. So it's not too far away.
But I mean, if we look at what that means, realistically, is there's two challenges.
One is that I suppose that when we look back over time, when we move from SHA-1 to SHA-2,
it took over 10 years to actually transition between those two algorithms, really. And that's
a huge amount of time. So that was just one, I suppose, protocol, one algorithm, if you want to
look at it, everything that we're going to be doing needs to change, really. And the other risk
that's probably more at play, and I think you intimated on this, is that if you have the ability
to harvest information that's encrypted today, and potentially by a nation state, that that
information, you know, they could sit on that until they actually have a quantum computer that's
actually able to crack that. And, you know, what does that mean, really, I suppose, is that, you
know, that nation states have the ability to look at, you know, people's names don't change,
you know, their addresses, telephone numbers, maybe, but certainly social security numbers.
So what that means is that, you know, you could actually harvest the information now,
and it's still be relevant in 15 years time when you could crack it and cause disruption.
And that's just with individuals, you know, corporations might have strategic information,
certainly governments are going to have strategic and quite sensitive information that might be,
you know, of interest to, you know, a nation state. But, you know, if we look at kind of
maybe where the investments are going currently in quantum computing worldwide, there's, I think,
over the last year was 38 billion invested in development of quantum computing. 15 billion of
that alone was invested by China. That's 40% of the total worldwide investment. Compare that with
a billion in the EU, and I suppose 3.75 in the US, it's clear to see where the strategic value
of this technology lies and how it can be used. And, you know, you could say that, you know,
it's equivalent to a technological arms race that we're approaching and that
the value of using this technology to potentially get ahead of the game and maybe cause disruption
as well. Let me bring Lee in here on that specific point. Lee, I mean, I know that you have to look
at the security perspective too when you're looking at the risks for Telco. Are you concerned
that we're having here the equivalent of some kind of Cold War gap opening here, where powers like
China will be far in advance of the Western powers when it comes to quantum computing and
that a lot of the things that we rely upon in order to maintain, sustain these advanced economies,
they'll be broken apart as a result of the potential risk that a foreign power can undermine
or intercept or gather data from you as and when they choose? Yeah, I mean, it is an arms race at
the end of the day. And it's the ones, you know, whoever has that technological advantage over the
others, you know, obviously, it's a major advantage for them. I mean, China, I know they're using,
or they've been trialing some kind of quantum communications as well. They seem to be leading
in that space. But it's a, you know, it is scary. And if you look at the whole of the internet
today, is what it what what is based on is that, you know, you could have people who can
crack it and pull it apart. And are we underestimating this? Is there insufficient
attention being paid to this issue in Western countries? I think those that know, know, right.
And I think are obviously concerned by this. But I think the vast majority of people, I mean,
if you were to ask your, you know, Joe public, you know, they cared about, you know, do they
understand about quantum computing and the impact that's going to have on them and on the internet
and, you know, using things like blockchain, NFTs, all this type of stuff? Yeah. Is that still going
to work? Yeah. It's credit cards, isn't it? It's the basics of how we currently run our economy.
We're moving towards a cashless economy, at the same time as the underlying infrastructure for
the cashless economy could be rent asunder as a result of quantum computers, if they're in the
wrong hands. Well, we do need time to transition and we do have time to transition. But you know,
we need to start working now. And, you know, there's a lot of education of the industry to go
on. People, as Lee says, that, you know, those that know, know, you know, risk managers know.
But, you know, there's a lot is still done, you know, and that's part of my role in ATIS is really
kind of educating the industry about what this is, what the threat is, how it might affect
certain communications, certain services, and what needs to be done, you know, how you can
approach this, you know, how you actually assess the risk, the threat, quantify it in terms of,
you know, its value, you know, and how you actually go about it. But it starts really from,
I suppose, standardization to a certain degree, and standardization of what is the new sort of
cryptography that's going to replace that current cryptography that will make, you know, everything
secure again. And NIST started running a competition actually in 2016. So a long time ago,
they started looking at new algorithms that could actually be quantum secure or post-quantum
cryptography, as it's called really today. And they started testing, you know, several, you know,
tens of different algorithms. And over this rigorous testing over the number of years,
some fell by the wayside because they didn't cut the mustard, so to speak. And over a long
process, really kind of rigorous testing, you know, they've recently settled in the last round
on a number of algorithms for standardization. And they're not standardized, there's draft
reports actually issued just this year. And they view that they'll be actually published
as standards next year, all being well, you know, that there's no compromises of those.
There's, they're called Crystals Kyber, that's the public key encapsulation. And then there's
Crystals Dilithium, Falcon, and Sphinx for digital signatures as well. So there's other algorithms
still being looked at and being analyzed at the moment, and they might be standardized later. But
at the moment, there are some algorithms being produced or standards for algorithms being
produced. Big organizations are testing them, you know, the big cloud service providers have
already done a lot of work to actually secure their own infrastructure using, you know,
their versions of, you know, pre-standardization versions of this, these algorithms to make sure
that their own infrastructure is secure and safe from harvest now, decrypt later.
But again, let me jump in here. Let me, let me jump in here, Ian, because
one thing that you brought up already is the timeframe, the timeframe for change. You're
saying that we need to change now and forgive me, perhaps a pessimist listens in and they hear,
well, that was, everyone's always saying we need to do things now because there's something in the
future. For example, global warming, we've been hearing that we need to do something now about
global warming, and then people can even become jaded because they've been hearing how often,
how many years they've been hearing now. And it's a similar thing here where it's difficult
to evaluate this. And I want to bring in Sarah on this point as well, because we were talking about,
we had this vision, authentication, knowing who the person is. It's almost as if it sounds to me,
and correct me if you think I'm wrong, because you're both in a better position to understand
this than I am. It's almost as if on the one hand, we've got people working away
and areas like authentication, and we're going to solve that problem. We're going to be better
and better in that sphere. And yet meantime, Ian, you're telling me we need to now be working
on the quantum problem. Is there not a threat that this wonderful work that's being done in
authentication immediately gets ruined, gets pulled apart because it wasn't quantum proof?
Am I misunderstanding something here? Is the work that's being done for authentication quantum proof,
or has that been somehow, that's the thing that will be dealt with later? Sarah, Ian,
what do we think? Well, I'll just jump in and say, you know, I'm closer to Joe Public on this
particular topic, so I'll defer to Ian. But frankly, we have a lot of work to do on getting
to a future of identity. It's a marriage of both getting qualified good information and then
securely transmitting it. There's a lot that we could be doing today. We're really far off on the
just the validating the identity in the first place. So my hope and my partnership with folks
like Ian and Pierce Gorman on our team is, you know, let's work on this first part, at least
even getting that information while we have others that are working on, you know, how do we,
do we need to rethink the fundamentals behind the transmission for, that we're using for
STIR-SHAKEN? What else do we need to do to ensure that that can be transmitted securely?
Yeah, exactly. So look, I think the two coexist. One, as Sarah says, exactly like, you know, we
need to start looking at kind of like, where are the gaps in the whole identity sort of ecosystem
to ensure that, you know, when someone that places a call is who they are claiming to be, and the
person that you're intending to actually talk to on the end of that phone is actually the person
that you're actually speaking to, you know, that's maybe me talking to a bank or a bank talking to
me, you know, we need to have this mutual authentication, not, you know, just a half way,
sort of something in the middle, which is what we have at the moment, you know, and obviously,
to secure that, it's always based on sort of cryptography, and we've got cryptography today,
but we are, we'll have to transition that cryptography in the future. So, you know,
there are sort of, there is a lot of work going on in how we can transition from, for example,
like, you know, PKI, which Shaken is based on is, you know, how do we migrate from current RSA or
elliptic curve in the case of Shaken cryptography to the future one, and the realistic sort of
situation is that the two will have to coexist, you know, there's not going to be like the Y2K,
so to speak, where, you know, someone clicks their fingers, and then everyone's post quantum
crypto algorithms overnight, there's going to be kind of a transitional period whereby some people
will have it, some people won't, some devices will never be able to be upgraded, because
the hardware that they're actually working on could be an IoT device, you know, whatever it is,
the encryption technology might be built within the hardware, so it can never be upgraded. So,
it's basically, when you do your risk assessment of that, you actually say, well, actually,
we have to wait until we end the life that and we need new hardware to sort of replace that. So,
all of that is built into your risk assessment, but sticking with kind of the identity side of it
is, you know, we need to sort of have this, I suppose, view of how we can secure the identity,
obviously, it's going to be secured, ultimately, through encryption, and that's going to be by a
crypto algorithm. And at some point, they will need to transition to a quantum resistant version
of that, whichever is going to be the best algorithm for that piece of, let's say, our
application, so to speak. But is there a risk here, Ian, again, sorry to put it in plain terms,
but I'm a simple guy. And when I talk to people who are executives, or used to talk to people
who are executives and board members, in some ways, they're even simpler, they need to keep
it simple. So, is there, to some extent, a risk here, that the infrastructure being put in place
in some countries to authenticate cars could be, if it's not quantum safe, if it can be hacked
using quantum computers, this could be turned into the most devilish surveillance engine for
foreign powers imaginable. Because it wasn't that long ago that Ed Snowden ran away from the USA,
because he was pointing out how the NSA was gathering data, essentially signals intelligence,
who is calling who. Except now, you're creating an infrastructure, which if it gets
intercepted, cracked, is visible to a foreign power. Now, who is calling who is a foreign power
knowing who is calling who within the United States, America, or other countries, gathering
an enormous amount of intelligence. Am I hypothesizing some unrealistic threat, or is that
a real danger? Well, I think that, first and foremost, is that who is calling who is
not encrypted anyway. So, that's not encrypted, but that can be gleaned from the
internet maybe today. But if you're saying, if that's inbound within a VPN, to make sure it is
kind of, then obviously, using a quantum computer to crack the VPN, that that information
is still not within, then yes, of course. But I think that maybe that I would imagine nation
states are probably more interested in other information than who's calling who, I would
imagine. Sorry. Okay. Fair point. Fair point. I'll read out some questions from the audience now for
you. I'm just conscious that we've actually had quite a lot of questions, and we've not read them
out. So, I'm not going to have time to read them all out, everybody who's watching. But I'll just
read out a bunch, and I'll let you...
If qubits and quantum computing existed in a meaningful way today, it would likely be
under the control of nation-state actors, who would be very likely to keep that fact
as secret as possible, as long as possible, not unlike the UK after they had hacked Germany's
Enigma encryption machine during World War II.
Which then leads me to sort of a sideline question. Well, does that mean that we could
be massively underestimating how much we need to be hurrying towards a solution? Because
if they have a quantum computer, we're not necessarily going to know about it. Randy
Warshaw asks, are there commercial quantum-proof cryptographic schemes available for use today?
If so, can you provide some examples and any reason why they wouldn't start to be used
deployed today? And I'm going to throw a third question at you. I know it's too many,
but I'll read them out again if you need some help, Ian. Jerry Christensen says, this is
an interesting topic. Ian, will quantum computing destroy blockchain, among other things? So
where would you like to start with all those questions, Ian?
I want to do them in order. Well, I think Pierce is right. I mean, look, I would imagine
that anybody that is developing a quantum computer at scale that has the capability
to potentially crack cryptography and has intentions of using that for strategic advantage,
I would certainly imagine that they're not going to actually publish it in the Daily
Mirror, so to speak. They're not going to let other nation states know that they've
got the upper hand. As we talked about before, I would imagine it's kind of strategically
of high value. So I can't imagine that we'll know about it. The only companies that you
probably will know about is the likes of IBM, Google, et cetera, that are obviously trying
to sort of get an upper hand on marketing to say, we've got our new chipset and we can
do it faster than the other guys. But certainly within a nation state, I doubt that you're
going to find out until it's already happened. The second one, Randi, yes, there are publicly
available companies developing post-quantum crypto. In fact, actually, artists are actually
working on an open source post-quantum crypto stack. And we're using that with a lot of
our members so that they can actually test on their platforms with IoT devices, containerized
platforms or, you know, COTS. That's standard hardware on the shelf. And the idea is that
behind that is that they can test this different cryptography on different platforms. We can
publish the results of that so that people can see that how, I suppose, the effects of
post-quantum crypto would operate in certain conditions. And I know this is a bit of a longer
answer, but so, for example, you know, if we look at 5G and all the promise of what 5G should have
been and we look at ultra-low latency communications and certainly moving forward to 6G, which I'm
working on at the moment, is that even that latency gets even lower. But if you've got
crypto algorithms that require significantly more processing power to make sure that they're
secure, then, you know, what effect would that have on a remote operating on someone's brain?
You know, you want it to be secure, but obviously you don't want to have latency in it. So,
you know, these algorithms are going to have different sort of performance characteristics.
And we're trying to sort of understand what that characteristic profile would be in certain
operating conditions on a constrained device, you know, maybe on a mobile device, maybe on a
server and maybe on a container and, you know, different types of applications so that we can
build a picture of, you know, maybe going forward because it's unlikely that post-quantum
cryptography is going to be standardized for 5G because the way the 3GPP works in their release
cycle is that, you know, it's not going to hit one of those release cycles. So it's more likely that
quantum secure algorithms are going to be part of 6G. So getting an understanding of that now.
And there are many vendors and, you know, we've worked with a company from Castle Shield as
one example. They're a small organization in North America, but they've actually been selling a lot of
prepackaged post-quantum crypto for different applications like
email, VPNs, et cetera, as well. So maybe that's a little shout out for them.
Oh, the last one. Blockchain. Yeah, Armageddon. So, look, it's not an easy one to answer. And I saw
Jerry posted that on LinkedIn. But I mean, certainly, look, it's built on asymmetric
cryptography. So it will need to transition. And obviously, you know, blockchain in itself is
its integrity is built around that you can actually quantify every transaction from the
genesis block that was originally sort of there and everything tied back to that cryptographically.
So, but blockchains have actually forked and, you know, for different reasons in the past,
you know, not talking about anyone in particular, but they will need to transition.
The challenge would be on these public blockchains like Bitcoin as an example.
And if you ever watch Silicon Valley and your man sort of rummaging around the dumpster sites
trying to find his PC with his key on it, his private key so he can find his billions,
you know, these dormant accounts where people have probably lost their key that, you know,
had a Bitcoin in it, you know, when they were only probably worth, you know, a few cents, you know,
you know, like Bitcoin is worth $5,000 or something now at the moment that, you know,
for someone to sort of reverse engineer that, there's great value to be gained from that. So,
yeah, there's going to be people interested in trying to scoop up all of these dormant accounts.
But unless someone's actually transacted on their account on Bitcoin's blockchain,
their public key won't be published. So you've got that advantage if you didn't actually
transact with your account that you haven't published your public key. So it's more difficult
to sort of reverse engineer. But obviously, if you have transacted, then, you know,
potentially there's loss there. So, yeah, it's going to be challenging for those guys to
transition. I don't know how they're going to go about it. I don't have the answer,
but I'm sure there's a lot of clever mathematicians working on that at the moment.
Now, we've been talking a lot about very clever mathematics. And we've been talking a lot about
things that are in the future. But you did mention, as you were talking, Ian, the risk,
the threat that people will steal data today with the intention of decrypting it later,
because that data may still be very valuable later on. So they may intercept communications,
for example, sensitive communications, or they may gain information about financial transactions.
Like, what practically, and so this is not about waiting for somebody else to have an algorithm,
what practically do communications providers need to be doing today with that specific threat in
mind? I suppose it's in exactly the same way as they do risk assessment today, but certainly
doing quantum threat risk assessment. And again, we're working on kind of how to go about it. We're
trying to educate the industry and executives specifically on how you go about quantum threat
risk assessment. And it's actually the first and foremost is having an inventory of all of your
cryptography, you know, having an inventory of all of how your data, where it's stored,
how it's transmitted, and what it's secured by. And once you have that, then you can understand
what is a risk, what's the potential threat of that being exposed, and then what you need to
transition to, and how long it's going to take you to get to that. And that's all part of doing
risk management and actually assessing it. So, you know, that's going to take people
that understand it, it's going to, it's going to require budgets, because it's going to cost money,
for sure. And it's going to take time. So, you know, all of that builds a risk profile. And part
of that is called, I suppose, part of it is how flexible you are to that is a term called crypto
agility, how agile is my systems to be to changing out a current crypto algorithm. And it might be
that one of these algorithms that NIST has proposed does get hacked, that happens, you know,
we've seen sort of different algorithms in the past being hacked. So it's, it's not about changing
to a crypto algorithm, a new one, it's basically the potential that that could be hacked again,
and how, how adaptable are we, how agile are we to then changing into something new again. So I
think the new sort of, let's say, the new process that people need to get used to is how we become
crypto agile, and how can we go down this path of being crypto agile, and it's going to take a whole
new way of thinking, a whole new sort of set of people with different skills. So all those people
that you talked about that was out of work, maybe they might find themselves if they're in this space.
I want to bring Sarah in, I want to bring Sarah in, because we were chatting earlier, Sarah,
and we were talking about how difficult it can be to persuade, when you're in the trenches,
to persuade the executives to give the budget to hire the people. I mean, are we a little bit
in a situation here where we can all agree emotionally with Ian, and intellectually with Ian,
and yet it's quite hard to envisage? How would you make the argument? How would you go out there,
actually get the resources, when the company is currently cutting costs, laying people off,
how would you approach it, Sarah? A couple of different ways. One is, I say,
Ian was talking about this agile approach to discovering new threats and reacting to them.
I think that's a skill set that the risk management and fraud mitigation world has had
for a long time, and those folks, I think, are primed to be able to have that mindset,
the sort of threat detection and agility process. But separately, I'm practical. Frankly, I would
imagine that the threat to the actual communications network itself and the sanctity thereof
is going to take a lot more precedence for individual communications providers than it is
somebody being able to crack surshaken tokens or other pieces. So I would rely on that,
sort of the sanctity of the network itself and the opportunity and the capability of it
potentially being compromised or accessed and having a data breach. And I would let those
folks, InfoSec folks, take the weight and the brunt of making that argument and just try and
be in that conversation to be able to reuse some of that focus, energy, and those resources to say,
hey, also, while you're at it and looking at vendors, I would like to be in on that
conversation to make sure that they can potentially help me with my applications.
Right, thanks, Sarah. And Lee, I want to bring you in on this one here, because this is both for you
and for Ian, perhaps our concluding question of the day. I love this concept of quantum agility,
Ian. But if, say, you're the Chief Risk Officer, let's put Lee into those shoes, the shoes that
he could easily fulfill for a telco, the kind of job he's been doing all around the world.
How does a Chief Risk Officer measure the progress towards quantum agility? Is this something where
ATIS can give some practical advice to a guy like Lee, or is it up to you, Lee,
to work it out for yourself how you're measuring how quantum agile you are?
That's something I've not even thought about, Eric. But listen, I'll tell you something about
if you look at the way 5G and the 5G network is where you have, you know, it's predominantly,
it's all cloud-based, you know, a lot of stuff in the cloud. You've got edge processing,
data centers, this type of stuff. When you start to think about this and how quantum's going to
impact that, right, then it becomes a, it's a massive risk.
Ian, is there something you can do, though, to help in terms of practical steps and making
progress and getting it on the agenda, in particular with bearing in mind this threat,
stealing data now, decrypting it later, as well as the move towards becoming quantum agile,
breaking it down? Because if it's too big, if it's too complicated, there'll be no progress
made, is my fear. So what could an organization like ATIS do to help break it down, to help make
it a more practical agenda for people like Lee? Yeah, so I suppose what we're looking at at the
moment and what we're actually in the process of developing a report on is how you can quantify it
exactly as you say, is that from an operational point of view, from a product technology point of
view, and ultimately on how you interact with other people, you know, executive, sorry,
vendors or interconnect providers, service providers, cloud service providers. So you need
to, and it's crypto agile that we were talking about, is, you know, how, you know, quantum safe
are you and how crypto agile are you so that, you know, I understand how my business is going to be
impacted by the services that I'm interacting with Yvonne. And we need to have sort of quantifiable
measures of that, you know, and define what those measures are so that like KPIs, you know, simple
KPIs that we can actually quantify them so that when I talk to someone else is I can actually say,
right, what are your quantifiable measures across A, B, C, D, E, and they're in this score
range or a percentage, you know, that I know that as an example, you know, I know that, you know,
50% of my staff are trained in what the quantum threat is, and what to look for, you know, I know
that, you know, and that maybe that's a quantifiable measure, as an just as an example, you know,
how many of my vendors have told me that they have actually got, you know, a quantum threat
program in place and are adopting quantum resistant algorithms. So these are all kind of measures that
and they're only relevant if they're like for like, you know, everyone's talking apples and apples.
So by being able to define them as a standards organization that, you know, we can actually say,
look, these are the measures that need to be reported on that, you know, I can interact with
other people. So that when I actually see this, and it's this result, I know how I measure it.
And then I can build that into my risk assessment. So I know that, you know, and it could be that,
you know, it makes decisions about who you do business with down the road. You know, obviously,
you know, it's, you know, how, how advanced are there in their maturity cycle to be crypto agile
and quantum resistant. So I think that's really what we're doing as an organization is that we
can build these kind of, you know, standards frameworks that people then can actually
interact. But obviously, in absence of that technology being built into the standards yet,
you know, as I say, the algorithms are not being defined by NIST. And until that's happened,
IETF can't build them into their protocols. And obviously, those IETF protocols are being used by
3GPP for the cellular infrastructure. So, you know, there's a long way to go. But there are
some practical things that can be done today. And certainly, you know, by understanding,
whereas, whereas my data may be the biggest threat of being, you know, exposed, and what can I do
today, in absence of the standards, you know, and there are things that can be done. And there are
vendors out there that will potentially help you to sort of overcome those challenges as well.
Thank you, Ian. It's a lot of work to do. Keep us posted about the progress you're making at ATIS.
And I hope we'll have you back in future. I'm sorry, there was lots of questions for you today,
Ian, and to the viewers as well. I'm sorry, I didn't get to read out all of them. But clearly,
this is a topic we need to have you back and talking about again in future with us, Ian.
Thank you very much for joining us on today's show.
Welcome. Take care.
Well, that's all we have time for today. Tune in next Wednesday, September 27th,
when the interview will be with Divya Shridhar, former Senior Assurance Manager at BT,
former RA and Data Consultant at Tech Mahindra, now returning as an independent consultant
after taking a career break. Divya will tell us about how to succeed in a career
dedicated to extracting value from data and her own struggle with adversity.
The live broadcast will begin at 11 a.m. at U.S. East, 4 p.m. UK, 8.30 p.m. India.
We're full of facts on this show. So you may be surprised to learn that there are actually 40,
not 24, 40 time zones worldwide. So instead of waiting for me to read out your particular time
zone, save me the trouble by saving next week's live stream to your diary by clicking on the
appropriate link on our homepage, tv.commsrisk.com. Or whilst you're there, subscribe to our broadcast
schedule and have every live stream added to your diary automatically.
Thanks to my co-presenters today, Sarah Delphey and Lee Scargall. It's been a pleasure to have you
both on the show and to have such an engrossing conversation with you both.
Thanks to our production team, James Greenley and Matthew Carter. The show wouldn't be possible
without their hard work. You've been watching episode five of the second season,
You've been watching episode five of the second season of the Communications Risk Show,
and I've been your host, Eric Priezkalns. Recordings of all our shows can be found on
our dedicated show website, tv.commsrisk.com. Be sure to regularly visit our main site
at commsrisk.com. Stay informed about risks in the communications industry and take advantage of
the free resources of the Risk and Assurance Group, including the fraud and leakage catalogs
available for download from riskandassurancegroup.org. Thanks for watching. We'll see you next Wednesday.