Quantum computers are difficult to build today, but their radically different design means they can rapidly crack encryption codes that would defeat any other computer. Many encryption algorithms that currently protect the privacy of electronic comms and banking transactions will soon be rendered ineffective. Comms providers already need to be conscious of the risks of messages being intercepted today just so they can be decrypted and exploited in future. We discuss the timescales for the evolution of quantum computing and the enhanced security measures already needed to protect our way of life with Ian Deakin, Principal Technologist at the Alliance for Telecommunications Industry Solutions (ATIS).
Topical news items are also debated by the show’s presenters: Lee Scargall, a senior risk executive and consultant with considerable international experience; Eric Priezkalns, Editor of Commsrisk; and Sarah Delphey, formerly of Bandwidth and now VP of Trust Solutions at Numeracle.
Hi, my name is Eric Priezkalns and you're watching The Communications Risk Show. Every Wednesday we stream live so you can join a conversation about the risks faced by comms providers and their customers. Share your comments and questions during the show by typing into our real-time messaging system as found immediately beneath the stream on our website at tv.commsrisk.com. Messages are anonymous, so include your name if you want me to read it out. You can also watch this live stream at LinkedIn. A member of our team will forward any comments left over there. I'll read out as many of your observations as time allows. Now, later in the show, we'll be joined by Ian Deakin, Principal Technologist at the Alliance for Telecommunications Industry Solutions, ATIS. Ian will tell us about the risk of encrypted comms data being stolen so it can later be decrypted by quantum computers. But first, let's chat about recent events with my co-presenters, Sarah Delphey and Lee Scargall. Regular viewers will surely know Lee already. He's been my regular wingman since the very first pilot episode of this show. He's an executive and consultant that has managed the risks of comms providers in the Middle East, Europe, Caribbean, and Asia, and today he joins us from Bahrain. Sarah Delphey is joining us as a co-presenter for the first time, though she has previously appeared as an expert guest. Her expertise is very apparent to anyone who speaks to her for even the briefest time. Sarah was recruited by Identity Experts Numerical a year ago, where she serves as Vice President of Trust Solutions. Previously, she was Director of Abuse and Risk Operations at Bandwidth, and she joins us today from her home in North Carolina. Hello, Sarah. Hello, Lee. Great to have you on the show. But straight away, I want to pick your brains about a thorny, difficult topic that not many people want to talk about, but I think we do need to talk about because it's very relevant to all the work that we do. Big job cuts being made by telcos all around the world. Very recently, T-Mobile US cut 5,000 staff, that's about 7% of their workforce, after announcing they were going for an industry-leading growth in customers and profitability. Other announcements this year, 55,000 to go at BT over the next 10 years, 11,000 for Vodafone Group over the next three years, that's about 10% of their staff, 2,000 at Telecom Italia, 6,000 at Telus, the Canadian operator, 4,000 at their main business, 2,000 at the international subsidiary, 1,300 to go at Bell Canada Enterprises, 8,500 to go at Ericsson, 472 to go at Telstra, and Australia is a very unionized country, so 472 is a lot to lose. Even Nigeria's Association of Licensed Telecommunications Operators was willing that smaller Nigerian telcos will look to cut jobs to compensate for a fall in the country's currency, and AT&T, well, they shed so many staff over so many years, they've stopped announcing job cuts, though they did announce that their existing cost-cutting program would look to make another $2 billion worth of cuts over the next three years, and their HR chief, also to boot, will be leaving at the end of this month after presiding over the cutting of 74,130 staff, almost a third of their workforce, since the beginning of 2021. So my question to both of you, starting with you, Sarah, is it time for revenue assurance and data analytics teams to refocus on cost assurance and cost reduction before they also get the chop? Yeah, it's a good question, and those numbers are really impactful across the board. I think yes, I think yes is the answer, but I think they were already focused on those things. I think they were already focused on cutting costs as much as they should, and if they haven't done it already, for most people I know, it's because they don't have the resources or the capability or the dev work that needs to get done. So I think yes, they should keep focusing on what they're focusing on and make it clear that cost cutting in their department is a priority in those efforts, but I think at this point, it's unlikely that anything you do now is really going to have a major impact on the cuts that are happening today. I think a lot of that is larger business trends that are already in motion, and just from what we've seen in terms of who has been laid off, really doesn't seem like there's a lot of concern thought going into losing some of these really experienced professionals that are on the bedrock of all the intelligence that we've gathered as a community. Well, I have to say, Sarah, straight away you've been more pessimistic than I'm usually the top pessimist on the show, and I agree with you entirely. Maybe Lee is going to be a bit more optimistic. Lee, what can experienced professionals do, as Sarah say, to increase their chances of surviving this very tough job market? Well, Eric, I mean, what surprises me first is that we're the fifth episode in, and this is the first question about revenue assurance, but I like what you've done there, actually. You've linked revenue assurance to actually job losses. So, but anyway, look, from my experience, most RA teams have actually transitioned to something that we refer to as business assurance anyway. So, they do look at things like cost and margin assurance. What I find in particular, you know, is using technology like AI, right, and how we can use that to automate jobs, to free up the vital resources and then deploy them elsewhere. A lot of the work my team actually does these days is actually around cost assurance. I would say probably around about 25% of their day is spent on cost assurance, looking at that. So, yeah, I think they just have to refocus, but it's using these tools and technologies, which are coming on stream now, and how do you get the efficiencies from those? But is the transition happening quickly enough? I mean, business assurance is a pretty vague term. It can be used to cover a lot of different things. Are those teams looking at enough of the costs? Are they spending enough time dealing with costs? Well, like I said, about 25% of our time is actually looking at cost or even margin analysis. So, I think we are transitioning away from the traditional revenue assurance and more into what we term the business assurance aspect of it. I'm going to keep on poking away here, but I'll bring in Sarah to see if she's on my side on this one. Data analytics, use of data, there's a lot of costs in the telco, including capital costs as well as operating costs. Has there been a tendency for telecommunications operators to diffuse a set of responsibilities for who's looking at optimizing the capital side of investment? This includes things like not just massive mega projects where you're rolling out things like 5G, but it also includes things like leasing land because you have to have somewhere to put your base stations. Is this an area where there's been a lack of intelligence, joined up intelligence, you might say, about managing costs over the years? I think definitely. I think what we've seen a lot, what I've seen in different organizations, is kind of a post-COVID sprawl where to meet the needs of a COVID environment, a lot of telcos have expanded very rapidly. They've hired, they've done, they've brought on whole teams, products, et cetera, to deal with additional capacity needs. But when it comes down to it, a lot of that stuff was done very quickly and it's not managed very well across teams. So I lived in the fraud world. We were focused on fraud costs and risk management, just in general customer-based risks. And I didn't really interface that much with some of the other revenue assurance teams and the other operating cost teams and really looked at, I think a lot of that does get lost when you roll it up to executive leadership in terms of, okay, which priorities and which ones are easiest to understand? So when it comes to, I can buy this piece of land and I can create a new office, I understand as a chief executive what that means. I can invest in a new piece of fraud mitigation software or a new data analysis that might uncover some as yet undiscovered costs that I could then cut or fraud that I could then mitigate. That's difficult for me to understand and that's not concrete. And there's no asset that's associated with that, that I know I'll have regardless. So I feel like when those things get rolled up, a lot of our needs really just get lost. And I don't mean to be pessimistic, but- No, be pessimistic because I like pessimism. Yeah. It's refreshing. Everyone's too optimistic in this industry. What's the point of being optimistic and then people are losing their jobs? I'd rather have pessimism right now and people being clever and finding other ways to cut costs. And then maybe a few people save their jobs as a result. Then everyone stays optimistic and then boom, before they know it, they're suddenly out there asking, where am I going to get another job? Because if everyone's cutting jobs, of course, it's going to be harder to find an equivalent job. So we're being pessimistically, but I'll bring you in here to perhaps see if we can make you the optimist in our dialectic discussion here. As Sarah was pointing out, you can have a number of different teams, fraud teams, revenue assurance teams, teams working in different parts of finance. They're all essentially building upon the same delta, extracting the same data, analyzing it. There have been telcos with data science, data analytics teams that almost lend themselves out to different parts of the business like revenue assurance, like fraud to do work. Is there some value perhaps in going back and re-exploring that model so that it isn't the case that you've got people with data analytics skills spread around the business with different objectives, perhaps missing opportunities to take a more holistic view? And if that was a possibility, would you be the kind of guy grabbing that job, Lee? Yeah, for sure. I mean, it makes perfect sense that Eric, rather than having multiple kind of data sets, which is kind of managed and processed by different teams, have a centralized function, which kind of takes in the data, processes it, and then people kind of dip into that. That's nothing new. I think there's some telcos around there that have been doing that for a while. But yeah, I mean, I would say the majority of telcos are based on this kind of this fractured silo-based mentality still. So yes, I completely agree with you, Eric, on that score. There could be some value in bringing those all together. Yeah. And on an optimistic note, you'd get a bigger job, a more senior job, and that'd make you happy for a starter. Enough with the fun. I'm afraid I have to take a quick ad break here. I always enter an ad break with a quick gyber, Lee. He'll get me back in the next section. Apologies, Lee. Each episode, we share a new insight from one of our sponsors, Symmetry Solutions. Their prism fraud intelligence team provides us with an interesting fact of the week. And this week, it is the outcome of a new case study. A comms provider recently... contacted Symmetry after customers started complaining about some new games they had been offered over the phone. Without the data in the PRISM fraud database, it was not immediately apparent to the telco if the SMS messages sent by the games companies were legitimate or not. But when PRISM was used to analyze the traffic, a whopping 42% of the messages matched the PRISM repository of intelligence associated with SMS abuses. It soon became apparent that the companies behind these games were bogus entities set up by fraudsters. Their spam SMS messages were designed to lure unwary phone users into installing phony games that would leave victims vulnerable to theft. To learn more about how to protect your customers from crime, speak to the PRISM Fraud Intelligence Team at Symmetry. Their URL is symmetrysolutions.co.uk. Now let's continue talking about topical matters. Now, a few weeks ago, I was on a call with the CEO of a big carrier, and I was trying to persuade him to take an interest in enhancing fraud controls for voice and messaging. And he wasn't interested in discussing fraud reduction at all. He was very clear about the reasons why. Fraud reduction stops being so important if you already expect a product is in terminal decline. His voice and messaging revenues are in decline, so he was interested in generating revenues from new kinds of services, some of which would not be commonly associated with the historical role of telcos. And we've already discussed cost management and cost reduction. My question for you both now, my fellow panelists, and also for viewers, please do send in those questions. We're keen to read them out. We already had a few for our guest star, Ian, later on today, but the three of us, we know plenty about telcos too, so you can ask us questions as well. My question, starting with you, Lee, do the people working in fraud management do enough to show the benefit they add to the business? This one's always a difficult question to answer, or it's always difficult to kind of explain to executives what is the value of the fraud function, because really you want to try and keep those losses to a minimum, right? But the concept that I always sell to the executives is it's actually the cost of not having the fraud team that matters, right? Now, if you get hit with a big fraud, some of these can run into millions of dollars, and you really don't want to be having that conversation with your chief executive, right? So most telcos that I know, they only think about establishing a fraud function after they've suffered horrendous losses. And at that point, it's too late. In fact, the company that I'm with now, we actually had a fraud team several years ago. We got hit with a huge roaming fraud issue over one weekend, and that was the trigger point to go for a 24 by seven monitoring service. So I think it's only when you have these big hits, does it kind of drive that conversation, okay, we need to improve. But as I said, I think it's always very difficult to sell the benefits of a fraud team, but it's actually the cost of actually not having the fraud team that matters. Okay, Sarah, I'll bring you in here. Yeah, I agree with Lee 100%. I think a lot of times fraud mitigation gets invested in when there's a giant fraud event and it's done reactively, which creates a challenge for professionals in the business, right? If you're doing everything right, and you are mitigating fraud, there's an initial impact that can happen when you make a big change or you implement a team, but let's say you've had a successful program that's been going on for years and there hasn't been a major incident. It can become easy to believe that there's the sky is falling syndrome, right? We don't believe you anymore. We don't believe that there's so much that you're holding back against the company, and there's only so much you can do to demonstrate that, events that aren't occurring. So it becomes difficult, right? And I think a lot of us got into this business, not because we're passionate about cutting costs for large telecom operations. We got into this business because we care about stopping fraud and protecting consumers and businesses from being defrauded and stopping criminal activity, right? And so a lot of us don't have a background in, or training in how to really present a monetary model or argument for what they're doing in terms of risk prevention and risk management for a business. And so it's a challenge, right? But I think there's a lot more that we could do. And I think if we can articulate better as an industry, just what that value is and what's on the other side, and maybe the fact that we shouldn't be taken for granted, it would be to everyone's benefit. Okay, but let's be the pessimists. Let's just say that we're not respected. Let's just say, what can we do to bump up the amount of attention? You said something very important there. You referred to the fact that it's protecting customers as well as protecting the business. And forgive me, Lee, I'm gonna speak on behalf, but jump in if you disagree. I think this tendency to wait for a big hit to happen, that also encourages you to wait for a big hit to happen to your company, because you feel differently about whether your company's lost money versus whether your consumers have lost money. Has there been too much emphasis on protecting the company rather than its consumers? And is that now starting to bite us because our consumers will not be using services as much as they might've done because of the track record of failure when it comes to protecting them? Sarah. Oh, yes, absolutely. I 100% agree. And going back to your CEO earlier and thinking about voice and messaging services declining and the adoption of that system declining among consumers, 100%, I mean, it's the exact backwards way of thinking of it, right? We have created a problem, which is a lack of trust for consumers, for users of the telecommunications ecosystem. And then we've given up, right? We've said, oh, well, you don't trust it anymore. You're migrating. We should just move on and serve those other industries. No, absolutely not. We shouldn't give up on it. And this is where we do need to be thinking about our customers and our customer experience. That's what it is. And that's really what I think we need to pivot to as an industry is to talk about what it does to the customer's experience of our services if we allow them to be defrauded. And that's focused more on consumer business services, but even for those of us that serve wholesale, business outbound traffic, and we don't necessarily have a direct connection to the individual consumers that are using those services, nonetheless, our customers, our businesses, they are impacted on an inbound basis. And we as consumers can understand what that does and why our business customers' traffic isn't gonna be effective. It's not gonna be picked up. It's gonna be labeled as spam, scam, blocked. And we're not gonna make money, right? So it's also revenue preservation and traffic preservation to be thinking about how do we mitigate fraud? How do we create that trusted ecosystem so that we can continue to make money as a business and continue to thrive? Thanks, Sarah. Now, Lee, again, I'm gonna test you here. I'm sorry, Lee, but you've been in this industry for a long time. So you get the difficult questions as a result. From my experience, as far as I can judge, the American professionals like Sarah are actually a lot more acutely aware of the impact on customers and trying to protect customers from fraud than I've seen in telcos elsewhere in the world. Apologies to generalize, but nevertheless, that's my overall impression. Have we been falling into a trap, Lee? Well, I like to call the 3% trap. You bring up a percentage. You say, this is the amount you're losing. And by making it a percentage, again, it's the amount you're losing relative to the company's revenues, relative to what the company is making. When there's enormous amounts that your customers could be losing as a result of mistakes made by the company. And let me give an illustration. A SIM swap takes place. Well, you don't have a simple linear relationship between a SIM swap occurring and the amount the customer's going to lose. Because if the fraudsters conduct a SIM swap, but the customer's got good protection around their online accounts, or they don't have much money in their online accounts, well, they're not going to lose anything or lose much. Whereas of course, if they've got weak protection around a cryptocurrency account that has $20 million in it, $20 million is gone. Have we really been focusing too much on this simplistic percentage style argument when we should have been emphasizing that the reputation takes an enormous hit when you get these scare stories about everybody's in danger because of a SIM swap or other kinds of frauds that we might have done more to prevent? Yeah, I think it's more these days around, it's about having a duty of care to protect the customers. And I'm starting to see this in quite a few of the operators that I kind of consult for. I'll just give you an example around about duty of care. Now, my neighbor in the UK, she actually received a smishing message, right? And it appeared to be from her service provider, and it was actually requesting her to make bill payment. Right, that SMS record that, sorry, the SMS actually originated on their own network, right, it traversed through the network, it reached her handset. There, she was actually able to click on a link in that message, right? And it took her to an identical copy of her service provider's website. She entered in her card details and she was taken for 10,000 pounds, right? 10,000 pounds was just the max limit on the card. But if it was unlimited, could have been unlimited, right? So, that's just one particular example where the fraud, it was actually committed entirely on that operator's network. Now, as a service provider, they have a duty of care, right, to prevent that from happening, and they can, right? So there's things around what they could have done is better KYC, implementing SMS firewalls, content filtering, right, removing suspicious URLs in that message. So, when you look at that particular case, if you're not doing that as an operator for your customer, then as far as I'm concerned, you're negligent. Okay, a few comments come in here from viewers, one of them anonymous, I work in revenue assurance, but as I understand it, we're doing a lot to protect banks from fraud. Is there a possibility to turn this into a revenue generating opportunity? Another comment here from Henk van Hastre, hello Henk, always a pleasure to have you watching the show. He says, fraud only stops. when you stop it. So if there's a fraud going on, what would it cost the company if you did not stop it? Great point, Hank. Do you want to take that question, Lee, about whether there's a revenue opportunity, or is that not realistic because we should be keeping our own house in order without seeking to make money? Yeah, I mean, I'm not really sure of what role the revenue assurance team would be doing there. It's probably more on the fraud side. But actually, this came up in conversation today with some of the SMS product manager. So we were actually talking about looking around this, you know, guaranteeing the security of the SMS messages with particular banks in the country I'm in now. And obviously, we could probably look to monetize that in some particular way, if we can guarantee that those SMS messages came from a particular bank. But that means us kind of blocking and making sure no other smishing messages would come onto our network. So we've got a lot of work to do, but looking at that, but I think it's actually a valuable proposition, which we could do. However, I've never been an advocate of receiving OTPs over SMS anyway, right? So my recommendation would be banks shouldn't be even getting involved in this type of stuff. And I agree with you, Lee, but it's a good source of revenue for telco. I'll jump in on that one as well and say, you know, the last couple conferences that I've been to to talk about telecom fraud, the financial institutions are seeking us out because they have a big problem and it's starting to hurt them and their security professionals in a big way. I mean, just sip-knock last week here in the US and DC, we had two different major financial institutions that took it on their own initiative to attend and really talk about the impact to their customers. Within the last couple of years, we've had Zelle, the consumer-to-consumer money transfer service in the US. A lot of heads of banks were called before Congress to testify on that fraud that's happening. And a lot of it is being perpetrated over voice and SMS is really where a lot of that's starting. And there's pressure put on financial institutions to make their customers whole in those instances of fraud. And that creates a monetary incentive for them to do something about that fraud. So we've sort of outsourced the losses in a way to those financial institutions. And they are looking to us for solutions and they are clear that they will pay for solutions. Obviously, they don't want to pay anything more than they have to, but they want secure channels to ensure that the folks that are impersonating their businesses are prevented from doing so. And so I agree with Lee that if we can come up with a way to do secure identified communications end to end, so we know it's coming from your bank and we can prevent impersonation attempts. There's plenty of money to be made there, I think, from a product perspective, both from financial institutions who will pay for that protection, as well as other businesses and consumers who want to be assured that they're not being defrauded. So this leads me to a question I hadn't thought of before this show and what you've just said there, Sarah. When we talk about fraud management, fraud prevention, is this really now something that needs to be in some sense merged with identity management, knowing who your customer is, whether the lines between these two things, is there an interface? Should they be all in one? How should the relationship evolve over time between these goals, these objectives? Yeah, I think it's one and the same, right? I think that's how we align fraud mitigation with identity and trust as a product, right? I think consumers and businesses are so eager for secure channels of communication that they can exercise more control over. I'm so tired of receiving anonymous phone calls or if I'm expecting an important phone call, having to answer or interrupt things on the hopes that the person on the other end is the person that I actually want to talk to. We can do better and there's a lot of conversation going on right now about ways, the right way to do that, but it is possible. This is a solvable problem and the thing for folks to remember too is that, you know, we are currently the embedded channel. If we can solve for identity in voice and in text messaging, which is what folks use today, then one, they're going to use those services for longer and two, even if there is a future service, if we created an embedded system for identity and validation of end users, that's going to persist. That data will be used in any communication system moving forward. So it is both, you know, protecting and future-proofing. You know, and the interesting thing is that CEO was talking about at the top of this segment, he was talking about identity as one of the areas he was going to make money from in future. But Lee, to back this back to you and bring you in again here, of the majority of fraud management teams around the world working in telcos, are they ready for this intellectual leap that Sarah's asking them to make here in terms of connecting their work, which maybe historically has been look for anomalies in data, open up some kind of case in your case management tool, see what happened and react to it. Are they ready for this leap forward to, we know who our customer is, and we're going to ensure that we can validate, demonstrate who's making a call and stop frauds before they can happen? No, I think there's a big gap there, Eric, if I'm being honest. They're just not geared up for this right now. That's a huge step what you're talking about there. So how do we make the step? Sarah's being the optimistic one now. She can do it. She believes in it. She led her team in that direction. How can we do it in other teams too, Lee? Well, I think there's just going on what Sarah was saying that I agree with all of that. And I think just to pick up there is, I think there needs to be this kind of merger between, you know, digital identities, KYC, and then kind of exploiting. If you do that right, then it makes everything else a lot easier down the line, right? But we're not there yet, Eric. And this is my fear. I think there's a big opportunity here for somebody to come in to step into this space. I mean, that's for sure. Big opportunity for you, Lee, Director of Risk Management, Chief Risk Officer. This seems set up for someone like you to say, let's clean house and solve a lot of these problems at the same time by taking a joined up view where we actually know who's using the network. Well, just the interesting thing is we actually have like a digital solutions team, right, which actually sells these products to enterprise customers, right? So they can do their KYC on their customers where they have liveliness on the video, and they can do all that. But we kind of sell this stuff. But, you know, there's that saying, drinking your own champagne or eating your own dog food, right? We don't seem to be doing that in the industry. I hear you. I hear you. We're going to keep moving forward, because I know that our guest, when we bring him on, he may want to talk a little bit about these topics, too. We've got questions already coming in for him. So let's keep the show moving forward. But thank you both for that fascinating conversation about that topic. Now, it's time for another of our sponsored features. Every week, Geoffrey Ross of Call Authentication, Fraud Prevention and Geolocation Specialists, OneRoot, takes us on a tour of the world in our phone. This week, Geoffrey's taking us to Nicaragua. Roll VT. Hey, everyone. From OneRoot, I'm Geoffrey Ross, and this is The World in Your Phone. Hablemos de Nicaragua. Let's talk about Nicaragua. Known as the land of fire and water, Nicaragua is one of the most naturally blessed countries in the world, well known for its biodiversity, rich culture, and eventful history. But did you know that in June 2023, Nicaragua's legislative branch, the National Assembly, approved an overhaul of the country's telecom regulator, Telcor, with the aim of expanding regulatory power. It was stated that the reform is intended to provide clarity and explicitness in relation to Telcor's powers and attributions in terms of regulation, control of the sector, as well as the promotion of innovation and investments. Opponents, meanwhile, have suggested that the reforms will make it easier for the state to practice espionage and repression. We would be more interested to hear what your thoughts are on this. Some other interesting facts I found out about Nicaragua are that Nicaragua did not directly fight for its independence, but rather, it gained independence due to the Mexican Revolution from Spain. It is the second poorest country in Central America. However, it holds the lowest crime rate and is considered one of the safest countries in Central America to travel to. The only freshwater sharks in the world can be found in Lake Nicaragua, and for the stargazers in our audience, you can see 86 of the 88 constellations during a night in Nicaragua. Be sure to subscribe to OneRoute on YouTube, where you can catch up on the world in your phone, and watch the OneRoute Roundup, the show that spotlights individuals and companies making a positive difference in the telecom industry. One more fun fact I found out about Nicaragua, the streets have no names, and places are referred to in relation to landmarks. Eric, back to you and more of the Great Communications Risho. Cheers. Thanks, Jeffrey. Jeffrey's musings about various countries always makes me more mindful of what is common to all people and what sets us apart. So, if you've now got the U2 song, where the streets have no name, playing in your head, like I'm sure many of you do, then you may also be aware that they were writing about the denizens of Belfast, where you can tell somebody's wealth and religion based upon the name of the streets upon which they lived. But did you know that Bono's inspiration for that song occurred when he was walking around the nameless streets of Ethiopia? But now, let's introduce today's special guest, joining us live from his home in Ireland. Did you see what I did there? We have Ian Deacon. Ian Deacon is the Principal Technologist at the Alliance for Telecommunications Industry Solutions, ATIS. Welcome, Ian. Now, that title doesn't do justice to all your varied experience in the telecoms industry over the last 30 years. I won't try and do every single point on your CV. We'd be here for the next half hour if we did that, but you're the CEO and founder of Pervenio, which has grown a product business providing mobile device analytics for cellular networks, which was then later acquired by FinePoint Technologies. As CTO of FinePoint Technologies, you were provider of convergent fixed mobile device management. As head of technology and product innovation at iConnective, you took on that role when your business was acquired, when FinePoint was acquired. The CV is so complicated, like I can't even get it out, Ian. And of course, this is even before I mentioned the fact that you're responsible for GSM standards, including GPRS and UMTS billing standards, and you served as chairman of the 3GPP billing group whilst you were at Motorola. And once upon a time, you were a technology program manager at UK mobile operator CellNet, back when most people still weren't aware of what mobile phones were. Although it doesn't look it, looking at you today, Ian, no one would know you'd had such a long industry in the telecoms looking at you. Thank you for joining us today. You have a fascinating role. You have a fascinating role, Ian, you really do at ATIS, managing the innovation agenda, driving several initiatives to examine how emerging technologies and technology trends are causing disruption for the communications industry. One of those, the one we're going to focus on, though I know you could have talked just as long as anybody else could about the topics we've just been discussing between myself, Sarah and Lee. But one of the topics that's been your focus at ATIS recently is quantum computing. For the benefit of those viewers who are not so up to speed with quantum computing, can you help us out, Ian? What is quantum computing? And why does it pose a risk to communications? Yeah, I suppose I won't go into the detailed physics of it all, but it differs obviously from traditional computing. The ones that we're all used to uses ones and zeros and it's binary output. And the quantum computers use qubits, the equivalent of a bit, and they actually can represent one and zero in superposition states at the same time. Yeah, it's a bit of a head wreck, I know, so I won't go into it. But maybe it's easier to sort of think of it in the way that, you know, if I was to use a classical computer to crack ciphertext, and when we're talking about security and cryptography, you know, I keep trying different permutations of that by, you know, testing, you know, is it this key? Will this crack it? And, you know, for a normal computer to go through that, it could take thousands of years to do that. But the way that a quantum computer works is, you know, it can test all permutations simultaneously to determine if, you know, a particular answer will be able to crack the code. And it can do that in, you know, potentially a number of seconds. So you can see that, you know, things like current cryptography or security as it exists today, that, you know, could take, you know, computers and that's the basis of it is that it would take thousands of years to crack that. But you know, this new type of quantum computer can potentially crack it in just a matter of seconds. So that's the basis of it without going into the physics in heavy detail. But everything that we know today, primarily is built on two types of encryption, asymmetric cryptography, or PKI, as people know it, that uses RSA or elliptic curve algorithms, and symmetric key cryptography. So if we look at asymmetric encryption, using RSA as an example, is that, you know, that the basis of that is factorizing two large prime numbers. And, you know, as I say, classical computers to hack a 2048 bit RSA key could take, you know, hundreds of years. And there was a mathematician in 1994, Peter Shaw, and he came up with a theoretical quantum algorithm called Shaw's algorithm, of course, that could actually find the prime numbers of an integer, you know, using a quantum algorithm quite easily. So that could actually crack then, you know, RSA or elliptic curve, Diffie-Hellman key exchanges quite easily. Now that was all theoretical, of course. And when we look at the symmetric key encryption, again, another mathematician, Love Grover, in 1996, came up with an algorithm, a quantum algorithm, that refers to quantum search, which what that means is that you can search for in unstructured text. So this will be looking for maybe a key to find the how it will crack a ciphertext, optimally using a quantum computer. And the way it would do that is that it presents all the possible permutations, as I was explaining before, and it looks at the probability of the outcome. And it uses a way to amplify that output, so that you can see that in all probability, this is what the solution or the code that would crack that ciphertext would be. And you know, I might not get it right the first time, but you can replay it a number of times. And by doing that, you can, through a number of iterations, determine what the output of that is. So what we've got is a quantum computer that's in its infancy, you know, it's still being developed. And, you know, I can come back to that maybe in a while. But, you know, and a couple of key algorithms that have been developed by mathematicians that could be used to easily crack current cryptography, you know, asymmetric, asymmetric key cryptography. So that presents, you know, risks to all IT systems, but as it relates to communications, I suppose that, you know, it's SIM cards, you know, they use symmetric key encryption with VPN, DNSs, secure DNSs, routers, gateways, routing protocols, interconnect protocols, AAA protocols. And one subject we were just talking about, StairShake, and it's based on public key cryptography. So, you know, that's potentially a threat, you know, in the years to come. So hopefully, I don't know, does that give you kind of a flavor for what it is and what it can do? Well, I think you've scared the pants off everybody who didn't appreciate the risks before now, because what you're essentially saying is that, again, without going into the detail of how the quantum realm works, effectively, the mathematics of the quantum realm shortcut right through the basis, the basics of how we protect so many computerized services, so many of the remote communications that we have today, because they're all protected by this notion that it takes time, it takes time to work through very many possible options for how to determine the key to unlock those codes. So in theory, you could get lucky first time, but in reality, you're going to be spending decades, hundreds of years. And by that point in time, it's, you know, it's becomes irrelevant, you're not going to have a machine running for the extraordinary lengths of time. But because of this quantum superposition, the mathematics of the quantum realm, it makes your code transparent, almost straight away, because the mathematics has been worked out. We just don't at this moment in time, have the processing power to do this on a sensible, meaningful scale. But as soon as we make those breakthroughs on a technological level, we start making those qubits in enough of a kind of repetitive mass process, which will be expensive to begin with, and which maybe nation states will be focused on to begin with. But as soon as they exist, this concept of things taking hundreds of years to crack, like you say, it will be no time at all. And that means everything we've been relying upon, which often is public key infrastructure, falls away, falls away. So that's very scary. It's very scary, Ian. It's very obvious that there's a risk there. How much are we replying, depending too much on the fact that the qubits don't currently exist? How soon might those qubits exist? Yeah, well, I mean, that's a good point. Look, it's a developing technology, and we're only at the beginning of the maturity cycle of a quantum computer. There's a lot of vendors working on it today, and they're all promoting their roadmaps to have more and more qubits. There's other aspects that limit, I suppose, the usability of a quantum computer as well. There's what's called quantum gates or gates. They're the logics that allow you to create the I.O. that gets the information in and out of a quantum computer. And the noisier they are, and they're quite noisy at the moment, means more errors you get. So you have two dimensions, really. The amount of quantum gates and how, I suppose, how little noise there is created by them, and the number of qubits is going to help the dimensions of that. And it's going to be some time. And there's an organization called the Risk Institute. They produce this quantum threat timeline report each year, and the most recent publication of that surveyed 40 of the industry leaders that were looking at quantum science and technology and where we are in that kind of maturity cycle. And half of the respondents indicated that there was a high probability of the threat timeline being most likely in the next 15 years, within 15 years, I should say, not within, but within at about 15 years. So that's before 2030. So it's not too far away. But I mean, if we look at what that means, realistically, is there's two challenges. One is that I suppose that when we look back over time, when we move from SHA-1 to SHA-2, it took over 10 years to actually transition between those two algorithms, really. And that's a huge amount of time. So that was just one, I suppose, protocol, one algorithm, if you want to look at it, everything that we're going to be doing needs to change, really. And the other risk that's probably more at play, and I think you intimated on this, is that if you have the ability to harvest information that's encrypted today, and potentially by a nation state, that that information, you know, they could sit on that until they actually have a quantum computer that's actually able to crack that. And, you know, what does that mean, really, I suppose, is that, you know, that nation states have the ability to look at, you know, people's names don't change, you know, their addresses, telephone numbers, maybe, but certainly social security numbers. So what that means is that, you know, you could actually harvest the information now, and it's still be relevant in 15 years time when you could crack it and cause disruption. And that's just with individuals, you know, corporations might have strategic information, certainly governments are going to have strategic and quite sensitive information that might be, you know, of interest to, you know, a nation state. But, you know, if we look at kind of maybe where the investments are going currently in quantum computing worldwide, there's, I think, over the last year was 38 billion invested in development of quantum computing. 15 billion of that alone was invested by China. That's 40% of the total worldwide investment. Compare that with a billion in the EU, and I suppose 3.75 in the US, it's clear to see where the strategic value of this technology lies and how it can be used. And, you know, you could say that, you know, it's equivalent to a technological arms race that we're approaching and that the value of using this technology to potentially get ahead of the game and maybe cause disruption as well. Let me bring Lee in here on that specific point. Lee, I mean, I know that you have to look at the security perspective too when you're looking at the risks for Telco. Are you concerned that we're having here the equivalent of some kind of Cold War gap opening here, where powers like China will be far in advance of the Western powers when it comes to quantum computing and that a lot of the things that we rely upon in order to maintain, sustain these advanced economies, they'll be broken apart as a result of the potential risk that a foreign power can undermine or intercept or gather data from you as and when they choose? Yeah, I mean, it is an arms race at the end of the day. And it's the ones, you know, whoever has that technological advantage over the others, you know, obviously, it's a major advantage for them. I mean, China, I know they're using, or they've been trialing some kind of quantum communications as well. They seem to be leading in that space. But it's a, you know, it is scary. And if you look at the whole of the internet today, is what it what what is based on is that, you know, you could have people who can crack it and pull it apart. And are we underestimating this? Is there insufficient attention being paid to this issue in Western countries? I think those that know, know, right. And I think are obviously concerned by this. But I think the vast majority of people, I mean, if you were to ask your, you know, Joe public, you know, they cared about, you know, do they understand about quantum computing and the impact that's going to have on them and on the internet and, you know, using things like blockchain, NFTs, all this type of stuff? Yeah. Is that still going to work? Yeah. It's credit cards, isn't it? It's the basics of how we currently run our economy. We're moving towards a cashless economy, at the same time as the underlying infrastructure for the cashless economy could be rent asunder as a result of quantum computers, if they're in the wrong hands. Well, we do need time to transition and we do have time to transition. But you know, we need to start working now. And, you know, there's a lot of education of the industry to go on. People, as Lee says, that, you know, those that know, know, you know, risk managers know. But, you know, there's a lot is still done, you know, and that's part of my role in ATIS is really kind of educating the industry about what this is, what the threat is, how it might affect certain communications, certain services, and what needs to be done, you know, how you can approach this, you know, how you actually assess the risk, the threat, quantify it in terms of, you know, its value, you know, and how you actually go about it. But it starts really from, I suppose, standardization to a certain degree, and standardization of what is the new sort of cryptography that's going to replace that current cryptography that will make, you know, everything secure again. And NIST started running a competition actually in 2016. So a long time ago, they started looking at new algorithms that could actually be quantum secure or post-quantum cryptography, as it's called really today. And they started testing, you know, several, you know, tens of different algorithms. And over this rigorous testing over the number of years, some fell by the wayside because they didn't cut the mustard, so to speak. And over a long process, really kind of rigorous testing, you know, they've recently settled in the last round on a number of algorithms for standardization. And they're not standardized, there's draft reports actually issued just this year. And they view that they'll be actually published as standards next year, all being well, you know, that there's no compromises of those. There's, they're called Crystals Kyber, that's the public key encapsulation. And then there's Crystals Dilithium, Falcon, and Sphinx for digital signatures as well. So there's other algorithms still being looked at and being analyzed at the moment, and they might be standardized later. But at the moment, there are some algorithms being produced or standards for algorithms being produced. Big organizations are testing them, you know, the big cloud service providers have already done a lot of work to actually secure their own infrastructure using, you know, their versions of, you know, pre-standardization versions of this, these algorithms to make sure that their own infrastructure is secure and safe from harvest now, decrypt later. But again, let me jump in here. Let me, let me jump in here, Ian, because one thing that you brought up already is the timeframe, the timeframe for change. You're saying that we need to change now and forgive me, perhaps a pessimist listens in and they hear, well, that was, everyone's always saying we need to do things now because there's something in the future. For example, global warming, we've been hearing that we need to do something now about global warming, and then people can even become jaded because they've been hearing how often, how many years they've been hearing now. And it's a similar thing here where it's difficult to evaluate this. And I want to bring in Sarah on this point as well, because we were talking about, we had this vision, authentication, knowing who the person is. It's almost as if it sounds to me, and correct me if you think I'm wrong, because you're both in a better position to understand this than I am. It's almost as if on the one hand, we've got people working away and areas like authentication, and we're going to solve that problem. We're going to be better and better in that sphere. And yet meantime, Ian, you're telling me we need to now be working on the quantum problem. Is there not a threat that this wonderful work that's being done in authentication immediately gets ruined, gets pulled apart because it wasn't quantum proof? Am I misunderstanding something here? Is the work that's being done for authentication quantum proof, or has that been somehow, that's the thing that will be dealt with later? Sarah, Ian, what do we think? Well, I'll just jump in and say, you know, I'm closer to Joe Public on this particular topic, so I'll defer to Ian. But frankly, we have a lot of work to do on getting to a future of identity. It's a marriage of both getting qualified good information and then securely transmitting it. There's a lot that we could be doing today. We're really far off on the just the validating the identity in the first place. So my hope and my partnership with folks like Ian and Pierce Gorman on our team is, you know, let's work on this first part, at least even getting that information while we have others that are working on, you know, how do we, do we need to rethink the fundamentals behind the transmission for, that we're using for STIR-SHAKEN? What else do we need to do to ensure that that can be transmitted securely? Yeah, exactly. So look, I think the two coexist. One, as Sarah says, exactly like, you know, we need to start looking at kind of like, where are the gaps in the whole identity sort of ecosystem to ensure that, you know, when someone that places a call is who they are claiming to be, and the person that you're intending to actually talk to on the end of that phone is actually the person that you're actually speaking to, you know, that's maybe me talking to a bank or a bank talking to me, you know, we need to have this mutual authentication, not, you know, just a half way, sort of something in the middle, which is what we have at the moment, you know, and obviously, to secure that, it's always based on sort of cryptography, and we've got cryptography today, but we are, we'll have to transition that cryptography in the future. So, you know, there are sort of, there is a lot of work going on in how we can transition from, for example, like, you know, PKI, which Shaken is based on is, you know, how do we migrate from current RSA or elliptic curve in the case of Shaken cryptography to the future one, and the realistic sort of situation is that the two will have to coexist, you know, there's not going to be like the Y2K, so to speak, where, you know, someone clicks their fingers, and then everyone's post quantum crypto algorithms overnight, there's going to be kind of a transitional period whereby some people will have it, some people won't, some devices will never be able to be upgraded, because the hardware that they're actually working on could be an IoT device, you know, whatever it is, the encryption technology might be built within the hardware, so it can never be upgraded. So, it's basically, when you do your risk assessment of that, you actually say, well, actually, we have to wait until we end the life that and we need new hardware to sort of replace that. So, all of that is built into your risk assessment, but sticking with kind of the identity side of it is, you know, we need to sort of have this, I suppose, view of how we can secure the identity, obviously, it's going to be secured, ultimately, through encryption, and that's going to be by a crypto algorithm. And at some point, they will need to transition to a quantum resistant version of that, whichever is going to be the best algorithm for that piece of, let's say, our application, so to speak. But is there a risk here, Ian, again, sorry to put it in plain terms, but I'm a simple guy. And when I talk to people who are executives, or used to talk to people who are executives and board members, in some ways, they're even simpler, they need to keep it simple. So, is there, to some extent, a risk here, that the infrastructure being put in place in some countries to authenticate cars could be, if it's not quantum safe, if it can be hacked using quantum computers, this could be turned into the most devilish surveillance engine for foreign powers imaginable. Because it wasn't that long ago that Ed Snowden ran away from the USA, because he was pointing out how the NSA was gathering data, essentially signals intelligence, who is calling who. Except now, you're creating an infrastructure, which if it gets intercepted, cracked, is visible to a foreign power. Now, who is calling who is a foreign power knowing who is calling who within the United States, America, or other countries, gathering an enormous amount of intelligence. Am I hypothesizing some unrealistic threat, or is that a real danger? Well, I think that, first and foremost, is that who is calling who is not encrypted anyway. So, that's not encrypted, but that can be gleaned from the internet maybe today. But if you're saying, if that's inbound within a VPN, to make sure it is kind of, then obviously, using a quantum computer to crack the VPN, that that information is still not within, then yes, of course. But I think that maybe that I would imagine nation states are probably more interested in other information than who's calling who, I would imagine. Sorry. Okay. Fair point. Fair point. I'll read out some questions from the audience now for you. I'm just conscious that we've actually had quite a lot of questions, and we've not read them out. So, I'm not going to have time to read them all out, everybody who's watching. But I'll just read out a bunch, and I'll let you... If qubits and quantum computing existed in a meaningful way today, it would likely be under the control of nation-state actors, who would be very likely to keep that fact as secret as possible, as long as possible, not unlike the UK after they had hacked Germany's Enigma encryption machine during World War II. Which then leads me to sort of a sideline question. Well, does that mean that we could be massively underestimating how much we need to be hurrying towards a solution? Because if they have a quantum computer, we're not necessarily going to know about it. Randy Warshaw asks, are there commercial quantum-proof cryptographic schemes available for use today? If so, can you provide some examples and any reason why they wouldn't start to be used deployed today? And I'm going to throw a third question at you. I know it's too many, but I'll read them out again if you need some help, Ian. Jerry Christensen says, this is an interesting topic. Ian, will quantum computing destroy blockchain, among other things? So where would you like to start with all those questions, Ian? I want to do them in order. Well, I think Pierce is right. I mean, look, I would imagine that anybody that is developing a quantum computer at scale that has the capability to potentially crack cryptography and has intentions of using that for strategic advantage, I would certainly imagine that they're not going to actually publish it in the Daily Mirror, so to speak. They're not going to let other nation states know that they've got the upper hand. As we talked about before, I would imagine it's kind of strategically of high value. So I can't imagine that we'll know about it. The only companies that you probably will know about is the likes of IBM, Google, et cetera, that are obviously trying to sort of get an upper hand on marketing to say, we've got our new chipset and we can do it faster than the other guys. But certainly within a nation state, I doubt that you're going to find out until it's already happened. The second one, Randi, yes, there are publicly available companies developing post-quantum crypto. In fact, actually, artists are actually working on an open source post-quantum crypto stack. And we're using that with a lot of our members so that they can actually test on their platforms with IoT devices, containerized platforms or, you know, COTS. That's standard hardware on the shelf. And the idea is that behind that is that they can test this different cryptography on different platforms. We can publish the results of that so that people can see that how, I suppose, the effects of post-quantum crypto would operate in certain conditions. And I know this is a bit of a longer answer, but so, for example, you know, if we look at 5G and all the promise of what 5G should have been and we look at ultra-low latency communications and certainly moving forward to 6G, which I'm working on at the moment, is that even that latency gets even lower. But if you've got crypto algorithms that require significantly more processing power to make sure that they're secure, then, you know, what effect would that have on a remote operating on someone's brain? You know, you want it to be secure, but obviously you don't want to have latency in it. So, you know, these algorithms are going to have different sort of performance characteristics. And we're trying to sort of understand what that characteristic profile would be in certain operating conditions on a constrained device, you know, maybe on a mobile device, maybe on a server and maybe on a container and, you know, different types of applications so that we can build a picture of, you know, maybe going forward because it's unlikely that post-quantum cryptography is going to be standardized for 5G because the way the 3GPP works in their release cycle is that, you know, it's not going to hit one of those release cycles. So it's more likely that quantum secure algorithms are going to be part of 6G. So getting an understanding of that now. And there are many vendors and, you know, we've worked with a company from Castle Shield as one example. They're a small organization in North America, but they've actually been selling a lot of prepackaged post-quantum crypto for different applications like email, VPNs, et cetera, as well. So maybe that's a little shout out for them. Oh, the last one. Blockchain. Yeah, Armageddon. So, look, it's not an easy one to answer. And I saw Jerry posted that on LinkedIn. But I mean, certainly, look, it's built on asymmetric cryptography. So it will need to transition. And obviously, you know, blockchain in itself is its integrity is built around that you can actually quantify every transaction from the genesis block that was originally sort of there and everything tied back to that cryptographically. So, but blockchains have actually forked and, you know, for different reasons in the past, you know, not talking about anyone in particular, but they will need to transition. The challenge would be on these public blockchains like Bitcoin as an example. And if you ever watch Silicon Valley and your man sort of rummaging around the dumpster sites trying to find his PC with his key on it, his private key so he can find his billions, you know, these dormant accounts where people have probably lost their key that, you know, had a Bitcoin in it, you know, when they were only probably worth, you know, a few cents, you know, you know, like Bitcoin is worth $5,000 or something now at the moment that, you know, for someone to sort of reverse engineer that, there's great value to be gained from that. So, yeah, there's going to be people interested in trying to scoop up all of these dormant accounts. But unless someone's actually transacted on their account on Bitcoin's blockchain, their public key won't be published. So you've got that advantage if you didn't actually transact with your account that you haven't published your public key. So it's more difficult to sort of reverse engineer. But obviously, if you have transacted, then, you know, potentially there's loss there. So, yeah, it's going to be challenging for those guys to transition. I don't know how they're going to go about it. I don't have the answer, but I'm sure there's a lot of clever mathematicians working on that at the moment. Now, we've been talking a lot about very clever mathematics. And we've been talking a lot about things that are in the future. But you did mention, as you were talking, Ian, the risk, the threat that people will steal data today with the intention of decrypting it later, because that data may still be very valuable later on. So they may intercept communications, for example, sensitive communications, or they may gain information about financial transactions. Like, what practically, and so this is not about waiting for somebody else to have an algorithm, what practically do communications providers need to be doing today with that specific threat in mind? I suppose it's in exactly the same way as they do risk assessment today, but certainly doing quantum threat risk assessment. And again, we're working on kind of how to go about it. We're trying to educate the industry and executives specifically on how you go about quantum threat risk assessment. And it's actually the first and foremost is having an inventory of all of your cryptography, you know, having an inventory of all of how your data, where it's stored, how it's transmitted, and what it's secured by. And once you have that, then you can understand what is a risk, what's the potential threat of that being exposed, and then what you need to transition to, and how long it's going to take you to get to that. And that's all part of doing risk management and actually assessing it. So, you know, that's going to take people that understand it, it's going to, it's going to require budgets, because it's going to cost money, for sure. And it's going to take time. So, you know, all of that builds a risk profile. And part of that is called, I suppose, part of it is how flexible you are to that is a term called crypto agility, how agile is my systems to be to changing out a current crypto algorithm. And it might be that one of these algorithms that NIST has proposed does get hacked, that happens, you know, we've seen sort of different algorithms in the past being hacked. So it's, it's not about changing to a crypto algorithm, a new one, it's basically the potential that that could be hacked again, and how, how adaptable are we, how agile are we to then changing into something new again. So I think the new sort of, let's say, the new process that people need to get used to is how we become crypto agile, and how can we go down this path of being crypto agile, and it's going to take a whole new way of thinking, a whole new sort of set of people with different skills. So all those people that you talked about that was out of work, maybe they might find themselves if they're in this space. I want to bring Sarah in, I want to bring Sarah in, because we were chatting earlier, Sarah, and we were talking about how difficult it can be to persuade, when you're in the trenches, to persuade the executives to give the budget to hire the people. I mean, are we a little bit in a situation here where we can all agree emotionally with Ian, and intellectually with Ian, and yet it's quite hard to envisage? How would you make the argument? How would you go out there, actually get the resources, when the company is currently cutting costs, laying people off, how would you approach it, Sarah? A couple of different ways. One is, I say, Ian was talking about this agile approach to discovering new threats and reacting to them. I think that's a skill set that the risk management and fraud mitigation world has had for a long time, and those folks, I think, are primed to be able to have that mindset, the sort of threat detection and agility process. But separately, I'm practical. Frankly, I would imagine that the threat to the actual communications network itself and the sanctity thereof is going to take a lot more precedence for individual communications providers than it is somebody being able to crack surshaken tokens or other pieces. So I would rely on that, sort of the sanctity of the network itself and the opportunity and the capability of it potentially being compromised or accessed and having a data breach. And I would let those folks, InfoSec folks, take the weight and the brunt of making that argument and just try and be in that conversation to be able to reuse some of that focus, energy, and those resources to say, hey, also, while you're at it and looking at vendors, I would like to be in on that conversation to make sure that they can potentially help me with my applications. Absolutely. Right, thanks, Sarah. And Lee, I want to bring you in on this one here, because this is both for you and for Ian, perhaps our concluding question of the day. I love this concept of quantum agility, Ian. But if, say, you're the Chief Risk Officer, let's put Lee into those shoes, the shoes that he could easily fulfill for a telco, the kind of job he's been doing all around the world. How does a Chief Risk Officer measure the progress towards quantum agility? Is this something where ATIS can give some practical advice to a guy like Lee, or is it up to you, Lee, to work it out for yourself how you're measuring how quantum agile you are? That's something I've not even thought about, Eric. But listen, I'll tell you something about if you look at the way 5G and the 5G network is where you have, you know, it's predominantly, it's all cloud-based, you know, a lot of stuff in the cloud. You've got edge processing, data centers, this type of stuff. When you start to think about this and how quantum's going to impact that, right, then it becomes a, it's a massive risk. Ian, is there something you can do, though, to help in terms of practical steps and making progress and getting it on the agenda, in particular with bearing in mind this threat, stealing data now, decrypting it later, as well as the move towards becoming quantum agile, breaking it down? Because if it's too big, if it's too complicated, there'll be no progress made, is my fear. So what could an organization like ATIS do to help break it down, to help make it a more practical agenda for people like Lee? Yeah, so I suppose what we're looking at at the moment and what we're actually in the process of developing a report on is how you can quantify it exactly as you say, is that from an operational point of view, from a product technology point of view, and ultimately on how you interact with other people, you know, executive, sorry, vendors or interconnect providers, service providers, cloud service providers. So you need to, and it's crypto agile that we were talking about, is, you know, how, you know, quantum safe are you and how crypto agile are you so that, you know, I understand how my business is going to be impacted by the services that I'm interacting with Yvonne. And we need to have sort of quantifiable measures of that, you know, and define what those measures are so that like KPIs, you know, simple KPIs that we can actually quantify them so that when I talk to someone else is I can actually say, right, what are your quantifiable measures across A, B, C, D, E, and they're in this score range or a percentage, you know, that I know that as an example, you know, I know that, you know, 50% of my staff are trained in what the quantum threat is, and what to look for, you know, I know that, you know, and that maybe that's a quantifiable measure, as an just as an example, you know, how many of my vendors have told me that they have actually got, you know, a quantum threat program in place and are adopting quantum resistant algorithms. So these are all kind of measures that and they're only relevant if they're like for like, you know, everyone's talking apples and apples. So by being able to define them as a standards organization that, you know, we can actually say, look, these are the measures that need to be reported on that, you know, I can interact with other people. So that when I actually see this, and it's this result, I know how I measure it. And then I can build that into my risk assessment. So I know that, you know, and it could be that, you know, it makes decisions about who you do business with down the road. You know, obviously, you know, it's, you know, how, how advanced are there in their maturity cycle to be crypto agile and quantum resistant. So I think that's really what we're doing as an organization is that we can build these kind of, you know, standards frameworks that people then can actually interact. But obviously, in absence of that technology being built into the standards yet, you know, as I say, the algorithms are not being defined by NIST. And until that's happened, IETF can't build them into their protocols. And obviously, those IETF protocols are being used by 3GPP for the cellular infrastructure. So, you know, there's a long way to go. But there are some practical things that can be done today. And certainly, you know, by understanding, whereas, whereas my data may be the biggest threat of being, you know, exposed, and what can I do today, in absence of the standards, you know, and there are things that can be done. And there are vendors out there that will potentially help you to sort of overcome those challenges as well. Thank you, Ian. It's a lot of work to do. Keep us posted about the progress you're making at ATIS. And I hope we'll have you back in future. I'm sorry, there was lots of questions for you today, Ian, and to the viewers as well. I'm sorry, I didn't get to read out all of them. But clearly, this is a topic we need to have you back and talking about again in future with us, Ian. Thank you very much for joining us on today's show. Welcome. Take care. Well, that's all we have time for today. Tune in next Wednesday, September 27th, when the interview will be with Divya Shridhar, former Senior Assurance Manager at BT, former RA and Data Consultant at Tech Mahindra, now returning as an independent consultant after taking a career break. Divya will tell us about how to succeed in a career dedicated to extracting value from data and her own struggle with adversity. The live broadcast will begin at 11 a.m. at U.S. East, 4 p.m. UK, 8.30 p.m. India. We're full of facts on this show. So you may be surprised to learn that there are actually 40, not 24, 40 time zones worldwide. So instead of waiting for me to read out your particular time zone, save me the trouble by saving next week's live stream to your diary by clicking on the appropriate link on our homepage, tv.commsrisk.com. Or whilst you're there, subscribe to our broadcast schedule and have every live stream added to your diary automatically. Thanks to my co-presenters today, Sarah Delphey and Lee Scargall. It's been a pleasure to have you both on the show and to have such an engrossing conversation with you both. Thanks to our production team, James Greenley and Matthew Carter. The show wouldn't be possible without their hard work. You've been watching episode five of the second season, You've been watching episode five of the second season of the Communications Risk Show, and I've been your host, Eric Priezkalns. Recordings of all our shows can be found on our dedicated show website, tv.commsrisk.com. Be sure to regularly visit our main site at commsrisk.com. Stay informed about risks in the communications industry and take advantage of the free resources of the Risk and Assurance Group, including the fraud and leakage catalogs available for download from riskandassurancegroup.org. Thanks for watching. We'll see you next Wednesday.