Nation states have learned that they can disrupt, spy upon and threaten their rivals by infiltrating and subverting their communications networks. Such cyberattacks may be the prelude to a conventional military operation, as occurred when Russia invaded Ukraine. However, they typically occur as part of a more general strategy of gathering information and obtaining advantages that may be exploited later. There is a great deal of variety in cyberwarfare methods. On one end of the spectrum, North Korean hackers engage in the systematic theft of cryptocurrency which will be used to evade sanctions. This contrasts with the investments made by Russia and China in ships and weapons that could be used to cut submarine cables or disable satellites, and the competing investment being made by NATO to protect privately-owned communications infrastructure. Much of modern cyberwarfare is barely distinguishable from cybercrime, with freelance hackers being hired by nation states and given license to steal so long as they only target foreign governments, businesses and individuals. All of this places a greater burden on comms providers that would prefer to focus on competition within a free market than on a hidden form of warfare where the assailants are difficult to identify and almost never suffer any repercussions. Cybersecurity analyst Patrick Donegan helps us to navigate the threats posed by nation states.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hi, my name is Eric Priezkalns and this is the Communications Risk Show, the live streaming
conversation show produced by comms risk in collaboration with the Risk and Insurance
Group RAG. Every Wednesday we talk to risk experts from around the world of electronic
communications and we broadcast live so you can also join the conversation, submitting
your questions and observations as we go along. To ask a question, just type into the messaging
window immediately beneath the live stream on our dedicated website at
Messages are anonymous, so include your name if you want me to read it out. We also stream
live to LinkedIn. Feel free to leave comments on the LinkedIn page for this streaming event.
A member of our team will also forward them to me. We'll try to read out as many of your questions
and observations as time allows. Now, unless you've been living under a rock for the last
year, you already know Russia invaded Ukraine and professionals working in the comms industry
should also be aware that the invasion was prefaced by cyber attacks that tried to sow
panic and cripple the ability of the Ukrainians to respond. This wasn't the first time that Russian
forces have attacked networks and communication services outside their country and Russia is not
alone in pursuing these new methods of disrupting and destabilizing others. We'll be talking about
the threat to networks posed by nation state actors with Patrick Donegan of Hardin Stance,
one of our industry's leading researchers of the business of security. First though,
here's my co-presenters, Ed Finegold and Lee Skargil. Ed Finegold is 4,000 miles to my west
in Chicago. He's an author, an analyst, and a strategic advisor to tech and telecoms businesses.
Lee Skargil, he's 3,000 miles to the southeast of me in Bahrain. His career has seen him switching
between executive management and freelance consulting for a wide variety of communication
providers around the Middle East, Europe, Caribbean, and Asia. Good day to you both.
Straight into the topical stuff, guys. I'm really keen to have your opinions on this one.
Researchers who spoke at the Black Hat Asia Conference earlier this month warned that
they identified malware pre-installed in devices from 10 different vendors. So to be clear here,
this is before any customer gets their hands on this. This is not customer awareness or anything
like this. This is the phone arriving at the customer with already malware operating on it.
So Fyodor Yurochkin and Zhengzhu Dongwu estimated that millions of similar infected devices are
already in circulation, mostly cheaper Android phones that tend to be popular in Southeast Asian
and Eastern European markets. However, smartwatches and TVs also found contained malware, and some of
the bigger mobile phone brands still need to remain vigilant to make sure their supply chains
are not corrupted. The researchers didn't say where this malware is coming from, but they did
hint. They did hint by making observation as to where most of the world's original equipment
manufacturers are located on the map. And that is, of course, somewhere to the east of me,
several miles and more miles to the east. So Ed, first question for you. Is internationalism
breaking down because supply chains are being compromised in this manner?
That's a tough question, Eric. I mean, to make a statement, like, is it breaking down?
So I'm going to be soft a little bit and say, I think there is that risk, certainly, right? So
I'd like to think that the benefits of globalization, right, from a stability point
of view, like, have been pretty well recognized at a certain level. I'm not a political scientist,
but there's probably a discussion to be had there. Obviously, there's a lot of people that
make economic arguments about globalization, about groups being marginalized and all that.
And I think that's really worth looking at. I mean, the change that's occurred has happened
awfully fast economically. So now we get to this next phase of evolution or maturity and start to
look at it and say, OK, well, we've grown these big supply chains all over the world really fast.
Do you expect that there's a lot of really strong controls on all these things?
I don't. I never did. We've had discussions before about labeling and what have you.
And just having interacted with factories in China and trying to import devices that
you can't necessarily get in the US, even if you take the clandestine service espionage aspect out
of it, right, and just chalk it up to business and people making mistakes or being lazy or not
being thorough or trying to cut corners and passing off a certification of one device as
a certification for a group of devices, you know, those kinds of things that happens all the time.
So point being that like with all of those gaps in there, does it surprise me that someone could
come up with the idea of saying, hey, you know, here's an interesting heist. We can get an awful
lot of devices into a certain country, you know, by intercepting effectively, you know, at the point
of manufacturing. And, you know, the guy who lets you in the back door to go do it. I mean, I just
all that seems very plausible to me. Or I've just watched too many heist movies, you know, or both.
Are you not worried though? I mean, maybe it's a good thing, depending upon your point of view
on jobs and job creation. Is there not a possibility that we're going to see more insourcing,
especially in a country like America, where the anti-China rhetoric has been building up steadily
over time. And this is surely just going to add fuel to the fire. Why? Why is there such
dependence upon these manufacturers? As I say, the researchers didn't say China, but they were
hinting China. And in a country like America, the political tide is very clear. Don't want to be
relying upon Chinese suppliers if you can avoid it. So it's not an argument for good, high quality,
well-paid American jobs producing American equipment. And this being another reason to do
that. And the immediate response will be that it's expensive. So I agree with you that I think it
will probably snap back the other way. And it probably is already starting to. And certainly,
I think the requirements will probably show up from a security point of view. And Patrick can
probably inform us more about that, but how the paper requirements that you have to meet and how
you source things might change over time to catch up with these problems. I could certainly see that
happening. So no, I agree with you that, yeah, it's absolutely a problem. I guess just I'm saying
that none of it surprises me that we've arrived at this, but I definitely think that we need to
address it as, okay, yeah, so this is a problem. And you have to look at how technology is being
sourced down to the level of like, who's the guy in the door? Right?
Well, today we're going to talk about a lot of national strategy type stuff. But Lee,
before we kind of like look at the big national picture, is there anything actually a telco can
do about something like this? Is it something they should be worrying about? Is there any action they
can take in order to protect customers from this kind of problem with malware pre-installed on
handsets? Yeah, there should be concern, Derek, right? So I believe that operators, they actually
have a duty of care and they should be doing everything possible just to make sure that the
handsets are not getting compromised with malware. But here's an interesting thing, right? So in many
of the markets in Southeast Asia, the operators, they don't actually supply handsets, right? It's
not part of their core business. They just sell airtime and SIMs, right? So handsets,
they're generally bought from third-party street sellers. So the operators, they're not actually
involved in the supply chain. And so this is the important bit, right? And I think this only adds
to the problem, right? And malware gets loaded onto the handsets by someone somewhere because
there's nobody responsible for that end-to-end process. Could this be a potential win then for
the telcos? Say to the government, look, encourage people to buy direct from us, the telco, and we'll
take some responsibility for verifying the manufacturer. Could this be a revenue opportunity?
Absolutely, Eric. Now, where operators are involved in this, and there's plenty of things
they can do, they just need to make sure that the operating systems, the apps getting loaded on,
making sure that there's no malware being put onto them, right? And they also need to make
sure that the handsets, they don't get tampered with during storage and distribution, right?
It's not that hard if you put some kind of controls around that. But here's the last point.
Operators, they should be running DPI malware detection, right, to keep the customers safeguarded
from threats, right? Now, if you think about this for a moment, this could be a real differentiator
between themselves and the competitors, right, by adding malware detection as a service for them.
Brilliant point. Brilliant point. Got a great comment here from one of our viewers.
Kasra Farhadpur says, according to Snowden, the NSA was putting backdoors into Cisco network
equipment way back in the day. He agrees, we shouldn't be surprised by devices being compromised
at source. I think that's a great point. But now let's hear a message from our serious sponsors,
BlueGen. When thinking about performing test calls and other test events on networks,
it's worth considering the sheer variety of objectives that can be used to satisfy.
For example, you can run daily heartbeat tests to support network usage tracking,
to support rating assurance, or to cover network service updates.
You can understand how your network services are perceived by customers by conducting tests
that reflect the actions of real consumers, such as streaming music, watching Netflix,
or using Facebook. We can stop the various forms of bypass fraud that rely upon Synbox's refiling
or OTT bypass by originating calls on other networks and covering an expansive range of
global routes to see how they terminate on your network. The proliferation of VoIP services these
days means it's especially important to check if traffic is routed correctly and termination
fees are correctly levied. You can verify your outbound roamers are able to connect services
whilst away from home by performing tests that audit locations your customers travel to.
And you can arrange ad hoc tests of new projects, such as installation of new 5G network equipment
or eSIM services. By investing in the infrastructure and resources to create all sorts of
network events from lots of different locations, the world would not be cheap. That's why the smart
approach is to ask BlueGen to do it using their Test Anywhere crowd. Their automated equipment
includes the latest Android test devices deployed worldwide. BlueGen tests network services on
behalf of telcos, governments, and software companies. Their philosophy is that the best
way to be sure your networking systems are operating as they should is to recreate the full
experience of obtaining a service, whether that involves streaming a video, using a new device
with an eSIM, or simply checking that customers get all the services they should at a particular
location or a particular time of day. And the best part? Automated testing with BlueGen means
your staff are not required to perform laborious manual tests. So, whether you're focused on
launching new network services, assuring roaming costs, or validating interconnect routes, then
you should call upon the experts at BlueGen. The URL? Right, now I'm really keen
for the audience's input, so keep on firing your comments this way. And this one, I think a lot of
people should have an opinion on this one. The topic for both you, Lee, and Ed, job cuts.
Now, Vodafone has said that they are going to reduce their global workforce by 11,000
employees over the next three years. That's more than 10% of the 104,000 worldwide staff
figure they reported last year. Group chief executive Margarita Della Valle said her
priorities are customers, simplicity, and growth. We will simplify our organization,
cutting out complexity to regain our competitiveness. Meanwhile, BT has promised
to cut 55,000 jobs by the end of this decade, most of them in the UK. That's over 40% of the
current 130,000 staff and contractors they use. CEO Philip Janssen said generative AI
gives us confidence we can go even further with the job reductions. Lee, are telcos downsizing
globally? And just to put a bit of context around this, Etesla owns 14.6% of Vodafone
and has a seat on Vodafone's board. Meanwhile, Vodafone has been pursuing a tie-up with
Hutchinson 3G in the UK. And more globally, when we just look at the big picture, there's
lots of telco to plans to consolidate assets, seeking mergers, they're using tower codes to
bring assets together, all sorts of arrangements that are basically all pointing towards economies
of scale and reduction of duplication in the telecoms ecosystem. Or you could argue
reduction of competition, if you're that way inclined. So Lee, what is the global perspective
here? Is downsizing a global factor of life or is it occurring just in some places, not others?
Yeah, I mean, we've definitely seen consolidation in saturated markets. So that's where, you know,
some markets are going down from four operators down to three. The company I'm working for
actually at the moment is guilty of that we're going where we're number two, we're going around
buying up number three, just so we can get the premier position there. But there's lots of
tower sharing agreements going on in the Middle East. We had Helios Towers coming into Oman.
I've heard that a redo, they're looking to sell their towers as well. But globally, there are
reductions in workforce. I think at the start of the year, AT&T, they announced some job losses,
but not on the scale of what we saw at BT and Vodafone last week. But I think this is the
start of something that's going to ripple around the world. There's more and more telcos, they
start to implement AI, various things for things like managing networks, using AI to respond to
customer service requests, and also using AI to kind of simplify processes on the online digital
channel. So I think there's going to be this ripple effect, which is going to go around the world
for the next couple of years.
How worried should people be about AI's chances of impacting on their job? Is it going to mostly
affect customer services stuff? Is it going to affect people who are more in the roles like risk
and security that we tend to talk about?
I think it's going to be across the board. In particular, I mean, some of the main areas will
be around the networks, which I've already discussed, customer services, and also, I think,
on the online digital channels, I think they're going to be the areas which will be the main
focus, but don't rule anything out with AI, right, as we've seen. I mean, the job cuts at BT and
at Vodafone were pretty deep, right? And I'm sure that's just the start as well.
Yeah, I think it is just the start. Ed, let's bring you in on this one. Let's make sure we see
this from a balanced perspective. Should we be worried that downsizing means increased risk for
customers because there's fewer people working? Or given what was said by the Vodafone chief
executive, cutting out complexity, you know, in a way simplifying the organization, is there also
an opportunity here to fix some known issues and perhaps even slow the pace of change so you might
have less risk going forward? Is there any upside to this in terms of risk reduction?
I think there may be a few upsides for risk reduction. So, this is an easy one for people
to push back against, but slowing the pace of change from the breakneck pace it's at right now
is probably not a bad idea, and I think we're learning those lessons. And we've talked about
some of those hard lessons that have been learned on previous episodes. So, I think that's probably
one good thing. Just going back to what Lee was saying on the AI side, yeah, I find the downsizing
thing fascinating. So, there's obviously a tremendous amount of chatter right now because
of economics. And so, if you're watching Wall Street programming on a Bloomberg or something
like that, they're going to talk a lot about expectation of recession, and therefore you'll
have cuts. And so, to me, that's cyclical to some extent. So, right now, why are we hearing about
it? It's somewhat in vogue because of where we are, I think, in the economic cycle. The question
is, do those jobs come back? Or does AI start to replace more and more and more of them?
And if I were to bookend this on the other things I'm hearing out of that same audience,
you know, like the Wall Street side, it's a lot of messaging saying, look, the businesses that
master AI are going to increase their productivity 20, 30, you know, 40% crazy numbers like that,
and companies that don't just won't be able to compete. Now, I think that's a good thing.
Now, we've heard lots of tech hype. Everyone on this program, right? Everyone here has
learned lots of tech hype, so we all take over the grain of salt. That's fine. But if there's
any truth behind it, right, and we've seen some of the early returns on that, it's certainly worth
paying attention to. At the very least, though, it's worth paying attention to the pressure in
the market right now for that, right? There's a tremendous amount of pressure that's like,
you better buy AI or you're not going to be able to be seen to compete or be competitive
going forward by the Wall Street crowd, right? So, I just think there's a lot of these strange,
conflicting pressures happening right now. I think you're absolutely right. I think there's
going to be some dud AI that's being bought in the next few years because of hype, but at the
same time, I think this is a sea change. This is it. This is the big one. And when I reflect upon
this, I think about a statistic that always comes to mind is the United States of America,
in the year 1930, there was one quarter of a million people employed as phone operators.
So, this is a point in time when mostly women who were getting well-paid, high-quality jobs
for women at that time were sat in front of big boards, switchboards, literally plugging cables
into them or passing messages back up and down to make sure that all the calls connected because it
was done by human beings, not by machines. And so, you had an enormous ramping up of the
number of people working in that field. And then it peaked. And now the current number of statistics
in terms of the number of people who are normally employed as phone operators in the United States
of America, it's not even 10,000. By 1940, it had already been decimated. So, you've seen enormous
societal change in terms of a huge number of job opportunities for women who wouldn't otherwise
get them, increasing their economic power, getting them into the workplace. And by 10 years later,
there'd been devastation in the number of jobs available of that type. I think something similar
is happening here, but it's going to be very much the people who are the ones who are the customer
the customer facing roles where do you now need a human being to effectively be reading out script
when you've already so tightly programmed and limited your customer services staff to a script
that you've already given to read out? Why bother? Why not just have a machine reading it out? And,
of course, this could have repercussions, not just in the countries that are making the nominal
cutbacks where the operators are, but all those offshore jobs that have also been put into call
centers around the world. And then that could then have an enormous impact on things such as
stir-shaking and robocalling, because why do you have a problem? Because you've got a lot of calls
coming in from foreign countries and you can't tell the difference between a call center,
the Philippines working on behalf of a bank, and a bunch of shysters who are trying to rip off
people. So, in a way, having the technology might really reoriented our thinking about
international traffic in telecoms too, because will you have so much international traffic
if you're not having call centers with lots of traffic outside the country?
I could go on. Apologies if I have already, guys. Thank you for your patience. I'm now going to do
an advert. Onto our next feature, which is our Symmetry Fact of the Week, an interesting fact
from our friends at Symmetry Solutions. Now, I've mostly told you in previous weeks about the fraud
intelligence gutted by Symmetry's PRISM team, but did you know Symmetry also helped telcos
to tackle revenue leakages and reduce customer churn? For example, Symmetry's system for
personalized recommendation offers, PRO, gives telco customers advice on the best tariff for
them, as determined by automatically analyzing the customer's historic usage. Giving customers
good advice about tariffs is rapidly becoming one of the hottest topics in telecoms, especially
as regulators are placing increased pressure on telcos who keep customers on expensive tariffs
designed to recover the cost of a subsidized handset, only to leave the customer that tariff
after the contract has been completed and the phone has been paid off. Symmetry's PRO can
easily be embedded in the way your telco engages with existing customers. For example, one telco
sends their customers twelve and a half million end of contract notifications each year, with PRO
being used to tell each customer which of over 50 different tariffs might best suit their needs.
The same telco also notifies 28 million customers of the best tariff for them each year. Last year,
they used PRO to automatically switch the tariff of half a million customers when they'd finished
paying for their device. So using PRO to help customers onto the right tariff means fewer
complaints in the long run, so less money spent handling calls from unhappy customers.
It means less churn because customers were awarded for their loyalty and have confidence in you as a
provider, and it makes it far easier to comply with the increasing regulatory burdens being
placed on telcos in various countries. Learn more about PRO and the other products and services of
Symmetry Solutions at their website, As always, guys, there's just
never enough time to fit in all the topical chat, but we had to include this one because I think this
is going to be fascinating for both of you guys. If you've been watching the UK news, this is a big
story. I think Patrick's fascinated by this story too when we bring him on. TJ Fletcher, his picture
is up on the screen for viewers now, was given a 13-year, four-month prison sentence at Southwark
Crown Court in London last week. His crime? Well, it wasn't committing fraud, but he was enabling
others to commit fraud by running a service called iSpoof. iSpoof, much like many other VoIP
softphone-type communication services that charge customers for subscriptions that gives them
bundles of minutes for outbound voice traffic, but the difference was that this traffic was purposely
meant to spoof the phone numbers of banks, tax offices, and the like, and also to intercept
one-time passwords. But rather than listening to me explain it, here is the video advert that
was created by iSpoof to advertise themselves. Online producer James, roll VT.
and see it displayed on your dashboard. Send spoofed SMS messages and much more.
Our state-of-the-art system handles auto-calling with custom hold music and convincing call center
background sound. iSpoof has complete end-to-end encryption and no additional phones are needed.
iSpoof works on Android and iOS. Sign up for free, pay monthly via Bitcoin, and stay totally
anonymous. Start today. iSpoof, for the people who love spoofing.
Remarkable catchphrase, the people who love spoofing.
Well, it was a profitable business before it was shut down by law enforcement. They generated
revenues of about 80,000 pounds, about 100,000 US dollars per week from the 59,000 subscribers
they had at their peak, generating a total of 3 million pounds, or about 3.75 million dollars
in total, of which TJ Fletcher, the boss, he pocketed about 1.8 million pounds, or 2.2
million dollars. Now, contrast those figures with the estimate of the total amount lost to
the victims of fraud as a result of the iSpoof users tricking them. That was estimated to be
100 million pounds, about 125 million US dollars, and the trial judge said that estimate was
conservative. So, very lucrative business indeed, just enabling other people to commit fraud, not
actually committing the frauds themselves. Somebody got sent to prison here, Lee, and
169 users of iSpoof have now been arrested as well. Is this a game changer that will deter
criminals and wannabes who might otherwise watch these snazzy videos, join the Telegram channel,
and they'll be saying to themselves, I fancy committing some nice, easy crime here because
I don't need to leave my bedroom. There's no risk of being caught. Am I being over-optimistic
or might this actually start putting some fear in the minds of the criminals?
Well, I mean, finally, some good news, right? So, 13 years is quite a long time, right? But
he pocketed 2.2 million, and so that works out over 13 years, about 170k per year, right?
So, I hope really- How like you to be thinking about the revenues? You're probably
working out yourself there, thinking, how does that compare to my salary, eh, Lee?
Well, I'm just thinking, I hope the judge, yeah? I hope he makes it pay it all back first,
yeah? And then he's got to do his time, right? But no, look, it's good to see the law coming
down hard on these criminals. I hope it serves as a deterrent for anybody thinking about this,
thinking that they can get away with it. But as we both know, Eric, we've worked in this industry
for a while, right? So, as one bad guy gets jailed, it just leaves a gap for another bad guy to fill.
Oh, you see, that's the cynical point of view. I thought you were going to be upbeat because
you're going to say to yourself, now you can go out and buy that Lamborghini you've been wanting
because there's a dirt cheap one now available from the cops in the UK, this Lamborghini that
this guy's had confiscated. You're beyond that. I know you're going to buy that Lamborghini, Lee,
to add to your collection of cars. Ed, enough with the teasing of Lee there. The British legal
system. I'm going to beat my chest to say I'm proud of Britain this time, right? Okay. I'm
going to put you under pressure, Ed, because I'm going to say we've sent somebody to prison for 13
years for enabling phone scams. Britain, hey, well done. Is anybody in the US legal system going to
take any notice? Just today, big announcements, a big case, a well-known case that's been pursued
for a long period of time and it's going to be sued and there's going to be a big fat financial
penalty for $100 billion or whatever crazy amount which they won't confiscate. Are the Americans
going to fall for it again with yet another big fat phony baloney nominal financial penalty? But
people are doing effectively the same thing, profiting from the crime in the same way.
Or is somebody in the US are going to pay attention that it's time for us to start locking
people up? Yeah. I mean, I hope that the latter is true. And I think what the question makes me
come back with is actually a question, which is how do we educate the law enforcement community,
or even like the prosecutorial community to want to look at this and understand that there's
low hanging fruit here. And so what I mean by that, right, this is a really twisted way of
looking at it, but my understanding, and again, this is not my specific expertise, but my
understanding is we've talked about this twofold. One, there's an element of like prosecutors liking
to make their name on certain types of cases, right? How do you make this type of case,
those types of cases, and you'll get a lot more attention on it. The other is the education side.
We had talked about the MZ sniffers, like not being recognized for being like a weapon in the
cyber war. The cop thinking it was a bomb and the only reason they stumbled over it. So again,
a need for education there. So what can we do, right? And by we, I mean, me, you, Lee,
folks in the community that we're speaking to right here, what can we do to engage
the law enforcement community better, right? To talk about these emerging issues that we talk
about and educate them on, hey, like there's a way to go after these people and put a stop to it.
And here's some examples that we can highlight of how it's done. And we've had conversations again
with folks like Tom Walker about these kinds of things, too, of other examples. Let's get more of
those examples out there. Like that's something I'm excited about. And honestly, I'll say it right
now. There's people in the community that want to reach out and have those relationships with law
enforcement, have things they'd like to communicate. I'm open to having that discussion with folks. I
mean, I think that's something we can actually do and bring some value. And I think that's the only
way you actually move the needle on it. Yeah. I think that's very true. When I think about
conversations, I think for me, this is a game changer for one very important reason. And when
I think about those conversations that I've been sat in between people in law enforcement and
people on the other side working for the telcos for the communications providers, it's very natural
for the people who work for the telcos for communications providers to say to themselves,
I could spend a lot of time here helping the police. Are they actually going to do anything
as a result? Because in the end, they're working for a privately owned company. They've got a boss
who's on their back. They've got to show results. You don't want to spend all day every day dealing
with the police if the police are not acting on the information you give them. So this could be
a game changer, because if it's sending the signal, we will act, we will actually follow
through with a prosecution and take the criminal out of the equation. Because the cynicism comes
from, yes, you find them. But you know that they're going to come back again and again and
again, because you haven't taken them out of circulation. Now, we could get very cynical and
say criminals run enterprises from inside prison, but surely you're making it harder for the criminal
if you actually lock him up, instead of just this ridiculous roundabout process of what we've seen
in the USA, the same people being prosecuted more than once for the same crime, or being sued,
I should say, to be precise, for the same crime, for the same civil infraction. And it makes no
difference. They just come back and do the same thing again. And I think this is the point. If
there's something that the telcos gain by assisting, they've got it, and it's in their
own interest, because probably a very high proportion of the problems that they deal with
is just a relatively small number of very, very intense serial crooks, like this guy,
who was like a conduit for the enormous number of calls that was ripping off a lot of people.
Anyway, you've let me have the last word again. I'm getting cheeky here, because I'm going to
have to like, once again, sorry, guys. Well, I'll let you have more chance to chat when we
bring Patrick on in a moment. Before we bring on Patrick, here's another of our regularly
weekly features. I'm not going to speak for the next two minutes, because this next two minutes
will be Jeffrey Ross of Coal Authentication Fraud Prevention and Geolocation Specialists
OneRoute. He always takes us on a trip around the world via our phone, and this week his destination
is the lovely Isle of Barbados. Producer James, roll VT. Hey everyone from OneRoute, I'm Jeffrey
Ross, and this is the world in your phone. Let's talk about Barbados. If you like beautiful beaches,
amazing food, and sun-drenched days, then the island of Barbados should definitely be on your
travel bucket list. And even more so now that the country of Barbados is trying to attract digital
nomads to move to the country while continuing to work remotely. It's doing this by investing in its
infrastructure, along with adopting a new national ID, which works on mobile phones. Now Barbados
isn't the only country to look into this, as you have Ethiopia, Nigeria, United Arab Emirates,
amongst many other countries that are all looking into digital IDs or national IDs,
all working on your phone. It'll be interesting to see how this impacts the telecom industry
going forward. One thing I found interesting about Barbados, it's the 13th smallest country
in the world. It's the furthest eastern country in the Caribbean, and its original name was
Los Barbados, which means the bearded one. Due to the fig trees and the long vines
hanging from them looking like beards. Barbados, the birthplace of rum. With over 1,500 rum
shops and a multitude of distilleries, Barbados has been churning out rum since the early 1700s.
It's also known as the land of the flying fish and has a long, rich history with pirates.
Be sure to tune in and subscribe to One Route on our YouTube channel, where you can catch up
more countries' spotlights and watch the One Route Roundup, where we spotlight individuals
and companies making a positive difference in the telecom industry. One last fun fact that most
people in the pop culture arena know, megastar Rihanna, originally from Barbados and is known
to frequently travel back to her home country. Now Eric, back to you and more of this awesome
communications risk show. Cheers. Thanks, Jeffrey. We do our best on this show,
though none of us are quite as glamorous as Rihanna. However, today's guest is an international
superstar in his field of expertise. He's one of the most widely respected and widely read analysts
covering the business of security for technology and telecoms firms. It's Patrick Donegan of
Harlandstance. Hi, Patrick. Thanks for coming on the show today. Glad to have you here.
All right. Lovely to be here. Thanks for having me.
It's an old pleasure to have an expert with you. We know that you've got a huge audience
worldwide for all your online events. Another one coming up in a couple of weeks time. Hopefully,
you'll mention that before we finish today's show. But straight into the meat of the main theme for
today. Yeah. Are nation states more willing to engage in offensive operations against foreign
networks than they were before? And if so, why is that? Yeah, I don't think there's any doubt that
the indicators are all going upwards in terms of the volume of incidents, the audacity and scale
of some of the impacts. If you look at things like SolarWinds and the hafnium attacks, the impacts
there are pretty mind boggling. If you look at colonial pipeline, pretty mind boggling impacts.
I think where the telecom sector is concerned, it's a little different, certainly in terms of
the sort of denial of service attacks on the telecom sector. They continue crashing in at
a fairly high velocity. In terms of actual data breaches of the telecom network, and I'm
distinguishing that from the telcos office IT where telcos have suffered a number of high
profile breaches in recent years. In terms of the telecom infrastructure itself, there I think the
telcos are doing a pretty decent job. You know, the breaches that reach the public domain are
fairly rare. Let's be honest. A couple of riders to that, obviously, there are breaches, no doubt,
that telcos are aware of that they haven't publicly disclosed. And there are also no doubt
breaches that telcos have suffered, which they're not even aware of. So I think, you know, that's
sort of at a 50,000 foot level. That's the landscape. But maybe another point would be that
in terms of planning your sub-security posture for the next five to 10 years,
you don't necessarily just want to be driven by what you've seen over the last 24 months.
You want to be looking out further at what the landscape could bring going forward as well.
So I will ask a difficult question here, Patrick, but it has to be asked. It has to be asked.
Cynics will state that every nation attacks every other nation. So let's not debate if anybody's
completely innocent or whatever, because that's pointless. But if I asked you to evaluate which
nations are most actively engaged in using cyber attacks on comms providers to harm others,
which nations would you put top of the list? Well, so you raise a really important question,
because the language that, you know, the four of us are used to using, used to reading,
is the language of nation state cyber threat actors, nation state threats coming from the
China's, the Russia's, the Iran's, the North Korea's. And I have no problem with describing
them as nation state cyber threat actors, no problem at all. However, and I think that,
you know, this is to your point, the idea that the US, the UK, Israel, Holland, Germany, France,
the idea that those countries don't conduct offensive cyber operations, to your point,
it is absolutely for the birds. So I think we have a we do actually have a fundamental problem
in cybersecurity in terms of the language that we use, because the language of nation state cyber
threat is applied to that to those four and one or two others. But it doesn't materially reflect,
you know, the reality of the situation, which to your point is that everybody's doing it. So,
you know, why, why do we have this imbalance of language, I think, in part, it's because people,
you know, don't want to use language that's different, because then they're misaligned
with all their colleagues in the industry. So we have to use the same language in one form or
another, you know, could it be that we don't actually want to acknowledge our own culpability
here in the UK, the US, could it be that we don't want to acknowledge we want to acknowledge
culpability, but we don't want to acknowledge equivalence. And I think there is there is that
fundamental issue there, with the way that we label different countries, the way that we label
behaviors. So with that, given that I have what is a bias, and I would suggest it probably a similar
bias to the ones that you had, in terms of, you know, who I label as the major nation state cyber
threat, as they are absolutely, you know, Russia, China, Iran, North Korea, that they are the big
four, they are the ones causing the biggest problems to the biggest number of individuals
and countries and states around the world. I defend myself a little bit here, because I
thank you for that. Thank you, China, Iran, North Korea, and Russia, I think were the four you said,
yeah, I agree with you. But I would also say here that, look, we're going to bash on this show,
countries that behave like that and do the things that they do. But we also bash the security
services in the UK, the USA, other countries to when they overstepped the mark, and they infringe
on primacy. The difference, of course, is that we can speak freely about those situations when we
learn about them. Whereas the inhabitants of Iran, for example, when they're being spied upon by
the Iranian security services via their phone, they're not in a position to speak out, they're
not going to be doing a web stream, like we're doing a web stream on this topic. So I think I
would say to myself, that's, I think, where the distinction lies is, in the end, when a guy like,
say, Tom Tugginhat, who's been on the news just today talking about how he doesn't like this,
that and the other, with meta encrypting the communications, because it's going to interfere
with police being able to protect people from protect people from protect children from harm.
Well, like I understand the point, but I actually rather not have Tom Tugginhat looking in all my
messages. And I live in a country where I'm free to say that, whereas if I was transposed to some
other country, I wouldn't have the freedom. And I'll be talking my hat to Tom Tugginhat and doing
whatever he tells me to do. Anyway, enough about Tom Tugginhat. Are there any particular kinds
of offensive cyber operations that stand out in your mind, Patrick, because they're especially
representative of the kinds of threats that comms providers will be vulnerable to, unless there's
either a significant ramping up of security or a change in how we conduct business?
Just to answer your previous question, I think we were actually saying a similar thing. I framed it
in terms of culpability and equivalence. And I think your answer was quite similar in terms of
that sort of recognizing that we're on the same scale, but there are differences within that
scale. I think to your next question, I think, regrettably, I think there are far too many to
choose from in terms of those emerging vulnerabilities or those greatest vulnerabilities
for telcos. I think one, perhaps surprisingly, although it wouldn't be surprising if you follow
this space a lot, is actually the telcos office IT. This is where they're being dinged on a very
regular basis. If you look at, I think T-Mobile has, I think they've just chalked up hack number
seven over in the US. I think it is seven in the last five or so years. Every one of those hacks
has been on their office IT and not on their telecom infrastructure. So, there have been
successful nation state. China, for example, was behind what was called operation soft sell three
or so years ago, which successfully exfiltrated call detail records CDRs from a number of telcos
throughout, I think it was in the EMEA somewhere. And that was a result of an
external facing web server, nothing to do with the telecom infrastructure itself.
So, I think that the office IT telcos really have to do a better job there.
The second one I think I would point to is supply chain security. And by that, I don't
mean just the simple, easy, low hanging fruit of not allowing an untrusted vendor in your
network, like the high profile Huawei stuff. What I'm referring to there is the tremendous
excitement we have about supply chain automation, cloud native operations, launching new
applications at the speed of very, very rapidly updating applications very, very rapidly.
We get excited at the opportunity that automation presents to do that faster, the security
opportunity that automation presents to eliminate human error. But at the same time, if the
security isn't done effectively in the development domain, in the DevOps domain, then all you
need is a little bit of rogue software gets into whether that's planted by a nation state or
someone else. You get a little bit of rogue software gets rolled out automatically
throughout the network. So, I think that's another area of supply chain security.
The last one I would point to is one which we only really learned about a few months ago.
And these are called the SNDL attacks, store now decrypt later attacks. And what these
consist of is, for example, if you take a mobile network, it basically consists of basically
recording illegally, unlawfully recording telecom traffic, let's say that from a cell
site in a mobile network, and you record that traffic today. Now, at this point in time,
if you manage to record that traffic today, it's of no use to you, because you can't break
the encryption. The encryption algorithm, there's a 4G, 5G encryption algorithms are
terrific, they're not going to be directly broken. So what use is it? Well, you store
that now, and you decrypt it in however many years time, six, seven years time, when you've
got a quantum computer that is powerful enough to then decrypt that traffic seven years on,
to which you then ask the question, well, does anybody care about, you know, what was
recorded seven years ago? Well, yes, if it's nuclear scientists, if it's one prime
minister to another prime minister's conversations, or whatever it might be. So I think the
the SNBL attacks are very important one and what they what they drive or what they should
drive is increased investment in quantum safe encryption into telecom networks much sooner
than people and people think is required for the reason of those store now decrypt later
attacks. There are other threat vectors as well that I won't go into now. But I think
that's, that's a flavour of some of the areas of emphasis that I think telcos can can usually
be putting on.
It's just never ending, isn't it? I want to bring you in here, Ed, on this point, we've
seen stories, for example, Twitter, Elon Musk talking about employees being planted by
governments. And we've had similar situation with Zoom having an employee that was
basically working for the Chinese state. Is there a point here as well, when we talk
about say, the IT environment for the office, the business that runs the telecoms is the
extent to we should be also be looking at the vulnerability created by insufficient
vetting of who's working for telcos, and the extent to which they could be working as
agents for foreign governments,
or, or agents, as you know, for people online that are willing to pay the money to bribe
them to do SIM swaps, or any of those kinds of things, right, the, the threat actors out
there willing to compensate people or collaborate with people, right, come from all sorts
of walks of life, unfortunately, as we have learned, but yeah, I think, you know, you
know that like the insider fraud is kind of a pet topic of mine.
Vetting, definitely interesting. And you and I have had conversations with, you know, a
friend of mine who I hope to have on the show who formerly ran, you know, personnel
security for the Department of Defense, and has talked a lot about the importance of
continuous vetting, right, so it's not just vetting the person when they come in, but
continuously vetting them, because what happens is that people's life situations change,
and that's when they tend to become vulnerable to things like bribes, or extortion, or
other forms of exploitation, right, so that's not a practice I think that's very common
in the telecom industry, and I think with what we're talking about, and like what
Patrick was talking about in terms of like vetting down your whole supply chain, and
what we spoke about earlier with like who's on the door in your factory that's going
to let the heist in, right, like it actually goes down to that level to a certain degree,
where I think every one of those people, right, let's not just bet on the tech, right,
it's always the people process technology triangle, and the people one here is absolutely
crucial, all the way down to the lowest level.
Absolutely, and we're going to bring your colleague in for season two, which of course
starts August 23rd, so we're looking forward to that, so we just need to arrange the date
for that one.
Lee, let's bring you in here, I just want to reflect upon the fact that over the years
I've had some conversations with people, it's almost a kind of reflexive sense that
when it comes to risk, it's always a risk to outsource things, because we're no longer
in control of the thing, because some of the companies do everything, I always thought
it was a great counter argument, like if you outsource something, you can always sue
somebody else when they screw up, whereas actually, do you have any control of what's
going on inside your own business?
Do you actually control the thing?
Just because somebody works for you, just because someone's a nominal employee, or you
employ the systems, or you purchase the systems, doesn't mean you've got any more control
than you would do if you were relying upon an external supplier.
What's the way we should be thinking here in terms of, say, supply chain threats?
Should we be looking to take more in to the country, take more control of the supply
chain, or is it a case of we want to just audit and be more thorough in determining
who is supplying what to us?
Yeah, interesting question that one, Eric.
I think, I mean, if you want to outsource something, you're effectively transferring
the risk, right, to somebody else, although not necessarily does that mean you're actually,
you know, you'll get offloading that risk to somebody else, you are still kind of responsible
for that risk, because it could come back to you.
I think you have to evaluate the things that you feel comfortable with, and if you feel
comfortable about outsourcing something, and you understand all the risks about something,
then that would be okay, in my opinion.
I would never say or recommend to anybody to outsource something that they don't understand,
right, because if you don't understand something, you don't understand the risks, and therefore
that leaves you open to some kind of potential disaster, potentially, you know, depending
on what it is.
So I think, you know, to answer that question, should we be doing more, should we be doing
less, I think you just have to take a measured approach, work out what you think you understand,
and then evaluate it on a risk basis if you want to outsource it or not.
So no particular trend then in say, maybe shortening of supply chains in the future,
because it will be different strokes for different folks as far as businesses go?
I mean, potentially, yes.
I mean, for me, I'd like to, I can't make a decision one way or the other on this one.
I think the jury's still out on this.
Okay, good answer, fair answer.
Thank you for that.
Now, Patrick, this is an important topic, difficult to summarise, but I'll throw it
at you anyway.
How easy is it to tell the difference between an attack from cyber soldiers, for ones with
a better label, who work directly for the military or some foreign agency, and those
are cyber attacks that come from organised criminals who are not actually working for
a nation state at all?
How can you distinguish between the two?
Is it possible to distinguish between the two?
It's been hard going back years, and it is getting harder and harder, in part because
of the, you know, the deteriorating relationships between adversarial states.
You have situations where you have hackers who are employed by a nation state, but then
they're also moonlighting for the private sector, private criminal gangs in the evenings.
You have, routinely now, you have nation state threat actors who are actively outsourcing
aspects of their campaigns to private threat actors that, you know, the cyber threat ecosystem
is a very mature ecosystem, as a lot of the capabilities offered as a service, software
as a service, attacks as a service, help desks and all the rest of it, it's a very mature
ecosystem, and nation state threat groups are active in those ecosystems.
So, of course, that, you know, that blurs things, you even have a situation in Ukraine
where the government is sort of coordinating a volunteer white hacker army to carry out
cyber attacks on Russia, and vice versa, by the way, you have Russians saying the same
to Ukraine very much.
And obviously, this is self-evidently dangerous, because people, citizens have an expectation
of their governments, that if other governments, other nation states inflict harm on them,
then they expect that their own government will carry out proportionate responses, proportionate
reprisals against those nation states, whatever those reprisals might be, trade or diplomatic
trade or diplomatic or other. So when it becomes harder and harder to identify what's going
on, it becomes increasingly dangerous. I think, I guess my one reflection would be that I've
been, you know, reading about this phenomenon of escalating risk and attribution becoming
increasingly complex. I've been reading about this for many years and witnessing it for
many years. But mercifully, I think it's probably fair to say that there has, even
though some of the attacks have had increasing impact, even though attribution is getting
harder, I don't know that we've seen much in the way of actual escalation between states
driven by that. So I think that's something to be mercifully, to be grateful for, although
how long that will hold, who knows.
And now I want to ask you about, and man, I know that's been on your show in the past,
all your online events in the past, and you've spoken to a number of times over the years,
Ed Amoroso, the use of responsible for security at AT&T. He was very, very damning when Joe Biden,
when he became President of the USA and indicated he'd be willing to be offensive in the cyber
realm as a way of striking back against any attacks on the USA. And I thought Joe Biden
was completely correct to say that because even if you're not going to do it, you have
to have the deterrence effect. You can't just say we're solely going to sit back and defend
ourselves whilst another side is continuously attacking you. Who's right? Am I right? Or
is Ed Amoroso right?
I don't know. It depends what you mean. I mean, it depends what you mean by offensive.
I mean, Stuxnet was an offensive operation, I would argue, and it was carried out by Western
countries of one sort or another against Iran's nuclear system. I guess it also depends what you
mean by offensive cyber operations in a way, because certainly from a, I don't know precisely
how what Ed was criticizing in Biden's response. But for example, what's noticeable, I think you
alluded to it earlier in terms of the sentencing, handing down in the UK, what I've seen in the
cyber context, you were talking about fraud, but in the cyber context, there's a clear trend over
the last 12 months of law enforcement in Western countries collaborating closely and going in very,
very much harder to disrupt not just to, you know, try and arrest and bring to account cyber
criminals, but actually to disrupt their operations. So I think there was a there was a
recent instance in the last couple of weeks of a Russian advanced persistent threat, a Russian APT
called Snake, which has been around for years, stealthy malware that caused a great deal of
damage. And actually, Western countries, cyber teams went in and actually actually disrupted
the malware and the infrastructure around it to the point where they kind of rendered it as I
understand it benign and not terribly usable anymore. So I would think of that as a fairly
offensive cyber operation. Would Ed say that was a bad thing to do? I doubt it. So yeah, in the
absence of a particular, you know, in terms of the detail of what Ed was going after, I don't know.
Okay, good answer, diplomatic answer. Oh, so the correct answer is I'm right and Ed's wrong,
but we'll skip past that. Now, during the original Cold War, let's go back to being serious and about
the and continuing the theme here. Now, during the original Cold War, enemy of the states
would be formally imprisoned. But that practice lent itself to all sorts of resistance, because
you can legally challenge the very fact someone's in prison, you can start campaigning for their
release, you give a propaganda victory to your opponents, as you see in other countries who can
say, look, someone's been in prison, that's proof that they have oppression in that country. So
towards the end of the Cold War, it became increasingly common practice for oppressive
regimes in regions like Latin America to outsource oppression by encouraging paramilitaries,
extrajudicial killings, the practice of disappearing opponents, all acting outside of
the legal framework, making it difficult to hold anybody responsible or to blame the state directly.
Is this increasingly what's going to happen with networks becoming a lawless zone where
no one is going to be able to be held responsible for activities that are ultimately likely
sponsored by nation states? Yeah, I mean, I think we have that to an extent today. I don't think
there's any doubt that we have that going on. Russia and China and Iran are participating in
that way. I mean, it's not obvious to me why one would expect, you know, those behaviors of the
physical world that you refer to going back decades and that are still with us in the
physical world. I don't know why one wouldn't expect them to be present in the cyber world.
And to the contrary, because it's easier to hide and disguise and obfuscate and proxy in the cyber
world. So, yeah, it's a part of our reality today. And, you know, I guess fundamentally, the solution
to that is something warm and fluffy, like a better world. But, you know, yeah, or a more
democratic world, because these issues start from there and filter down. And we tend to think of
state subversion, though, when it happens between countries. A classic example would be the belief,
the widespread belief, with some supporting evidence to support it, that Russia was trying
to interfere in the US presidential election by hacking the Democratic National Committee's
servers and then releasing embarrassing information with the assistance of Julian Assange.
Okay, that's how it gets depicted, with the idea being it's about influencing the mass. But let's
look at what's happening between Ukraine and Russia now. There's a lot of talk, I'm not going
to say I know exactly the details myself, but now there's a lot of speculation that attacks on
individuals in Russia are related to the position that they've taken in respect to the war. So,
people going after somebody physically within Russia, because they're a supporter of the war
in Ukraine. So, somebody maybe with support from the Ukrainian state is able to set off a bomb,
blow up a car, and so on and so forth. Does that mean that we should be thinking about individuals
being subject to that kind of attack, but through our networks, through hijacking their accounts,
through taking over their personality, through denying them the ability to live their life?
No one's ever talked about that. Why is that? Has it just not occurred to us? Has it not happened?
Is this a black hole in our defenses that we've just not thought about?
Well, I think, you know, the individual component parts of what you're talking about
are all there. You know, we've seen with the Pegasus attacks on individuals, attacks on their
privacy, attacks on their location. We've seen that in a very high-profile manner. We've seen
in Ukraine the use of location technology to identify and assassinate Russian generals.
So, you know, the various, you know, the various pieces are there. And to your point, there's
absolutely no reason why they can't be pulled together to arrive at the sort of scenarios
you're referring to. And I wouldn't be all that surprised to see them materialize in some
ghastly scenario or another in the next two or three years.
Yeah, and forgive me, that's why I tend to prefer encryption end-to-end or things like this,
because I'd rather have no government be able to interfere with some forms of communication
rather than trust that only the good governments will do it and the bad governments won't be able
to exploit the same loopholes we're creating. Now, one possible reason for cynicism is that
individuals like FBI Director Christopher Wray, he typically warns the public that countries like
China are ramping up their cyber espionage, but then his credibility can take a hit when he's
accused, you know, when accusations are pointed at the FBI for excessive use of their powers to
conduct surveillance, abuse sometimes, of their powers to conduct surveillance via comms providers.
How seriously should we take the problem of who watches the watchman, i.e. whether the actions
taken and claims made by national security agencies are subject to sufficient scrutiny?
So I hear you and I think that it speaks back to some of the conversation around
the equivalence that we were speaking to earlier. In terms of democratic accountability, as I think
we can probably all acknowledge over the last few years, you know, a few years ago we believed that
democracies were imperfect and we have more and more evidence of them becoming even more imperfect
by the passing month. So, you know, I would like to think that we've reached peak imperfect in terms
of our ability as democracies to hold individuals to account, hold national security agencies to
account. It's not a good time to be doing that effectively at this point in time. I don't have
big answers there, Eric, I'm afraid. It's a difficult one, that's why I'm going to throw it
over to Lee because he's always got the big answers. Lee, what can we do? Is there any way
to do it? And this is not then at harbour more and more cynicism because then you'll have
polarisation in society because maybe Christopher Ray's right when he talks about Chinese espionage
through comms networks. But then if you think the FBI is spying on you too, you're not going to
really listen to him when he's worried about China. You're going to be cynical about every
government. Yeah, I mean, we spoke about this last week, actually, or was it the week before,
when I was talking about the 77th Brigade in the UK, and we also had the FBI doing these,
the unwarranted searches. I think we need to have, there needs to be more kind of rules and
regulation about who watches the Watchmen, right? Because I think if you have that, if you have that
third eyes, then a lot of these kind of what was, you know, I think if you look at what happened at
the 77th Brigade and also at the FBI, I think you might remove some of that. So yeah, I think there
needs to be more rules and regulation around that. And Ed, FISA, that's the one in the USA,
the supervision, but there's a lot of dissatisfaction with the supervision.
Can it be tightened up? Will it be tightened up? Is the mood turning against, you know,
people like Christopher Wray because of increasing cynicism? I see that the polls,
the surveys, especially Republican voters in the USA, they're increasingly suspicious of
organizations like the FBI, and it feeds into a narrative of them overusing their powers,
abusing their powers. Is this now the point where things might change and we might see
more scrutiny of this kind of activity, partly because politicians are worried that they'll
lose the public in the fight against China and the real threats?
Yeah, look, I think I just come at this from a completely different point of view,
because I feel like the discussion right now is coming at it from the point of view where a FISA
judge or Christopher Wray or the person who's in the wrong or the enemy. And I actually don't
feel that way at all. If anything, I think if there's a problem with oversight right now or
who's watching the watchers, it's yeah, it's the oversight. It's congressional oversight is the
problem. It's the people that are sitting in those seats and what's their agendas and are they
actually conducting proper ethical oversight of the intelligence communities or are they pushing
their increasingly polarized and extreme agendas? And it clearly it's the latter.
And so you end up in this quagmire that you're in right now, where I agree with Lee that if you
could improve the way the system works and you could have better privacy for people and not
gut the intelligence agency's ability to protect people, yes, ideally that would be great. But I
don't think that that's the problem that's even trying to be solved by the people that are
overseeing it. They're trying to push political agendas. And so you said something about this,
Eric, which was about the public getting upset. If the public gets wound up enough about something,
yeah, the talking heads and Congress will make noise about doing something about it.
You know, but what's the actual result going to be? I don't I don't see improvement happening.
I don't even think that's the goal. You said exactly what I wanted to say. And
you said it a great deal more eloquently. So thank you for that. You put it far, far better than I
did. You're too kind, Patrick. I'm just trying to keep up with you, brother.
One great analyst, another great analyst. Well, we're running out of time, Patrick. So
final question, a two parter, if you like. You've got something coming up pretty soon,
your own live streaming event in a few weeks time. So please remind me and the audience about that.
And also, obviously, Hardin Stance is a great source of information in terms of the reports
on issues like this and the state of security in the industry. What other impartial sources
of information would you recommend about topics such as cyber attacks conducted by nation states?
Well, thanks for the opportunity for the plug. It's very kind of you. I have the
Hardin Stance Telecom Threat Intelligence Summit is coming up on June 6th and 7th.
If you go to, you can find the registration and the agenda and all that good
stuff. So thanks for that opportunity. In terms of other sources, in terms of nation state threats,
I would say Recorded Future is very good. Mandiant, Google, Mandiant Google is very good.
I would say CrowdStrike. I would say Netscout and I would say Microsoft. In terms of nation state
threats, I think those are some of the sources that I most commonly refer to and trust, albeit
with the rider that I put on earlier, that the framing of who a threat actor is still has
its biases, whatever side of the geopolitical divide you sit on. And we've explored a little
bit of that today, but not that much because we could go on and on. We could go on and on. It's
been an absolute pleasure to have you on the show, Patrick. I'm afraid I'm going to have to call time,
but thank you very much for joining us today. Thank you very much. Thanks a lot, Patrick.
Well, that's it. We're out of time. I do heartily recommend you tune into Patrick's event there
on June 6th and June 7th, except for when our show is on on June 7th. You have to switch the
channel to us on that point in time, but the rest of the time you can watch Patrick's show.
That's all for episode 11 of the Communications Risk Show today. Once again, the clock defeats us.
There's just two more episodes too in the current season, but the good news is we will be back
with a new season later this year, following the same format with the same team of presenters,
and with live streams scheduled for 4 p.m. every Wednesday for 15 weeks in a row from 23rd of
August until 29th of November. If you're interested in sponsoring that season or any of the individual
episodes, then please get in touch. Now, meanwhile, Ed, Lee and I will be back next Wednesday,
31st May, with a show dedicated to one of the biggest talking points in the communications
sector. I will pack it into an hour. I do not know. Nuisance robo calls and what to do about
them. And yes, we do need to talk about that because all the past talk has not delivered
the solution so far. So we do need to talk about it again for such a challenging topic. We need
not one, not two, but three guests to give us a broader range of opinions than you'll get from
most of the sources. I nearly said Eddie, but I'll just imagine there's maybe one or two out there
more generous. Our guests will be Sathvik Prasad, prize-winning robo call researcher from North
Carolina State University. Professor Feng Hao of Warwick University is going to talk about an
innovative solution his team has developed. And we'll also be joined by distinguished network
engineer, Pierce Gorman, currently of Numerical, formerly of Sprint and T-Mobile US, who will give
the unbalanced truth about using SIP to identify the origin of calls. So watch live Wednesday,
31st May at 11am US Eastern, 4pm UK, 8.30pm India to ask questions and join the conversation. Visit
the dedicated website for the Communications Risk Show to click on the feature that will save that
particular episode to your diary in the right time zone, so at least every time zone in the world.
But better still, you really should now subscribe to the Communications Risk Show broadcast
schedule. So not only will you get next week's show added to your diary, but you'll get the next
season's show. All those shows added to your diary, so you won't need to worry about missing
any. You'll come back and you'll go, oh, when's the show back? And you miss the first episode.
And lobby out your diary, all the dates, all the guests, all the topics. So subscribe now.
Go to the website. Do it now. Don't delay. Just go do it now. Thanks again to today's guest,
Patrick Donegan of HardenStance. And thanks also to my co-presenters, Ed Finegold and Lee
Scargall for their insights and for putting up with my nonsense. And to our hard-working
production team behind this show, James Greenlee and Matthew Carter. You've been watching the
Communications Risk Show, and I've been your host, Eric Priezkalns. Remember to visit the
Communications Risk Show website,, for recordings of all our previous episodes.
Visit our main site at for a regular background and news and opinion about risks in the
communications sector. And check out the Risk and Assurance Group,, to
benefit from RAG's free services and content, including the RAG fraud blockchain, our RAG's
cloud-sourced catalogs of frauds and leakages. Thanks for watching. We'll see you next Wednesday.