Nation states have learned that they can disrupt, spy upon and threaten their rivals by infiltrating and subverting their communications networks. Such cyberattacks may be the prelude to a conventional military operation, as occurred when Russia invaded Ukraine. However, they typically occur as part of a more general strategy of gathering information and obtaining advantages that may be exploited later. There is a great deal of variety in cyberwarfare methods. On one end of the spectrum, North Korean hackers engage in the systematic theft of cryptocurrency which will be used to evade sanctions. This contrasts with the investments made by Russia and China in ships and weapons that could be used to cut submarine cables or disable satellites, and the competing investment being made by NATO to protect privately-owned communications infrastructure. Much of modern cyberwarfare is barely distinguishable from cybercrime, with freelance hackers being hired by nation states and given license to steal so long as they only target foreign governments, businesses and individuals. All of this places a greater burden on comms providers that would prefer to focus on competition within a free market than on a hidden form of warfare where the assailants are difficult to identify and almost never suffer any repercussions. Cybersecurity analyst Patrick Donegan helps us to navigate the threats posed by nation states.
Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hi, my name is Eric Priezkalns and this is the Communications Risk Show, the live streaming conversation show produced by Commsrisk in collaboration with the Risk and Assurance Group, RAG. Every Wednesday we talk to risk experts from around the world of electronic communications and we broadcast live so you can also join the conversation, submitting your questions and observations as we go along. To ask a question, just type into the messaging window immediately beneath the live stream on our dedicated website at tv.commsrisk.com. Messages are anonymous, so include your name if you want me to read it out. We also stream live to LinkedIn. Feel free to leave comments on the LinkedIn page for this streaming event. A member of our team will also forward them to me. We'll try to read out as many of your questions and observations as time allows. Now, unless you've been living under a rock for the last year, you already know Russia invaded Ukraine and professionals working in the comms industry should also be aware that the invasion was prefaced by cyber attacks that tried to sow panic and cripple the ability of the Ukrainians to respond. This wasn't the first time that Russian forces have attacked networks and communication services outside their country and Russia is not alone in pursuing these new methods of disrupting and destabilizing others. We'll be talking about the threat to networks posed by nation state actors with Patrick Donegan of HardenStance, one of our industry's leading researchers of the business of security. First though, here's my co-presenters, Ed Finegold and Lee Scargall. Ed Finegold is 4,000 miles to my west in Chicago. He's an author, an analyst, and a strategic advisor to tech and telecoms businesses. Lee Scargall, he's 3,000 miles to the southeast of me in Bahrain.
His career has seen him switching between executive management and freelance consulting for a wide variety of communication providers around the Middle East, Europe, Caribbean, and Asia. Good day to you both. Straight into the topical stuff, guys. I'm really keen to have your opinions on this one. Researchers who spoke at the Black Hat Asia Conference earlier this month warned that they identified malware pre-installed in devices from 10 different vendors. So to be clear here, this is before any customer gets their hands on this. This is not customer awareness or anything like this. This is the phone arriving at the customer with malware already operating on it. So Fyodor Yarochkin and Zhengyu Dong estimated that millions of similar infected devices are already in circulation, mostly cheaper Android phones that tend to be popular in Southeast Asian and Eastern European markets. However, smartwatches and TVs were also found to contain malware, and some of the bigger mobile phone brands still need to remain vigilant to make sure their supply chains are not corrupted. The researchers didn't say where this malware is coming from, but they did hint. They did hint by making an observation as to where most of the world's original equipment manufacturers are located on the map. And that is, of course, somewhere to the east of me, several miles and more miles to the east. So Ed, first question for you. Is internationalism breaking down because supply chains are being compromised in this manner? That's a tough question, Eric. I mean, to make a statement, like, is it breaking down? So I'm going to be soft a little bit and say, I think there is that risk, certainly, right? So I'd like to think that the benefits of globalization, right, from a stability point of view, like, have been pretty well recognized at a certain level. I'm not a political scientist, but there's probably a discussion to be had there.
Obviously, there's a lot of people that make economic arguments about globalization, about groups being marginalized and all that. And I think that's really worth looking at. I mean, the change that's occurred has happened awfully fast economically. So now we get to this next phase of evolution or maturity and start to look at it and say, OK, well, we've grown these big supply chains all over the world really fast. Do you expect that there's a lot of really strong controls on all these things? I don't. I never did. We've had discussions before about labeling and what have you. And just having interacted with factories in China and trying to import devices that you can't necessarily get in the US, even if you take the clandestine service espionage aspect out of it, right, and just chalk it up to business and people making mistakes or being lazy or not being thorough or trying to cut corners and passing off a certification of one device as a certification for a group of devices, you know, those kinds of things that happens all the time. So point being that like with all of those gaps in there, does it surprise me that someone could come up with the idea of saying, hey, you know, here's an interesting heist. We can get an awful lot of devices into a certain country, you know, by intercepting effectively, you know, at the point of manufacturing. And, you know, the guy who lets you in the back door to go do it. I mean, I just all that seems very plausible to me. Or I've just watched too many heist movies, you know, or both. Are you not worried though? I mean, maybe it's a good thing, depending upon your point of view on jobs and job creation. Is there not a possibility that we're going to see more insourcing, especially in a country like America, where the anti-China rhetoric has been building up steadily over time. And this is surely just going to add fuel to the fire. Why? Why is there such dependence upon these manufacturers? 
As I say, the researchers didn't say China, but they were hinting China. And in a country like America, the political tide is very clear. Don't want to be relying upon Chinese suppliers if you can avoid it. So is it not an argument for good, high quality, well-paid American jobs producing American equipment? And this being another reason to do that. And the immediate response will be that it's expensive. So I agree with you that I think it will probably snap back the other way. And it probably is already starting to. And certainly, I think the requirements will probably show up from a security point of view. And Patrick can probably inform us more about that, but how the paper requirements that you have to meet and how you source things might change over time to catch up with these problems. I could certainly see that happening. So no, I agree with you that, yeah, it's absolutely a problem. I guess just I'm saying that none of it surprises me that we've arrived at this, but I definitely think that we need to address it as, okay, yeah, so this is a problem. And you have to look at how technology is being sourced down to the level of like, who's the guy in the door? Right? Well, today we're going to talk about a lot of national strategy type stuff. But Lee, before we kind of like look at the big national picture, is there anything actually a telco can do about something like this? Is it something they should be worrying about? Is there any action they can take in order to protect customers from this kind of problem with malware pre-installed on handsets? Yeah, there should be concern, Eric, right? So I believe that operators, they actually have a duty of care and they should be doing everything possible just to make sure that the handsets are not getting compromised with malware. But here's an interesting thing, right? So in many of the markets in Southeast Asia, the operators, they don't actually supply handsets, right? It's not part of their core business.
They just sell airtime and SIMs, right? So handsets, they're generally bought from third-party street sellers. So the operators, they're not actually involved in the supply chain. And so this is the important bit, right? And I think this only adds to the problem, right? And malware gets loaded onto the handsets by someone somewhere because there's nobody responsible for that end-to-end process. Could this be a potential win then for the telcos? Say to the government, look, encourage people to buy direct from us, the telco, and we'll take some responsibility for verifying the manufacturer. Could this be a revenue opportunity? Absolutely, Eric. Now, where operators are involved in this, and there's plenty of things they can do, they just need to make sure that the operating systems, the apps getting loaded on, making sure that there's no malware being put onto them, right? And they also need to make sure that the handsets, they don't get tampered with during storage and distribution, right? It's not that hard if you put some kind of controls around that. But here's the last point. Operators, they should be running DPI malware detection, right, to keep the customers safeguarded from threats, right? Now, if you think about this for a moment, this could be a real differentiator between themselves and the competitors, right, by adding malware detection as a service for them. Brilliant point. Brilliant point. Got a great comment here from one of our viewers. Kasra Farhadpur says, according to Snowden, the NSA was putting backdoors into Cisco network equipment way back in the day. He agrees, we shouldn't be surprised by devices being compromised at source. I think that's a great point. But now let's hear a message from our series sponsors, BlueGen. When thinking about performing test calls and other test events on networks, it's worth considering the sheer variety of objectives that they can be used to satisfy.
For example, you can run daily heartbeat tests to support network usage tracking, to support rating assurance, or to cover network service updates. You can understand how your network services are perceived by customers by conducting tests that reflect the actions of real consumers, such as streaming music, watching Netflix, or using Facebook. We can stop the various forms of bypass fraud that rely upon SIM boxes, refiling or OTT bypass by originating calls on other networks and covering an expansive range of global routes to see how they terminate on your network. The proliferation of VoIP services these days means it's especially important to check if traffic is routed correctly and termination fees are correctly levied. You can verify your outbound roamers are able to connect services whilst away from home by performing tests that audit locations your customers travel to. And you can arrange ad hoc tests of new projects, such as installation of new 5G network equipment or eSIM services. But investing in the infrastructure and resources to create all sorts of network events from lots of different locations around the world would not be cheap. That's why the smart approach is to ask BlueGen to do it using their Test Anywhere crowd. Their automated equipment includes the latest Android test devices deployed worldwide. BlueGen tests network services on behalf of telcos, governments, and software companies. Their philosophy is that the best way to be sure your networking systems are operating as they should is to recreate the full experience of obtaining a service, whether that involves streaming a video, using a new device with an eSIM, or simply checking that customers get all the services they should at a particular location or a particular time of day. And the best part? Automated testing with BlueGen means your staff are not required to perform laborious manual tests.
So, whether you're focused on launching new network services, assuring roaming costs, or validating interconnect routes, then you should call upon the experts at BlueGen. The URL? BlueGen.com. Right, now I'm really keen for the audience's input, so keep on firing your comments this way. And this one, I think a lot of people should have an opinion on this one. The topic for both you, Lee, and Ed, job cuts. Now, Vodafone has said that they are going to reduce their global workforce by 11,000 employees over the next three years. That's more than 10% of the 104,000 worldwide staff figure they reported last year. Group chief executive Margherita Della Valle said her priorities are customers, simplicity, and growth. We will simplify our organization, cutting out complexity to regain our competitiveness. Meanwhile, BT has promised to cut 55,000 jobs by the end of this decade, most of them in the UK. That's over 40% of the current 130,000 staff and contractors they use. CEO Philip Jansen said generative AI gives us confidence we can go even further with the job reductions. Lee, are telcos downsizing globally? And just to put a bit of context around this, Etisalat owns 14.6% of Vodafone and has a seat on Vodafone's board. Meanwhile, Vodafone has been pursuing a tie-up with Hutchison 3G in the UK. And more globally, when we just look at the big picture, there's lots of telco plans to consolidate assets, seeking mergers, they're using towercos to bring assets together, all sorts of arrangements that are basically all pointing towards economies of scale and reduction of duplication in the telecoms ecosystem. Or you could argue reduction of competition, if you're that way inclined. So Lee, what is the global perspective here? Is downsizing a global factor of life or is it occurring just in some places, not others? Yeah, I mean, we've definitely seen consolidation in saturated markets. So that's where, you know, some markets are going down from four operators down to three.
The company I'm working for actually at the moment is guilty of that we're going where we're number two, we're going around buying up number three, just so we can get the premier position there. But there's lots of tower sharing agreements going on in the Middle East. We had Helios Towers coming into Oman. I've heard that Ooredoo, they're looking to sell their towers as well. But globally, there are reductions in workforce. I think at the start of the year, AT&T, they announced some job losses, but not on the scale of what we saw at BT and Vodafone last week. But I think this is the start of something that's going to ripple around the world. There's more and more telcos, they start to implement AI, various things for things like managing networks, using AI to respond to customer service requests, and also using AI to kind of simplify processes on the online digital channel. So I think there's going to be this ripple effect, which is going to go around the world for the next couple of years. How worried should people be about AI's chances of impacting on their job? Is it going to mostly affect customer services stuff? Is it going to affect people who are more in the roles like risk and security that we tend to talk about? I think it's going to be across the board. In particular, I mean, some of the main areas will be around the networks, which I've already discussed, customer services, and also, I think, on the online digital channels, I think they're going to be the areas which will be the main focus, but don't rule anything out with AI, right, as we've seen. I mean, the job cuts at BT and at Vodafone were pretty deep, right? And I'm sure that's just the start as well. Yeah, I think it is just the start. Ed, let's bring you in on this one. Let's make sure we see this from a balanced perspective. Should we be worried that downsizing means increased risk for customers because there's fewer people working?
Or given what was said by the Vodafone chief executive, cutting out complexity, you know, in a way simplifying the organization, is there also an opportunity here to fix some known issues and perhaps even slow the pace of change so you might have less risk going forward? Is there any upside to this in terms of risk reduction? I think there may be a few upsides for risk reduction. So, this is an easy one for people to push back against, but slowing the pace of change from the breakneck pace it's at right now is probably not a bad idea, and I think we're learning those lessons. And we've talked about some of those hard lessons that have been learned on previous episodes. So, I think that's probably one good thing. Just going back to what Lee was saying on the AI side, yeah, I find the downsizing thing fascinating. So, there's obviously a tremendous amount of chatter right now because of economics. And so, if you're watching Wall Street programming on a Bloomberg or something like that, they're going to talk a lot about expectation of recession, and therefore you'll have cuts. And so, to me, that's cyclical to some extent. So, right now, why are we hearing about it? It's somewhat in vogue because of where we are, I think, in the economic cycle. The question is, do those jobs come back? Or does AI start to replace more and more and more of them? And if I were to bookend this on the other things I'm hearing out of that same audience, you know, like the Wall Street side, it's a lot of messaging saying, look, the businesses that master AI are going to increase their productivity 20, 30, you know, 40% crazy numbers like that, and companies that don't just won't be able to compete. Now, I think that's a good thing. Now, we've heard lots of tech hype. Everyone on this program, right? Everyone here has learned lots of tech hype, so we all take it with a grain of salt. That's fine.
But if there's any truth behind it, right, and we've seen some of the early returns on that, it's certainly worth paying attention to. At the very least, though, it's worth paying attention to the pressure in the market right now for that, right? There's a tremendous amount of pressure that's like, you better buy AI or you're not going to be able to be seen to compete or be competitive going forward by the Wall Street crowd, right? So, I just think there's a lot of these strange, conflicting pressures happening right now. I think you're absolutely right. I think there's going to be some dud AI that's being bought in the next few years because of hype, but at the same time, I think this is a sea change. This is it. This is the big one. And when I reflect upon this, I think about a statistic that always comes to mind is the United States of America, in the year 1930, there was one quarter of a million people employed as phone operators. So, this is a point in time when mostly women who were getting well-paid, high-quality jobs for women at that time were sat in front of big boards, switchboards, literally plugging cables into them or passing messages back up and down to make sure that all the calls connected because it was done by human beings, not by machines. And so, you had an enormous ramping up of the number of people working in that field. And then it peaked. And now the current number of statistics in terms of the number of people who are normally employed as phone operators in the United States of America, it's not even 10,000. By 1940, it had already been decimated. So, you've seen enormous societal change in terms of a huge number of job opportunities for women who wouldn't otherwise get them, increasing their economic power, getting them into the workplace. And by 10 years later, there'd been devastation in the number of jobs available of that type. 
I think something similar is happening here, but it's going to be very much the people who are the ones who are the customer facing roles where do you now need a human being to effectively be reading out script when you've already so tightly programmed and limited your customer services staff to a script that you've already given to read out? Why bother? Why not just have a machine reading it out? And, of course, this could have repercussions, not just in the countries that are making the nominal cutbacks where the operators are, but all those offshore jobs that have also been put into call centers around the world. And then that could then have an enormous impact on things such as STIR/SHAKEN and robocalling, because why do you have a problem? Because you've got a lot of calls coming in from foreign countries and you can't tell the difference between a call center, the Philippines working on behalf of a bank, and a bunch of shysters who are trying to rip off people. So, in a way, having the technology might really reorient our thinking about international traffic in telecoms too, because will you have so much international traffic if you're not having call centers with lots of traffic outside the country? I could go on. Apologies if I have already, guys. Thank you for your patience. I'm now going to do an advert. Onto our next feature, which is our Symmetry Fact of the Week, an interesting fact from our friends at Symmetry Solutions. Now, I've mostly told you in previous weeks about the fraud intelligence gathered by Symmetry's PRISM team, but did you know Symmetry also helped telcos to tackle revenue leakages and reduce customer churn? For example, Symmetry's system for personalized recommendation offers, PRO, gives telco customers advice on the best tariff for them, as determined by automatically analyzing the customer's historic usage.
Giving customers good advice about tariffs is rapidly becoming one of the hottest topics in telecoms, especially as regulators are placing increased pressure on telcos who keep customers on expensive tariffs designed to recover the cost of a subsidized handset, only to leave the customer on that tariff after the contract has been completed and the phone has been paid off. Symmetry's PRO can easily be embedded in the way your telco engages with existing customers. For example, one telco sends their customers twelve and a half million end of contract notifications each year, with PRO being used to tell each customer which of over 50 different tariffs might best suit their needs. The same telco also notifies 28 million customers of the best tariff for them each year. Last year, they used PRO to automatically switch the tariff of half a million customers when they'd finished paying for their device. So using PRO to help customers onto the right tariff means fewer complaints in the long run, so less money spent handling calls from unhappy customers. It means less churn because customers are rewarded for their loyalty and have confidence in you as a provider, and it makes it far easier to comply with the increasing regulatory burdens being placed on telcos in various countries. Learn more about PRO and the other products and services of Symmetry Solutions at their website, symmetrysolutions.co.uk. As always, guys, there's just never enough time to fit in all the topical chat, but we had to include this one because I think this is going to be fascinating for both of you guys. If you've been watching the UK news, this is a big story. I think Patrick's fascinated by this story too when we bring him on. Tejay Fletcher, his picture is up on the screen for viewers now, was given a 13-year, four-month prison sentence at Southwark Crown Court in London last week. His crime? Well, it wasn't committing fraud, but he was enabling others to commit fraud by running a service called iSpoof.
iSpoof, much like many other VoIP softphone-type communication services that charge customers for subscriptions that give them bundles of minutes for outbound voice traffic, but the difference was that this traffic was purposely meant to spoof the phone numbers of banks, tax offices, and the like, and also to intercept one-time passwords. But rather than listening to me explain it, here is the video advert that was created by iSpoof to advertise themselves. Online producer James, roll VT. and see it displayed on your dashboard. Send spoofed SMS messages and much more. Our state-of-the-art system handles auto-calling with custom hold music and convincing call center background sound. iSpoof has complete end-to-end encryption and no additional phones are needed. iSpoof works on Android and iOS. Sign up for free, pay monthly via Bitcoin, and stay totally anonymous. Start today. iSpoof, for the people who love spoofing. Remarkable catchphrase, the people who love spoofing. Well, it was a profitable business before it was shut down by law enforcement. They generated revenues of about 80,000 pounds, about 100,000 US dollars per week from the 59,000 subscribers they had at their peak, generating a total of 3 million pounds, or about 3.75 million dollars in total, of which Tejay Fletcher, the boss, he pocketed about 1.8 million pounds, or 2.2 million dollars. Now, contrast those figures with the estimate of the total amount lost to the victims of fraud as a result of the iSpoof users tricking them. That was estimated to be 100 million pounds, about 125 million US dollars, and the trial judge said that estimate was conservative. So, very lucrative business indeed, just enabling other people to commit fraud, not actually committing the frauds themselves. Somebody got sent to prison here, Lee, and 169 users of iSpoof have now been arrested as well.
Is this a game changer that will deter criminals and wannabes who might otherwise watch these snazzy videos, join the Telegram channel, and they'll be saying to themselves, I fancy committing some nice, easy crime here because I don't need to leave my bedroom. There's no risk of being caught. Am I being over-optimistic or might this actually start putting some fear in the minds of the criminals? Well, I mean, finally, some good news, right? So, 13 years is quite a long time, right? But he pocketed 2.2 million, and so that works out over 13 years, about 170k per year, right? So, I hope really- How like you to be thinking about the revenues? You're probably working out yourself there, thinking, how does that compare to my salary, eh, Lee? Well, I'm just thinking, I hope the judge, yeah? I hope he makes him pay it all back first, yeah? And then he's got to do his time, right? But no, look, it's good to see the law coming down hard on these criminals. I hope it serves as a deterrent for anybody thinking about this, thinking that they can get away with it. But as we both know, Eric, we've worked in this industry for a while, right? So, as one bad guy gets jailed, it just leaves a gap for another bad guy to fill. Oh, you see, that's the cynical point of view. I thought you were going to be upbeat because you're going to say to yourself, now you can go out and buy that Lamborghini you've been wanting because there's a dirt cheap one now available from the cops in the UK, this Lamborghini that this guy's had confiscated. You're beyond that. I know you're going to buy that Lamborghini, Lee, to add to your collection of cars. Ed, enough with the teasing of Lee there. The British legal system. I'm going to beat my chest to say I'm proud of Britain this time, right? Okay. I'm going to put you under pressure, Ed, because I'm going to say we've sent somebody to prison for 13 years for enabling phone scams. Britain, hey, well done.
Is anybody in the US legal system going to take any notice? Just today, big announcements, a big case, a well-known case that's been pursued for a long period of time and it's going to be sued and there's going to be a big fat financial penalty for $100 billion or whatever crazy amount which they won't confiscate. Are the Americans going to fall for it again with yet another big fat phony baloney nominal financial penalty? But people are doing effectively the same thing, profiting from the crime in the same way. Or is somebody in the US going to pay attention that it's time for us to start locking people up? Yeah. I mean, I hope that the latter is true. And I think what the question makes me come back with is actually a question, which is how do we educate the law enforcement community, or even like the prosecutorial community to want to look at this and understand that there's low hanging fruit here. And so what I mean by that, right, this is a really twisted way of looking at it, but my understanding, and again, this is not my specific expertise, but my understanding is we've talked about this twofold. One, there's an element of like prosecutors liking to make their name on certain types of cases, right? How do you make this type of case, those types of cases, and you'll get a lot more attention on it. The other is the education side. We had talked about the IMSI sniffers, like not being recognized for being like a weapon in the cyber war. The cop thinking it was a bomb and the only reason they stumbled over it. So again, a need for education there. So what can we do, right? And by we, I mean, me, you, Lee, folks in the community that we're speaking to right here, what can we do to engage the law enforcement community better, right? To talk about these emerging issues that we talk about and educate them on, hey, like there's a way to go after these people and put a stop to it. And here's some examples that we can highlight of how it's done.
And we've had conversations again with folks like Tom Walker about these kinds of things, too, of other examples. Let's get more of those examples out there. Like that's something I'm excited about. And honestly, I'll say it right now. There's people in the community that want to reach out and have those relationships with law enforcement, have things they'd like to communicate. I'm open to having that discussion with folks. I mean, I think that's something we can actually do and bring some value. And I think that's the only way you actually move the needle on it. Yeah. I think that's very true. When I think about conversations, I think for me, this is a game changer for one very important reason. And when I think about those conversations that I've been sat in between people in law enforcement and people on the other side working for the telcos for the communications providers, it's very natural for the people who work for the telcos for communications providers to say to themselves, I could spend a lot of time here helping the police. Are they actually going to do anything as a result? Because in the end, they're working for a privately owned company. They've got a boss who's on their back. They've got to show results. You don't want to spend all day every day dealing with the police if the police are not acting on the information you give them. So this could be a game changer, because if it's sending the signal, we will act, we will actually follow through with a prosecution and take the criminal out of the equation. Because the cynicism comes from, yes, you find them. But you know that they're going to come back again and again and again, because you haven't taken them out of circulation. 
Now, we could get very cynical and say criminals run enterprises from inside prison, but surely you're making it harder for the criminal if you actually lock him up, instead of just this ridiculous roundabout process of what we've seen in the USA, the same people being prosecuted more than once for the same crime, or being sued, I should say, to be precise, for the same crime, for the same civil infraction. And it makes no difference. They just come back and do the same thing again. And I think this is the point. If there's something that the telcos gain by assisting, they've got it, and it's in their own interest, because probably a very high proportion of the problems that they deal with is just a relatively small number of very, very intense serial crooks, like this guy, who was like a conduit for the enormous number of calls that was ripping off a lot of people. Anyway, you've let me have the last word again. I'm getting cheeky here, because I'm going to have to like, once again, sorry, guys. Well, I'll let you have more chance to chat when we bring Patrick on in a moment. Before we bring on Patrick, here's another of our regular weekly features. I'm not going to speak for the next two minutes, because this next two minutes will be Jeffrey Ross of call authentication, fraud prevention and geolocation specialists OneRoute. He always takes us on a trip around the world via our phone, and this week his destination is the lovely Isle of Barbados. Producer James, roll VT. Hey everyone from OneRoute, I'm Jeffrey Ross, and this is the world in your phone. Let's talk about Barbados. If you like beautiful beaches, amazing food, and sun-drenched days, then the island of Barbados should definitely be on your travel bucket list. And even more so now that the country of Barbados is trying to attract digital nomads to move to the country while continuing to work remotely. 
It's doing this by investing in its infrastructure, along with adopting a new national ID, which works on mobile phones. Now Barbados isn't the only country to look into this, as you have Ethiopia, Nigeria, United Arab Emirates, amongst many other countries that are all looking into digital IDs or national IDs, all working on your phone. It'll be interesting to see how this impacts the telecom industry going forward. One thing I found interesting about Barbados, it's the 13th smallest country in the world. It's the furthest eastern country in the Caribbean, and its original name was Los Barbados, which means the bearded one, due to the fig trees and the long vines hanging from them looking like beards. Barbados, the birthplace of rum. With over 1,500 rum shops and a multitude of distilleries, Barbados has been churning out rum since the early 1700s. It's also known as the land of the flying fish and has a long, rich history with pirates. Be sure to tune in and subscribe to OneRoute on our YouTube channel, where you can catch up more countries' spotlights and watch the OneRoute Roundup, where we spotlight individuals and companies making a positive difference in the telecom industry. One last fun fact that most people in the pop culture arena know, megastar Rihanna is originally from Barbados and is known to frequently travel back to her home country. Now Eric, back to you and more of this awesome communications risk show. Cheers. Thanks, Jeffrey. We do our best on this show, though none of us are quite as glamorous as Rihanna. However, today's guest is an international superstar in his field of expertise. He's one of the most widely respected and widely read analysts covering the business of security for technology and telecoms firms. It's Patrick Donegan of Hardin Stance. Hi, Patrick. Thanks for coming on the show today. Glad to have you here. All right. Lovely to be here. Thanks for having me. It's an old pleasure to have an expert with you. 
We know that you've got a huge audience worldwide for all your online events. Another one coming up in a couple of weeks' time. Hopefully, you'll mention that before we finish today's show. But straight into the meat of the main theme for today. Yeah. Are nation states more willing to engage in offensive operations against foreign networks than they were before? And if so, why is that? Yeah, I don't think there's any doubt that the indicators are all going upwards in terms of the volume of incidents, the audacity and scale of some of the impacts. If you look at things like SolarWinds and the Hafnium attacks, the impacts there are pretty mind boggling. If you look at Colonial Pipeline, pretty mind boggling impacts. I think where the telecom sector is concerned, it's a little different, certainly in terms of the sort of denial of service attacks on the telecom sector. They continue crashing in at a fairly high velocity. In terms of actual data breaches of the telecom network, and I'm distinguishing that from the telcos' office IT where telcos have suffered a number of high profile breaches in recent years. In terms of the telecom infrastructure itself, there I think the telcos are doing a pretty decent job. You know, the breaches that reach the public domain are fairly rare. Let's be honest. A couple of riders to that, obviously, there are breaches, no doubt, that telcos are aware of that they haven't publicly disclosed. And there are also no doubt breaches that telcos have suffered, which they're not even aware of. So I think, you know, that's sort of at a 50,000 foot level. That's the landscape. But maybe another point would be that in terms of planning your cyber security posture for the next five to 10 years, you don't necessarily just want to be driven by what you've seen over the last 24 months. You want to be looking out further at what the landscape could bring going forward as well. So I will ask a difficult question here, Patrick, but it has to be asked. 
It has to be asked. Cynics will state that every nation attacks every other nation. So let's not debate if anybody's completely innocent or whatever, because that's pointless. But if I asked you to evaluate which nations are most actively engaged in using cyber attacks on comms providers to harm others, which nations would you put top of the list? Well, so you raise a really important question, because the language that, you know, the four of us are used to using, used to reading, is the language of nation state cyber threat actors, nation state threats coming from the Chinas, the Russias, the Irans, the North Koreas. And I have no problem with describing them as nation state cyber threat actors, no problem at all. However, and I think that, you know, this is to your point, the idea that the US, the UK, Israel, Holland, Germany, France, the idea that those countries don't conduct offensive cyber operations, to your point, it is absolutely for the birds. So I think we do actually have a fundamental problem in cybersecurity in terms of the language that we use, because the language of nation state cyber threat is applied to those four and one or two others. But it doesn't materially reflect, you know, the reality of the situation, which to your point is that everybody's doing it. So, you know, why do we have this imbalance of language? I think, in part, it's because people, you know, don't want to use language that's different, because then they're misaligned with all their colleagues in the industry. So we have to use the same language in one form or another. You know, could it be that we don't actually want to acknowledge our own culpability here in the UK, the US? Could it be that we want to acknowledge culpability, but we don't want to acknowledge equivalence? And I think there is that fundamental issue there, with the way that we label different countries, the way that we label behaviors. 
So with that, given that I have what is a bias, and I would suggest it's probably a similar bias to the ones that you had, in terms of, you know, who I label as the major nation state cyber threat, as they are absolutely, you know, Russia, China, Iran, North Korea, that they are the big four, they are the ones causing the biggest problems to the biggest number of individuals and countries and states around the world. I defend myself a little bit here, because I thank you for that. Thank you, China, Iran, North Korea, and Russia, I think were the four you said, yeah, I agree with you. But I would also say here that, look, we're going to bash on this show, countries that behave like that and do the things that they do. But we also bash the security services in the UK, the USA, other countries too when they overstepped the mark, and they infringe on privacy. The difference, of course, is that we can speak freely about those situations when we learn about them. Whereas the inhabitants of Iran, for example, when they're being spied upon by the Iranian security services via their phone, they're not in a position to speak out, they're not going to be doing a web stream, like we're doing a web stream on this topic. So I think I would say to myself, that's, I think, where the distinction lies is, in the end, when a guy like, say, Tom Tugendhat, who's been on the news just today talking about how he doesn't like this, that and the other, with Meta encrypting the communications, because it's going to interfere with police being able to protect children from harm. Well, like I understand the point, but I'd actually rather not have Tom Tugendhat looking in all my messages. And I live in a country where I'm free to say that, whereas if I was transposed to some other country, I wouldn't have the freedom. And I'll be talking my hat to Tom Tugendhat and doing whatever he tells me to do. Anyway, enough about Tom Tugendhat. 
Are there any particular kinds of offensive cyber operations that stand out in your mind, Patrick, because they're especially representative of the kinds of threats that comms providers will be vulnerable to, unless there's either a significant ramping up of security or a change in how we conduct business? Just to answer your previous question, I think we were actually saying a similar thing. I framed it in terms of culpability and equivalence. And I think your answer was quite similar in terms of that sort of recognizing that we're on the same scale, but there are differences within that scale. I think to your next question, I think, regrettably, I think there are far too many to choose from in terms of those emerging vulnerabilities or those greatest vulnerabilities for telcos. I think one, perhaps surprisingly, although it wouldn't be surprising if you follow this space a lot, is actually the telcos' office IT. This is where they're being dinged on a very regular basis. If you look at, I think T-Mobile has, I think they've just chalked up hack number seven over in the US. I think it is seven in the last five or so years. Every one of those hacks has been on their office IT and not on their telecom infrastructure. So, there have been successful nation state. China, for example, was behind what was called Operation Soft Cell three or so years ago, which successfully exfiltrated call detail records (CDRs) from a number of telcos throughout, I think it was in the EMEA somewhere. And that was a result of an external facing web server, nothing to do with the telecom infrastructure itself. So, I think that the office IT telcos really have to do a better job there. The second one I think I would point to is supply chain security. And by that, I don't mean just the simple, easy, low hanging fruit of not allowing an untrusted vendor in your network, like the high profile Huawei stuff. 
What I'm referring to there is the tremendous excitement we have about supply chain automation, cloud native operations, launching new applications at the speed of very, very rapidly updating applications very, very rapidly. We get excited at the opportunity that automation presents to do that faster, the security opportunity that automation presents to eliminate human error. But at the same time, if the security isn't done effectively in the development domain, in the DevOps domain, then all you need is a little bit of rogue software gets into whether that's planted by a nation state or someone else. You get a little bit of rogue software gets rolled out automatically throughout the network. So, I think that's another area of supply chain security. The last one I would point to is one which we only really learned about a few months ago. And these are called the SNDL attacks, store now decrypt later attacks. And what these consist of is, for example, if you take a mobile network, it basically consists of basically recording illegally, unlawfully recording telecom traffic, let's say that from a cell site in a mobile network, and you record that traffic today. Now, at this point in time, if you manage to record that traffic today, it's of no use to you, because you can't break the encryption. The encryption algorithm, there's a 4G, 5G encryption algorithms are terrific, they're not going to be directly broken. So what use is it? Well, you store that now, and you decrypt it in however many years time, six, seven years time, when you've got a quantum computer that is powerful enough to then decrypt that traffic seven years on, to which you then ask the question, well, does anybody care about, you know, what was recorded seven years ago? Well, yes, if it's nuclear scientists, if it's one prime minister to another prime minister's conversations, or whatever it might be. 
So I think the SNDL attacks are a very important one and what they drive or what they should drive is increased investment in quantum safe encryption into telecom networks much sooner than people think is required for the reason of those store now decrypt later attacks. There are other threat vectors as well that I won't go into now. But I think that's a flavour of some of the areas of emphasis that I think telcos can usually be putting on. It's just never ending, isn't it? I want to bring you in here, Ed, on this point, we've seen stories, for example, Twitter, Elon Musk talking about employees being planted by governments. And we've had a similar situation with Zoom having an employee that was basically working for the Chinese state. Is there a point here as well, when we talk about say, the IT environment for the office, the business that runs the telecoms, is the extent to which we should also be looking at the vulnerability created by insufficient vetting of who's working for telcos, and the extent to which they could be working as agents for foreign governments, or agents, as you know, for people online that are willing to pay the money to bribe them to do SIM swaps, or any of those kinds of things, right, the threat actors out there willing to compensate people or collaborate with people, right, come from all sorts of walks of life, unfortunately, as we have learned, but yeah, I think, you know, you know that like the insider fraud is kind of a pet topic of mine. Vetting, definitely interesting. 
And you and I have had conversations with, you know, a friend of mine who I hope to have on the show who formerly ran, you know, personnel security for the Department of Defense, and has talked a lot about the importance of continuous vetting, right, so it's not just vetting the person when they come in, but continuously vetting them, because what happens is that people's life situations change, and that's when they tend to become vulnerable to things like bribes, or extortion, or other forms of exploitation, right, so that's not a practice I think that's very common in the telecom industry, and I think with what we're talking about, and like what Patrick was talking about in terms of like vetting down your whole supply chain, and what we spoke about earlier with like who's on the door in your factory that's going to let the heist in, right, like it actually goes down to that level to a certain degree, where I think every one of those people, right, let's not just bet on the tech, right, it's always the people process technology triangle, and the people one here is absolutely crucial, all the way down to the lowest level. Absolutely, and we're going to bring your colleague in for season two, which of course starts August 23rd, so we're looking forward to that, so we just need to arrange the date for that one. Lee, let's bring you in here, I just want to reflect upon the fact that over the years I've had some conversations with people, it's almost a kind of reflexive sense that when it comes to risk, it's always a risk to outsource things, because we're no longer in control of the thing, because some of the companies do everything, I always thought it was a great counter argument, like if you outsource something, you can always sue somebody else when they screw up, whereas actually, do you have any control of what's going on inside your own business? Do you actually control the thing? 
Just because somebody works for you, just because someone's a nominal employee, or you employ the systems, or you purchase the systems, doesn't mean you've got any more control than you would do if you were relying upon an external supplier. What's the way we should be thinking here in terms of, say, supply chain threats? Should we be looking to take more in to the country, take more control of the supply chain, or is it a case of we want to just audit and be more thorough in determining who is supplying what to us? Yeah, interesting question that one, Eric. I think, I mean, if you want to outsource something, you're effectively transferring the risk, right, to somebody else, although not necessarily does that mean you're actually, you know, you'll get offloading that risk to somebody else, you are still kind of responsible for that risk, because it could come back to you. I think you have to evaluate the things that you feel comfortable with, and if you feel comfortable about outsourcing something, and you understand all the risks about something, then that would be okay, in my opinion. I would never say or recommend to anybody to outsource something that they don't understand, right, because if you don't understand something, you don't understand the risks, and therefore that leaves you open to some kind of potential disaster, potentially, you know, depending on what it is. So I think, you know, to answer that question, should we be doing more, should we be doing less, I think you just have to take a measured approach, work out what you think you understand, and then evaluate it on a risk basis if you want to outsource it or not. So no particular trend then in say, maybe shortening of supply chains in the future, because it will be different strokes for different folks as far as businesses go? I mean, potentially, yes. I mean, for me, I'd like to, I can't make a decision one way or the other on this one. I think the jury's still out on this. 
Okay, good answer, fair answer. Thank you for that. Now, Patrick, this is an important topic, difficult to summarise, but I'll throw it at you anyway. How easy is it to tell the difference between an attack from cyber soldiers, for want of a better label, who work directly for the military or some foreign agency, and those cyber attacks that come from organised criminals who are not actually working for a nation state at all? How can you distinguish between the two? Is it possible to distinguish between the two? It's been hard going back years, and it is getting harder and harder, in part because of the, you know, the deteriorating relationships between adversarial states. You have situations where you have hackers who are employed by a nation state, but then they're also moonlighting for the private sector, private criminal gangs in the evenings. You have, routinely now, you have nation state threat actors who are actively outsourcing aspects of their campaigns to private threat actors that, you know, the cyber threat ecosystem is a very mature ecosystem, as a lot of the capabilities offered as a service, software as a service, attacks as a service, help desks and all the rest of it, it's a very mature ecosystem, and nation state threat groups are active in those ecosystems. So, of course, that, you know, that blurs things, you even have a situation in Ukraine where the government is sort of coordinating a volunteer white hacker army to carry out cyber attacks on Russia, and vice versa, by the way, you have Russians saying the same to Ukraine very much. And obviously, this is self-evidently dangerous, because people, citizens have an expectation of their governments, that if other governments, other nation states inflict harm on them, then they expect that their own government will carry out proportionate responses, proportionate reprisals against those nation states, whatever those reprisals might be, trade or diplomatic or other. 
So when it becomes harder and harder to identify what's going on, it becomes increasingly dangerous. I think, I guess my one reflection would be that I've been, you know, reading about this phenomenon of escalating risk and attribution becoming increasingly complex. I've been reading about this for many years and witnessing it for many years. But mercifully, I think it's probably fair to say that there has, even though some of the attacks have had increasing impact, even though attribution is getting harder, I don't know that we've seen much in the way of actual escalation between states driven by that. So I think that's something to be mercifully, to be grateful for, although how long that will hold, who knows. And now I want to ask you about, and man, I know that's been on your show in the past, all your online events in the past, and you've spoken to a number of times over the years, Ed Amoroso, the use of responsible for security at AT&T. He was very, very damning when Joe Biden, when he became President of the USA and indicated he'd be willing to be offensive in the cyber realm as a way of striking back against any attacks on the USA. And I thought Joe Biden was completely correct to say that because even if you're not going to do it, you have to have the deterrence effect. You can't just say we're solely going to sit back and defend ourselves whilst another side is continuously attacking you. Who's right? Am I right? Or is Ed Amoroso right? I don't know. It depends what you mean. I mean, it depends what you mean by offensive. I mean, Stuxnet was an offensive operation, I would argue, and it was carried out by Western countries of one sort or another against Iran's nuclear system. I guess it also depends what you mean by offensive cyber operations in a way, because certainly from a, I don't know precisely how what Ed was criticizing in Biden's response. 
But for example, what's noticeable, I think you alluded to it earlier in terms of the sentencing, handing down in the UK, what I've seen in the cyber context, you were talking about fraud, but in the cyber context, there's a clear trend over the last 12 months of law enforcement in Western countries collaborating closely and going in very, very much harder to disrupt not just to, you know, try and arrest and bring to account cyber criminals, but actually to disrupt their operations. So I think there was a there was a recent instance in the last couple of weeks of a Russian advanced persistent threat, a Russian APT called Snake, which has been around for years, stealthy malware that caused a great deal of damage. And actually, Western countries, cyber teams went in and actually actually disrupted the malware and the infrastructure around it to the point where they kind of rendered it as I understand it benign and not terribly usable anymore. So I would think of that as a fairly offensive cyber operation. Would Ed say that was a bad thing to do? I doubt it. So yeah, in the absence of a particular, you know, in terms of the detail of what Ed was going after, I don't know. Okay, good answer, diplomatic answer. Oh, so the correct answer is I'm right and Ed's wrong, but we'll skip past that. Now, during the original Cold War, let's go back to being serious and about the and continuing the theme here. Now, during the original Cold War, enemy of the states would be formally imprisoned. But that practice lent itself to all sorts of resistance, because you can legally challenge the very fact someone's in prison, you can start campaigning for their release, you give a propaganda victory to your opponents, as you see in other countries who can say, look, someone's been in prison, that's proof that they have oppression in that country. 
So towards the end of the Cold War, it became increasingly common practice for oppressive regimes in regions like Latin America to outsource oppression by encouraging paramilitaries, extrajudicial killings, the practice of disappearing opponents, all acting outside of the legal framework, making it difficult to hold anybody responsible or to blame the state directly. Is this increasingly what's going to happen with networks becoming a lawless zone where no one is going to be able to be held responsible for activities that are ultimately likely sponsored by nation states? Yeah, I mean, I think we have that to an extent today. I don't think there's any doubt that we have that going on. Russia and China and Iran are participating in that way. I mean, it's not obvious to me why one would expect, you know, those behaviors of the physical world that you refer to going back decades and that are still with us in the physical world. I don't know why one wouldn't expect them to be present in the cyber world. And to the contrary, because it's easier to hide and disguise and obfuscate and proxy in the cyber world. So, yeah, it's a part of our reality today. And, you know, I guess fundamentally, the solution to that is something warm and fluffy, like a better world. But, you know, yeah, or a more democratic world, because these issues start from there and filter down. And we tend to think of state subversion, though, when it happens between countries. A classic example would be the belief, the widespread belief, with some supporting evidence to support it, that Russia was trying to interfere in the US presidential election by hacking the Democratic National Committee's servers and then releasing embarrassing information with the assistance of Julian Assange. Okay, that's how it gets depicted, with the idea being it's about influencing the mass. But let's look at what's happening between Ukraine and Russia now. 
There's a lot of talk, I'm not going to say I know exactly the details myself, but now there's a lot of speculation that attacks on individuals in Russia are related to the position that they've taken in respect to the war. So, people going after somebody physically within Russia, because they're a supporter of the war in Ukraine. So, somebody maybe with support from the Ukrainian state is able to set off a bomb, blow up a car, and so on and so forth. Does that mean that we should be thinking about individuals being subject to that kind of attack, but through our networks, through hijacking their accounts, through taking over their personality, through denying them the ability to live their life? No one's ever talked about that. Why is that? Has it just not occurred to us? Has it not happened? Is this a black hole in our defenses that we've just not thought about? Well, I think, you know, the individual component parts of what you're talking about are all there. You know, we've seen with the Pegasus attacks on individuals, attacks on their privacy, attacks on their location. We've seen that in a very high-profile manner. We've seen in Ukraine the use of location technology to identify and assassinate Russian generals. So, you know, the various, you know, the various pieces are there. And to your point, there's absolutely no reason why they can't be pulled together to arrive at the sort of scenarios you're referring to. And I wouldn't be all that surprised to see them materialize in some ghastly scenario or another in the next two or three years. Yeah, and forgive me, that's why I tend to prefer encryption end-to-end or things like this, because I'd rather have no government be able to interfere with some forms of communication rather than trust that only the good governments will do it and the bad governments won't be able to exploit the same loopholes we're creating. 
Now, one possible reason for cynicism is that individuals like FBI Director Christopher Wray, he typically warns the public that countries like China are ramping up their cyber espionage, but then his credibility can take a hit when he's accused, you know, when accusations are pointed at the FBI for excessive use of their powers to conduct surveillance, abuse sometimes, of their powers to conduct surveillance via comms providers. How seriously should we take the problem of who watches the watchman, i.e. whether the actions taken and claims made by national security agencies are subject to sufficient scrutiny? So I hear you and I think that it speaks back to some of the conversation around the equivalence that we were speaking to earlier. In terms of democratic accountability, as I think we can probably all acknowledge over the last few years, you know, a few years ago we believed that democracies were imperfect and we have more and more evidence of them becoming even more imperfect by the passing month. So, you know, I would like to think that we've reached peak imperfect in terms of our ability as democracies to hold individuals to account, hold national security agencies to account. It's not a good time to be doing that effectively at this point in time. I don't have big answers there, Eric, I'm afraid. It's a difficult one, that's why I'm going to throw it over to Lee because he's always got the big answers. Lee, what can we do? Is there any way to do it? And this is not then at harbour more and more cynicism because then you'll have polarisation in society because maybe Christopher Wray's right when he talks about Chinese espionage through comms networks. But then if you think the FBI is spying on you too, you're not going to really listen to him when he's worried about China. You're going to be cynical about every government. 
Yeah, I mean, we spoke about this last week, actually, or was it the week before, when I was talking about the 77th Brigade in the UK, and we also had the FBI doing these, the unwarranted searches. I think we need to have, there needs to be more kind of rules and regulation about who watches the Watchmen, right? Because I think if you have that, if you have that third eyes, then a lot of these kind of what was, you know, I think if you look at what happened at the 77th Brigade and also at the FBI, I think you might remove some of that. So yeah, I think there needs to be more rules and regulation around that. And Ed, FISA, that's the one in the USA, the supervision, but there's a lot of dissatisfaction with the supervision. Can it be tightened up? Will it be tightened up? Is the mood turning against, you know, people like Christopher Wray because of increasing cynicism? I see that the polls, the surveys, especially Republican voters in the USA, they're increasingly suspicious of organizations like the FBI, and it feeds into a narrative of them overusing their powers, abusing their powers. Is this now the point where things might change and we might see more scrutiny of this kind of activity, partly because politicians are worried that they'll lose the public in the fight against China and the real threats? Yeah, look, I think I just come at this from a completely different point of view, because I feel like the discussion right now is coming at it from the point of view where a FISA judge or Christopher Wray or the person who's in the wrong or the enemy. And I actually don't feel that way at all. If anything, I think if there's a problem with oversight right now or who's watching the watchers, it's yeah, it's the oversight. It's congressional oversight is the problem. 
It's the people that are sitting in those seats and what's their agendas and are they actually conducting proper ethical oversight of the intelligence communities or are they pushing their increasingly polarized and extreme agendas? And it clearly it's the latter. And so you end up in this quagmire that you're in right now, where I agree with Lee that if you could improve the way the system works and you could have better privacy for people and not gut the intelligence agency's ability to protect people, yes, ideally that would be great. But I don't think that that's the problem that's even trying to be solved by the people that are overseeing it. They're trying to push political agendas. And so you said something about this, Eric, which was about the public getting upset. If the public gets wound up enough about something, yeah, the talking heads and Congress will make noise about doing something about it. You know, but what's the actual result going to be? I don't I don't see improvement happening. I don't even think that's the goal.

You said exactly what I wanted to say. And you said it a great deal more eloquently. So thank you for that. You put it far, far better than I did.

You're too kind, Patrick. I'm just trying to keep up with you, brother.

One great analyst, another great analyst. Well, we're running out of time, Patrick. So final question, a two parter, if you like. You've got something coming up pretty soon, your own live streaming event in a few weeks time. So please remind me and the audience about that. And also, obviously, HardenStance is a great source of information in terms of the reports on issues like this and the state of security in the industry. What other impartial sources of information would you recommend about topics such as cyber attacks conducted by nation states?

Well, thanks for the opportunity for the plug. It's very kind of you. I have the HardenStance Telecom Threat Intelligence Summit is coming up on June 6th and 7th.
If you go to hardenstance.com, you can find the registration and the agenda and all that good stuff. So thanks for that opportunity. In terms of other sources, in terms of nation state threats, I would say Recorded Future is very good. Mandiant, Google, Mandiant Google is very good. I would say CrowdStrike. I would say Netscout and I would say Microsoft. In terms of nation state threats, I think those are some of the sources that I most commonly refer to and trust, albeit with the rider that I put on earlier, that the framing of who a threat actor is still has its biases, whatever side of the geopolitical divide you sit on. And we've explored a little bit of that today, but not that much because we could go on and on.

We could go on and on. It's been an absolute pleasure to have you on the show, Patrick. I'm afraid I'm going to have to call time, but thank you very much for joining us today.

Thank you very much.

Thanks a lot, Patrick.

Well, that's it. We're out of time. I do heartily recommend you tune into Patrick's event there on June 6th and June 7th, except for when our show is on on June 7th. You have to switch the channel to us on that point in time, but the rest of the time you can watch Patrick's show. That's all for episode 11 of the Communications Risk Show today. Once again, the clock defeats us. There's just two more episodes too in the current season, but the good news is we will be back with a new season later this year, following the same format with the same team of presenters, and with live streams scheduled for 4 p.m. every Wednesday for 15 weeks in a row from 23rd of August until 29th of November. If you're interested in sponsoring that season or any of the individual episodes, then please get in touch. Now, meanwhile, Ed, Lee and I will be back next Wednesday, 31st May, with a show dedicated to one of the biggest talking points in the communications sector. I will pack it into an hour. I do not know.
Nuisance robo calls and what to do about them. And yes, we do need to talk about that because all the past talk has not delivered the solution so far. So we do need to talk about it again for such a challenging topic. We need not one, not two, but three guests to give us a broader range of opinions than you'll get from most of the sources. I nearly said Eddie, but I'll just imagine there's maybe one or two out there more generous. Our guests will be Sathvik Prasad, prize-winning robo call researcher from North Carolina State University. Professor Feng Hao of Warwick University is going to talk about an innovative solution his team has developed. And we'll also be joined by distinguished network engineer, Pierce Gorman, currently of Numerical, formerly of Sprint and T-Mobile US, who will give the unbalanced truth about using SIP to identify the origin of calls. So watch live Wednesday, 31st May at 11am US Eastern, 4pm UK, 8.30pm India to ask questions and join the conversation. Visit the dedicated website for the Communications Risk Show to click on the feature that will save that particular episode to your diary in the right time zone, so at least every time zone in the world. But better still, you really should now subscribe to the Communications Risk Show broadcast schedule. So not only will you get next week's show added to your diary, but you'll get the next season's show. All those shows added to your diary, so you won't need to worry about missing any. You'll come back and you'll go, oh, when's the show back? And you miss the first episode. And lobby out your diary, all the dates, all the guests, all the topics. So subscribe now. Go to the website. Do it now. Don't delay. Just go do it now. Thanks again to today's guest, Patrick Donegan of HardenStance. And thanks also to my co-presenters, Ed Finegold and Lee Scargall for their insights and for putting up with my nonsense. 
And to our hard-working production team behind this show, James Greenlee and Matthew Carter. You've been watching the Communications Risk Show, and I've been your host, Eric Priezkalns. Remember to visit the Communications Risk Show website, tv.commsrisk.com, for recordings of all our previous episodes. Visit our main site at commsrisk.com for a regular background and news and opinion about risks in the communications sector. And check out the Risk and Assurance Group, riskandassurancegroup.org, to benefit from RAG's free services and content, including the RAG fraud blockchain, our RAG's cloud-sourced catalogs of frauds and leakages. Thanks for watching. We'll see you next Wednesday.