Security Expert Silke Holtmanns discusses the transition to 5G networks and the risks these pose to network operators and customers. The specifications for 5G are meant to enhance security, but will all the benefits be realized in practice? Silke shares insights derived from her work as an advisor to clients in various countries and her experience as a contributor to the European Union Agency for Cybersecurity, ENISA.
Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.
Transcript (auto-generated)
Hello, this is the Communications Risk Show and I'm your host, Eric Priezkalns. Each Wednesday, we stream live, sharing conversations about hot topics in the world of communications risk with experts from around the world. We broadcast live so you can also join the conversation, so feel free to submit your questions and observations as we go along. To ask a question during the show, just type it into the messaging box immediately beneath the streaming window at our website, tv.commsrisk.com. Messages are anonymous, so include your name if you want me to read it out. We also stream the show live to viewers at LinkedIn. You can leave comments over there, too. We'll try to read out as many as we can in the time available. Now, the theme of today's show is 5G security risks, and helping us to navigate that particular minefield will be Silke Holtmanns, cybersecurity expert at PwC, and an advisor to the European Union Agency for Cybersecurity, ENISA. But first, allow me to introduce my regular co-presenters who are going to help me review some recent industry news. Ed Finegold joins us from Chicago, and Lee Scargall joins us from Manama, capital of Bahrain. So, Ed, author, analyst, strategic advisor to telecoms businesses, Lee. Lee does so many things, it's hard to pin it down. Sometimes executive management, freelance consulting. He's worked for comms providers all around the Middle East, Europe, Caribbean, and Asia. Hello, Ed. Hello, Lee. I hope you're both well today. Let's get cracking straight into today's topic, which we've already been talking about even before the stream began today. The bad news for Americans, so I might ask you about this first, Ed. The bad news is that the YouMail Robocall Index, probably the most reliable measure of these things, said there were five billion robocalls in the USA during the month of March. That's the highest figure they have reported since November 2019.
And it continues an upward trend in robocall numbers since STIR/SHAKEN became mandatory for major U.S. telcos at the end of June 2021. So, my question to you to get the conversation going today, is the continued rise in the number of unwanted robocalls in the USA consistent with your experience and consistent with what you hear from other people working in the industry? Yes, I know you won't be answering. And now turning to you, Lee. Is there any feeling as though change is there in terms of getting better, getting worse? I mean, are people getting bored of talking about robocalls in the USA because it's been going on for so long? What's the mood when you talk to people? Everyone finds it a nuisance. It's annoying. And the normal person's not going to try to parse between legal, illegal, or otherwise. At this point, it's any number that pops up that you don't recognize, you don't want to answer it. And I've even had people say to me that I don't have the data behind this right now, but people that study this have said to me that there has been a decline in people answering the phone at all. If it's not a scheduled call or someone they absolutely recognize, their mom or something like that, they just won't pick up the phone. So, there's that reaction to it. But it's like, that's people becoming inured to it. And we spoke offline about the idea that, like, if we want to put it in terms of cyber war, you know, the weapons of the cyber war, the robocalls are like the bullets whizzing by your head. And eventually you kind of keep your head down and, you know, start to become inured to that. And I think that's some of what's happening. I certainly don't, going back to where you started, I certainly don't see a reduction as a result of any measure that's been put in place. Measures which you were just explaining to me are not connected to STIR/SHAKEN, like getting caller ID that says scam likely or something.
That's useful, but it doesn't stop the interruptions of the nuisance from happening, right? There's that aspect. And then, yeah, and then I think finally, the thing that you see is not just with the robocalls, but also with smishing, is when you see an announcement that some brand that you're a customer of has been, you know, raided for their customer data, inevitably you're seeing, you know, the scams pop up after that. They're like, oh, your account's out of date, or there's a problem with your account or any number of things like that, trying to get you to click a link and, you know, you know where the rest of that story goes, whether it's malware or to somebody that's trying to con you, right? So definitely constant flow. Yeah. But here's the thing I don't understand, Ed. It's the number one source of complaints for the US regulator, the Federal Communications Commission. They issue press release after press release, press release. I see it gets quite a bit of news coverage, but is there any sense, again, you work in the telecoms. This isn't your area of expertise. You work in telecoms and industry though. It doesn't seem to me though American consumers are really aware of anything being done to improve things. Or if they are, they're not really getting any sense that this is achieving anything. Am I wrong in that impression? No, you're not wrong at all. I just think like as a general public issue, it's not the top of the noise stack. So it doesn't get that much attention. And, you know, I think if people, for some reason, you know, were focused enough on an issue that's a little bit complicated probably for most people to understand, the message to me that would make the most sense is what we heard at the Risk and Assurance Group show when Tom Walker got up to speak, which is there's a direct connection to be able to identify the people that are responsible for this and coordinate law enforcement to go get them and stop them.
And that was the most direct and effective discussion on that topic I've ever heard. And it doesn't get you derailed into what we talked about before about STIR/SHAKEN, where you start talking about whether the Band-Aid is engineered the right way while the patient's bleeding out, right? Like it just doesn't make any sense. I think so. I think Tom would be glad about the name drop, Tom Walker of AT&T there. And I have to say, I completely agree with everything he says. He talks a lot of sense on this topic. I'd go a little bit further. I'd be a little bit more overt in the way I describe it. So why spend half a billion dollars on technology? Just lock up a couple of guys in prison. Just lock up a couple of guys in prison and you'll solve the problem a lot more quickly than with spending half a billion dollars on technology. Because there's no risk for the criminal at the moment. Whereas if you actually had some punishments for the criminal, that would then be actually the deterrent. And I think Tom is completely right about the deterrent factor. And he's completely right that by the looks of the data that he's got, there probably aren't that many people doing this. So if you could target a few of the big ones and put them in prison, you'd seem to scare off the others. But anyway, anyway, we'll wait until Tom Walker comes on the show before we talk too much about Tom Walker's view of these things. Lee, let's bring you on to this now because this topic, robocalls, nuisance calls, automated calls, the scam calls, spam calls, and all the like, tends to get seen very much through an American prism. In fact, I've just done it there. I've quoted American stats. And the assumption seems to be that the problem is going to get bigger everywhere around the world and everyone's got to follow the same approach that they're following in the USA. You've done a lot of work, Lee, Middle East, different countries.
And we've been talking about how you take a radically different approach to solving some of these problems in some of the countries where you've worked: Bahrain, Oman, United Arab Emirates. How do we contrast what's being done elsewhere with the USA? Tell us a little bit about the core of the current strategy you see for scam call prevention in Bahrain and other Arab countries in contrast to what we've heard about happening in the USA. So a lot of the scam calls that we receive are coming in from international locations, but they actually have our country code. So, and it's being spoofed. So they appear as a plus 973 number. We had a big issue with this some time back, but we've recently brought it under control. And all we've done is we've just implemented a voice firewall. And what we've done is we've actually configured that firewall to block any local fixed line numbers coming in through the international gateway, because that's not even possible. So clearly these numbers are being spoofed. Although you need to be careful because you don't want to block the genuine traffic coming in from these call centers. Now, when we receive one of our mobile subscribers' CLI coming in through the international gateway via an international route, we then check the HLR or the VLR just to see if that customer is roaming or not. If they're roaming, we allow that call to pass through, but if the mobile is still located in the home network, then we know it's being spoofed. So we block that. Now, what we've noticed is some of the scammers, they're now spoofing our competitors' numbers, right? So we're working with them to get access to their HLR information. And then when the calls come onto our network, we can check to see if they're roaming or not, right? I know Omantel in the Middle East, in Oman, they've actually implemented this approach and have actually had some really good success at blocking spam calls. But as you know, fraudsters are pretty innovative these guys, right?
So as you close one door, they go looking for another door which is open. And what we've seen now, there's been a big uptick in scam calls actually coming in via WhatsApp, right? So we have very limited kind of control over that. Okay. But I mean, come on, give yourself some credit here. By the sounds of it, you've had some impact, at least for traditional voice calls. How would you estimate the impact of the approach you've taken so far? Has it led to a reduction? Has it led to a measurable reduction? We're talking here about the USA, it gets worse month after month. How does it compare to other places? Yeah, it's definitely come down. We used to get a lot of customer complaints about this, but now they're coming down. But like I said, we still have an issue. We still have to work with our competitors to get access to their HLR. Once we've done that, I think we can solve the problem. But doesn't that sound like a strategy everyone should be adopting then? For me, I don't understand the part about STIR/SHAKEN, where the theory is you're going to attach a signature to things and every call is going to be signed and the signature gets passed along. Well, it's a nice idea in theory, but actually, how are you going to make this work across international borders? Makes more sense to just look at your own nation's borders and say, phone call clearly originated outside the country, says it originated inside the country. There you go. Straight to it. This is the first thing you should be doing, surely. Why wouldn't you implement this approach, really? Is there a reason why you wouldn't implement this approach? I can't see why you wouldn't. It's a very smart and very cost-effective way of dealing with it. Doesn't cost half a billion dollars, right? That's the reason I like it. You know me, I love cheap, okay? Being a Yorkshireman, I love cheap.
Forgive me, I know you probably can't talk about the amount of cost to implement what you've done in the Middle East there, but I don't get the impression that this is much of a problem for budgets, especially when you've got lots of people, lots of the population complaining upset about these calls and you're talking about the cost of the fraud and how much loss. This sounds like a real drop in the ocean. Cheap and relatively quick to implement. Yes, you might need more coordination if the spoofing of the numbers is on somebody else's network, but not technologically advanced or difficult, I would say. Give me a feel for this. How long does it take to implement? How long did it take for you just to stop this kind of spoofing of numbers on your own network being used from outside the country? It wasn't implemented by the fraud team. It was implemented by the network engineers, but it took about three to six months to get it all nailed down properly working. It's not a big, you know, not a big exercise to do. I contrast that with STIR/SHAKEN because, as I say, the numbers have been going up and up and we're only a very small proportion of the US. Anyway, we could go on. We'll take an ad break, which is before I get too wound up, we'll take an ad break here, guys. So let's have a message from our series sponsors, Blue Gem. Now, Blue Gem is a global provider of testing services for telecoms, government and software businesses. They use real phone devices, which means they can help you to ensure the latest network services and products such as 5G, eSIM, VoLTE, and satellite. They create real usage events such as video and music streaming and even eSIM profiles to ensure the switching of profiles when at home or abroad. Communication providers are always improving networks by launching new products and services, and Blue Gem provides short and long-term test audits with full test plans to ensure your services are ready to go live. These new capabilities include 5G.
Now, Blue Gem utilizes the latest 5G devices to measure both the quality of the 5G network signal and also the customer's experience when using high-speed 5G apps. Blue Gem also works with service price support, law enforcement requests via Blue Gem's IP address resolution service to validate telecom IPAR systems for tracking both internal and external IP addresses of devices. This helps pinpoint suspicious activity and malicious users on mobile networks in real time. So, if you want assurance when launching any new products or services or need support for law enforcement requests to track IP addresses, you should call upon the experienced team of specialists at Blue Gem. Their URL is blugem.com. So guys, back to STIR/SHAKEN and the statistics. So, one thing that caught my eye, another statistic here that's shaken my world apart, Juniper Research is claiming fraud losses caused by U.S. robocalls will keep climbing, so they're saying that the fraud losses are going up at the moment, but they will start to fall in 2025. They also say that they estimate that STIR/SHAKEN has reduced the year-on-year growth of fraudulent losses to robocalling in the region of 85% between 2022 and 2023. So, essentially the first year after STIR/SHAKEN became mandatory for the big telcos. Sounds like a great statistic. I can't make any sense of this number at all. STIR/SHAKEN, only 27% of U.S. calls reached their destination with a STIR/SHAKEN signature. So, how can there be an 85% impact on frauds that didn't occur? The frauds does not know to use how to make calls that don't involve STIR/SHAKEN. It doesn't make any sense to me. Never mind the fact that we're talking about estimating the value of frauds that didn't occur. I mean, I find it very hard to work out the cost of crimes that didn't happen because they didn't happen. So, it's a really tricky thing to do. So, Ed, I've got to come to you here.
I know you're not an expert on STIR/SHAKEN and robocalls, but as an industry analyst, and as I'm quoting these statistics from Juniper Research to you, what can be done to make sure that the industry analysis is really reliable? Because I have to say, I've got a dodgy feeling about this analysis. Maybe you feel better about this, but what can be done that we can trust the stats that get thrown around and then get used to justify decisions about purchasing expensive technologies like this? I think if you're a consumer of that data and you're out looking at a lot of different data sources all the time, especially as a primary or secondary researcher, and that's a lot of the work that I do. I mean, you do get familiar after a while with who's publishing what, and you do have to discern what sources you're most excited about. We talked about this before, or what sources you trust the most, which is why you would be excited about them. The problem is a lot of times those sources make marketers excited, and then that's a lot of what the data is used for. There's certainly a lot of research brands that have done a great job carving out SEO real estate for themselves, and they get a lot of virality and a lot of extra pub out of their data for that. I think it's hard to overlook that effect on the whole ecosystem and why, again, as a consumer, you have to really discern what you're looking at. In the specific case that you're talking about, especially anything around robocalling and numbers that don't pass the smell test effectively is what you're saying is, how is it being categorized? How is it being parsed? That number feels to me like a category change. They redefined how they counted something and voila, the result was magically so much better, but it wasn't that there was a real difference. It was that someone decided to categorize nuisance call as legal call as opposed to nuisance call as illegal call or some gray area thing like that.
That's where I think you have to, if you're going to lean heavily on that data or invest in it, you need to do a little bit of due diligence about where the number came from. I think it's the only way you get to the bottom of it. I don't see there being some regime that's going to hold every data producer accountable for every stat that they produce, if that's what you're asking for. I'm not asking you to do it, Ed. It would be an impossible task. Again, as a man who ends up sitting in front of the TV, the story will come on CNN. They'll start quoting statistics maybe from reports like this. What's your feeling sometimes when you're watching the news and the quality of the information the public gets? Is the public getting good enough quality information? How much do you trust statistics like this that are being put out? Where do you turn for reliable information? That's the thing. As a primary researcher, you go to reliable information as you go to primary sources. You're either getting survey data collected and scrutinizing it yourself. You're going out and talking to experts around the field, seeing things with their own eyes. That's what you should be doing as a primary researcher. Let's start there. The other side of this, though, you're talking about the news cycle. I laugh because I do see that. Exactly what you're saying happened where, obviously, some reporter picked up a one-source story that's hung on some stat that's probably questionable. It probably, when they fed the description of it into the keyword machine, the SEO robot came back and said, 93%, this looks good. Then they take it to the next step in the production process. It got through that day's production meeting, and then it's on your TV. That's why with mainstream news in general, I'm always reminded, and I think anyone that works in media probably recognizes this, what you're watching isn't necessarily the news. You're watching the output of that day's production meeting. 
But as soon as you start looking at it that way, it's really, really hard to watch your news program because all you're thinking about is how did they let this story come on? How are they running that meeting? The whole thing falls apart, but that's what's happened in a nutshell. This is, again, why I'm perplexed. I almost wish I was in the United States of America to experience it firsthand because it feels as though all the news media is on the side of telling the public that the problem is under control, the problem is getting better, the problem is coming down. This is an example of feeding that news machine. Yet, whenever you talk to an ordinary American, there's no belief in that at all. Why wouldn't the news media sometimes reinforce the experience of the ordinary American rather than try to persuade you the problem's getting better? It's not, I find it perplexing. I don't get it. I really don't get it. When I sit down and have conversations with people, regular people, right after dinner or that kind of thing, and lots of different subjects come up, there's always like a technology thread that pops up, not because I'm there, it just pops up in people's conversations because they're using their phones all the time. Lately, people have been much more wound up about AIs and ChatGPT, and that's been coming up than they are about robocalling. Now, if I mentioned robocalling, people are, and then someone will tell some crazy story about it, but that's it, right? And then it moves on. It's not like that obsessive thing like, oh, COVID, we need to do away with it. It's like robocalling, right? It's just not getting that level of obsession from the public. Okay. Well, so we can look forward to half a billion dollars being spent on solving some AI problem that doesn't work, and in a couple of years' time, we'll be talking about something else. Job done. Now, Lee, these projections, the US, how did they compare to what you would think reasonable in other countries?
Does the regulator in some of these other countries that you've dealt with, do they actually set targets and expectations? Is there pressure on telcos to get robocalls down? We're seeing a big problem in the USA, and people talk about it being a growing problem, but what are the expectations in terms of the number of nuisance calls and what's acceptable in different parts of the world? So I mean, just to echo what Ed was saying there, I think the problem here is how do you measure a scam call, right? So some of the reports that I've seen, they just simply contradict each other, and it's all around the methods of calculation. Now, we did a show several weeks ago, and their method of calculation was based on the duration of that call, and by definition, I think we had some kind of research that showed that by definition, all men would be classed as a robocall. Now, I've seen some other reports that the way they calculate it is based on if the call coming into a mobile, if it's not in their contact list, then that's classed as a spam call. Now, me personally, I get about 10% of my incoming calls, they're not on my contact list, right? So it's very hard to discern what is kind of reliable data and how do you cut that data, but just to go back to your question is, are the USA doing a good job? I don't think they are doing very well, Eric, if I look at it. If you look at the numbers, they're increasing in the USA, but they're decreasing in other parts of the world, right? And there's definitely more cost-effective solutions out there. I know the UK is doing a good job, we're doing a good job in here in the Middle East, and Oman, if you look at what's going on in Oman over there, they're just all over it. Well, that's great to hear. 
I mean, and some feedback for you, Lee, here, we get some comments coming in, various people very interested in what you've been doing in the Middle East as part of this solution where you're checking HLRs and looking to see the difference between a genuine local number and a spoofed local number. So, I won't bore you by reading out the questions now, a little bit too technical to cover, but check out those comments, Lee, after the show, and I think you can be giving people some free consulting, maybe, or maybe you'll charge for them, you know, got to keep the income rolling in to keep all those servants of yours paid for. So, with that little unkind jab, sorry, Lee, I always like to make fun of how wealthy he is. I will now skip into a genuine fact of the week, the Symmetry Prism Fact of the Week. So, Symmetry, they are one of our sponsors of the show, and each week they provide us with an interesting fact collected by their Prism Fraud Intelligence Service and their team of intelligence gatherers. Now, they visit the darker, dingier parts of the internet, so you and your business don't have to, and that's why they've been seeing recently lots of adverts for professional SIM swap fraud services. So, this is basically fraudsters for hire. If you visit one of these online crime markets, you will see criminals promising to swap the SIM of any phone, or was it given the details of the number you want swapped, and pay them the fixed fee for their service. Advertised fees include $1200 for a SIM swap of an AT&T customer, and a snippet, a bargain, $850 to hijack the service of a T-Mobile customer. I don't know why T-Mobile is so much cheaper than AT&T. I think that might be a bit rude if you were a T-Mobile customer getting a discount there. Now, these criminals, they promise the swap will be executed within 15 minutes of payment, and to give you extra confidence when you purchase their services, the payment is held in escrow until the swap has occurred.
So, there you go, quite a bit of professionalism there from the criminal market. So, if you want to get the best intelligence about fraud, come to the professionals who are fighting fraud, and that includes people who are gathering data about the numbers that criminals are lining up to attack with scams like international revenue share fraud and Wangiri before those attacks have even begun. Reach out to Symmetry Solutions and subscribe to one of their PRISM information services. Stopping just one fraud attack using PRISM will more than recover the cost of the annual subscription. You'll find out more from symmetrysolutions.co.uk. Okay, another ad break over. Let's get back to the topical chat, Lee, Ed, and this is a tricky one for me to bring up, so I'll be glad of any comments from the audience too in feedback to this, because maybe I'm wrong and the rest of the world is right. I don't know, but I'm going to float it out there anyway. So, if you're watching and you want to leave a comment, don't forget we've got the messaging window immediately below the streaming window at tv.commsrisk.com. I'm keen for feedback on a difficult subject for me because some people have been saying to me the last week privately, not publicly, privately saying that I've gone too far in criticizing the revenue assurance community for saying that they have not been promoting any new ideas for years now. Basically, I wrote an article on Commsrisk that questioned why we're not seeing any new ideas, why we're not seeing any new articles, why we're not seeing any new projects, the complete loss of any new sources of information or advice about revenue assurance. Let's be frank, we've had some people pushing back, as I say, privately, not publicly. So, my question to you, the audience, and to my co-presenters is when I say that revenue assurance is now considered the ugly duckling sibling of fraud management, am I being unfair to the revenue assurance community?
Lee, you currently oversee revenue assurance work inside telcos. Is there anything new to say about revenue assurance that we haven't heard in the past many times before? And if there is anything new to say, why is it so hard for me to find people who say it? Yeah, so I'm going to give you one of them, yeah, but no answers, right? So, look, I've been working in this sector now for about 20 years. I don't really see much change apart from automation. So, at the start, we didn't have any systems. We do all this, everything manually. These days, we've got systems, we've got analysts, yeah, but overall, the mechanics are still pretty much the same. Now, when we moved from 3G to 4G, we actually saw this change from reconciling voice CDRs to more around data subscription packages. So, I'm now waiting for the next evolution from 4G to 5G. So, how do we assure things like network slicing, quality of service, latency, and bandwidth? But so far, Eric, I haven't really seen much to rave on about, right? But if I compare revenue assurance to, say, cybersecurity and how that's evolved in the last 10 years in telecoms, then it's pretty clear to me where all the innovation is coming from. There's a lot of people making a lot of great points, doing a lot of great work in the security space. There's a lot of people doing a lot of great points, doing a lot of great work in the fraud space. That's my point. I mean, it's not good enough to just say, well, we're waiting for some new service and new product to come along, and then we'll assure it. Where's the new techniques? Where's the new methods? Where's the innovation? I don't get a sense of any innovation in the revenue assurance field at all. I'll tell this one round to you, Ed. So, one of the groups that does innovation, they have a revenue assurance group in the TM Forum, and you do quite a bit of work with the TM Forum, though not in this space. So, I'm just again asking you about your general impression here. 
Fans of revenue assurance would imply the TM Forum is buzzing and vibrant and creating all this energy around revenue assurance. I don't see a lot of evidence of it. Am I looking in the wrong place? Am I missing? Is the TMF doing more in revenue assurance than I'm giving them credit for? Yeah. So, I want to go back to where you started. You were asking, Lee, about revenue assurance and fraud management revenue assurance being jammed together. And so, from a TM Forum perspective, that has happened, and that lives under business assurance now. So, there's a little bit of rebranding that goes on there, but some of the work, and actually, so sorry, I'm going to be a homie for a minute here, but I encourage people to go check it out because the business assurance group is actually one of the more active groups in terms of communicating what they're doing and publishing useful stuff and putting tools out that are useful and doing catalyst projects that have some meat behind them. And a lot of the stuff that they do, it's not, in my understanding, and I could be wrong here because there's a lot of different collaboration teams at work at different levels that no one person can really wrap their mind around all of it, not me. So, I don't know that they're necessarily doing the nitty gritty type work in revenue assurance at a deep level. Probably, they're doing some of that around open APIs, but I would say at a higher level, going to what Lee was saying, they are looking, I think, from a business assurance perspective, which then includes those other pieces, looking at those questions when you're talking about an ecosystem, when you're talking about a lot of solutions that are put together by API, when you're talking about partners needing to be settled out, when you need to secure those things, you need to make sure fulfillment's happening because that feeds into customer experience. 
It's kind of all those things put together, which I think from that perspective makes sense of why revenue assurance and fraud management get folded under that umbrella. And I would just encourage, again, if you're interested in seeing that kind of work done or knowing what they're doing, check out the business assurance group at TM Forum. They're actually doing some interesting stuff there. I should have charged them for that sponsored advert too, Ed. That one slipped right in and I stand corrected. Okay. I think the debate will continue in future episodes because I'm not entirely convinced, but maybe we'll find some stuff coming out from the TM Forum that we'll talk about in future episodes. I look forward to seeing it. But before we introduce today's special... Well, hey, I'm not putting a burden on your shoulders, Ed, although you are a researcher, so you should be good at finding things like that. But before we introduce today's special guest, here's another of our regular weekly features. Jeffrey Ross of call authentication, fraud prevention and geolocation specialists OneRoute takes us each week to a different country on a tour of the world in our phones. This week, however, Jeffrey is going to take everyone everywhere all at once as his destination is the whole world. Let's see what he has to say. Roll VT. Hey, everyone. From OneRoute, I'm Jeffrey Ross, and this is The World in Your Phone. Let's talk about the world. The world in your phone. Now, by now, you've seen a few of these episodes on the Communications Risk Show and probably wondering why in the world is this guy even coming on each time for two minutes talking about different countries and different facts? Well, here's the fact. With over 7.8 billion people in this world, we have a whole lot of people, a whole lot of languages, a whole lot of different cultures, a whole lot of different countries, a whole lot of differences that we all tend to focus on. And that includes telecoms.
We have different types of fraud in each country. And unfortunately, that means when a country focuses on their fraud, they typically don't look into how this will affect the other countries around the world. So maybe by the world in your phone, we start to learn what we have more in common rather than what we have different from each other. And by learning what we have in common, our hope is that we see that we can collaborate, that we can work together, and that we actually, as a world, have a common goal of eliminating fraud, protecting the people, protecting the end users from falling victim to fraud. So I hope that you learn something new each time you see one of these World in Your Phone episodes. In case you haven't seen them, be sure to subscribe to OneRoute's YouTube page where you can catch up on all the other World in Your Phone episodes, along with our OneRoute Roundup, where we spotlight individuals and companies making a positive difference in the telecom industry. Until then, we hope that you continue to learn, continue to collaborate. And now back to you, Eric, for more of the great Communications Risk Show. Cheers. Thanks, Jeffrey. I always look forward to what Jeffrey has to say and where he is going to take us each week. But now let's get down to the most serious part of the show, the part where we interview a top expert. And today we are speaking to Silke Holtmanns. Silke works for PwC as a telecommunication cybersecurity expert with a particular focus on their 5G security assurance services. Formerly, she was head of 5G security research at Enea AdaptiveMobile Security. She's also worked in security and research roles at Bell Labs and Ericsson. She's an expert security contributor. She's been an expert security contributor to the GSMA, and she volunteers her knowledge as an expert contributor to the advisory group of the European Union Agency for Cybersecurity. And so, in short, Silke, we couldn't really get better in terms of your CV.
You're the right person to speak to about 5G security. That is a fact, a solid fact. Thank you so much, Silke, for joining us on the show. I'm looking forward to grilling you, and yet at the same time, half an hour to cover 5G security. Completely impossible. So, you're in a completely impossible situation, Silke. Apologies for that. Where do we begin, Silke, in discussing this? One thing that we chatted about before was private networks and the issues in terms of that are brought on by relying upon private networks. Is that the right place to start in terms of unpacking what we need to do in the security space? Yeah, I think it's a good place to start because, first, thanks for the introduction, so… It's your CV. Yeah, well, that's what I did, so guilty as charged. I'm not sure about the seriousness of the talk, but let's see. So, yeah, but on 5G private network, I think that's a good point to start because that's what large part of 5G is about. It's not for you, it's not for me, it's not for Lee or Ed, so it's made for business purposes. That's the idea of 5G. And, therefore, one has to take into account the requirements coming from the new partners and the needs coming from these partners. While the specifications have been drawn by engineers like me, so they think about nice, top, marvelous features that the world could use, but then, of course, the world has also its own ideas about what they want to do, and they have also their own ideas about security. I mean, if you plug in electricity grid, pretty sure they have some ideas about what they want for security, or we even see military applications today using 5G. So, there are a lot of external requirements now coming to the telecommunication space, which have not been there before. So, this question of 5G security is critical. 
Also, basically, we hook up our whole society, we hook up water, electricity, logistics, and we saw last year what happens if one thing goes wrong with logistics, it can sort of cause a hiccup over the whole world. So, okay, rail comes a bit later on connecting to 5G, that's a bit of a couple of years ahead, but anyway. So, from a society point, the security of the 5G network is really becoming a critical question, and governments have realized that, and ENISA has realized that, and also US has realized that even if they take different approaches, they all recognize the importance of communication networks for the society. So, we see now regulations and guidelines and directives appearing, like this NIS2 directive, which is for critical infrastructure from the EU. So, it basically says, yeah, well, you have to get your basically cyber stuff in shape, and then this NIS2 directive, oh, well, sorry. And that's the bit that worries me. That's the bit that worries me, is that you have a directive like NIS2. Look, I'm cynical about government. I don't hide it, okay? No, no, that's fair enough. Okay. So, governments will tend to say to businesses, like you've been mentioning energy, water, transport, whatever, you must be secure. But if I'm running an energy business, a water business, what do I know about telecoms? I know I need to use it. I'm not a 5G security expert like you are, Silke. Do they know how to translate what the governments want into what they should be asking from who? Do they ask for it? Do they configure it? Is this a big part of your work, just closing that gap now? Yeah, it is. It is. Because basically, if you are, let's say, in harbor, you're not particularly interested in 5G security protocols, because you don't care. I mean, that's fair enough. Their business is shipping containers around where I have no clue of. But they want to have a good and solid system, and they don't want to have trouble with it, trouble including security. 
And they want, of course, not to have trouble with the government, meaning they don't want to lose any licenses or permits or whatever they have that should also run smoothly. So they have the obligation to the government, and therefore they hand down any obligation to the suppliers. Suppliers, in this case, can be network vendors, it can be smaller companies, it can be a cloud provider, or it can be an operator. And then comes the question, okay, what should they ask for? So that's pretty tricky, because 5G is extremely complex. And I mean, even when you just discussed, he is still shaking, and it shows the complexity and this kind of gap that there is, so that things are not always so straightforward that you can say, make it secure. Just to give a high-level example, you have a harbor that uses an operator. The operator relies on services from a cloud provider and a vendor, network vendor. So this is a pretty typical setup. Now, something goes wrong. So how should the incident reporting chain to the government run? So there are a lot of things sort of that need to be sorted out, sort of responsibility splits, who is control of what, who is responsible for what. I mean, let's start with that one. And this is pretty deep, actually, because very often depends on if you have a hybrid cloud, if you use infrastructure as a service, if you have managed services, what kind of parties and services you have integrated. So you really need to go into the dirty little details to sort that properly out. And that's a big part of my job. And I'm getting more and more stressed for you, because, okay, it's the European Union, but there's a whole bunch of different countries in the European Union. Surely the danger is that this country, that country, and you're trying to do things like, say, logistics across borders. So you want to have a common approach, and yet you're going to find it maybe isn't going to be common for one country to do the expectations. 
Yeah, that's actually one point on extremely important point that, for example, let's say cloud security and telecommunication security, just because they are both important part of 5G, they are slightly in different laws in different countries, because each country has their own structure. So we have, for example, the 5G toolbox, which the member states that you are supposed to implement into local law, and everybody's doing that slightly in their own way, because their law structure is different. But even if their intention in the beginning was the same, the outcome in terms of compliance is different. So which means it's very hard for vendors, if they are, let's say, complied in, let's say, I don't know, Germany, to carry it over, let's say, to Finland. So if they are compliant in Germany, it doesn't mean that they can use the same compliance letter sort of then to another countries. For some notes, this is actually possible for some routers, for example, France and Germany, they have some cooperation, but for many other things, this is not possible. And I think this is really, really bad, because also for the big markets, it's not an issue. It's an issue for the smaller markets in particular. Let's say the fourth operator in Estonia with three and a half million people in Estonia. I don't think that the vendor will do a certification just to get this order from this operator. They will just say it's not a big, it's not going to be a big deal. So it's not worth doing the certification just to maybe get that deal. So they might just stay out of the market, which then results in a reduced vendor choice. So which I think is contrary to actually what the European Union tries to achieve, to have more vendor choice. So it backfires a bit. So but I think they realize that this needs much more harmonization. But let's see how they try to harmonize these things. 
But they realized, at least knew, that this is an issue and that this is a very serious problem and they need to tackle it. So that making it secure means the same in different countries. If you have it in one country, you can use it in the other country. I'm sure that's super difficult. You're obviously one of the people to talk to as the harmonization process takes place, because even if it's not harmonized now, you're one of the people to talk to in terms of advice and understanding how it will progress. You want to give any advice in terms, so that you're not solely inundated with all the queries after this show. Who else might we talk to in terms of who else is out there leading this harmonization conversation? Well, they are sort of, of course, my org competitors, for sure, that also work in that space. But it's a telecommunication security world. It's pretty small, as we also see. So there are not that many people actually doing this. And the technology experts, most of them tend to stay in the little cozy room, so being geeks. So it's actually very small. So, yeah, but I think it's very important still. But on the other hand, there are white papers available. I publish also quite a lot. I give, for example, this year. So this kind of information can be used. So, for example, I gave Road Auto a block overview over different legislation, how they match or do not match. So this kind of information is freely available and can also support. Is this an area where Europe is in the lead because of the nature of the political environment with the explicit need to harmonize? Or are other countries, I mean, where does the US compare in terms of Europe in terms of their approach? Because they've got different states and they'll have the same harmonization, probably not careful. US takes a slightly different approach how to tackle, let's say, security in mobile networks. 
And they basically go via the, if you want to get in US a very nice, this kind of public government contracts, you need to be FedRAMP or otherwise compliant. So what they are doing, they don't regulate directly the operators. They regulate what the governments when they issue orders, what they are allowed to buy. So if you are now an operator and want to get the juicy contracts of governments, then you basically have to ramp up your security. So but not every operator in US will go for these governmental contracts. So there will be a lot of operators which just say, OK, I don't care. So and then they might have lower security. So because they are not targeting these kind of high value contracts. So there will be gaps for normal consumers. So if as a consumer, I would recommend to go with operators which also go for government contracts. So because they probably have the same back end system for both of you. So while Europe targets more sort of everything the same for all public operators. So and they try to regulate this. So there are sort of pros and cons to both approaches, but that's how it's done. So there are some executive orders if that's going to change or not, but I believe it when I see it. It seems incredibly complicated thing in terms of expecting these things to converge, because if I'm, say, using a phone, I'm interested in security. Well, I'm also interested in the security of the far end of the phone, not just my end, because you can hear my voice on the far end, or you can see my data, you can see my message on the far end. So that affects me too. Yeah. Although if I'm, say, driving around a connected car, we're very interested in connected cars driving across borders. Again, it's no good to have good security one place I'm driving, I'm not good security somewhere else I'm driving. It feels as though it's hard to work out how this will come together. 
Yes, we've got the European Union, we talked about the US example, but there's other countries too. And it still needs to work security across all of them. It feels as though there's a bit of a, we don't know where this is entirely headed. Am I being unfair to you and your fellow experts? Yeah, I mean, to have a global security standard, that's a dream, but I'm afraid we have to live with the diversity of regulations. And I think we are just happy if we get, let's say, secure bubbles on the map. So that's probably as far as we can get. So it also has to do with sort of who is in charge. It's like a root certificate authority. We won't see a world root certificate authority, because everybody wants to be in charge, which is also quite interesting in the sense of these kind of local pride, let's call it that way, that many regulators tend to add their own local country requirements, sort of like 10%, I would say, sort of usually. So they take the global standard and then they sort of add their own 10% on top of it. I mean, we are all happy that they already take the 90% and they are the same. That's already sort of a big step forward, so. But you're basically saying that you and the few people that you work with, we should just copy what you're doing. Yeah. So is it in the ENISA documents that we should be looking in terms of an ideal world would be copying what the ENISA documents tell us to do? I mean, they have extremely good documents. They have threat analysis, they have market overviews, they have also sort of for virtualization, they have an extremely good document sort of how virtualization security should look like for telecommunications, which really goes in the nitty-gritty details down to secure hardware and everything. So these are excellent resources. And also a private network, I can recommend sort of take these documents and then pick the ones that might be sort of most applicable to you. So that would be my recommendation how to approach this. 
That's what I actually also do when the customer comes. I want to ask them first of all, what do you actually want to do with that thing, with 5G? So are you sure you want to do that? And from that I start. So because I'm independent, I'm not with an operator or a vendor, so I can say sort of the conclusion might even be in the end, use Wi-Fi. For some use cases, it doesn't make sense. I mean, I'm a 5G person, but I still might say afterwards, nah, for what you do, Wi-Fi is enough, go with it. So that's the advantage of being independent. It's great advice. There's a lot of questions coming from the audience. I read out a couple. One of these questions is impossibly hard, so I don't expect you to answer it, but I think you've partly answered it already. The question goes, I think that we are all in agreement on the fact that securing 5G is harder to achieve compared to earlier generations. As you can see today, even before 5G is widely deployed, the telecom security posture is quite bad. And so the question is, do you think we can achieve securing 5G and how? I think I'm going to answer for you because you've already said look at the ENISA documents and I don't think it's fair to ask you if you can achieve it. You're working to achieve it. I do my best, yeah. And the question that might be a bit easier to answer, what are the main differences between securing a private 5G network and a regular 5G network? I mean, the main difference for securing private, because that's an easy question, is that you usually know the devices that are in your network. With a mobile network, a public network, you have roamers, you have all kinds of things. So I think that makes it easier. You have a better control if you have a private network because the interfaces are also limited. You probably don't have roaming. So in that sense, you might not have external interfaces to service providers and things like that. So you know better your network. 
I think that's a security advantage of the private network compared to public network, if you just know it better. On how to secure generally 5G better. I mean, it uses IT technology and there's a lot of IT security also out there, but it needs to be used. So it's not that they start completely from scratch in 5G because they use known IT technologies. They can sort of recycle some of the IT technology also for 5G. Yeah, and this was a point that Karsten Nohl was making in the presentation he made. He talked about 5G was as much about the cloud and it was about the cloud in general, not just 5G. So obviously there's a cloud element to 5G and these things are now merging together. I wanted to bring Lee into the conversation because Lee's done some work in some countries along the lines of anticipating future risks and future requirements. Is 5G something that you perceive to be very heavily on the radar of governments when we step away from North America and Europe that other governments are worried about 5G and security? Or is it still too early for them to know what to ask for, Lee? I think that's probably more of a question for Silke than myself. She's the expert on this. But if I look at the risk aspect, there was a lot of stuff over in the UK about the telecom security requirements and the diversification around there. So I think it is a big risk, on the vendor side of things. But we've kind of discussed this all before really, Eric. I have customers that are not in Europe and not in the US and they are very security aware, they sit in Middle East and they sit in Asia. So they exist. Indeed. This is why I'm wondering if maybe some of the pull for requirements may actually come from some businesses, quasi-governmental organizations where there wouldn't be necessarily always an expectation that the government would dictate. They want to be more secure because they're conscious of the risk of, say, a bad actor, a foreign state actor or whatever. 
Is that something that comes up in conversation at all, Silke? Yes, it does. It does. So they are worried and then they ask very often, okay, we are worried about our infrastructure or the digital infrastructure. What would be the right questions to ask to make sure that our infrastructure is as resilient as possible? These things come up and then they ask for help because in the past, the regulators have been mostly busy with spectrum and now they are responsible also for the whole core and interconnection and O-RAN and whatever. So it's suddenly the same person has such a scope and that's sometimes very challenging, especially if they cannot hire new people and so on. Yeah. And of course, we talk about businesses that may be very conscious of the risk that they play a vital role in society or a vital role in the economy. So I'm thinking of, say, energy producers. If you're running a big natural gas terminal or you're running a big oil pipeline, it's not just the physical threat. There's also now increasingly the cybersecurity threat in terms of disrupting your operation. So there's probably going to be, I almost, I'm curious to know who your clients are. I know you can't tell me, but I imagine it's a real mix of clients from around the world. Yeah, it is actually, it makes, at least from a personal view, this job very interesting. So, but we see all kinds of risks, different risks and threat scenarios from clients and they are worried. And that's also actually a showstopper for some of them to use 5G because they are not sure what kind of resilience it will offer. And that's also why I think this kind of compliance and certification is one way to ensure customers that the things are in good order. So if people do, if operators do their homework and vendor, they can also monetize it. So in that sense, so it's not just something nice to have to pin on the wall, but something really where you can then say to customers, yeah, you really don't need to worry. 
We have done our drills. So here's a question for you Silke. We've got some big telecoms groups headquartered in Europe. And so they'll have one for looking at the situation in Europe and complying with the situation in Europe. They'll have markets elsewhere. They'll have telcos, operators elsewhere and customers elsewhere. Is it possible that the European approach will spread as a result of those big groups, you know, groups like Deutsche Telekom, for example, or Telefonica, do you expect that Europe will kind of set the precedent as a result of those groups wanting to be consistent from country to country, even if it's a different legal environment? Yes, we see this already spreading. So we see stuff from 3GPP and GSMA is already spreading in all corners of the world. And we also see sort of pick up, for example, the UK has these vendor requirements. We see these kind of very similar ones popping up in other countries. And also they need things we also see referenced or used in other countries. So sometimes it's a bit more obvious, sometimes less so, but yeah. I hear something I don't understand at all. So help me out. I know that there's a big cloud element to 5G. I know that, but I don't understand the detail. Having a big cloud element to 5G means that there's now some obligation on the cloud providers, the hyperscalers to increase the security. So help me to understand in a simple way so that I can understand. So basically cloud providers, or at least large ones, are in pretty good shape because they have been offering to governments in the past. But they haven't been offering to telecommunications. So for telecommunications, they need to have some additional requirements. Like I mentioned, for example, this incident reporting, let's say a cloud center, I don't know, catches fire and burns down. And then suddenly an operator has no network any longer. So the operator needs to tell the regulator what has happened. 
So there need to be a communication chain from the cloud provider to the operator and then to the regulator. And this would be, for example, something which I don't think every cloud provider has yet. Because this is regulated, it needs to be happening in 24 hours in some countries. So it's not that you can sort of, yeah, let's do it manana. So this is one example. And there are some other requirements, which are sort of similar style. So I think they are in pretty good shape, but there might be this little extra for telecommunication missing because they are part of the supply chain then. So there is a little bit of tension there because we talked about the European telco groups, but hyperscalers is based mostly in the USA. So there is, I mean, will they just come together naturally in terms of wanting a common solution? Well, I mean, already today you see that big vendors are working together with the hyperscalers, the famous hyperscalers. So this is already happening today. But it's interesting that also hyperscalers partially go for the private network market, which is sort of interesting that in the same time they are working with the vendors, but they also go in a sort of slightly competing position as going for the private network market. So let's see how that works out. Not slightly competing. Yeah, exactly. So that's quite interesting. I'm not sure how that's going to work out, but that's how it is. I mean, there's some real tension here. There's some real tension here and it's difficult sometimes to unpack how much of this is technological, how much of this is to do with who's an engineering lead and how much this is political and commercial because these standards might be approached. And I think here's the one that I think is really hardest for me to understand, the enforcement. 
So we're talking about, say, rules across the European Union, we're talking about harmonizing rules across the European Union, but then we've got hyperscalers who, okay, big hyperscaler isn't going to want to fight the European Union. There'll be subjects to it. But there's always degrees to which you want or don't want to comply to the requirements of another country. And within the end in the telecoms world, we have to connect with everybody. So there's a point where it gets harder and harder to understand at what point do you impose rules and enforce rules as you start to get involved with the state-owned operator in a country that is not your ally. It's, you know, historically a country that you've been hostile to. And we've had all this fuss about networks being used for interfering with other countries or disrupting their commerce. It's easy to say in an optimistic way, I'll be getting solved. I get the feeling that this may be impossible to solve. Am I being too pessimistic? Well, in some degrees it will be solved because people, they just need each other. So they will find some sort of agreement. So but there will be also some left out. I mean, we already see that that some vendors are having quite difficulties making sales in certain countries. So due to political situations. So, yeah, that's so I don't think that everything will work, but there will be some solution. So okay, okay. I won't keep on proving because I can imagine if I start pulling one thread, it gets more and more complicated. But one thing I will ask therefore, because I'm not, you know, again, I hate governments, okay. I just admit it. And the worst, the worst thing in the world, therefore, for me is the United Nations, because it's like all the governments in one place trying to be a super government. 
If you're going to make an argument for the United Nations, surely it should be something like the International Telecommunication Union should be right at the heart of delivering security for 5G, because it's global, because it's got to work worldwide, because they're worldwide, because they're all the governments in one place. I don't understand their role. It seems as though all this security work is being done by other people. And the ITU has a little influence a little bit here a little bit there. Am I misunderstanding who needs to be leading this? I mean, at the moment this is mostly driven by technical bodies like 3GPP or GSMA on operational aspects or IETF on technical things like certificate management or things like that. And I think that might not be a bad idea to let the technology drive this, because usually the political influence there is much lower. So of course, there is also political games there. It would be naive not to assume that this was political free, but at least it's on a lower level. And hopefully there the best technical solution wins. While when you have a very political driven agenda, then the technology maybe is no longer that important. And I think that's what we exactly see. That's at least my opinion with the ITU. It's also I think why the ITU from really what you have in your hand with your phone and so on, the importance, it has decreased. So you have very little ITU and a lot of 3GPP in your phone. And for the network, it's the same. So you have a lot of 3GPP in the network. You have the GSMA in the network. In the future, you have also Open RAN stuff in your network and a little bit of ITU for probably more from the legal side. Okay. Well, you're starting to sound like a libertarian like me. We should just let the businesses sort it out and keep the governments to one side. Okay. I can go with that. I can go along with that philosophy here. But here's the problem though. We're seeing this happen more and more. 
I don't know if you've been seeing the recent stories about people driving around SMS blasters in the back of cars, sending out SMS messages. So you've got an IMSI catcher, you're connecting to the phone locally, and you're also downgrading the user right back down to 2G from 5G. All we're seeing in certain countries, Iran, let's just say Iran as a great example, where the philosophy of control involves arbitrary, being able to choose and specify that a specific phone user will get downgraded to 2G because then they are less secure. Is there a problem here that we can put a lot of effort into getting 5G security right, but if people are just going to get downgraded, the network will all become irrelevant anyway? Yeah. Well, I mean, IMSI catchers and downgrading is a problem. It has always been, and the easiest way is basically for end user to not allow downgrading. But that of course means that you might miss a call or something. That's what you have then to accept because you might be just out of coverage for years. But on the network side, it's very hard because there are also sort of my father, I think he has a phone still from 2002. He buys the old version still on eBay when his old one dies, so he buys a new old one again. And for operators, it's very often they don't want to cut off users, even if it's low value user or something. So that's why they support still all the legacy, and it's also return of investment from the network side. So getting rid of legacy and telecommunication is extremely hard. I remember phasing out an old algorithm in 3GPP and it took ages to get that out of the door. And that's something which is a real challenge because it allows these kind of attack angles of bidding down and so on. And we will have fun with that one whenever quantum cryptography comes, because then we will have fun with that topic about retail algorithms. We won't cover that in today's show. It's been good going to pack so much into this. 
There's been so many questions from you. I'm just going to pick one because it's a big one and it's a good one to finish the show with. So this comment here comes from El Mehdi Eru Safi. I hope I got his name right there. Sometimes regulation and enforcement are not the only driver or ultimate goal to have standards. Maybe sometimes common sense, which is global and human. Well, you would hope. I'm not so sure it is, but good for you, El Mehdi, that you believe it's global and human. And fighting against the same threats that are targeting every person on earth can help harmonize and set up a more realistic, less subjective baseline. Security was and still is really one of the research fields that are the most open and knowledge sharing in order to craft responses. Maybe we need to empower researchers in order to get consensus on the best standards. Do you agree, Silke? Yeah, I do, actually. I know an example of such a case. So, for example, we don't have security on emergency warnings, public emergency warnings. You call it a tsunami warning. And you know what the reason for that is? The reason for that is that it wouldn't be it wouldn't be possible. It wasn't possible to ensure that also roamers or people with low and no data phones would get the warnings. So we didn't do security. So because else because having a security on, let's say, a tsunami warning would mean you wouldn't see the message. So we decided, common sense decided for everybody on the world, we are not doing security on that. So we didn't specify it. That's why there's no signature on tsunami warnings. That makes perfect sense. Well, thank you for sharing that, Silke. Yeah, that's a piece of history. So these things do sometimes happen, but maybe it would be good if they would happen more, so. Well, full power to you, Silke. We've overrun in terms of the time for the show, but oh, don't you be sorry. It's probably me just gassing on that's made us overrun. 
But I have so enjoyed our conversation, Silke. And I think what we've established is, if ever you want to come back and keep on talking about these things, there's a lot more that can be said. So I hope you'll be coming back in future and joining us again.
Yeah. Thanks for the invitation.
Okay. Thank you so much, Silke. It's great to have you on today's show. Well, that's it for today's show, I'm afraid. My gosh, we tried to pack it in. Lee won't be able to join us next week. He denies claims of being fabulously rich, but he's got to deal. So it's a man about a jet plane. So and I know I'm so harsh on Lee, but I just enjoy it because he is doing so well in life. I'm so poor in comparison to Lee. I don't know where I went wrong. But Ed and I will return next week when our guest will be Tim Biddle of Sinch. Now, Tim has deep knowledge of SMS fraud from his work at Sinch and from British telcos before that. He'll be telling us about the reasons why there's artificial inflation of SMS traffic, also known as SMS pumping. And what can be done to tackle this problem? And I expect a fair few people will be watching the show, Ed. So Lee won't be helping us out, but we'll have to be manning the decks here because this is a problem that we know has caused a lot of upset because Elon Musk got upset about it. Well, Elon Musk gets upset about it. The whole world shakes and it becomes a big story because he switched off two-factor authentication for nonpaying customers by SMS for nonpaying users of Twitter. So now SMS providers around the world are a little bit nervous that more big businesses will follow Elon Musk's lead and that they may also switch off two-factor authentication for SMS unless SMS pumping can be brought under control. So join us next Wednesday, 26th April, 4 p.m. UK, 6 p.m. Saudi Arabia, 10 a.m. U.S. Central, and a whole bunch of other time zones, which I'm not going to read out every single time zone.
So why don't you just subscribe to our broadcast schedule on the Communications Risk Show webpage and have every weekly show uploaded to your diary automatically in the right time zone for you? Thanks again to today's guest, Silke Holtmanns, 5G security expert at PwC. I love to talk to her, learn so much from her every time we have a conversation. Thanks also to my co-presenters, Ed Finegold, Lee Scargall, fantastic experience they've been showing with us today, and to the hardworking producers of this show, let's not forget them, producer James Greenley, assisted by Matthew Carter. You've been watching episode six of the Communications Risk Show. I'm Eric Priezkalns. Remember to visit the Communications Risk Show website, tv.commsrisk.com, for recordings of previous episodes. Always keep reading commsrisk.com on a daily basis for the latest news and opinion about risks in the comms industry and visit riskingassurancegroup.org for RAG's free content and services, including the RAG fraud blockchain and the most comprehensive catalog to telco frauds and revenue leakages. Thanks for watching. We'll see you next Wednesday.