Security Expert Silke Holtmanns discusses the transition to 5G networks and the risks these pose to network operators and customers. The specifications for 5G are meant to enhance security, but will all the benefits be realized in practice? Silke shares insights derived from her work as an advisor to clients in various countries and her experience as a contributor to the European Union Agency for Cybersecurity, ENISA.

Topical news items are also debated by the show’s three regular presenters, industry analyst Ed Finegold, senior risk executive Lee Scargall, and the Editor of Commsrisk, Eric Priezkalns.

Transcript (auto-generated)

Hello, this is the Communications Risk Show and I'm your host, Eric Priezkalns. Each Wednesday,
we stream live, sharing conversations about hot topics in the world of communications
risk with experts from around the world. We broadcast live so you can also join the conversation,
so feel free to submit your questions and observations as we go along. To ask a question
during the show, just type it into the messaging box immediately beneath the streaming window
at our website, Messages are anonymous, so include your name if you
want me to read it out. We also stream the show live to viewers at LinkedIn. You can
leave comments over there, too. We'll try to read out as many as we can in the time
available. Now, the theme of today's show is 5G security risks, and helping us to navigate
that particular minefield will be Silke Holtmanns, cybersecurity expert at PwC, and an advisor
to the European Union Agency for Cybersecurity, ENISA. But first, allow me to introduce my
regular co-presenters who are going to help me review some recent industry news. Ed Finegold
joins us from Chicago, and Lee Scargall joins us from Manama, capital of Bahrain. So, Ed,
author, analyst, strategic advisor to telecoms businesses, Lee. Lee does so many things,
it's hard to pin it down. Sometimes executive management, freelance consulting. He's worked
for comms providers all around the Middle East, Europe, Caribbean, and Asia. Hello,
Ed. Hello, Lee. I hope you're both well today. Let's get cracking straight into today's topic,
which we've already been talking about even before the stream began today. The bad news
for Americans, so I might ask you about this first, Ed. The bad news is that the YouMail
Robocall Index, probably the most reliable measure of these things, said there were five
billion robocalls in the USA during the month of March. That's the highest figure they have
reported since November 2019. And it continues an upward trend in robocall numbers since
STIR/SHAKEN became mandatory for major U.S. telcos at the end of June 2021. So, my question
to you to get the conversation going today, is the continued rise in a number of unwanted
robocalls in the USA consistent with your experience and consistent with what you hear
from other people working in the industry? Yes, I know you won't be answering. And now
turning to you, Lee. Is there any feeling as though change is there in terms of getting
better, getting worse? I mean, are people getting bored of talking about robocalls in
the USA because it's been going on for so long? What's the mood when you talk to people?
Everyone finds it a nuisance. It's annoying. And the normal person's not going to try to
parse between legal, illegal, or otherwise. At this point, it's any number that pops up
that you don't recognize, you don't want to answer it. And I've even had people say to
me that I don't have the data behind this right now, but people that study this have
said to me that there has been a decline in people answering the phone at all. If it's
not a scheduled call or someone they absolutely recognize, their mom or something like that,
they just won't pick up the phone. So, there's that reaction to it. But it's like, that's
people becoming inured to it. And we spoke offline about the idea that, like, if we want
to put it in terms of cyber war, you know, the weapons of the cyber war, the robocalls
are like the bullets whizzing by your head. And eventually you kind of keep your head
down and, you know, start to become inured to that. And I think that's some of what's
happening. I certainly don't, going back to where you started, I certainly don't see a
reduction as a result of any measure that's been put in place. Measures which you were
just explaining to me are not connected to STIR/SHAKEN, like getting caller ID that says
scam likely or something. That's useful, but it doesn't stop the interruptions of the nuisance
from happening, right? There's that aspect. And then, yeah, and then I think finally,
the thing that you see is not just with the robocalls, but also with smishing, is when
you see an announcement that some brand that you're a customer of has been, you know, raided
for their customer data, inevitably you're seeing, you know, the scams pop up after that.
They're like, oh, your account's out of date, or there's a problem with your account or
any number of things like that, trying to get you to click a link and, you know, you
know where the rest of that story goes, whether it's malware or to somebody that's trying
to con you, right? So definitely constant flow. Yeah.
But here's the thing I don't understand, Ed. It's the number one source of complaints for
the US regulator, the Federal Communications Commission. They issue press release after
press release, press release. I see it gets quite a bit of news coverage, but is there
any sense, again, you work in the telecoms. This isn't your area of expertise. You work
in telecoms and industry though. It doesn't seem to me though American consumers are really
aware of anything being done to improve things. Or if they are, they're not really getting
any sense that this is achieving anything. Am I wrong in that impression?
No, you're not wrong at all. I just think like as a general public issue, it's not the
top of the noise stack. So it doesn't get that much attention. And, you know, I think
if people, for some reason, you know, we're focused enough on an issue that's a little
bit complicated probably for most people to understand, the message to me that would make
the most sense is what we heard at the risk and assurance group show when Tom Walker got
up to speak, which is there's a direct connection to be able to identify the people that are
responsible for this and coordinate law enforcement to go get them and stop them. And that was
the most direct and effective discussion on that topic I've ever heard. And it doesn't
get you derailed into what we talked about before about STIR/SHAKEN, where you start
talking about whether the Band-Aid is engineered the right way while the patient's bleeding
out, right? Like it just doesn't make any sense.
I think so. I think Tom would be glad about the name drop, Tom Walker of AT&T there. And
I have to say, I completely agree with everything he says. He talks a lot of sense on this topic.
I'd go a little bit further. I'd be a little bit more overt in the way I describe it. So
why spend half a billion dollars on technology? Just look at a couple of guys in prison. Just
look at a couple of guys in prison and you'll solve the problem a lot more quickly than
with spending half a billion dollars on technology. Because there's no risk for the criminal at
the moment. Whereas if you actually had some punishments for the criminal, that would then
be actually the deterrent. And I think Tom is completely right about the deterrent factor.
And he's completely right that by the looks of the data that he's got, there probably
aren't that many people doing this. So if you could target a few of the big ones and
put them in prison, you'd seem to scare off the others. But anyway, anyway, we'll wait
for Tom Walker comes on the show before we talk too much about Tom Walker's view of these
things. Lee, let's bring you on to this now because this topic, robo calls, nuisance calls,
automated calls, the scam calls, spam calls, and all the like, tends to get seen very much
through an American prism. In fact, I've just done it there. I've quoted American stats.
And the assumption seems to be that the problem is going to get bigger everywhere around the
world and everyone's got to follow the same approach that they're following in the USA.
You've done a lot of work Lee, Middle East, different countries. And we've been talking
about how you take a radically different approach to solving some of these problems in some
of the countries where you've worked: Bahrain, Oman, United Arab Emirates. How do we contrast
what's being done elsewhere with the USA? Tell us a little bit about the core of the
current strategy you see for scam call prevention in Bahrain and other Arab countries in contrast
to what we've heard about happening in the USA.
So a lot of the scam calls that we receive are coming in from international locations,
but they actually have our country code. So, and it's being spoofed. So they appear as
a plus 973 number. We had a big issue with this some time back, but we've recently brought
it under control. And all we've done is we've just implemented a voice firewall. And what
we've done is we've actually configured that firewall to block any local fixed line numbers
coming in through the international gateway, because that's not even possible. So clearly
these numbers are being spoofed. Although you need to be careful because you don't want
to block the genuine traffic coming in from these call centers. Now, when we receive one
of our mobile subscribers CLI coming in through the international gateway via an international
route, we then check the HLR or the VLR just to see if that customer is roaming or not.
If they're roaming, we allow that call to pass through, but if the mobile is still located
in the home network, then we know it's being spoofed. So we block that. Now, what we've
noticed is some of the scammers, they're now spoofing our competitors' numbers, right?
So we're working with them to get access to their HLR information. And then when the calls
come onto our network, we can check to see if they're roaming or not, right? I know Omantel
in the Middle East, in Oman, they've actually implemented this approach and have actually
had some really good success at blocking spam calls. But as you know, fraudsters are pretty
innovative these guys, right? So as you close one door, they go looking for another door
which is open. And what we've seen now, there's been a big uptick in scam calls actually coming
in via WhatsApp, right? So we have very limited kind of control over that.
Okay. But I mean, come on, give yourself some credit here. By the sounds of it, you've had
some impact, at least for traditional voice calls. How would you estimate the impact of
the approach you've taken so far? Has it led to a reduction? Has it led to a measurable reduction?
We're talking here about the USA, it gets worse month after month. How does it compare
to other places?
Yeah, it's definitely come down. We used to get a lot of customer complaints about this,
but now they're coming down. But like I said, we still have an issue. We still have to
work with our competitors to get access to their HLR. Once we've done that, I think we
can solve the problem.
But doesn't that sound like a strategy everyone should be adopting then? For me, I don't understand
the part about STIR/SHAKEN, where the theory is you're going to attach a signature to things
and every call is going to be signed and the signature gets passed along. Well, it's a
nice idea in theory, but actually, how are you going to make this work across international
borders? Makes more sense to just look at your own nation's borders and say, phone call
clearly originated outside the country, says it originated inside the country. There you
go. Straight to it. This is the first thing you should be doing, surely. Why wouldn't
you implement this approach, really? Is there a reason why you wouldn't implement this approach?
I can't see why you wouldn't. It's a very smart and very cost-effective way of dealing
with it. Doesn't cost half a billion dollars, right?
That's the reason I like it. You know me, I love cheap, okay? Being a Yorkshireman,
I love cheap. Forgive me, I know you probably can't talk about the amount of cost to implement
what you've done in the Middle East there, but I don't get the impression that this is
much of a problem for budgets, especially when you've got lots of people, lots of the
population complaining upset about these calls and you're talking about the cost of the fraud
and how much loss. This sounds like a real drop in the ocean. Cheap and relatively quickly
implement. Yes, you might need more coordination if the spoofing of the numbers is on somebody
else's network, but not technologically advanced or difficult, I would say. Give me a feel
for this. How long does it take to implement? How long did it take for you just to stop
this kind of spoofing of numbers on your own network being used from outside the country?
It wasn't implemented by the fraud team. It was implemented by the network engineers,
but it took about three to six months to get it all nailed down properly working. It's
not a big, you know, not a bit of exercise to do.
I contrast that with STIR/SHAKEN because, as I say, the numbers have been going up and
up and we're only a very small proportion of the US. Anyway, we could go on. We'll take
an ad break, which is before I get too wound up, we'll take an ad break here, guys. So
let's have a message from our serious sponsors, Blue Gem. Now, Blue Gem is a global provider
of testing services for telecoms, government and software businesses. They use real phone
devices, which means they can help you to ensure the latest network services and products
such as 5G, eSIM, VoLTE, and satellite. They create real usage events such as video and
music streaming and even eSIM profiles to ensure the switching of profiles when at home
or abroad. Communication providers are always improving networks by launching new products
and services, and Blue Gem provides short and long-term test audits with full test plans
to ensure your services are ready to go live. These new capabilities include 5G. Now, Blue
Gem utilizes the latest 5G devices to measure both the quality of the 5G network signal
and also the customer's experience when using high-speed 5G apps. Blue Gem also works with
service price support, law enforcement requests via Blue Gem's IP address resolution service
to validate telecom IPAR systems for tracking both internal and external IP addresses of
devices. This helps pinpoint suspicious activity and malicious users on mobile networks in
real time. So, if you want assurance when launching any new products or services or
need support for law enforcement requests to track IP addresses, you should call upon
the experienced team of specialists at Blue Gem. Their URL is
So guys, back to stir, shake, and the statistics. So, one thing that caught my eye, another
statistic here that's shaken my world apart, Juniper Research is claiming fraud losses
caused by U.S. robocalls will keep climbing, so they're saying that the fraud losses are
going up at the moment, but they will start to fall in 2025. They also say that they estimate
that STIR/SHAKEN has reduced the year-on-year growth of fraudulent losses to robocalling
in the region of 85% between 2022 and 2023. So, essentially the first year after STIR/SHAKEN
became mandatory for the big telcos. Sounds like a great statistic. I can't make any sense
of this number at all. STIR/SHAKEN, only 27% of U.S. calls reached their destination
with a STIR/SHAKEN signature. So, how can there be an 85% impact on frauds that didn't
occur? The frauds does not know to use how to make calls that don't involve STIR/SHAKEN.
It doesn't make any sense to me. Never mind the fact that we're talking about estimating
the value of frauds that didn't occur. I mean, I find it very hard to work out the cost of
crimes that didn't happen because they didn't happen. So, it's a really tricky thing to
do. So, Ed, I've got to come to you here. I know you're not an expert on STIR/SHAKEN
and robocalls, but as an industry analyst, and as I'm quoting these statistics from Juniper
Research to you, what can be done to make sure that the industry analysis is really
reliable? Because I have to say, I've got a dodgy feeling about this analysis. Maybe
you feel better about this, but what can be done that we can trust the stats that get
thrown around and then get used to justify decisions about purchasing expensive technologies
like this? I think if you're a consumer of that data and you're out looking at a lot
of different data sources all the time, especially as a primary or secondary researcher, and
that's a lot of the work that I do. I mean, you do get familiar after a while with who's
publishing what, and you do have to discern what sources you're most excited about. We
talked about this before, or what sources you trust the most, which is why you would
be excited about them. The problem is a lot of times those sources make marketers excited,
and then that's a lot of what the data is used for. There's certainly a lot of research
brands that have done a great job carving out SEO real estate for themselves, and they
get a lot of virality and a lot of extra pub out of their data for that. I think it's hard
to overlook that effect on the whole ecosystem and why, again, as a consumer, you have to
really discern what you're looking at. In the specific case that you're talking about,
especially anything around robocalling and numbers that don't pass the smell test effectively
is what you're saying is, how is it being categorized? How is it being parsed? That
number feels to me like a category change. They redefined how they counted something
and voila, the result was magically so much better, but it wasn't that there was a real
difference. It was that someone decided to categorize nuisance call as legal call as
opposed to nuisance call as illegal call or some gray area thing like that. That's where
I think you have to, if you're going to lean heavily on that data or invest in it, you
need to do a little bit of due diligence about where the number came from. I think it's the
only way you get to the bottom of it. I don't see there being some regime that's going to
hold every data producer accountable for every stat that they produce, if that's what you're
asking for.
I'm not asking you to do it, Ed. It would be an impossible task. Again, as a man who
ends up sitting in front of the TV, the story will come on CNN. They'll start quoting statistics
maybe from reports like this. What's your feeling sometimes when you're watching the
news and the quality of the information the public gets? Is the public getting good enough
quality information? How much do you trust statistics like this that are being put out?
Where do you turn for reliable information?
That's the thing. As a primary researcher, you go to reliable information as you go to
primary sources. You're either getting survey data collected and scrutinizing it yourself.
You're going out and talking to experts around the field, seeing things with their own eyes.
That's what you should be doing as a primary researcher. Let's start there.
The other side of this, though, you're talking about the news cycle. I laugh because I do
see that. Exactly what you're saying happened where, obviously, some reporter picked up
a one-source story that's hung on some stat that's probably questionable. It probably,
when they fed the description of it into the keyword machine, the SEO robot came back and
said, 93%, this looks good. Then they take it to the next step in the production process.
It got through that day's production meeting, and then it's on your TV. That's why with
mainstream news in general, I'm always reminded, and I think anyone that works in media probably
recognizes this, what you're watching isn't necessarily the news. You're watching the
output of that day's production meeting. But as soon as you start looking at it that way,
it's really, really hard to watch your news program because all you're thinking about
is how did they let this story come on? How are they running that meeting? The whole thing
falls apart, but that's what's happened in a nutshell.
This is, again, why I'm perplexed. I almost wish I was in the United States of America
to experience it firsthand because it feels as though all the news media is on the side
of telling the public that the problem is under control, the problem is getting better,
the problem is coming down. This is an example of feeding that news machine. Yet, whenever
you talk to an ordinary American, there's no belief in that at all. Why wouldn't the
news media sometimes reinforce the experience of the ordinary American rather than try to
persuade you the problem's getting better? It's not, I find it perplexing. I don't get
it. I really don't get it.
When I sit down and have conversations with people, regular people, right after dinner
or that kind of thing, and lots of different subjects come up, there's always like a technology
thread that pops up, not because I'm there, it just pops up in people's conversations
because they're using their phones all the time. Lately, people have been much more wound
up about AIs and ChatGPT, and that's been coming up than they are about robocalling.
Now, if I mentioned robocalling, people are, and then someone will tell some crazy story
about it, but that's it, right? And then it moves on. It's not like that obsessive thing
like, oh, COVID, we need to do away with it. It's like robocalling, right? It's just not
getting that level of obsession from the public.
Okay. Well, so we can look forward to half a billion dollars being spent on solving some
AI problem that doesn't work, and in a couple of years' time, we'll be talking about something
Job done. Now, Lee, these projections, the US, how did they compare to what you would
think reasonable in other countries? Does the regulator in some of these other countries
that you've dealt with, do they actually set targets and expectations? Is there pressure
on telcos to get robocalls down? We're seeing a big problem in the USA, and people talk
about it being a growing problem, but what are the expectations in terms of the number
of nuisance calls and what's acceptable in different parts of the world?
So I mean, just to echo what Ed was saying there, I think the problem here is how do
you measure a scam call, right? So some of the reports that I've seen, they just simply
contradict each other, and it's all around the methods of calculation. Now, we did a
show several weeks ago, and their method of calculation was based on the duration of that
call, and by definition, I think we had some kind of research that showed that by definition,
all men would be classed as a robocall. Now, I've seen some other reports that the way
they calculate it is based on if the call coming into a mobile, if it's not in their
contact list, then that's classed as a spam call. Now, me personally, I get about 10%
of my incoming calls, they're not on my contact list, right? So it's very hard to discern
what is kind of reliable data and how do you cut that data, but just to go back to your
question is, are the USA doing a good job? I don't think they are doing very well, Eric,
if I look at it. If you look at the numbers, they're increasing in the USA, but they're
decreasing in other parts of the world, right? And there's definitely more cost-effective
solutions out there. I know the UK is doing a good job, we're doing a good job in here
in the Middle East, and Oman, if you look at what's going on in Oman over there, they're
just all over it.
Well, that's great to hear. I mean, and some feedback for you, Lee, here, we get some comments
coming in, various people very interested in what you've been doing in the Middle East
as part of this solution where you're checking HLRs and looking to see the difference between
a genuine local number and a spoofed local number. So, I won't bore you by reading out
the questions now, a little bit too technical to cover, but check out those comments, Lee,
after the show, and I think you can be giving people some free consulting, maybe, or maybe
you'll charge for them, you know, got to keep the income rolling in to keep all those servants
of yours paid for. So, with that little unkind jab, sorry, Lee, I always like to make fun
of how wealthy he is. I will now skip into a genuine fact of the week, the Symmetry Prism
Fact of the Week. So, Symmetry, they are one of our sponsors of the show, and each week
they provide us with an interesting fact collected by their Prism Fraud Intelligence Service
and their team of intelligence gatherers. Now, they visit the darker, dingier parts
of the internet, so you and your business doesn't have to, and that's why they've been
seeing recently lots of adverts for professional SIM swap fraud services. So, this is basically
fraudsters for hire. If you visit one of these online crime markets, you will see criminals
promising to swap the SIM of any phone, or was it given the details of the number you
want swapped, and pay them the fixed fee for their service. Advertised fees include $1200
for a SIM swap of an AT&T customer, and a snippet, a bargain, $850 to hijack the service
of a T-Mobile customer. I don't know why T-Mobile is so much cheaper than AT&T. I think that
might be a bit rude if you were a T-Mobile customer getting a discount there. Now, these
criminals, they promise the swap will be executed within 15 minutes of payment, and to give
you extra confidence when you purchase their services, the payment is held in escrow until
the swap has occurred. So, there you go, quite a bit of professionalism there from the criminal
market. So, if you want to get the best intelligence about fraud, come to the professionals who
are fighting fraud, and that includes people who are gathering data about the numbers that
criminals are lining up to attack with scams like international revenue share fraud and
wangiri before those attacks have even begun. Reach out to Symmetry Solutions and subscribe
to one of their PRISM information services. Stopping just one fraud attack using PRISM
will more than recover the cost of the annual subscription. You'll find out more from symmetry Okay, another ad break over. Let's get back to the topical chat, Lee, Ed,
and this is a tricky one for me to bring up, so I'll be glad if any comments from the audience
too in feedback to this, because maybe I'm wrong and the rest of the world is right.
I don't know, but I'm going to float it out there anyway. So, if you're watching and you
want to leave a comment, don't forget we've got the messaging window immediately below
the streaming window at I'm keen for feedback on a difficult subject for me because
some people have been saying to me the last week privately, not publicly, privately saying
that I've gone too far in criticizing the revenue assurance community for saying that
they have not been promoting any new ideas for years now. Basically, I wrote an article
on Commsrisk that questioned why we're not seeing any new ideas, why we're not seeing
any new articles, why we're not seeing any new projects, the complete loss of any new
sources of information or advice about revenue assurance. Let's be frank, we've had some
people pushing back, as I say, privately, not publicly. So, my question to you, the
audience, and to my co-presenters is when I say that revenue assurance is now considered
the ugly duckling sibling of fraud management, am I being unfair to the revenue assurance
community? Lee, you currently oversee revenue assurance work inside telcos. Is there anything
new to say about revenue assurance that we haven't heard in the past many times before?
And if there is anything new to say, why is it so hard for me to find people who say it?
Yeah, so I'm going to give you one of them, yeah, but no answers, right? So, look, I've
been working in this sector now for about 20 years. I don't really see much change apart
from automation. So, at the start, we didn't have any systems. We do all this, everything
manually. These days, we've got systems, we've got analysts, yeah, but overall, the mechanics
are still pretty much the same. Now, when we moved from 3G to 4G, we actually saw this
change from reconciling voice CDRs to more around data subscription packages. So, I'm
now waiting for the next evolution from 4G to 5G. So, how do we assure things like network
slicing, quality of service, latency, and bandwidth? But so far, Eric, I haven't really
seen much to rave on about, right? But if I compare revenue assurance to, say, cybersecurity
and how that's evolved in the last 10 years in telecoms, then it's pretty clear to me
where all the innovation is coming from.
There's a lot of people making a lot of great points, doing a lot of great work in the security
space. There's a lot of people doing a lot of great points, doing a lot of great work
in the fraud space. That's my point. I mean, it's not good enough to just say, well, we're
waiting for some new service and new product to come along, and then we'll assure it. Where's
the new techniques? Where's the new methods? Where's the innovation? I don't get a sense
of any innovation in the revenue assurance field at all. I'll tell this one round to
you, Ed. So, one of the groups that does innovation, they have a revenue assurance group in the
TM Forum, and you do quite a bit of work with the TM Forum, though not in this space. So,
I'm just again asking you about your general impression here. Fans of revenue assurance
would imply the TM Forum is buzzing and vibrant and creating all this energy around revenue
assurance. I don't see a lot of evidence of it. Am I looking in the wrong place? Am I
missing? Is the TMF doing more in revenue assurance than I'm giving them credit for?
Yeah. So, I want to go back to where you started. You were asking, Lee, about revenue assurance
and fraud management revenue assurance being jammed together. And so, from a TM Forum perspective,
that has happened, and that lives under business assurance now. So, there's a little bit of
rebranding that goes on there, but some of the work, and actually, so sorry, I'm going
to be a homie for a minute here, but I encourage people to go check it out because the business
assurance group is actually one of the more active groups in terms of communicating what
they're doing and publishing useful stuff and putting tools out that are useful and
doing catalyst projects that have some meat behind them. And a lot of the stuff that they
do, it's not, in my understanding, and I could be wrong here because there's a lot of different
collaboration teams at work at different levels that no one person can really wrap their mind
around all of it, not me. So, I don't know that they're necessarily doing the nitty gritty
type work in revenue assurance at a deep level. Probably, they're doing some of that around
open APIs, but I would say at a higher level, going to what Lee was saying, they are looking,
I think, from a business assurance perspective, which then includes those other pieces, looking
at those questions when you're talking about an ecosystem, when you're talking about a
lot of solutions that are put together by API, when you're talking about partners needing
to be settled out, when you need to secure those things, you need to make sure fulfillment's
happening because that feeds into customer experience. It's kind of all those things
put together, which I think from that perspective makes sense of why revenue assurance and fraud
management get folded under that umbrella. And I would just encourage, again, if you're
interested in seeing that kind of work done or knowing what they're doing, check out the
business assurance group at TM Forum. They're actually doing some interesting stuff there.
I should have charged them for that sponsored advert too, Ed. That one slipped right in
and I stand corrected. Okay. I think the debate will continue in future episodes because I'm
not entirely convinced, but maybe we'll find some stuff coming out from the TM Forum
that we'll talk about in future episodes. I look forward to seeing it. But before we
introduce today's special...
Well, hey, I'm not putting a burden on your shoulders, Ed, although you are a researcher,
so you should be good at finding things like that. But before we introduce today's special
guest, here's another of our regular weekly features. Jeffrey Ross of call authentication,
fraud prevention and geolocation specialists OneRoute takes us each week to a different
country on a tour of the world in our phones. This week, however, Jeffrey is going to take
everyone everywhere all at once as his destination is the whole world. Let's see what he has
to say. Roll VT.
Hey, everyone. From OneRoute, I'm Jeffrey Ross, and this is The World in Your Phone.
Let's talk about the world. The world in your phone. Now, by now, you've seen a few of these
episodes on the Communications Risk Show and probably wondering why in the world is this
guy even coming on each time for two minutes talking about different countries and different
facts? Well, here's the fact. With over 7.8 billion people in this world, we have a whole
lot of people, a whole lot of languages, a whole lot of different cultures, a whole lot
of different countries, a whole lot of differences that we all tend to focus on. And that includes
telecoms. We have different types of fraud in each country. And unfortunately, that means
when a country focuses on their fraud, they typically don't look into how this will affect
the other countries around the world. So maybe by the world in your phone, we start to learn
what we have more in common rather than what we have different from each other. And by
learning what we have in common, our hope is that we see that we can collaborate, that
we can work together, and that we actually, as a world, have a common goal of eliminating
fraud, protecting the people, protecting the end users from falling victim to fraud. So
I hope that you learn something new each time you see one of these World in Your Phone episodes.
In case you haven't seen them, be sure to subscribe to OneRoute's YouTube page where
you can catch up on all the other World in Your Phone episodes, along with our OneRoute
Roundup, where we spotlight individuals and companies making a positive difference in
the telecom industry. Until then, we hope that you continue to learn, continue to collaborate.
And now back to you, Eric, for more of the great communications risk show. Cheers.
Thanks, Jeffrey. I always look forward to what Jeffrey has to say and where he is going
to take us each week. But now let's get down to the most serious part of the show, the
part where we interview a top expert. And today we are speaking to Silke Holtmanns. Silke
works for PwC as a telecommunication cybersecurity expert with a particular focus on their 5G
security assurance services. Formerly, she was head of 5G security research at Enea
AdaptiveMobile Security. She's also worked in security and research roles at Bell Labs
and Ericsson. She's an expert security contributor. She's been an expert security contributor
to the GSMA, and she volunteers her knowledge as an expert contributor to the advisory group
of the European Union Agency for Cybersecurity. And so, in short, Silke, we couldn't really
get better in terms of your CV. You're the right person to speak to about 5G security.
That is a fact, a solid fact. Thank you so much, Silke, for joining us on the show. I'm
looking forward to grilling you, and yet at the same time, half an hour to cover 5G security.
Completely impossible. So, you're in a completely impossible situation, Silke. Apologies for
that. Where do we begin, Silke, in discussing this? One thing that we chatted about before
was private networks and the issues in terms of that are brought on by relying upon private
networks. Is that the right place to start in terms of unpacking what we need to do in
the security space?
Yeah, I think it's a good place to start because, first, thanks for the introduction, so…
It's your CV.
Yeah, well, that's what I did, so guilty as charged. I'm not sure about the seriousness
of the talk, but let's see. So, yeah, but on 5G private network, I think that's a good
point to start because that's what large part of 5G is about. It's not for you, it's not
for me, it's not for Lee or Ed, so it's made for business purposes. That's the idea of
5G. And, therefore, one has to take into account the requirements coming from the new partners
and the needs coming from these partners. While the specifications have been drawn by
engineers like me, so they think about nice, top, marvelous features that the world could
use, but then, of course, the world has also its own ideas about what they want to do,
and they have also their own ideas about security. I mean, if you plug in electricity grid, pretty
sure they have some ideas about what they want for security, or we even see military
applications today using 5G. So, there are a lot of external requirements now coming
to the telecommunication space, which have not been there before. So, this question of
5G security is critical. Also, basically, we hook up our whole society, we hook up water,
electricity, logistics, and we saw last year what happens if one thing goes wrong with
logistics, it can sort of cause a hiccup over the whole world. So, okay, rail comes a bit
later on connecting to 5G, that's a bit of a couple of years ahead, but anyway. So, from
a society point, the security of the 5G network is really becoming a critical question, and
governments have realized that, and ESA has realized that, and also US has realized that
even if they take different approaches, they all recognize the importance of communication
networks for the society. So, we see now regulations and guidelines and directives appearing, like
this NIS2 directive, which is for critical infrastructure from the EU. So, it basically
says, yeah, well, you have to get your basically cyber stuff in shape, and then this NIS2
directive, oh, well, sorry.
And that's the bit that worries me. That's the bit that worries me, is that you have
a directive like NIS2. Look, I'm cynical about government. I don't hide it, okay?
No, no, that's fair enough.
Okay. So, governments will tend to say to businesses, like you've been mentioning energy,
water, transport, whatever, you must be secure. But if I'm running an energy business, a water
business, what do I know about telecoms? I know I need to use it. I'm not a 5G security
expert like you are, Silke. Do they know how to translate what the governments want into
what they should be asking from who? Do they ask for it? Do they configure it? Is this
a big part of your work, just closing that gap now?
Yeah, it is. It is. Because basically, if you are, let's say, in harbor, you're not
particularly interested in 5G security protocols, because you don't care. I mean, that's fair
enough. Their business is shipping containers around where I have no clue of. But they want
to have a good and solid system, and they don't want to have trouble with it, trouble
including security. And they want, of course, not to have trouble with the government, meaning
they don't want to lose any licenses or permits or whatever they have that should also run
smoothly. So they have the obligation to the government, and therefore they hand down any
obligation to the suppliers. Suppliers, in this case, can be network vendors, it can
be smaller companies, it can be a cloud provider, or it can be an operator. And then comes the
question, okay, what should they ask for? So that's pretty tricky, because 5G is extremely
complex. And I mean, even when you just discussed, he is still shaking, and it shows the complexity
and this kind of gap that there is, so that things are not always so straightforward that
you can say, make it secure. Just to give a high-level example, you have a harbor that
uses an operator. The operator relies on services from a cloud provider and a vendor, network
vendor. So this is a pretty typical setup. Now, something goes wrong. So how should the
incident reporting chain to the government run? So there are a lot of things sort of
that need to be sorted out, sort of responsibility splits, who is control of what, who is responsible
for what. I mean, let's start with that one. And this is pretty deep, actually, because
very often depends on if you have a hybrid cloud, if you use infrastructure as a service,
if you have managed services, what kind of parties and services you have integrated.
So you really need to go into the dirty little details to sort that properly out. And that's
a big part of my job.
And I'm getting more and more stressed for you, because, okay, it's the European Union,
but there's a whole bunch of different countries in the European Union. Surely the danger is
that this country, that country, and you're trying to do things like, say, logistics across
borders. So you want to have a common approach, and yet you're going to find it maybe isn't
going to be common for one country to do the expectations.
Yeah, that's actually one point on extremely important point that, for example, let's say
cloud security and telecommunication security, just because they are both important part
of 5G, they are slightly in different laws in different countries, because each country
has their own structure. So we have, for example, the 5G toolbox, which the member states of
the EU are supposed to implement into local law, and everybody's doing that slightly in their
own way, because their law structure is different. But even if their intention in the beginning
was the same, the outcome in terms of compliance is different. So which means it's very hard
for vendors, if they are, let's say, compliant in, let's say, I don't know, Germany, to carry
it over, let's say, to Finland. So if they are compliant in Germany, it doesn't mean
that they can use the same compliance letter sort of then to another countries. For some
notes, this is actually possible for some routers, for example, France and Germany,
they have some cooperation, but for many other things, this is not possible. And I think
this is really, really bad, because also for the big markets, it's not an issue. It's an
issue for the smaller markets in particular. Let's say the fourth operator in Estonia with
three and a half million people in Estonia. I don't think that the vendor will do a certification
just to get this order from this operator. They will just say it's not a big, it's not
going to be a big deal. So it's not worth doing the certification just to maybe get
that deal. So they might just stay out of the market, which then results in a reduced
vendor choice. So which I think is contrary to actually what the European Union tries
to achieve, to have more vendor choice. So it backfires a bit. So but I think they realize
that this needs much more harmonization. But let's see how they try to harmonize these
things. But they realized, at least knew, that this is an issue and that this is a very
serious problem and they need to tackle it. So that making it secure means the same in
different countries. If you have it in one country, you can use it in the other country.
I'm sure that's super difficult. You're obviously one of the people to talk to as the harmonization
process takes place, because even if it's not harmonized now, you're one of the people
to talk to in terms of advice and understanding how it will progress. You want to give any
advice in terms, so that you're not solely inundated with all the queries after this
show. Who else might we talk to in terms of who else is out there leading this harmonization
Well, they are sort of, of course, my org competitors, for sure, that also work in that
space. But it's a telecommunication security world. It's pretty small, as we also see.
So there are not that many people actually doing this. And the technology experts, most
of them tend to stay in the little cozy room, so being geeks. So it's actually very small.
So, yeah, but I think it's very important still. But on the other hand, there are white
papers available. I publish also quite a lot. I give, for example, this year. So this kind
of information can be used. So, for example, I gave Road Auto a block overview over different
legislation, how they match or do not match. So this kind of information is freely available
and can also support.
Is this an area where Europe is in the lead because of the nature of the political environment
with the explicit need to harmonize? Or are other countries, I mean, where does the US
compare in terms of Europe in terms of their approach? Because they've got different states
and they'll have the same harmonization, probably not careful.
US takes a slightly different approach how to tackle, let's say, security in mobile networks.
And they basically go via the, if you want to get in US a very nice, this kind of public
government contracts, you need to be FedRAMP or otherwise compliant. So what they are doing,
they don't regulate directly the operators. They regulate what the governments when they
issue orders, what they are allowed to buy. So if you are now an operator and want to
get the juicy contracts of governments, then you basically have to ramp up your security.
So but not every operator in US will go for these governmental contracts. So there will
be a lot of operators which just say, OK, I don't care. So and then they might have
lower security. So because they are not targeting these kind of high value contracts. So there
will be gaps for normal consumers. So if as a consumer, I would recommend to go with operators
which also go for government contracts. So because they probably have the same back end
system for both of you. So while Europe targets more sort of everything the same for all public
operators. So and they try to regulate this. So there are sort of pros and cons to both
approaches, but that's how it's done. So there are some executive orders if that's going
to change or not, but I believe it when I see it.
It seems incredibly complicated thing in terms of expecting these things to converge, because
if I'm, say, using a phone, I'm interested in security. Well, I'm also interested in
the security of the far end of the phone, not just my end, because you can hear my voice
on the far end, or you can see my data, you can see my message on the far end. So that
affects me too. Yeah. Although if I'm, say, driving around a connected car, we're very
interested in connected cars driving across borders. Again, it's no good to have good
security one place I'm driving, I'm not good security somewhere else I'm driving. It feels
as though it's hard to work out how this will come together. Yes, we've got the European
Union, we talked about the US example, but there's other countries too. And it still
needs to work security across all of them. It feels as though there's a bit of a, we
don't know where this is entirely headed. Am I being unfair to you and your fellow experts?
Yeah, I mean, to have a global security standard, that's a dream, but I'm afraid we have to
live with the diversity of regulations. And I think we are just happy if we get, let's
say, secure bubbles on the map. So that's probably as far as we can get. So it also
has to do with sort of who is in charge. It's like a root certificate authority. We won't
see a world root certificate authority, because everybody wants to be in charge, which is
also quite interesting in the sense of these kind of local pride, let's call it that way,
that many regulators tend to add their own local country requirements, sort of like 10%,
I would say, sort of usually. So they take the global standard and then they sort of
add their own 10% on top of it. I mean, we are all happy that they already take the 90%
and they are the same. That's already sort of a big step forward, so.
But you're basically saying that you and the few people that you work with, we should just
copy what you're doing. Yeah. So is it in the ENISA documents that we should be looking
in terms of an ideal world would be copying what the ENISA documents tell us to do?
I mean, they have extremely good documents. They have threat analysis, they have market
overviews, they have also sort of for virtualization, they have an extremely good document sort
of how virtualization security should look like for telecommunications, which really
goes in the nitty-gritty details down to secure hardware and everything. So these are excellent
resources. And also a private network, I can recommend sort of take these documents and
then pick the ones that might be sort of most applicable to you. So that would be my recommendation
how to approach this. That's what I actually also do when the customer comes. I want to
ask them first of all, what do you actually want to do with that thing, with 5G? So are
you sure you want to do that? And from that I start. So because I'm independent, I'm not
with an operator or a vendor, so I can say sort of the conclusion might even be in the
end, use Wi-Fi. For some use cases, it doesn't make sense. I mean, I'm a 5G person, but I
still might say afterwards, nah, for what you do, Wi-Fi is enough, go with it. So that's
the advantage of being independent.
It's great advice. There's a lot of questions coming from the audience. I read out a couple.
One of these questions is impossibly hard, so I don't expect you to answer it, but I
think you've partly answered it already. The question goes, I think that we are all in
agreement on the fact that securing 5G is harder to achieve compared to earlier generations.
As you can see today, even before 5G is widely deployed, the telecom security posture is
quite bad. And so the question is, do you think we can achieve securing 5G and how?
I think I'm going to answer for you because you've already said look at the ENISA documents
and I don't think it's fair to ask you if you can achieve it. You're working to achieve
I do my best, yeah.
And the question that might be a bit easier to answer, what are the main differences between
securing a private 5G network and a regular 5G network?
I mean, the main difference for securing private, because that's an easy question, is that you
usually know the devices that are in your network. With a mobile network, a public network,
you have roamers, you have all kinds of things. So I think that makes it easier. You have
a better control if you have a private network because the interfaces are also limited. You
probably don't have roaming. So in that sense, you might not have external interfaces to
service providers and things like that. So you know better your network. I think that's
a security advantage of the private network compared to public network, if you just know
it better.
On how to secure generally 5G better. I mean, it uses IT technology and there's a lot of
IT security also out there, but it needs to be used. So it's not that they start completely
from scratch in 5G because they use known IT technologies. They can sort of recycle some
of the IT technology also for 5G.
Yeah, and this was a point that Karsten Nohl was making in the presentation he made. He
talked about 5G was as much about the cloud and it was about the cloud in general, not
just 5G. So obviously there's a cloud element to 5G and these things are now merging together.
I wanted to bring Lee into the conversation because Lee's done some work in some countries
along the lines of anticipating future risks and future requirements. Is 5G something that
you perceive to be very heavily on the radar of governments when we step away from North
America and Europe that other governments are worried about 5G and security? Or is it
still too early for them to know what to ask for, Lee?
I think that's probably more of a question for Silke than myself. She's the expert on
this. But if I look at the risk aspect, there was a lot of stuff over in the UK about the
telecom security requirements and the diversification around there. So I think it is a big risk,
on the vendor side of things. But we've kind of discussed this all before really, Eric.
I have customers that are not in Europe and not in the US and they are very security-aware.
They sit in Middle East and they sit in Asia. So they exist.
Indeed. This is why I'm wondering if maybe some of the pull for requirements may actually
come from some businesses, quasi-governmental organizations where there wouldn't be necessarily
always an expectation that the government would dictate. They want to be more secure
because they're conscious of the risk of, say, a bad actor, a foreign state actor or whatever.
Is that something that comes up in conversation at all, Silke?
Yes, it does. It does. So they are worried and then they ask very often, okay, we are
worried about our infrastructure or the digital infrastructure. What would be the right questions
to ask to make sure that our infrastructure is as resilient as possible? These things
come up and then they ask for help because in the past, the regulators have been mostly
busy with spectrum and now they are responsible also for the whole core and interconnection
and Open RAN and whatever. So it's suddenly the same person has such a scope and that's
sometimes very challenging, especially if they cannot hire new people and so on.
Yeah. And of course, we talk about businesses that may be very conscious of the risk that
they play a vital role in society or a vital role in the economy. So I'm thinking of, say,
energy producers. If you're running a big natural gas terminal or you're running a big
oil pipeline, it's not just the physical threat. There's also now increasingly the cybersecurity
threat in terms of disrupting your operation. So there's probably going to be, I almost,
I'm curious to know who your clients are. I know you can't tell me, but I imagine it's
a real mix of clients from around the world.
Yeah, it is actually, it makes, at least from a personal view, this job very interesting.
So, but we see all kinds of risks, different risks and threat scenarios from clients and
they are worried. And that's also actually a showstopper for some of them to use 5G because
they are not sure what kind of resilience it will offer. And that's also why I think
this kind of compliance and certification is one way to ensure customers that the things
are in good order. So if people do, if operators do their homework and vendor, they can also
monetize it. So in that sense, so it's not just something nice to have to pin on the
wall, but something really where you can then say to customers, yeah, you really don't need
to worry. We have done our drills.
So here's a question for you Silke. We've got some big telecoms groups headquartered
in Europe. And so they'll have one for looking at the situation in Europe and complying with
the situation in Europe. They'll have markets elsewhere. They'll have telcos, operators
elsewhere and customers elsewhere. Is it possible that the European approach will spread as
a result of those big groups, you know, groups like Deutsche Telekom, for example, or Telefonica,
do you expect that Europe will kind of set the precedent as a result of those groups
wanting to be consistent from country to country, even if it's a different legal environment?
Yes, we see this already spreading. So we see stuff from 3GPP and GSMA is already spreading
in all corners of the world. And we also see sort of pick up, for example, the UK has these
vendor requirements. We see these kind of very similar ones popping up in other countries.
And also they need things we also see referenced or used in other countries. So sometimes it's
a bit more obvious, sometimes less so, but yeah.
I hear something I don't understand at all. So help me out. I know that there's a big
cloud element to 5G. I know that, but I don't understand the detail. Having a big cloud
element to 5G means that there's now some obligation on the cloud providers, the hyperscalers
to increase the security. So help me to understand in a simple way so that I can understand.
So basically cloud providers, or at least large ones, are in pretty good shape because
they have been offering to governments in the past. But they haven't been offering to
telecommunications. So for telecommunications, they need to have some additional requirements.
Like I mentioned, for example, this incident reporting, let's say a cloud center, I don't
know, catches fire and burns down. And then suddenly an operator has no network any longer.
So the operator needs to tell the regulator what has happened. So there need to be a communication
chain from the cloud provider to the operator and then to the regulator. And this would
be, for example, something which I don't think every cloud provider has yet. Because this
is regulated, it needs to be happening in 24 hours in some countries. So it's not that
you can sort of, yeah, let's do it mañana. So this is one example. And there are some
other requirements, which are sort of similar style. So I think they are in pretty good
shape, but there might be this little extra for telecommunication missing because they
are part of the supply chain then.
So there is a little bit of tension there because we talked about the European telco
groups, but hyperscalers is based mostly in the USA. So there is, I mean, will they just
come together naturally in terms of wanting a common solution?
Well, I mean, already today you see that big vendors are working together with the hyperscalers,
the famous hyperscalers. So this is already happening today. But it's interesting that
also hyperscalers partially go for the private network market, which is sort of interesting
that in the same time they are working with the vendors, but they also go in a sort of
slightly competing position as going for the private network market. So let's see how that
works out.
Not slightly competing.
Yeah, exactly. So that's quite interesting. I'm not sure how that's going to work out,
but that's how it is.
I mean, there's some real tension here. There's some real tension here and it's difficult
sometimes to unpack how much of this is technological, how much of this is to do with who's an engineering
lead and how much this is political and commercial because these standards might be approached.
And I think here's the one that I think is really hardest for me to understand, the enforcement.
So we're talking about, say, rules across the European Union, we're talking about harmonizing
rules across the European Union, but then we've got hyperscalers who, okay, big hyperscaler
isn't going to want to fight the European Union. They'll be subject to it. But there's
always degrees to which you want or don't want to comply to the requirements of another
country. And within the end in the telecoms world, we have to connect with everybody.
So there's a point where it gets harder and harder to understand at what point do you
impose rules and enforce rules as you start to get involved with the state-owned operator
in a country that is not your ally. It's, you know, historically a country that you've
been hostile to. And we've had all this fuss about networks being used for interfering
with other countries or disrupting their commerce. It's easy to say in an optimistic way, it'll
be getting solved. I get the feeling that this may be impossible to solve. Am I being
too pessimistic?
Well, in some degrees it will be solved because people, they just need each other. So they
will find some sort of agreement. So but there will be also some left out. I mean, we already
see that that some vendors are having quite difficulties making sales in certain countries.
So due to political situations. So, yeah, that's so I don't think that everything will
work, but there will be some solution. So.
Okay, okay. I won't keep on probing because
I can imagine if I start pulling one thread, it gets more and more complicated. But one
thing I will ask therefore, because I'm not, you know, again, I hate governments, okay.
I just admit it. And the worst, the worst thing in the world, therefore, for me is the
United Nations, because it's like all the governments in one place trying to be a super
government. If you're going to make an argument for the United Nations, surely it should be
something like the International Telecommunication Union should be right at the heart of delivering
security for 5G, because it's global, because it's got to work worldwide, because they're
worldwide, because they're all the governments in one place. I don't understand their role.
It seems as though all this security work is being done by other people. And the ITU
has a little influence a little bit here a little bit there. Am I misunderstanding who
needs to be leading this?
I mean, at the moment this is mostly driven by technical bodies like 3GPP or GSMA on operational
aspects or IETF on technical things like certificate management or things like that. And I think
that might not be a bad idea to let the technology drive this, because usually the political
influence there is much lower. So of course, there is also political games there. It would
be naive not to assume that this was political free, but at least it's on a lower level.
And hopefully there the best technical solution wins. While when you have a very political
driven agenda, then the technology maybe is no longer that important. And I think that's
what we exactly see. That's at least my opinion with the ITU. It's also I think why the ITU
from really what you have in your hand with your phone and so on, the importance, it has
decreased. So you have very little ITU and a lot of 3GPP in your phone. And for the network,
it's the same. So you have a lot of 3GPP in the network. You have the GSMA in the network.
In the future, you have also Open RAN stuff in your network and a little bit of ITU for
probably more from the legal side.
Okay. Well, you're starting to sound like a libertarian like me. We should just let
the businesses sort it out and keep the governments to one side. Okay. I can go with that. I can
go along with that philosophy here. But here's the problem though. We're seeing this happen
more and more. I don't know if you've been seeing the recent stories about people driving
around SMS blasters in the back of cars, sending out SMS messages. So you've got an IMSI catcher,
you're connecting to the phone locally, and you're also downgrading the user right back
down to 2G from 5G. Or we're seeing in certain countries, Iran, let's just say Iran as a
great example, where the philosophy of control involves arbitrary, being able to choose and
specify that a specific phone user will get downgraded to 2G because then they are less
secure. Is there a problem here that we can put a lot of effort into getting 5G security
right, but if people are just going to get downgraded, the network will all become irrelevant
anyway?
Yeah. Well, I mean, IMSI catchers and downgrading
is a problem. It has always been, and the easiest way is basically for end user to not
allow downgrading. But that of course means that you might miss a call or something. That's
what you have then to accept because you might be just out of coverage for years. But on
the network side, it's very hard because there are also sort of my father, I think he has
a phone still from 2002. He buys the old version still on eBay when his old one dies, so he
buys a new old one again. And for operators, it's very often they don't want to cut off
users, even if it's low value user or something. So that's why they support still all the legacy,
and it's also return of investment from the network side. So getting rid of legacy and
telecommunication is extremely hard. I remember phasing out an old algorithm in 3GPP and it
took ages to get that out of the door. And that's something which is a real challenge
because it allows these kind of attack angles of bidding down and so on. And we will have
fun with that one whenever quantum cryptography comes, because then we will have fun with
that topic about retail algorithms.
We won't cover that in today's show. It's been good going to pack so much into this.
There's been so many questions from you. I'm just going to pick one because it's a big
one and it's a good one to finish the show with. So this comment here comes from El Mehdi
Eru Safi. I hope I got his name right there. Sometimes regulation and enforcement are not
the only driver or ultimate goal to have standards. Maybe sometimes common sense, which is global
and human. Well, you would hope. I'm not so sure it is, but good for you, El Mehdi, that
you believe it's global and human. And fighting against the same threats that are targeting
every person on earth can help harmonize and set up a more realistic, less subjective baseline.
Security was and still is really one of the research fields that are the most open and
knowledge sharing in order to craft responses. Maybe we need to empower researchers in order
to get consensus on the best standards. Do you agree, Silke?
Yeah, I do, actually. I know an example of such a case. So, for example, we don't have
security on emergency warnings, public emergency warnings. You call it a tsunami warning. And
you know what the reason for that is? The reason for that is that it wouldn't be it
wouldn't be possible. It wasn't possible to ensure that also roamers or people with low
and no data phones would get the warnings. So we didn't do security. So because else
because having a security on, let's say, a tsunami warning would mean you wouldn't see
the message. So we decided, common sense decided for everybody on the world, we are not doing
security on that. So we didn't specify it. That's why there's no signature on tsunami
warnings.
That makes perfect sense. Well, thank you
for sharing that, Silke.
Yeah, that's a piece of history. So these
things do sometimes happen, but maybe it would be good if they would happen more, so.
Well, full power to you, Silke. We've overrun in terms of the time for the show, but oh,
don't you be sorry. It's probably me just gassing on that's made us overrun. But I have
so enjoyed our conversation, Silke. And I think what we've established is, if ever you
want to come back and keep on talking about these things, there's a lot more that can
be said. So I hope you'll be coming back in future and joining us again.
Yeah. Thanks for the invitation.
Okay. Thank you so much, Silke. It's great
to have you on today's show. Well, that's it for today's show, I'm afraid.
My gosh, we tried to pack it in. Lee won't be able to join us next week. He denies claims
of being fabulously rich, but he's got to deal. So it's a man about a jet plane. So
and I know I'm so harsh on Lee, but I just enjoy it because he is doing so well in life.
I'm so poor in comparison to Lee. I don't know where I went wrong. But Ed and I will
return next week when our guest will be Tim Biddle of Cinch. Now, Tim has deep knowledge
of SMS fraud from his work at Cinch and from British telcos before that. He'll be telling
us about the reasons why there's artificial inflation of SMS traffic, also known as SMS
pumping. And what can be done to tackle this problem? And I expect a fair few people will
be watching the show, Ed. So Lee won't be helping us out, but we'll have to be manning
the decks here because this is a problem that we know has caused a lot of upset because
Elon Musk got upset about it. Well, Elon Musk gets upset about it. The whole world shakes
and it becomes a big story because he switched off two-factor authentication for nonpaying
customers by SMS for nonpaying users of Twitter. So now SMS providers around the world are
a little bit nervous that more big businesses will follow Elon Musk's lead and that they
may also switch off two-factor authentication for SMS unless SMS pumping can be brought
under control. So join us next Wednesday, 26th April, 4 p.m. UK, 6 p.m. Saudi Arabia,
10 a.m. U.S. Central, and a whole bunch of other time zones, which I'm not going to read
out every single time zone. So why don't you just subscribe to our broadcast schedule on
the Communications Risk Show webpage and have every weekly show uploaded to your diary automatically
in the right time zone for you. Thanks again to today's guest, Silke Holtmanns, 5G security
expert at PwC. I love to talk to her, learn so much from her every time we have a conversation.
Thanks also to my co-presenters, Ed Finegold, Lee Scargall, fantastic experience they've
been showing with us today, and to the hardworking producers of this show, let's not forget them,
producer James Greenley, assisted by Matthew Carter. You've been watching episode six of
the Communications Risk Show. I'm Eric Priezkalns. Remember to visit the Communications Risk
Show website for recordings of previous episodes. Always keep reading
on a daily basis for the latest news and opinion about risks in the comms industry and visit for RAG's free content and services, including the RAG fraud blockchain
and the most comprehensive catalog to telco frauds and revenue leakages. Thanks for watching.
We'll see you next Wednesday.