Last week the Canadian Radio-television and Telecommunications Commission (CRTC) announced they would give telcos an additional five months to implement the STIR/SHAKEN anti-spoofing protocols, setting a new deadline of 30 November 2021. This is the third time that the Canadian deadline has been pushed back. The CRTC originally resolved that STIR/SHAKEN must be implemented by 31 March 2019, but this was later changed to 30 September 2020. Then there was another extension to 30 June 2021 which was decided upon just two weeks before the end of September 2020. Now a new CRTC decision accepts the need for further delay because…
…some technical and policy issues have yet to be resolved, which will likely preclude a complete deployment of the STIR/SHAKEN framework by 30 June 2021.
Wishful thinking does not guarantee that new technology will become effective or affordable at the rate people may have hoped. Repeated postponements show this regulator was guilty of believing the hype it was fed by suppliers who over-promised. Regulators never like to admit they screwed up, which is why they never reverse a decision even if the only alternative is to wait 32 months for technical issues to be fixed. The CRTC’s latest announcement did not state why more time was needed for further development, but instead reiterated the reasons for previous delays.
… [several telcos] submitted that STIR/SHAKEN is an extremely complex project that requires an extensive core network build and individual TSP-to-TSP testing. They also submitted that the STIR/SHAKEN technical and operational framework is still being developed, and that a number of issues must still be resolved, including the development of interface standards… handset display standards; and attestation rules. Without handsets that can display the authentication, STIR/SHAKEN cannot fulfill its purpose.
Repeated delays in adopting STIR/SHAKEN send a bad signal to the rest of the world. It is an admission that implementing the new technology would actually cause embarrassment if deadlines were enforced. As a former risk manager, I was always sensitive to the danger that vendors can attempt to sell new technology that is not ready for the market and which has not been sufficiently tested in practice. One way to balance risk is to listen to both sides of a story, but when it comes to purchasing new technology the storytellers all repeat the same optimistic narrative because they are all paid to represent vendors. Nobody speaks for the pessimists, which is why it is risky for regulators to commit to enforcing the mandatory adoption of an unproven technology.
One way to manage risk is to test on a small scale and to evaluate the results before making a larger commitment. That option is no longer available to the USA or Canada, as neither waited to see if STIR/SHAKEN could be made to work in practice before they told telcos it would be mandatory. However, the rest of the world does have a choice: other regulators can wait to see what happens in North America before making any decisions. I am conscious that the salesmen who convinced North American regulators to adopt STIR/SHAKEN are now selling their ‘experience’ to other countries, telling their regulators to follow the example of North America. Perhaps the global adoption of STIR/SHAKEN will ultimately prove to be the right approach, but why make a regulatory decision that will cost hundreds of millions of dollars when there are still technical teething troubles to be resolved?
North Americans might not like reading this, but the smart choice is for other countries to sit back and allow North American telcos to bear all the costs for shaking out every bug with STIR/SHAKEN, not least because many knowledgeable parties say this technology is neither a solution, nor a silver bullet for CLI spoofing. It would be worth seeing how much STIR/SHAKEN benefits North American consumers in practice before other countries decide if this technology is worth its price, especially as the best justification for repeated delays is that the cost of STIR/SHAKEN to smaller telcos has not come down as originally hoped. If all the technical issues are resolved, then the implementation of STIR/SHAKEN in other countries will become faster and cheaper. And if those issues are never fully resolved…