I have been known to voice some unpopular opinions. This is going to be one of them.
Some weeks ago I wrote that Mobile World Congress (MWC) Barcelona 2025 was set to be the most important MWC from a security perspective. My argument does not need much reiteration. Adding a trade war to the already worsening relations between the USA, Europe and China will accelerate the transition away from the globalist cooperation that defined the early years of the mobile revolution, as networks increasingly serve as battlefields for an invisible power struggle between nation-states. However, you are unlikely to have heard this from the speakers who appeared on the main stage at MWC or those who contributed to the event’s security summit. They painted a different picture of the security priorities for telcos. National security concerns were barely mentioned, perhaps because it is impolitic to point out tensions between Americans, Europeans and Chinese at an event which attracts so many Americans, Europeans and Chinese. Instead of treating security as vital to the needs of each nation, the topic of security was more often treated as a means to generate revenue.
MWC is a trade fair. People go there to buy and sell things because they are motivated by the pursuit of profit. Only a fool would be surprised at how much emphasis is placed on profit at a trade fair. But there are times when prioritizing profit can be a stupid thing to do. For example, you will remember how few wanted to attend MWC at the height of the pandemic. An individual who habitually chases every dollar will still pause and reverse course if they realize they were running towards an existential threat. There was telco blood in the water at this year’s MWC, with executives openly calling for more consolidation. Google circled the event ominously, and they were joined by a greater variety of sharks than ever before. There was a pathetic aspect to the pleas of telco execs who begged for governments and regulators to save them. But none openly suggested they should be saved in the interests of national security.
The argument for monetizing telco security comes from observing that telcos want new sources of revenue to compensate for the decline of revenues from traditional services, and that the customers of telcos are plagued by bad actors. The logic is that customers who suffer losses because of bad actors will pay for additional protection. That may be correct. On the other hand, it is a risky strategy. Failing to adequately protect customers may represent an existential threat to some kinds of communications service. If telcos do not willingly protect customers, then customers may stop using those services. For example, I previously answered my phone when there were calls from unrecognized numbers; I do not do that any more. Asking me to pay extra for a call filtering service is not going to lead to increased revenues now. My behavior has already changed to neuter the risk of bad actors calling my phone number and I would gain nothing by reversing my behavior now.
They say a fool and his money are soon parted. This leads me to believe I cannot be a fool because I am so incredibly mean with money. This innate meanness also grants me some immunity from scams. But it is always a mistake to treat one individual as representative of the population, so I concede there are many bumpkins who will fall for scams, and who will also pay to be protected from scams. We know this because there are bumpkins who willingly pay silly amounts of money for so-called protection for their computers without understanding if the protection does anything of any value, and the same people also make attractive targets for IT helpdesk scammers. These people may also be the target market for some speakers at MWC who promised to generate increased profit by offering increased protection. But I think trying to make money by appealing to bumpkins is a dangerous strategy, unless you are running a criminal enterprise. Bumpkins also get to vote, and politicians are always seeking to make offers that will have maximum appeal to bumpkins at minimum cost to the national treasury. Why permit telcos to charge extra for services that protect bumpkins, when the government can mandate those services be provided for free? No telco exec is going to fight back against such a market intervention, especially when they need to grease politicians to get approval for mergers.
My examples have been flawed because they imply that consumers will pay directly for protection. The security sales pitch at MWC was usually subtler than that. The overriding message at MWC was that banks and other providers of financial services will purchase additional protection from telcos because they want to reduce the amounts they pay out when their customers are scammed. Perhaps a few naive souls entered the event without knowing the importance of APIs to the GSMA’s vision for telcos, or that the go-to examples would be the APIs for SIM swap and number verification. Those messages were hammered so hard that the message will still be ringing in ears from Tokyo to Timbuktu. The proposition makes a degree of economic sense. And you can see the sales pitch is working independently of MWC too. The most whorish of the American telecoms fraud associations now spends most of its time licking the boots of guest speakers representing American banks and their clan. Increased security in the abstract is almost impossible to monetize, so they are trying to monetize fraud reduction as a specific kind of security enhancement. Ordinary consumers will not be the best customers for this kind of service, so they are targeting banks and other big businesses that handle lots of money on behalf of consumers.
And so the main stage saw Vicky Brady, CEO of Telstra, talking about APIs and referring to the anti-scam relationship between her telco and Commonwealth Bank. And Sunil Bharti Mittal, Chairman of Bharti Airtel, briefly referred to the use of AI to detect spam after he finished pleading for tax cuts for telcos. So I suppose I should be pleased that such heavy-hitters now admit there are problems that need to be tackled, when previously telcos behaved as if there were no frauds and there was no spam. But I am not satisfied with telco bosses who are exaggerating the scale of the steps they have taken towards securing networks and customers. This may be virgin territory for most telco execs, but they are still not reaching many of the places that fraudsters reach, despite statistics about networked scams occurring at such a scale that they now influence how politicians appeal to voters in a growing number of countries. Politicians are promising to reduce crimes related to networks; how can telcos thrive if their bosses continue to behave as if a few APIs and a light sprinkling of AI will turn everything around?
The problem with being so unhealthily focused on selling protection to businesses like banks is that it distracts attention from other problems that also need to be urgently addressed. Good luck to any telco exec who wants to charge a bank for enhanced fraud protection, but what is the plan for all the scams that banks will not pay for? A bank that is being impersonated will not want to be impersonated, but romance scams and cryptocurrency scams and many other scams do not involve impersonating an actual business. Are the politicians supposed to believe that telcos which engineered their anti-fraud schemes around the liabilities of banks have also absolved themselves of responsibility for every other scam involving the spoofing of a number or the misuse of a Sender ID?
Telco fraud managers who think that selling anti-fraud services to banks is good for their career are allowing themselves to be shepherded into an even worse career ghetto than the one they occupied before. The smarter banks are already using over-the-top methods of communicating with customers so they can reduce their reliance on old fashioned telcos. The big money is in protecting the public at large, which is why the share price of German arms manufacturer Rheinmetall is shooting upwards as they plan to convert car factories into tank factories. But just as selling security to consumers is a weak proposition compared to selling security to banks, the secret to making money from tanks is to have the right relationship with the relevant customer. There is no bigger purchaser than the modern nation-state, and nation-states spend most when fighting wars. Telcos need to be doing a better job of selling enhanced security measures on behalf of the population, to the nation-state.
And that, ironically, means shooting down consumer scams as rapidly as possible, with the maximum coverage at the lowest possible cost. Scam enterprises that target victims in foreign countries are the networked equivalent of terrorists who launch rockets and drones across a border so they will explode in the parts of towns where most people gather. Unlike terrorism, scams are a source of income for the scammer, but they are like terrorism because the extent of the economic damage they cause is a very large multiple of the cost of the weapons used, and because they harm a nation by harming its people at random, so that nobody feels safe. And like terrorism, scams are run by armies and warlords, with the knowledge of governments who are happy to see them succeed so long as the scammers limit their attacks to the populations of enemy states.
Telcos need to the develop the ability to shoot down these attacks as cheaply and as broadly as possible, just like nations develop air defense systems to shoot down enemy drones. They must defend cyberspace like the military defends airspace. If allied telcos can share intelligence to help them pinpoint and defeat incursions into their space then so much the better, but a lack of cooperation is not an excuse for inaction. Given the extraordinary scale of networked crime, which is sometimes estimated to be around 1 percent of the entire global economy, and which has been estimated to be worth 40 percent of the economy of countries like Cambodia and Myanmar, we cannot afford to waste time and resources on calculating who will foot the bill for tackling each specific crime. Our future safety will be best enhanced by implementing the broadest protections at a low cost relative to the scale of the coverage provided, not by seeking to generate revenues from narrow defenses that protect the customers with the most money whilst bad actors remain free to attack everyone else.
Telcos must offer governments good and cheap solutions for nationwide security. AI will help with that, but there are plenty of cheaper defense technologies which also need to be used much more than they are currently. Our defenses are currently weak. This is not because we need to wait for new technological innovations but because of a long history of inadequate spending on basic protections. Sometimes we need to spend a little to save a lot. Telcos need to be spending on security to save the people at large, whilst also saving themselves.



