Why Did the US Adopt an Anti-Spoofing Solution That Does Not Work for All Calls?

Everybody is going to remember 2020 as the year of the pandemic. Many are also going to remember 2020 as the year when all their work was done via a screen. I will remember 2020 as the year where every week I switched on a screen and was told by polite men from North America about the reasons every telco should adopt STIR/SHAKEN to prevent the spoofing of Calling Line Identities (CLIs), also known as caller IDs. Long-time readers will appreciate my habit of remembering predictions and promises that were subsequently proven inaccurate; I prefer learning from other people’s mistakes to diplomatically forgetting them. Coronavirus is global, virtual conferencing is global, but STIR/SHAKEN is a North American approach that is not even designed to work for every network in North America. To deliver a global solution to CLI spoofing you first have to devise a universal solution, and STIR/SHAKEN is neither.

To recap, STIR/SHAKEN is not just a terrible choice of name for any technology that would also need to be implemented in Muslim countries. It is also a combination of protocols where IP networks add a cryptographically secure signature to a SIP header for each call, knowing that the terminating telco can ask a certification authority if the signature they see is consistent with the originating number they see. As the Federal Communications Commission (FCC), the US comms regulator, observed in its latest report on STIR/SHAKEN:

Because providers transmit the Identity header in a SIP INVITE and because SIP is IP based, STIR/SHAKEN only operates in the IP portions of a provider’s network. If a call originates on a non-IP network, that voice service provider cannot authenticate the caller ID information; if it terminates on a non-IP network, that voice service provider cannot verify the caller ID authentication information. And if a call is routed at any point over an interconnection point or intermediate provider network that does not support the transmission of SIP calls, the Identity header will be lost.
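The limitation the FCC describes can be seen in a sketch of the checks a terminating provider runs before it verifies the signature. This is an added example, not code from the FCC report or from any STIR/SHAKEN product: the claim names follow the PASSporT conventions, while the phone numbers, certificate URL, placeholder signature segment, `transit` helper and 60-second freshness window are constructed assumptions. Fetching the certificate and checking the ES256 signature is left as the next step.

```python
import base64
import json

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

X5U = "https://certs.example.invalid/sp.pem"  # constructed certificate URL

def make_identity(orig_tn, dest_tn, iat):
    """Constructed Identity value; the third segment is a placeholder, not a signature."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": X5U}
    pay = {"attest": "A", "dest": {"tn": [dest_tn]}, "iat": iat,
           "orig": {"tn": orig_tn}, "origid": "constructed-origid"}
    return f"{_enc(hdr)}.{_enc(pay)}.UExBQ0VIT0xERVI;info=<{X5U}>;alg=ES256;ppt=shaken"

def transit(invite, hops):
    """Carry an INVITE across hops; a non-IP ("tdm") hop keeps the numbers, drops Identity."""
    out = dict(invite)
    if "tdm" in hops:
        out.pop("Identity", None)
    return out

def precheck(invite, now, max_age=60):
    """Terminating-side checks that precede signature verification."""
    identity = invite.get("Identity")
    if identity is None:
        return ("unverifiable", "no Identity header")
    token, _, params = identity.partition(";")
    parts = token.split(".")
    try:
        if len(parts) != 3:
            raise ValueError("not three segments")
        hdr, pay = _dec(parts[0]), _dec(parts[1])
        orig, dest, iat = pay["orig"]["tn"], pay["dest"]["tn"], int(pay["iat"])
    except (ValueError, KeyError, TypeError):
        return ("reject", "malformed PASSporT")
    if hdr.get("alg") != "ES256" or hdr.get("ppt") != "shaken":
        return ("reject", "unexpected alg or ppt")
    if f"info=<{hdr.get('x5u')}>" not in params.split(";"):
        return ("reject", "info parameter does not match x5u")
    if orig != invite["From"] or invite["To"] not in dest:
        return ("reject", "signed numbers differ from signalled numbers")
    if abs(now - iat) > max_age:
        return ("reject", "stale iat")
    return ("verify-signature", hdr["x5u"])  # next step: fetch cert, check ES256 signature
```

A call that crosses a single non-IP hop arrives with its numbers intact but no Identity header, so the terminating provider can neither confirm nor refute the caller ID.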

The FCC is not daunted by this, because they previously put in place a rule that says the telecoms industry should also come up with an anti-spoofing solution that would work across non-IP networks. IP networks can do everything that non-IP networks can do, and much more, so asking for an anti-spoofing solution that works for non-IP networks is just a roundabout way of asking for a solution that would work across all networks. But if the FCC knew they were also going to need a universal solution to spoofing, why did they begin with deadlines and demands for US telcos to implement a different solution that is not universal?

To make matters worse, the people who eagerly came up with STIR/SHAKEN have so far failed to deliver the universal alternative.

While standards bodies are currently working on non-IP call authentication solutions, and some vendors are developing potential non-IP solutions, there is yet to be an industry consensus on the path forward.

It is always funny to see the FCC refer to ‘industry’ consensus, as if they listened to the opinions of anyone outside of North America. They should listen to a much wider range of nations, because solving a problem where fraudsters disguise the origin of a call would require the cooperation of telcos at the beginning and end of each call (and possibly in the middle of calls, depending on how the solution works). Customers can make phone calls everywhere, so fraud can originate anywhere. So why has North America tried to solve the global problem of fraud without engaging interested parties elsewhere?

The US government has somewhat realized that the technology industry in 2020 is not what it was in 1980, as evidenced by the strategic downsides of allowing China to take a lead in so many aspects of manufacturing. But the US government’s appointees have failed to grasp that the US cannot dominate the internet-ization of telecoms in the way it dominated the original development of the internet. The internet was new and green; the telecoms sector has vested interests in every nation. If I was going to focus on a global reduction in spoofing, I would start by ensuring the method to reduce spoofing was so cheap that every telco could afford to implement it. Which brings us to another important observation made by the FCC…

The record reflects that a barrier to STIR/SHAKEN implementation for small voice service providers is the substantial cost, despite resource constraints, to implement STIR/SHAKEN.

It is no surprise that vendors give evasive answers when asked how much STIR/SHAKEN costs. They are relying on the heavy stick of government mandate to force everybody to buy their products and services. However, the FCC’s report includes a frightening section on why they must relax deadlines for smaller telcos in the hope that the additional delay will lead to a reduction in the cost of implementing STIR/SHAKEN. This section begins with a claim by the Wireless Internet Service Providers Association (WISPA)…

…that “[s]ome vendor’s minimum fees could exceed a small provider’s entire voice revenues.”

Another problem is that the charges which STIR/SHAKEN suppliers wish to levy are not influenced by effective competition between suppliers.

Indeed, small voice service providers report they have “been quoted annual rates from different vendors that range from the low five figures to the low six figures, not including any upfront costs to install the solution,” with no explanation for the rate disparity.

But luckily, the FCC predicts market forces will make everything cheaper eventually.

The record reflects that as medium and large voice service providers start to widely deploy STIR/SHAKEN, new and improved solutions will emerge, increasing competition among vendors and decreasing costs.

How fortunate that the people who incorrectly predicted the deadline for when STIR/SHAKEN must be implemented can now confidently predict that the cost of implementing STIR/SHAKEN is bound to fall! But not everybody is sympathetic to giving more time to small telcos.

Transaction Network Services and AT&T contend that we should not grant a blanket extension for small voice service providers. These commenters claim that such an extension would be overinclusive because not all small voice service providers face identical hardships, and allege that illegal robocalls may originate from these providers.

There is a pattern in the development of the North American approach to spoofing that surfaces throughout the FCC’s report.

  • Big telcos with all-IP networks have most to gain if small telcos are forced to raise the cash needed to upgrade their networks.
  • Big vendors do not want to relax deadlines for STIR/SHAKEN because time pressure leads to higher costs for telcos, translating into higher revenues and profits for the vendors.
  • Big telcos and vendors both gained by persuading the FCC to take a dual-prong approach where telcos either pay to upgrade to all-IP networks or develop a new way to satisfy their legal obligations.
  • With STIR/SHAKEN already costing so much to implement in all-IP networks, neither the big telcos nor the big vendors have any incentive to spend their research and development budgets on creating an alternative universal solution that would be cheaper and which would work across all networks.

You do not need IP networks to stop spoofing. That much is obvious at a technical level. If somebody uses a spoofed number to call me then I can check if the number was spoofed by calling it back; no new technology needs to be invented just to send verification messages between two parties. The cost of STIR/SHAKEN is driven by the insistence on using IP-based signaling to achieve the objective. It is a prima facie instance of placing a higher priority on the technology to be used than on the problem to be solved. The only strategically sound reason to willingly adopt a solution that could only work for IP networks is to put maximum pressure on telcos that would rather delay expenditure on replacing their non-IP networks. This was always inherent to a dual-prong approach where the FCC…

…proposed to require voice service providers using non-IP technology, which cannot support STIR/SHAKEN, to either (i) upgrade their networks to IP to enable STIR/SHAKEN implementation or (ii) work to develop non-IP caller ID authentication technology.

If the second option had been enforced first, then nothing would be gained by upgrading to IP networks just to implement STIR/SHAKEN. Hence it is reasonable to conclude that the North American industry ‘consensus’ was to push for all networks to become all-IP, and to use the consumer pain caused by spoofing as a political stick to beat smaller telcos that want to delay the transition.

Unfortunately for the FCC, and the telcos and vendors which have influenced it most, they are going to find the politics of North America is dissimilar to politics elsewhere. Some might hope the US will use its political influence to bully other countries into adopting STIR/SHAKEN. This seems unlikely because the US is currently spending a lot of political capital on persuading other countries not to buy from Chinese network manufacturers. Indulging an argument about caller ID spoofing would only distract from the strategic imperative. But this also means that North America has no reason to expect the rest of the world will help their fight against spoofing by following their technological lead.

The problem of robocalling is greatest in North America, which is why their politicians have acted first. However, vacillation over the development of a cost-effective non-IP universal solution for spoofing has left a window of opportunity for more agile foreign firms and nations to develop a better and cheaper approach, which will probably be based on out-of-band signaling. The irony is that out-of-band signaling is the basis for the only credible non-IP solution currently being contemplated in North America, but its development is starved of oxygen by STIR/SHAKEN. A universal non-IP alternative can succeed if it is cheap enough. And if that alternative is cheap enough, then STIR/SHAKEN will follow the same path as Nortel and Motorola.

Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.