2023 is already shaping up to be a bad year for telecom and cybersecurity.
It’s no secret that North American corporations have struggled to deal with the increase in cyber-attacks as aging IT infrastructure has failed to keep up with the exploding scale of malicious network activity. This malicious activity has targeted consumers, through an explosion in scam robocalls and robotexts, and corporations alike. So far this year, all of the major US 5G operators – AT&T, Dish Network, Verizon, and T-Mobile — have all experienced hacks or other cyber-security incidents this year.
On the consumer side, 2022 was a banner year for scam robotext and robocalls. In February, T-Mobile’s second annual Scam and Robocall Report showed that the number of robocall attempts were up 75% in 2022 from the previous year. According to the report, January saw an all-time high for robocalls, with a steady decrease throughout the year thanks in part to implementations of technology like T-Mobile’s Scam Shield app, which blocked a total of 41.5 billion robocall attempts in 2022.
However, the massive growth in scam texts saw SMS overtake calls as the most common contact method at 22% of all fraud attempts reported to the FTC in 2022, for a total of $326 million in total reported losses by victims. Scam phone calls were a close second in frequency, and netted the most per victim with a median loss of $1400.
The other type of malicious activity taking place on telecom networks is DDOS (Distributed Denial of Service) attacks — particularly volumetric attacks (attacks where a network is shut down by flooding it with requests for information). An August 2022 report by cybersecurity firm Radware showed that DDOS attacks were up 203% in the second half of 2022 compared to the first six months.
Unfortunately, so far most companies have yet to invest in the security needed to deal with this threat.
Enterprise companies need to prepare for the changing scope and scale of security threats.
AT&T’s yearly Cybersecurity Insights Report has previously warned that enterprise companies need to do more to prepare for the security threats that will come with 5G, especially as the growing number of connected devices means volumetric attacks could “hit new peaks” in the coming years.
However, enterprise companies have been slow to make necessary investments in technology to deal with the escalating threat of DDOS attacks. In 2021, only 15% of respondents surveyed for AT&T’s annual report said that their companies were researching or implementing DDOS protections, and only 3% had completed implementation. It’s unsurprising, then, that only a bit more than a third (37%) of respondents to that same survey had high or medium-high confidence that their organization was prepared for the security challenges that 5G would bring.
While regulators largely are not considering regulation to address malicious network attacks, the pressure is growing for telecom operators to do more to fight consumer-facing malicious network activity like robocalls and robotexts.
U.S. regulators are growing increasingly impatient with the lack of consumer protections.
The FCC has already taken significant action in 2023 to enforce existing regulations and propose new protections, and have signaled that service providers of all sizes will be subject to enforcement.
In late January, the FCC issued a cease and desist letter to Twilio—a publicly traded company with more than 5000 employees — demanding that “voice service provider Twilio cease and desist from carrying the suspected illegal robocall traffic which it was apparently receiving from PhoneBurner”.
Separately, the FCC issued a Robocall Enforcement Notice to all US-based voice service providers stating, “We hereby provide written notice to all U.S.-based voice service providers to take steps to effectively mitigate apparently illegal traffic from PhoneBurner and MV Realty. We consider blocking the traffic to be an example of effective mitigation.”
And in February, FCC Chairwoman Jessica Rosenworcel proposed new rules which will be up for a vote in March that would crack down on robotexts as well. Rosenworcel said, “I’m asking my colleagues to join me in adopting the first FCC rules to focus on shutting down scam texts. But we’re not stopping here. Because we are going to keep at it and develop more ways to take on this growing consumer threat.”
The proposed rules would extend some of the strategies the FCC has already implemented against robocalls to deal with robotexts, including a requirement that text messages that originate or purport to originate from invalid and/or unused phone numbers be blocked.
Whatever happens with these proposed regulations, this will be a trend to watch closely as it continues to develop.