MWC: Day 2 Recap, Day 3 Watchlist

Open Gateway and APIs were a key focus today, but the conversation often felt more about potential than practical implementation. Meanwhile, Security emerged as a major theme, with real concerns about evolving threats and the need for stronger defences.

Many thanks again to Tony and Luanna, who’ve been attending talks I couldn’t make it to. Their thoughts and observations have been invaluable in shaping this update.

Security

Security is naturally a topic close to our hearts at Cellusys, but elsewhere it’s often given only lip service. We’re always keen to hear about new threats and fresh ideas in this space, and the subject featured quite a lot today. Unsurprisingly, AI was a major theme once again, with the usual mix of promising innovations and unrealistic bluster, but there were plenty of interesting insights. A few that stood out:

The need to balance innovation with privacy and security. While the industry is excited about the democratisation of AI through more efficient models, it’s just as important to consider their privacy and security implications – not just cost.

Security comes at a cost, and the industry has traditionally linked security to fraud as a way to demonstrate measurable cost savings. However, with growing complexities, greater investment in security is needed—even when the costs can’t be justified by immediate, measurable fraud prevention alone.

The National Cyber Security Centre (NSCS) stressed the need to really understand software being deployed today, as it’s often a blackbox for companies buying products. A software bill of materials (SBOM) was cited as an important security element for software going forward.

Amidst the AI hype, an interesting comparison was raised: Google Search vs. Gemini (or any equivalent AI-powered search). While Google Search provides many answers, Gemini offers just one. In the context of security, this raises a key concern for me – can we trust a single response without verification? Does such a reductive approach increase the risk of misinformation, and what are the implications for security when AI-driven decisions rely on potentially flawed or incomplete data?

Joanna Woods from Vodafone shared an interesting use case where combining telco and banking data enabled more accurate fraud detection – yielding results that wouldn’t be possible in isolation. At Cellusys, we strongly believe in adding as much context as possible to make the best security decisions, and this was a great example of the power of that approach.

Finally, a typically stellar performance from Karsten Nohl at the Security Summit. We were heavily invested in his messages about security over ten years ago, which directly led to the creation of our Signalling Firewall, and we continue to put great stock in his opinions. He remains a leading voice in security, and one standout quote from his talk was:

“You can’t know in the launch phase what all your security risks are going to be. Don’t expect to be able to secure by design at the outset to the highest possible standard. Security by design is slow by design. Security comes primarily from operations, not from design.”

It’s certainly not a message we often hear in the industry, and it definitely gave me and the team some food for thought to bring home!

Open Gateway & APIs

Open Gateway has been a major focus, carrying high expectations as the next big revenue opportunity for telcos. At Cellusys, we fully align with the concept – opening networks (securely!) to API calls and leveraging the unique position and data available within mobile operator networks. However, much like AI, despite the real value we see in it, there’s also plenty of hype. We need to carefully assess and distinguish between genuine potential and wishful thinking. It’s an area we’ll continue to watch closely, but for now, here are some key takeaways from MWC:

The stated goal of the Open Gateway Programme is to standardise the approach, simplify the supply, and create demand. So far, it has been effective in the first two – especially compared to past initiatives – but the real challenge lies in driving demand and scaling up with more users and use cases. There were some concrete examples of progress, with most demand currently centred around SIM Swap, Device Location, and Number Verification use cases. Notably, deployments in Brazil and Singapore have shown promising results, offering encouraging signs of success.

Many more use cases are being imagined and defined, but so far, few have actual users. While there are plenty of promising ideas, the real test will be whether external customers adopt these new API endpoints. Beyond the core endpoints that have already proven successful, it seems supply is growing much faster than demand. This isn’t necessarily a problem, but it does warrant some caution when considering the more ambitious projections and expectations for this space.

Some speakers highlighted the real needs and demands of enterprises, with Toyota emphasising the need for global availability to match the scale of their business. Achieving widespread adoption remains the biggest challenge. T-Mobile shared a more use-case-driven approach, implementing solutions end-to-end with a real customer, with the expectation that others will follow. This seems like a sensible strategy for driving adoption.

Achieving consistent adoption at both country and global levels remains a significant challenge. Operators need to be convinced to come on board, which requires investment on their part. Speakers highlighted that the blueprint is in place and much of the groundwork has been done, making it easier for operators to join. However, as we know from experience, achieving ubiquitous adoption is never straightforward – no matter how many hurdles are removed. This remains a key concern in realising the full potential envisioned for Open Gateway.

Number Verification sparked some interesting discussions, particularly around whether it would cannibalise the OTP SMS market. A number of speakers argued that this isn’t cannibalisation, but rather a way to preserve the business in a world where SMS trust is at an all-time low. The key message was that if operators don’t disrupt from within, disruption will come from elsewhere – potentially pushing them out of the picture entirely.

A notable point of encouragement came from Google, who stated they are ready and willing to move all their traffic to Number Verification once it is ready (presumably meaning fully rolled out in all markets). However, given Google’s deprecation of OTP SMS, this puts all the eggs in the Number Verify basket if operators are to maintain their role in this space. This could be a cause for concern given the difficulty of ubiquitous roll out.