SHAKEN/STIR Adoption - A Lesson in Regulatory Failure
Today at day four of the SIPNOC 2022 conference, Jacques Sarrazin, President & CEO of the Canadian Secure Token Governance Authority (CST-GA) gave an update on the state of SHAKEN/STIR in Canada and the state isn't good.
If we go back to CRTC decision 2021-123, the CRTC decided that TSPs must implement STIR/SHAKEN in order to authenticate and validate IP-based voice calls, effective 30 November 2021. Yet here we are in March 2022 and less than half of TSPs with direct access to numbers have obtained certificates and only 5 of the smaller TSPs without direct access to numbers have obtained certificates. For the 36 TSPs with direct access to numbers that do not have a certificate yet this may be because they do not currently utilize any IP based services and therefore do not yet need certificiates, but for the TSPs without direct access to numbers almost all would be IP based and so the lack of adoption is of major concern.
On the SIPNOC webinar, I asked Mr. Sarrazin what the CST/GA was doing to help bring the hundreds of smaller TSPs into the SHAKEN/STIR framework. His answer was that was 'a dilemma as to why they haven't joined but they don't see it as their role to actively solicit TSPs to sign up'. I don't disagree with Mr. Sarrazian that it isn't their role, but they also haven't made it easy for smaller carriers to join as I outlined in an eariler blog post.
In my opinion, the finanical impact of implementing SHAKEN/STIR for smaller carriers combined with the regulatory uncertainty from 2018 to 2021 has directly led to the lack of adoption by them today. Smaller players were left out of of the SHAKEN/STIR process because of regulatory ambiguity between the 2018 CRTC decision of "all TSPs" must participate and the CST-GAs interpretation that only parties with direct number assignment could participate. The CRTC itself didn't do smaller players any favours during this time - between the issuance of the 2018 mandate for the implementation of SHAKEN/STIR and the 2021-267 Mitel decision many parties rasied the issue of access to certificates for smaller TSPs with the CRTC and were met with silence. With only two months between the isuance of the 2021-267 decision and the November implementation date, I imagine most smaller TSPs have only recently started investigating how they can implement SHAKEN/STIR, which depending on network topology, equipement vendors, and other factors may not be simple to implement. Others may not even be aware yet of this requirement - for example the CRTC has not directed the larger participating TSPs that they need to ensure that their customer carriers are compliant.
What we need to resolve this is real change in the whole process, moving it from one led and run by the larger incumbant telecommuncations providers to more of a multi-stakeholder model. At a minimum, the governance of the CST-GA needs to include representation from smaller TSPs so that the challenges and obsticles they are facing have visability at the board level. In additon to changes at the CST-GA, the CRTC itself needs to look at how its process works for implementation of new technologies into legacy environments. The traditional model for the CRTC is for them to issue a decision or call for comments and then direct telecommunications providers to do something. For a new technology, such as SHAKEN/STIR, this doesn't work and a different approach is needed. You need to actively engage all stakeholders and ensure they are represented, not just fire off letters and decisisons and hope that smaller TSPs read them. And when they do participate, you need to listen to and address their concerns rather than waiting for someone to file a part one application to clear up obvious ambiguities.
Hopefully over the next few months we start to see an uptake in adoption by smaller carriers but I'm not holding my breath - until we find a way to bring smaller carriers to the table as equal partners in the solution the adoption rates will continue to languish.