Telecoms Cyber Security Insights from Mobile World Congress 2025

Unchecked AI: Security's new blind spot?

Artificial Intelligence (AI) dominated the conversation at MWC 2025, with virtually every exhibitor showcasing AI-powered solutions. While AI promises huge efficiencies, enhanced security monitoring, and more robust scanning capabilities, there are significant concerns about validation. 

Chris Proctor, our Telecommunications Practice Director, noted,

"I am reminded of an earlier experience I had in the aviation sector as we adopted a minimum of 3 computer systems on board aeroplanes. Most flight operators implemented multiple computers to cross-check each other. A pilot could make an informed decision and reliably use what a majority (2 of the 3) systems each observed. Many AI security implementations currently lack counterbalances or verification mechanisms."

Our team spoke to one major vendor who admitted they hadn't developed systems for their AI to verify itself or be checked by other AIs. That raised crucial questions about hallucinations and the reliability of AI-based security decisions. We've made it a mission to support organizations in considering how to validate AI outputs before implementing these solutions in critical security environments.

Back to basics

A leading theme of conversation amongst the delegates emerged after UK NCSC's CTO Ollie Whitehouse's presentation at MWC's Security Summit. He highlighted that many telecommunications companies have been compromised through straightforward vulnerabilities rather than sophisticated attacks. Despite the industry's focus on advanced threats, compromises often stem from simple security failures like default passwords. One of his most memorable quips was: 

"We know more about what's in our sausages than what goes into our software." 

This blunt reminder emphasizes that organizations cannot defend what they don't understand, making The Software Bill of Materials and basic cyber hygiene essential to any security strategy.

National security and sovereign capability

The geopolitical dimension of telecommunications security was evident throughout the three days at MWC. There's a clear countermovement toward "sovereign capability" in security solutions. Many countries showcased pavillions with home-grown security solutions, reflecting increasing concerns about supply chain security and national interests. Japan, for example, is ramping up established security solutions within its borders, while European countries are sponsoring university spin-offs and startups to develop domestic security technologies.

API security challenges

As telecommunications companies create new services through application programming interfaces (APIs), security remains an interconnected concern. These interfaces, designed to enable third-party connections and innovative services, present significant security risks if not adequately secured. Several presentations highlighted the need for robust API security frameworks, especially as these interfaces become more widely adopted.

Interestingly and somewhat controversially, renowned cryptography expert and hacker Karsten Nohl encouraged cyber security leaders in the room not to be the "naysayers" when it comes to supporting innovation and technological advancement within organizations. At one point, stating:

"You shouldn't bake in security at the start." 

While there is no doubt that security by design principles and the idea of "shifting left," the embodiment of more robust security into solutions, are important, our experts also agreed with Carsten that they must be balanced with the need not to stifle creative and innovative processes. 

Once the plan and direction are better defined, it's much easier to work with a clear brief, and security can then ensure that actions and next steps are progressed safely and securely as part of the design and development stages. 

With two out of three organizations now regularly using generative AI in their business and one in five DevOps professionals leveraging it across the software development lifecycle, the race between progress and security is well underway.

These types of conversations reinforced our belief in helping AI DevOps teams establish best practices to protect their organization's data, systems, and bottom line.

Non-terrestrial networks and new attack surfaces

Communication-leveraging satellites were a significant topic of conversation among the delegates. Numerous exhibitors and vendors showcased their Non-Terrestrial Network (NTN) solutions. These technologies are solving some critical challenges, especially in developing nations, but extended connectivity comes with expanding attack surfaces that organizations must secure.

Many of the cyber leaders our experts met agree that these networks' security considerations differ significantly from traditional terrestrial infrastructure.