Urgent Communications recently recapped a panel discussion on the security challenges of FirstNet, the prospective nationwide wireless broadband network dedicated to first responders for which proposals are due May 31. As I read through Donny Jackson’s piece, which summarized the expert panel at the March International Wireless Communication Expo (IWCE) meeting, I realized there were some really important points about security of the network that deserved broader circulation, so I wanted to highlight some of them.
Let’s start with the cybersecurity goal of FirstNet, which is ensuring end-to-end security for the network. “Each of the subdomains that comprise the FirstNet network have to stand on their own and be secure,” said Glenn Zimmerman, senior security architect for FirstNet. “And, when you put it all together, the holistic aggregate of those subdomains needs to be secure, as well.” That lays out the challenge pretty precisely. It’s a tall order but an absolutely necessary one.
Zimmerman continues to show that he gets how difficult this challenge is going to be, saying, “There is never, from a planning perspective, the assumption that anything is fool-proof. The reason is that fools are actually pretty ingenious. They’ll figure out a way around almost everything. That’s why you have to have means and methods to counteract and mitigate those threats, capabilities and inherent weaknesses.”
As a former Border Patrol agent, I know FirstNet will be an incredible boon for the public safety community. But the network’s integrity will be tested, as the hacking community will undoubtedly try to infiltrate the network from the get-go. That’s why I’m pleased that the FirstNet architects realize the role security plays in the network’s success and has placed such an emphasis on cybersecurity from the design phase, rather than treating cybersecurity as an afterthought. That said, security within the network can’t get in the way of first responders’ jobs, or severely impact the way they respond and react to emergencies. Said Zimmerman, “The whole concept is that first responders need to be able to do their job, and cybersecurity should not prevent them from doing that. But it does need to protect them.” This is a point that needs to be emphasized because security is imperative to the network’s success and efficacy, but not if it interferes with the ability for first responders to do their job.
Another concern is the gradual switch to next-generation 911 (NG911), an all IP-platform that will integrate quite nicely with FirstNet. Said Michael Kassa, FirstNet’s director of technology planning, “As we move to next-generation 911, we can send video to a PSAP, we can send text, we can send payloads of just about anything that is multimedia in nature. So, now we have a problem where I’m getting video, and I’m getting texts. I don’t really know what’s in these files, but I know these are all great attack vectors. How many of you have opened up the wrong e-mail and had your IT department come and find you, because you infected the entire network?”
As Kassa indicates, NG911’s ability to receive texts, photos and videos poses an additional risk, as malicious actors could embed media that could make its way onto a dispatcher or first responder’s phone or laptop, should they be hooked up to the network. Much of this could be alleviated by software that scans attachments, but when first responders or dispatchers are dealing with real-time emergencies that are often life or death, there’s a good chance they’ll skip that step and get right to the attachment.
In addition to NG911, the Internet of Things (IoT) poses an additional attack vector for FirstNet, as the new technologies providing communication on the network include sensors that no doubt could be problematic. While IoT sensors will provide first responders with valuable data, we must ensure these sensors are secured because much like NG911, contamination could have costly consequences since those sensors are embedded into the network itself.
Sometimes a panel discussion is a collection of rather boring remarks that people might not pay much attention to. Not this one! I’m glad I took the time to revisit the panel through the Urgent Communications article; it was a great reminder that the remarks made by Glenn and Michael are spot on.