As 911 goes digital, security and training pose major challenges
Government computer systems are frequently updated as a matter of course, but a sanguine nationwide effort to shift the country’s aging 911 systems onto a digital platform belies a moral dilemma that could touch the lives of everyone who might one day call for help in an emergency.
Counties across the United States are gradually trading in analog systems that run on copper wire for platforms that will allow 911 operators to receive photos, video and other digital media, while automatically collecting critical intelligence like caller location — new capabilities that are expected to shave seconds off response times and ultimately save lives.
A readiness to adopt next-generation 911 is reflected in a steady stream of announcements from local governments touting unprecedented capabilities and budding talks in Congress to fund a national rollout that could cost more than $12 billion. But along with the advantages of a more advanced digital network will also come new security risks that today’s outdated analog systems have had the accidental good fortune to be insulated from.
The lack of connectivity in decades-old computer systems is both the reason they’re considered outdated and the primary reason they don’t get hacked. It’s the same reason the federal government and many states have delayed migrating mainframes used for critical functions — like health care and public works — onto more modern platforms. Being outdated can be a tremendous security asset.
But this security in antiquity will soon fade. The implicit question facing governments updating these systems is whether the new capabilities they are enabling will save more lives than will be threatened when a next-generation 911 system is inevitably hacked and taken offline.
John Zanni, chief executive of the Arizona-based IT security company Acronis SCS, said systems used for public safety purposes today are compromised infrequently, but that when they are, it usually happens in smaller jurisdictions. One exception was Baltimore, which last year saw a “limited breach” to its computer-aided dispatch system. But even in that attack, operators were able to continue taking phone calls, jotting notes with pen and paper.
As 911 call centers begin handling different types of data and sharing it across jurisdictions, though, Zanni said these uncommon occurrences will become frequent.
“All of that means integration across networks, which means you need to think even more deeply about how you secure those systems,” Zanni said. “The more elaborate those systems become, the more they become the targets for bad actors.”
Doors ‘wide open’
Ransomware attacks against public networks seem to arrive on a near-weekly basis, preventing administrators and the public from accessing their data and services. At a minimum, it’s an expensive annoyance, and at worst a dangerous disruption of critical services. Technology officials leading the 911 upgrades say they’re doing their best to ensure the necessary security precautions have been taken before emergency services finally go digital, but they’re still worried.
“The doors are going to be wide open,” said Wisconsin Chief Information Officer David Cagigal. “These organizations are going to have to ramp up in an area they’re very unfamiliar with.”
Emergency call centers have decades of training to catch up on, Cagigal said. While state and local government agencies still struggle to absorb now-familiar security truisms about software updates, email-based phishing attempts and adhering to standardized frameworks, Cagigal said he worries that public-safety officials are even less prepared.
“They don’t have the skills and talents,” he said. “They don’t have a chief information security officer or an IT director to assist them if there is an issue. Next-generation 911 is necessary and very promising, but we must prepare for the eventuality that they’ll be susceptible to everything that’s facing us today. They’re going to be attacked.”
Worse still, Cagigal said, is that he believes those running public safety answering points, as 911 call centers are known, are mostly unwilling participants in the upgrade.
“Most of the operators would prefer not to do this,” Cagigal said. “There are some benefits of a digital platform, but what they would tell you is it’s not worth the risk. It’s going to be an onslaught and everyday concern of maintaining operations.”
One PSAP coordinator in Kansas who did not wish to be interviewed about next-generation 911 directed StateScoop to his state’s coordinating agency for 911 services.
“It was their idea,” the coordinator said.
Leading ahead
Not everyone is opposed to next-generation 911, said North Carolina CIO Eric Boyette. In fact, he said, the majority of those he meets with are ready to upgrade. More importantly, he added, it’s the right move.
“We would not be doing our part as leaders to not move forward with it,” said Boyette, who also leads North Carolina’s 911 board.
North Carolina is a leader among states on next-generation 911. It launched a first-of-its-kind Network Monitoring and Assistance Center in Raleigh last month, a central hub for assisting its 127 PSAPs, 16 of which are now equipped for the next-generation switch. Boyette said he expects all 127 centers to be ready by July 2021.
He admitted there will be new security risks — that’s one of the reasons the monitoring center was built. The state is also relying on its next-generation 911 vendor, AT&T, for additional support.
“If we have an issue with a PSAP that’s down, we have back-up ways that we can reroute traffic and the end user never knows that they’re on a secondary versus a primary,” he said. “We have the same capability now with the copper, but you have a lot of [telecommunications companies] you have to work with to make sure the traffic is routed all the way through.”
With next-generation 911, information such as caller location is stored in the cloud, rather than on-site, so the platform is expected to be far more resilient than contemporary systems. Having basic caller information is important so operators can indicate the correct location when they answer calls, Boyette said. During Hurricane Florence in 2018, operators on analog systems taking calls routed from other jurisdictions didn’t know where their calls were coming from, and how they answered the phone sometimes confused callers, who then hung up.
Despite being an advocate for the technology, Boyette isn’t oblivious to the threats 911 will soon face. Next-generation 911 is one of hundreds of technology projects he’s helped launch during nearly 25 years with the state. He knows that increased complexity means increased risk.
“I didn’t say it was easy,” he said.
‘Seconds matter’
One group that’s always looking for additional support for next-generation 911 is the National Emergency Number Association. Its CEO, Brian Fontes, has been a strong advocate for modernizing systems and attracting new funding for a platform he’s been trying to promote for more than a decade. But he agreed that educating and training PSAP operators will likely prove to be one of the greatest threats to 911.
“They’re comfortable with the way things are, the way they’ve been operating for 50 years,” Fontes said. “I hate this expression but I hear people say, ‘I don’t have to worry about it because I’m retiring in three years.’ It’s a challenge.”
Like others, Fontes said the challenge is worth facing. Cloud-based technology will make it easier to isolate cyberattacks, he said, and the general benefits of next-generation 911, like reduced response times and enhanced situational awareness, are too great to pass up.
“At the end of the day, seconds matter,” Ohio CIO Ervan Rodgers said.
Rodgers recently hosted a statewide 911 symposium marking $4.3 million in new federal funding for his state’s 911 upgrades. Ohio was one of 34 states and territories to receive a chunk of $109 million in new funding — a pittance compared to the $12 billion needed nationally — but Rodgers said the event conveyed a positive reception to the new technology.
“There is a great amount of excitement, especially with the funding,” Rodgers said. “I’d say the lion’s share majority are excited about this moving forward.”
The self-selected individuals attending a symposium for 911 may be more likely to have enthusiasm for next-generation 911 than the population at large, however. The challenge of educating thousands of PSAP administrators and operators not only on what the technology is, but how to securely use it, remains.
In Paulding County, Ohio, a region of 19,000 residents tucked away in the northwest corner of the state, Matt McDougall, the county’s deputy sheriff who also serves as the regional PSAP coordinator, said he’s heard there’s a big push for next-generation 911, but that he doesn’t know much more than the fact that it would allow his operators to handle new types of media.
But is he security-conscious?
“Sure,” McDougall said. “We try to be ready with those firewalls.”
Is he ready for next-generation 911?
“The state hasn’t even come out with what next-generation 911 is, really,” he said. “I just don’t know how we’re going to handle all that.”