The upcoming generation of 911 technologies is exciting for a lot of people working in public safety today because it represents the first major upgrade in decades.
The idea that people at the scene of an accident or a crime will be able to not only call for help, but send first responders images and videos of what’s happening, holds great promise for those who’ve been charged with keeping the public safe. But with any new technology comes new security risks, and those who are designing the new system are thinking about that, too.
One of those people is Brandon Abley, a technical issues director with the National Emergency Number Association who also sits on an NG911 working group convened by the Federal Communications Commission. In an interview with StateScoop, he explained why he expects next-generation 911, though more complex than today’s systems, to also be more secure.
How does next-generation 911 compare to traditional 911 in terms of cybersecurity?
In NG911, your attack vectors expand significantly because you have more stuff you can interact with that is within the domain of 911, whereas in legacy 911 we just have telephone calls and to a limited extent text messages. But there’s really almost no security built into any of that so it’s really fragile, it’s really vulnerable and it’s something I worry about constantly. I’m almost hesitant to talk about it at risk of giving people ideas.
We’ve had 911 outages. Are cyberattacks on 911 less common?
Yep, I’m surprised they aren’t more common, but as we see with swatting attacks, it’s trivial in a legacy 911 system to spoof your location and everything about yourself. We have some fixes, not just with NG911, but with caller authentication, and we have some proposals, at least in standards, for location authentication. I think the FCC might look into some of this formally in the near future, which is promising. But that’s just one vector.
What are some of the main precautions that are being taken in next-generation 911?
One of the things is that it’s just a modern IT system. So there’s a lot of stuff that improves just because of that. The 911 that you have right now in most places is kind of like a 1990s vintage system, so the vulnerabilities are of that vintage, also. On top of that, in NG911 you have a bunch of mechanisms that are designed to make the whole ecosystem more secure and more survivable. One of them is something called a public key infrastructure that is for NG911 specifically.
Can you explain that?
I guess in layman’s terms it’s kind of like the way a large enterprise network can secure its own network on a large scale, like if you’re a multinational company that has a very secure internal virtual network. The public key infrastructure and the standards for NG911 kind of set up a framework where all of the NG911 system operators that participate in this scheme can be part of what is analogous to a large secure enterprise network. You have trust that’s built in between entities in that framework, so different jurisdictions can trust each other’s traffic to a certain extent, which aids in interoperability.
Are there others?
You have a lot of other mechanisms that are designed just for survivability. You have stuff like a policy-routing rule. In many cases, adjusting the routing needs to be done manually and needs to be done as a reaction to an outage or something that’s happened and then wherever that call gets diverted to might not be able to serve the call in a full capacity. So in NG911, there are mechanisms that are standardized to be based on certain circumstances and you can divert calls with full functionality to a neighboring jurisdiction, or even to a faraway one on the other side of the country, and the service to the caller isn’t degraded at all.
Could the increased connectivity of next-generation 911 make it possible for someone who compromises a single call center to take down all of the country’s 911?
This was anticipated in the architecture. It’s one of the features of the public key infrastructure. It’s the same mechanism that is securing phone numbers to combat robocalls. Like, a shady VoIP operator that is giving service to robocallers can be reported by other telcos and their certificate is revoked. They can’t be blocked, but they’ll be marked as spam on your phone. In the NG911 space, within the trust framework that was designed, if there is a [public safety answering point] or 911 system, even an entire state that has been compromised, other members of the community can report that and their certificate will be revoked. And once they recover their 911, they can get a new certificate and rejoin the community.
What are the odds of a successful cyberattack against next-generation 911 compared to today’s 911 systems or transitional 911 systems?
Much less likely. The current systems we have have vulnerabilities that date back to 80s and 90s phreaking culture. So that goes away, thankfully. And then beyond that there are just many mechanisms that have been included in the work that we’ve been doing to design a really secure interoperable framework that is shared by hundreds and thousands of jurisdictions in North America.
But cyberattacks against 911 won’t be impossible.
Once we have end-state NG911 implemented widely, obviously cyberattacks will happen eventually and they will be successful. That’s just life now, but in end-state NG911 it’s much more difficult than it is today with this weird kind-of-modern, kind-of-legacy transitional system that exposes the worst of both sides of that transition. If a compromise is successful, its scope is mitigated. Today when a PSAP is a victim of a ransomware attack, it’s just pretty much that’s it until they manage to recover. And even worse, if an attacker is able to gain control of the 911 facilities in a legacy 911 environment they can do significant harm to other jurisdictions. In NG911 we have these agreed-upon standardized mechanisms to mitigate all that.
Putting aside cyberattacks, could we say that more complicated systems will generally be more error-prone?
The number of vectors and the attack surface grows, but the likelihood there’s an issue is orthogonal to that. Just because there’s a more complicated ecosystem with more providers and stakeholders involved certainly does not mean that there is an increased likelihood of there being problems.
An example: early, early in my career, when I was a radio engineer in the Midwest, there was a county sheriff whose radio system went down, and it was because the custodian had unplugged the radio repeater when they were cleaning. They needed to plug in their vacuum. So that’s a very simple system with only one attack vector — a box in the back of a room.
It sounds like there won’t be a widespread 911 outage.
The United States doesn’t have a 911 system. We have hundreds of 911 systems, we have thousands of answering points, we have many, many companies that provide different kinds of services to entities involved in handling 911. So there isn’t one thing to attack. Maybe one provider that has a lot of customers can have an issue that affects many 911 calls around the country, but even then, it’s difficult to take down the 911 system in the United States because there isn’t one.