FirstNet seeks to ‘rock the cyber world’ with security input via special-notice proceeding
FirstNet will issue a special notice this month to initiate a proceeding that is designed to identify the cybersecurity requirements that will be included in the request for proposal (RFP) for the much-anticipated nationwide public-safety broadband network, FirstNet’s cybersecurity expert said during the Industry Day event last week.
Glenn Zimmerman, FirstNet’s senior security architect, said that the special notice will be issued in September and that officials are seeking responses that lead to FirstNet “formulating a solution that is going to be innovative and is going to essentially rock the cyber world.” The special notice will include a draft of the C-10 cybersecurity section that was not included in the FirstNet draft RFP that was released in the spring.
“This will be where we will lay out the framework of what our expectation is—from an objective standpoint—for cybersecurity within FirstNet,” Zimmerman said during the Industry Day event, which was webcast last Thursday. “Now, this will be as detailed as we possibly can, and we will lay out something that has never been done: We will have you develop the requirements to address the objectives, which will generate the requirements.
“Now, if that sounds convoluted, then I’ve successfully presented exactly what I meant.”
FirstNet has a key advantage in its efforts to make its first-responder broadband network secure, because security will be a key component of the initial system design—a characteristic that has been missing in the many high-profile enterprise and government data breaches that have been publicized in recent years, Zimmerman said.
“How do we fix these issues, and are they fixable?” he said. “Interestingly enough, the solutions are not that difficult. What is identified as the most prevalent and insidious source of all of these breaches is that—without exception—every one of the networks has never had cybersecurity addressed from its initial design. Literally, security was a bolt-on; it was not an intrinsic component of what the network was supposed to provide.”
But making the FirstNet system as secure as desired will not be done simply by following existing best practices—new ideas are required, Zimmerman said.
“We need a model that is agile, nimble, responsive, adaptable and capable of keeping pace with the needs of that organization,” Zimmerman said. “How do we create this new cybersecurity paradigm? That’s why we are talking to you.
“Because one thing we have adopted from Day 1 is that simple compliance does not equate to security. Successfully marking boxes on a checklist means you’ve only succeeded in one thing that we can verify: You have successfully marked boxes on a checklist. It doesn’t equate to actually securing your network. It doesn’t relate to things being done that they’re supposed to. It simply means that you’ve reported that you have.”
Instead, FirstNet officials hope the special-notice proceeding will yield new ideas from all stakeholders—public safety, industry and consultants—that can be included in the final RFP, which is scheduled to be released by the end of the year, four months from now, Zimmerman said.
“We’re looking for innovation,” Zimmerman said. “Do not be constrained by what you have seen before or done before, although I don’t want to ignore any successful things that you’ve accomplished in the past. But the key is that we want to look at doing things a different way. Doing things that make sense in the FirstNet environment are effective, reliable and reproducible.
“Our goal long term is not simply to have a network that is secure for the first six months of operation, but [to have a network] that will continue to remain that way throughout its lifetime. That means it has to be able to evolve, it has to be able to anticipate, and it has to be able to overcome. FirstNet will be the best network that we can possibly make it. It will be the most secure network we can possibly make it.”