Cybersecurity experts outline challenges associated with FirstNet, other public-safety communications
Designing and implementing a secure network is challenging, but the task is made even more difficult by the fact that FirstNet’s security and authentication solutions need to be easy and quick for first responders to use.
“My view and operating philosophy is that the best security is as invisible to the user as possible and requires minimal interaction on their part—it just works,” Zimmerman said, noting that technologies such as biometrics, pattern recognition and voice recognition could be leveraged in a potential solution.
Kassa said that this is one area where it is important that the larger public-safety community understands the FirstNet offering and adopts policies that integrates its cybersecurity protocols.
“At the end of the day, a public-safety agency can add security layers on top of what FirstNet does; that’s where it really comes down to policy,” Kassa said. “We may be able to provide some of the things that Glenn mentioned—biometrics and things like this—but if your agency policy says, ‘We don’t trust biometrics, and I have to use a 15-character, upper-case, lower-case password,’ and a police officer has to type that in, something has gone horribly wrong.
“Security has now potentially interfered with (1) his ability to do his job, and (2) his very life safety. You have to consider—if you are a public-safety agency that is going to be coming onto FirstNet, to really look at what we’re going to offer within the FirstNet network and see if that’s going to meet your security policy. If it doesn’t, maybe look at your security policy to ensure that the two things mesh … The whole concept is that first responders need to be able to do their job, and cybersecurity should not prevent them from doing that. But it does need to protect them.”
Zimmerman said that FirstNet plans to vet equipment on its network that could provide the greatest potential security risks. But new technologies that provide communications interfaces to the public could be more problematic, particularly sensors and other devices associated with the Internet of Things (IoT), he said.
“Security is to the Internet of Things as shame is to a politician—neither have any; there are just blatantly stupid things that happen,” Zimmerman said, citing the example of an LED light bulb from an unnamed manufacturer that connects to the Internet. “It has no lockdown whatsoever and provides a wonderful direct gateway to your internal Wi-Fi network at home.”