Cybersecurity experts outline challenges associated with FirstNet, other public-safety communications
FirstNet plans to provide state-of-the-art cybersecurity by employing innovative methods that offerors are expected to propose in the request-for-proposals (RFP) process, but the entire public-safety community needs to take action to help ensure that subscriber agencies are not negatively impacted by cyberthreats, according to a panel of cybersecurity experts.
FirstNet’s cybersecurity goal—outlined in the RFP, which calls for proposals to be submitted by May 31—is “ensuring end-to-end security for the FirstNet network,” according to Glenn Zimmerman, senior security architect for FirstNet. There
“Each of the subdomains that comprise the FirstNet network have to stand on their own and be secure,” Zimmerman said during a cybersecurity panel conducted at IWCE 2016 in March. “And, when you put it all together, the holistic aggregate of those subdomains needs to be secure, as well. That means what we’re looking for is designing offsets within each of those domains to counter a failure in another aspect of the overall network.
“There is never, from a planning perspective, the assumption that anything is fool-proof. The reason is that fools are actually pretty ingenious. They’ll figure out a way around almost everything. That’s why you have to have means and methods to counteract and mitigate those threats, capabilities and inherent weaknesses.”
Patrick Flynn, Intel Security’s director of homeland/national security programs, said this philosophy makes sense, noting that FirstNet is going to have a “giant target on its back” in the eyes of hacking community and “you’re going to get hacked, so you better have a good sandbox.”
Indeed, Intel already is seeing a notable proliferation in the occurrence in the cyberthreats launched against its own existing customers, based on its global database of cyberattacks, he said.
“Do you know how many times it receives hits in a day? 4 billion hits a day—things that are changed, things that are bad, things that are manipulated, that sort of thing,” Flynn said. “That’s the dynamic nature of the profession that we choose today in security—it’s very, very dynamic.”
Flynn applauded the FirstNet approach to cybersecurity, because cybersecurity is being integrated into the nationwide public-safety broadband network (NPSBN) from the design phase and the RFP allows enough flexibility for vendors to propose innovative approaches to address the difficult problem.
That was by design, according to Brian Kassa, FirstNet’s director of technology planning and development.
“Engineers love to write requirements … and we could have written an RFP that had 10,000 requirements,” Kassa said. “But, when you write a requirements-based acquisition, you start limiting the creativity that potential offerors could bring. So, we went with an objectives-based RFP.”
“When we start to get responses back and hopefully make an award late this year, we will fully understand what our cybersecurity solution is. But until then, it’s safe to say that Glenn and I are kind of like kids at Christmas: We know Christmas is coming, we see stuff starting to show up under the Christmas tree, and we’re kind of excited to see what may be coming shortly.”
