Latest attacks underscore need for cybersecurity in next-generation critical communications
A 911 caller, an expert or even an off-duty officer claims to have information vital to a response situation—maybe a picture/video of a perpetrator committing a crime, medical records or a diagram that clearly shows how to defuse a bomb—but the item is flagged as not meeting security criteria. Murphy’s Law dictates this will happen when a first responder does not have much time to take action.
My guess is that everyone has opened an e-mail attachment that was said to lack some sort of security certificate or designated as a possible phishing mechanism, if it was from a trusted source who was delivering timely information (particularly something you had discussed previously). Personally, these have seemed to be harmless.
But what if the trusted source had his/her device compromised by a hacker the previous day without knowing it? What if the trusted source is not a human, but some sort of sensor or surveillance device that is being accessed via the Internet of Things? What if the source is not trusted or even known to be a bad actor?
From a system-security standpoint, it could be argued that the system policies should dictate that such communications be blocked or quarantined in all circumstances. But others believe that humans associated with first-responder agencies should have the ability to override such security flags, particularly when delayed access to the information could endanger an individual or the community.
If the message is blocked and its information proves to be critical, the aftermath will not be pleasant—particularly if the security issue turns out to be something relatively minor. On the other hand, if a human's override of a security warning results in a system being compromised—thereby jeopardizing potentially many lives—another unpleasant aftermath will transpire.
I don’t know enough about cybersecurity to pretend to know what approaches are effective and which ones are not. But Patrick Flynn, Intel Security’s director of homeland/national security program, is qualified to know the difference. With this in mind, I was encouraged by Flynn’s initial assessment of the cybersecurity language included in the FirstNet request for proposal (RFP).
“This network, it can’t fail,” Flynn said. “This is not a business-as-usual type deal. People will die, if it fails. So, it’s got to be a cut above. It’s got to be a cut above.”
“It’s not business as usual. You have to anticipate the very worst in this. I think, as you read the RFP and the 60- or 70-page cyber annex, it’s very specific about what it requires. It was something very, very close to my heart that they took all of the feedback and all of the advice that the industry gave from a security-practitioner way of doing things. It’s very, very complete.”
I hope so, and I hope that FirstNet’s cybersecurity scheme can be coordinated with other critical-infrastructure networks to which it will be linked, particularly 911 systems. Meanwhile, the difficulty of this cybersecurity task is just one more example of why I’m glad that my job only entails writing about this stuff, instead of being the one responsible for making the critical network and operational policy decisions.