Panelists discuss current ransomware attacks, public safety’s need to coordinate cybersecurity efforts
To date, public-safety answering points (PSAPs) have not been victimized by ransomware, but that does not mean they are immune from these attacks or others, English said.
“Today, they can take over everything,” he said. “Every time you turn your computer on, every time you turn your TV on—many of which are connected to the Internet or your wireless networks—you are susceptible to cyber crime. There is a cybersecurity risk in an IP network, by its very nature. Now, there are ways to protect it, but the risk is there.”
Cyber attackers have increasingly sophisticated tools they can use to initiate attacks on enterprises and plenty of motivation to use them against any enterprise, according to David Simpson, chief of the FCC’s public-safety and homeland-security bureau.
“Those toolkits [used to execute cyber attacks] are cheap, or free,” Simpson said. “And there is a high payoff for the attacker. In particular, there is a high payoff when the attack is against a society or an organization that is highly interconnected. Well, if public safety isn’t the epitome of highly interconnected, I don’t know what is.
“So, there is a low cost of entry, high payoff for the attack, and low consequences for the attack. How many hackers have you seen put up in shackles and standing before the judge for their attacks? Not a whole lot. And it’s difficult to say, ‘Well, we’ll attack back.’ And take what from them—their information system? They’ll just hop onto another information system. This is not a symmetric battlefield. It is an asymmetric battlefield, because they can take something that is much more dear to you than you can take away from them.”
With public safety’s access to a treasure trove of sensitive information, it is “a rich target for terrorists,” Simpson said.
Minimizing the risk associated with cyber attacks—none of the speakers indicated that removing the risk entirely is a realistic expectation—is critical throughout the public-safety environment. That means it is not enough for an individual PSAP or law-enforcement department to implement good cybersecurity practices; all of those providing data to the entity or accessing data from the entity also need to follow similar practices, or hackers can find a way to infiltrate the systems.
“As we look at this, we have to look at it from an entire emergency-communications ecosystem,” Ron Hewitt, director of the U.S. Office of Emergency Communications (OEC), said. “Because, as we all move to an Internet Protocol [IP] environment, everything is connected, one way or another.
“We’ll go out and do an assessment of [an entity’s] network, and they say, ‘It’s a virtual private network, so we’re safe.’ [And we’ll say,] ‘Yeah, but your router also has an Internet connection. And, if you have an Internet connection, you can get ahold of it.’ There have been a few labs that are showing that they can track your computer keystrokes, just putting a virus in your system that puts out an RF frequency that they can actually track.”