GAO: Protect next-gen 911 from cyberattack

With multiple federal entities working on emergency response communications, GAO says DHS should take the lead.

The Government Accountability Office wants the Department of Homeland Security to work with the departments of Commerce, Justice, and Transportation and the Federal Communications Commission to ensure next-generation, IP-based 911 emergency response systems are not vulnerable to cyberattack.

The Next-Generation 911 (NG 911) technology that local Public Safety Answering Points (PSAPs) are installing in towns and cities across the nation relies heavily on IP and cloud-based technologies to handle emergency calls from the public, GAO noted in a report released Jan. 28. The next-generation technologies carry photos and other data-heavy packages such as building blueprints and maps to help emergency responders do their jobs, but those capabilities also can make systems more vulnerable to cyberattack, GAO said.

The National Public Safety Broadband Network being set up by the Commerce Department under its FirstNet initiative to improve communications among local emergency responders is also expected to rely heavily on IP-based communications.

The GAO report recommended DHS spearhead an effort among the five agencies to ensure the new, more feature-rich NG 911 emergency response systems are secure.

GAO said the list of possible cyber intruders that might interfere with, or even commandeer, 911 systems is a long one: insiders with personal grudges; thrill-seeking hackers; phishers intent on stealing personal identification information; spammers looking to sell bogus products or set up phishing schemes; and terrorists trying to disrupt emergency response or cause mass casualties. Natural disasters, like the powerful June 2012 storm that knocked out 911 systems in the Washington, D.C., area, could also disrupt new systems.

Last spring, a rash of crude denial-of-service attacks flooded PSAPs' administrative telephone lines with calls. FCW's sister publication, GCN, reported at the time that DHS had issued a notice saying there had been about 600 denial-of-service attacks on critical government phone systems and as many as 200 of those had targeted government public safety offices. The agency speculated the attacks were associated with extortion schemes.

The new GAO study looked to determine how federal agencies could coordinate with state and local governments' cybersecurity efforts at emergency operation centers, PSAPs and first-responder organizations involved in handling emergency calls. The study noted there are more than 6,000 PSAPs at the county or city level that answer more than 240 million 911 calls each year.

Although GAO said DHS has been working to ensure 911 systems' security through its Emergency Services Coordinating Council, it believed the new technology needs a closer look. DHS told GAO in a Jan. 14 letter that the latest version of its National Infrastructure Protection Plan (NIPP), released in December, integrates core cybersecurity considerations for critical infrastructure.

DHS concurred with GAO, however, that a closer look at NG911 services was in order. Under the newly revised NIPP, DHS said it is working with its partners across all critical infrastructure sectors to update sector-specific plans, and it will include NG911, as well as the National Public Safety Broadband Network, in those plans. The agency expects to complete the updated plans by the end of 2014.