Critical Infrastructure Resilience
911? We Have an Emergency: Cyberattacks On Emergency Response Systems
Cyber problems are people problems. When thinking about “cyber,” many people automatically default to thinking about interconnected hardware or software. This is not entirely incorrect. Interconnected computer systems are part of “cyber,” but people (or “wetware”) are too. People design software and construct hardware. People convert the data that flows through cyberspace into information. People connect networks.
For interconnected information systems to work properly, people must be able to trust the information and instructions transferred between them. The same concept of trust is what allows societies to function. Members of society must trust in the systems they depend on. When people do bad things, they are often deemed corrupt. The same is true of bad information. For example, both can be corrupted through transmitting compromised data (data integrity issues) or transmitting bad instructions (a virus). If a computer system or society is corrupted, it eventually ceases to function toward its intended purpose.
Some malicious actors seek to undermine the trust citizens have in each other and their government. One way in which a malicious actor can further undermine trust in society is by targeting a critical sector, such as emergency services. According to publicly available materials, the tactics targeting U.S. 911 emergency services have been employed only by individual hackers who lack nation-state resources and access to emergency services information systems. Yet, despite these limitations, hostile actors have targeted emergency services through multiple vectors, including hardware, software, and wetware. Given the scale of the problem at the local level across the U.S., the insufficient attention paid to the problem compared to other governance issues, and the dependence of everyday citizens on emergency services when they find themselves in a crisis, malign nation-states could easily employ these same tactics on a larger scale—not only to compromise emergency services during a crisis but also in a much more strategic sense to further undermine the trust many Americans have in their government system and taxpayer-funded services. This hard-earned, yet already tenuous trust—which accumulates over many years—can vanish rapidly and without warning.
The ability of malign countries, such as Russia, to access U.S. critical infrastructure (for example, U.S. power plants) is an increasingly dangerous reality. Although emergency services are one of the 16 critical sectors in the United States, they generally garner significantly less attention and resources than other sectors, such as the defense industrial base or energy. Given the U.S. government’s active decision to consolidate risk into three national power grids, the U.S. energy sector in a crisis could impact more people at scale than localized emergency service providers. Thus, the energy sector understandably receives additional monitoring and physical protection, given the potentially catastrophic consequences of an attack. Methodically targeting emergency services through minor mishaps (such as through repeated denial-of-service attacks) over time will lead to a slow decline in trust, which ultimately makes them an ideal target.
When services provided by the government are unreliable or accessing them is arduous, the people using the services are bound to become frustrated and over time will lose at least some faith in their government and institutions. Already, residents complain about excessive wait times when dialing 911 due to emergency services incorrectly assigning non-emergency calls and a lack of available 911 operators. Imagine how much faith a resident would lose if they lived in Portland, Oregon, where some 911 callers were forced to wait more than five minutes for an operator to respond. Imagine the caller’s fear, anxiety, and frustration. Imagine all the horror that could happen in those five minutes. How much longer must someone wait on hold during an emergency, waiting for potentially life-saving help, before they lose faith in their government? To sow even more distrust, a nation-state actor could add 30 seconds, a minute, or perhaps longer to that time via repeated distributed denial-of-service attacks on 911 services or via an intermediary that facilitates the operation (a cutout), perhaps by bribing an underpaid 911 operator to delay answering or even drop an emergency call. This wait time is just enough to matter for an emergency caller facing a life-or-death situation but likely not enough of a delay to indicate that 911 services have been compromised.
Since the first documented hack of emergency services in 1997, independent hackers have significantly increased the scale of their attacks on this critical sector. This is due to various factors, including a reliance on aging emergency software programs, outdated hardware, and a disturbing lack of morale among 911 operators. As the director of Utah’s emergency communication centers notes, “People could get more from other jobs with less stress and more pay.”
Undoubtedly, the vast majority of 911 operators are unacknowledged heroes. They report to work every day to literally help put out fires. However, in many places, emergency service operators are paid very little, approximately $15 per hour. They frequently do not receive proper training, are overworked, and are often forced to take the blame when things go awry during emergency calls. Across the country, 911 operators have complained of low pay, low morale, and bullying by supervisors, and of working very long hours. Given these conditions, a malicious actor could target and bribe vulnerable emergency services insiders to provide privileged access to internal systems or even delay or drop calls.
The frequency and intensity of cyberattacks on emergency services will likely only worsen as individual states move toward Next Generation (NG) 911 services. Today, in most places using current 911 services, emergency calls can be made only via a voice call. As part of the next evolution in emergency services, NG 911 proposes that all future emergency calls can be made through voice, text, or video from any communications device that can send and receive messages via the internet. Additionally, NG 911 services will connect to various new sensors and existing systems and databases, further enabling emergency service providers.
Accordingly, NG 911 services are often presented as the solution to vulnerable emergency systems. While software replacement—including capabilities for GPS location tracking—will certainly improve emergency services, connecting more sensors and devices to NG 911 services will enlarge the emergency services attack surface and add entry points through which malicious actors can infiltrate and wreak havoc on emergency response systems. It will also allow for SQL injection attacks, in which crafted input fed into the NG 911 systems is executed as database instructions, granting malicious actors the ability to delete, corrupt, or steal database information that they otherwise would not have access to.
Hardware upgrades, like moving away from copper phone cables and toward fiber-optic cable to transmit higher quality data more quickly, are also welcome. However, these “outdated” communications media are perhaps the strongest link in emergency services, since copper wires are not connected to the internet and therefore cannot be exploited via cyberspace. That said, copper wiring is notoriously “noisy,” meaning it puts out electromagnetic radiation, which could lead to signal leakage and possible collection by malicious actors.
These issues can be addressed only with adequate resources from the federal and state governments. Investments in hardware and software upgrades, and a focus on attracting people with an interest and the right skills, to accommodate the demands of the NG 911 services must be matched with investment in cybersecurity skills for their operators and the right tools to keep the systems safe. The increasing connectivity of the system means this funding cannot be patchwork, as “playing zone defense” leaves the network open to attack at its least-resourced areas.
The government can accomplish this goal with funding that is channeled to several critical areas for maximum impact on resiliency. The first is hiring, training, and adequately compensating professionals who can protect the 911 systems. Attracting and retaining top talent is difficult for major corporations and especially challenging for organizations as resource-challenged as 911 centers. Framing these opportunities as launchpads to more lucrative cybersecurity careers will incentivize aspiring cybersecurity professionals to join the emergency services sector, where they can gain valuable experience while also improving a critical public system. This can be accomplished via veteran-transition programs that offer certification and an entry-level career pathway to individuals with a proven track record of service in high-stakes capacities. Other options include an apprenticeship model, where entry-level cybersecurity jobs in 911 systems include certification as part of the journeyman process and a minimum contract length to ensure a return on investment. While this model does have the downside of high turnover, it provides most 911 call centers with cybersecurity partners who can work with their current teams in case of an attack, serving as an unofficial reserve capacity.
The 911 system is unlikely to see major increases in federal funding or support, making it necessary for the NG 911 administrators to plan for personnel and qualification constraints in the system. With those constraints in mind, 911 systems could be an excellent early test bed to select and implement tools that assist humans with maintaining system security. One option is a project the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA) are currently working on, known as CISA Advanced Analytics Platform for Machine Learning (CAP-M). This initiative is an artificial intelligence (AI)-based analytics sandbox designed to help train professionals in analyzing, correlating, and enriching data about threats. Programs like this offer pathways to reduce the personnel demands of quality cybersecurity, teaming crewed and uncrewed systems to increase efficiency.
There are precedents to draw from for integrating AI solutions. Companies such as LinkedIn and Microsoft have had successes in detecting and defeating cybersecurity threats using AI-enabled technology since at least 2017. Currently, commercial solutions such as IBM’s Security QRadar Advisor are seeking to integrate AI to complement human cybersecurity teams, helping them make faster connections between attack indicators, identify patterns, and handle alert management. While AI will not be a total solution any time soon, building out the NG 911 systems to handle and integrate AI security partners such as CAP-M is an excellent way to mitigate the challenges brought on by 911 centers’ fewer, less capable resources. Additionally, integrating AI into emergency services’ cybersecurity efforts could provide a test bed for agencies such as the Department of Homeland Security and CISA to refine their integration of AI into the protection of other vital systems such as electric grids, defense computing, and more.
Federal funding for NG 911 systems cannot be an afterthought in programs such as the cybersecurity workforce accession concept described above or in partnering with AI solution providers. The U.S. 911 system suffers from decentralized funding sources composed of a mesh of local and state funding supplemented through federal grants. It is not enough. A nationally secure system needs stable funding levels—established by a regular funding provision in the federal budget—across its breadth to ensure all the nodes have the appropriate hardware, are staffed by professionals with the right skills, and have the right tools available to effectively secure 911 centers.
The growing threat presented by malicious actors around the globe to erode Americans’ trust in the U.S. government (or potentially disable U.S. emergency services during conflict), and the startling weaknesses in the 911 system, can be addressed with increased funding. This becomes only more crucial as the system moves toward fully implementing the NG 911 initiative. Its long-term success will take a concerted investment in talent to defend the systems, tools to help those defenders in the context they operate within, and a steady line of funding to make those investments a reality.
As discussed above, cyber problems are people problems. The systems people depend on, both social and technical, are based on trust. Trust is built over time and tapped into during an emergency. It is time the United States begins building resiliency around U.S. society’s common trust reservoir by hardening its emergency systems. Continuing to undervalue emergency systems’ cybersecurity will further undermine the trust that undergirds any well-functioning society. It is backing words with action that will restore trust in the emergency systems that people depend on and the trust they have in the political system. Until the American people pursue a common purpose in securing and hardening their interconnected systems, both technical and social, adversaries will target U.S. vulnerabilities and exploit the systems Americans depend on when they are most vulnerable.