Since the 9/11 attacks, the United States government has been increasingly concerned about the implications of cybersecurity on a technologically dependent society. While cybersecurity has been a significant priority for policymakers and the national security organizations of the United States, the intersection of cybersecurity and traditional emergency management remains less well-known, with relatively few agencies considering the cyber implications of their emergency management roles. This lack of awareness and preparedness leaves the public safety community at risk. It is safe to say that those risks are being exploited as we speak.
Let’s start from here: Nearly every emergency response in the United States today is dependent on computers, networks and other technologies that are vulnerable to cyberattack. I’m not just talking about the spectacular “cyber Pearl Harbor” scenarios that politicians often mention (as I write this, the news is filled with articles about how the head of the US National Security Agency announced that China has the capacity to disable the power grid of the United States via a cyber attack). I’m talking about the ordinary kinds of emergencies that are responded to thousands of times across the country every day. The house fires, the car accidents, the medical and law enforcement calls that are the bread-and-butter of most public safety agencies are all dependent upon technology, from the PSAP that answers the 9-1-1 calls, to the CAD and WebEOC systems, to the individual laptops, smartphones, and tablets carried by the responders in the field. As more networked technology is adapted for public safety use (such as public safety LTE, or “FirstNet”), the potential footprint of vulnerability will continue to grow – which is why those risks must be mitigated to the extent possible.
At this point, an emergency manager might say “Hey, isn’t this really an IT problem? My agency has an IT department. I don’t know anything about how the Internet or hackers work.”
The answer is absolutely “No. It is your problem too!”
If the effects of cyberattacks were strictly limited to the electronic world, one might safely leave the problem in the hands of (a hopefully capable) technical staff. But cyberattacks in the right circumstances have the capability to affect the physical world – the systems that public safety and critical infrastructure alike depend on. And that, emergency manager, is where it becomes your problem.
Emergency managers must shake off the notion that cyberattacks against their communities must look like something out of a Tom Clancy novel. Here are two recent examples of cyberattacks against public safety. Both of these examples are rather ordinary, and could happen on any similar incident anywhere in the country.
Example One: Carlton Complex Fire, Washington State.
The Carlton Complex fire earlier this year was the largest fire in Washington state history, burning an area roughly five times the size of the city of Seattle. Because of the remote location of the fire, communications and connectivity for first responders were ongoing challenges for incident managers (in fact, this was widely reported in the media at the time). In coordination with the FEMA TechCorps program, and at the request of the State of Washington ESF-2, our team responded to the south zone of the Carlton Complex fire, where we enabled mission critical communications for the Type I IMT managing that portion of the fire, as well as providing an open “morale” Wi-Fi network for approximately 750 firefighters and support staff.
While many teams have the ability to deploy Wi-Fi and other connectivity on the fireground, the security of the users and of those hundreds of devices is typically not considered. In short, there’s no such thing as a Chief Security Officer (CSO) at a brush fire! When we deployed to the Carlton Complex fire, we brought along a number of intrusion detection, network management, and application-level technologies with us. In short, we weren’t just providing a “dumb pipe” to the Internet, but one that assumed the likelihood of a cyber threat.
Initially, we started to detect incoming attacks against the users on our network on both the open and the mission networks. We do not believe that the first responders were under a targeted attack in this case, but rather our users were subject to the sorts of attacks that all users of the public Internet are subject to on a constant basis – everything from port scans, to compromised webpages that were taking advantage of vulnerabilities in users’ web browsers.
This next part is important: just because we could detect an attack or set a response posture did not mean we could unilaterally act to block traffic. We were in support of the IMT, and it would not have been appropriate for us to arbitrarily move to a more aggressive response posture. Luckily for us, the Communications Unit Leader (COML) and Communications Unit Technician (COMT) staff were aware of network security risks. When we went to them with data showing that the network and certain users were being attacked, we pointed out that we could move the network into a more protective posture (intrusion prevention instead of intrusion detection), and they agreed.
According to our data collection, in the four days that we were active on the fire, we were able to detect and block 30+ high risk or sophisticated attacks against users on our network, as well as defeating any number of more minor risks. Keeping the network operational and protected enabled the incident managers and firefighters to keep focus on where it was needed: on responding to the fire itself.
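To make the “detect first, block only once the IMT agrees” posture concrete, here is an added illustration (not code from the team’s deployment) that flags port-scan behaviour in constructed flow records and maps the same detection output to a detect-only versus a prevent posture; the threshold, window and sample addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (timestamp_s, src_ip, dst_ip, dst_port);
# made-up values, not data captured on the Carlton Complex networks.
SAMPLE_FLOWS = (
    [(t, "203.0.113.9", "10.10.0.21", 20 + t) for t in range(12)]        # sweeps 12 ports in 12 s
    + [(t * 5, "198.51.100.7", "10.10.0.21", 443) for t in range(6)]     # ordinary HTTPS use
    + [(t * 30, "192.0.2.5", "10.10.0.22", 8000 + t) for t in range(6)]  # 6 ports over 150 s, slow
)

def find_port_scans(flows, threshold=10, window=60):
    """Return {src_ip: distinct_ports} for sources that touch at least
    `threshold` distinct destination ports within any `window`-second span."""
    recent = defaultdict(list)   # src -> [(ts, dport), ...] still inside the window
    flagged = {}
    for ts, src, _dst, dport in sorted(flows):
        recent[src] = [(t, p) for t, p in recent[src] if ts - t <= window]
        recent[src].append((ts, dport))
        ports = {p for _, p in recent[src]}
        if len(ports) >= threshold:
            flagged[src] = max(len(ports), flagged.get(src, 0))
    return flagged

def apply_posture(flagged, posture):
    """'detect' posture only raises alerts for the COML/COMT to review;
    'prevent' additionally returns a block list, the step the text describes
    taking only after the communications unit agreed to it."""
    alerts = [f"port scan from {src}: {n} distinct ports" for src, n in sorted(flagged.items())]
    blocks = sorted(flagged) if posture == "prevent" else []
    return {"alerts": alerts, "blocks": blocks}

if __name__ == "__main__":
    hits = find_port_scans(SAMPLE_FLOWS)
    print("detect posture :", apply_posture(hits, "detect"))
    print("prevent posture:", apply_posture(hits, "prevent"))
```

The slow sweep from 192.0.2.5 stays below the threshold inside any 60-second window, which is the kind of low-rate activity that goes unnoticed unless someone is actually watching the field network.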
Example 2: Ferguson, Missouri.
Recent unrest in Ferguson, Missouri has made news around the world, and particularly challenged emergency managers and other public safety agencies responding to the situation. The Missouri State Police deployed a mobile command vehicle to support law enforcement operations in Ferguson, but according to media reports, the command vehicle itself became the target of an unspecified cyberattack:
“However, Thurston said that ‘Big Blue’ also became a target during the protests as the MCCV experienced its first real cyber threat. Thurston said that people were attempting to try and spoof communications from the vehicle at several times during the protests.
Thurston warned attendees at the conference from the law enforcement community that they need to place an increased emphasis on securing their communications. ‘Your communications are targets greater than you ever thought,’ he said. ‘There are groups trying to intercept your communications.’”
The Missouri State Police has not released any additional details about this attack, and it’s not clear from the context whether they were talking about spoofed radio traffic, or spoofed data traffic. Regardless, the incident is an example where a public safety resource was specifically targeted because of its role or mission.
A wakeup call.
These two recent incidents should serve as a wake-up call to the emergency management and public safety community that cybersecurity must move out from just being an IT responsibility to being part of good all-hazards planning. While there have been some large-scale cyberattacks (Stuxnet and Shamoon being two good examples), most cyberattacks against public safety are smaller scale, and may go largely undetected unless the attack causes significant disruption. Emergency managers need to consider their own vulnerabilities, as well as how to respond to potential disruptions. Here are some ways to get started:
- Identify the information security team within your own agency or organization. Go get coffee with them. Find out how they support your mission and how they respond to threats that may target your emergency management infrastructure. The goal here is to engage with your IT and security organizations, not just as the “make the printer work” people, but as partners who are committed to your mission success.
- Consider the security of field networks and resources. In my experience, hastily formed networks created to support specific emergencies are often not monitored for security issues, nor is the responsibility of incident response identified. This must change. Cybersecurity in field emergency response must actively be managed.
- Work with your partners to develop and test realistic cybersecurity scenarios against your responders, your EOC, or your critical dependencies.
- Consider who will own security policy and policy enforcement in situations where you have multiple agencies, and multiple devices showing up in mutual aid scenarios that all need to collaborate on the same networks and applications.
Cybersecurity isn’t just the job of the IT department or the private sector. Emergency Managers should work with their technical partners to identify cyber risks, mitigate them where possible, and plan and train for incident response. Disruptions to critical systems may complicate response or put responders or the public in danger. A failure of public safety to secure its own systems and plan for broader responses can leave people already affected by an emergency situation vulnerable to further victimization.