As the nation’s 911 call centers move into a next generation of technology that will allow them to respond to texts or even pictures from cellphone users who need emergency services, security experts said this important first line of defense grows ever more vulnerable to cyberattacks.
Ten years ago, most of the 911 call centers in this country were not connected to the internet. Now all of the nation’s nearly 5,900 call centers are moving toward completely digitized systems – but 80 percent of them are small operations with “no time to read primers or any sophisticated IT staff,” said Tim Lorello, president and CEO of the Odenton-based SecuLore Solutions, a cybersecurity firm that serves the public safety industry.
“A lot of people think, ‘I’m just a little guy. They’re not going to hurt me,’” Lorello said. “But public safety is our first line of defense. They can’t think that way.”
In October, the Maricopa Sheriff’s Department in Arizona arrested an 18-year-old man who posted a message on Twitter that, when clicked, continuously called 911, interrupting the service in areas of Arizona and at least 11 other states.
One of the affected agencies immediately contacted the Department of Homeland Security, whose agents quickly communicated with a host of other agencies to stop the attack. They included the Federal Communications Commission, the Association of Public Safety Communications Officials, the National Emergency Number Association (NENA), the National Association of State 911 Administrators, and the National Fusion Center Association as well as the major telecommunications providers.
One tweet, 12 states, two federal agencies, four public safety associations and several phone service providers.
“This is the kind of stuff I worry about right now,” Lorello said.
After the attack, DHS issued the following statement: “The Department of Homeland Security continues to work with federal, state and private sector partners to mitigate the effects of recent Telephone Denial of Services attacks affecting Public Service Answering Points (PSAPs) in various states. Upon becoming aware of the incident, DHS immediately began disseminating information and mitigation strategies to state, local, tribal and territorial partners to protect their PSAP systems. The incident is currently under investigation.”
At least 12 states in multiple geographic areas were affected, with multiple 911 call centers affected in each state, a DHS spokesperson said. The department was not aware of any mechanisms that were used to spread the malware.
DHS is among many public safety agencies that are encouraging 911 call centers to evaluate their risk at this time, the spokesperson said. Denial of service attacks are to be reported to telephone service providers and the FBI. The agency also referred public safety officials to the Alexandria, Virginia-based NENA for a best practices review to minimize risk in a denial of service attack.
“The advice we are giving 911 call centers at this time is related specifically to responding and mitigating the effects of the attack,” Trey Forgety, NENA’s director of government affairs, said.
There is “no way to directly influence attackers to not attack,” he said. But there are plenty of steps that 911 operators can take when an attack happens. If a caller unintentionally perpetrates an attack through a third party who has hijacked his or her phone, for example, operators can find out the make of the phone and the service provider, and have the caller reboot his or her phone.
This kind of preparation doesn’t involve a lot of resources, which is good, Forgety said. Because 911 call centers have worked so well historically, state and local governments have become “complacent” about making cybersecurity resources available.
That is changing, though, Forgety said, in part because of a public safety cybersecurity conference held earlier this year in Columbus, Ohio, that brought together the tech types and politicians who oversee 911 centers.
“In public safety, we don’t like to talk about vulnerabilities,” he said, adding that now it is important to talk “long and loudly about the problem.”
Paying for firewalls
Back in Maryland, Lorello agreed that 911 operators need better training, as well as more funding.
“Better firewalls are going to take money and that is hard for small 911 centers,” he said. “Many centers can’t buy a $100,000 firewall.”
He cited another 911 call center attack, this one in Tennessee, where hackers used ransomware to break into the call system and shut it down, demanding a payment to get it started again. But the center operators chose to pay computer experts to repair their system, relying on backups until they could get back online – 36 hours later, Lorello said.
“Thirty-six hours is too long to be out of commission.”