IWCE 2022: Public safety digital security and the threat of cyberattacks

A few decades ago, government security managers were tasked with overseeing physical features like fencing, CCTV cameras, doors and locks. Today, security stretches far beyond brick and mortar infrastructure—into the digital realm. With the meteoric rise in ransomware and cybercriminals for hire in recent years, threats are omnipresent online. Many American dispatch centers and public safety organizations aren’t prepared, according to experts on the subject speaking at last week’s 2022 International Wireless Communications Expo (IWCE) in Las Vegas, Nev. 

“Public safety is one of the most under-protected infrastructures in all of North America. We all protect our phones more than we protect 9-1-1, and it should not be that way,” said Paul Hill, a cybersecurity expert from Motorola speaking on a panel about the subject moderated by Dick Tenny, of the Cybersecurity and Infrastructure Security Agency. 

Hill was speaking alongside Lindsey Cerkovnik, vulnerability disclosure lead at CISA’s Industrial Control Systems and Chief John Harch, of the New York Police Department’s intelligence bureau, in a session titled “Ransomware and public safety comms: A municipal perspective.” 

In New York City, Harch described his organization’s journey to its current comprehensive approach to digitization and cybersecurity, citing a decision in 2014 to distribute a cellphone “to every uniformed police officer. The point of that was to give them access” to cameras, 911 scripts and prior reports tied to a specific address. 

“On my work phone, I can pull up any camera in the city. I can pull up license plate reads from anywhere in the city,” Harch said, highlighting just how far the department has come. Amid the push toward smarter policing, in 2017, he cited a cyberattack in Atlanta that “virtually shut them down. … Cops are writing everything by hand,” he said. 

This prompted his department to take a serious look at their cyber-defense measures and respond accordingly. 

“We started to look at what we did, as an agency. We were fortunate in that we had looked at this from a criminal perspective for a long time,” he said. Department-wide, there was an understanding that cyberthreats weren’t just a digital problem. “This, for New York City, is a public safety issue. That was our real focus. In New York City there are 25,000 911 calls a day. If my 911 system goes down, there’s real public harm.” 

Citing the Colonial Pipeline Cyberattack, Harch said his organization has seen a “significant step up in danger levels” over the last few years. To meet those threats head-on, New York City created the NYC Cyber Critical Services and Infrastructure (CCSI) Project, an office that facilitates networking between public and private organizations, alerting them to possible security threats. Participating organizations include energy operators, water facilities, hospitals, public safety, airlines, banks and technology companies. 

“We decided about a year ago to start to expand that to cyber-attacks, cyber information,” Harch said. These days, the office has a board and has a steady stream of volunteers who host training events and get ahead of online threats through awareness, crisis response and information sharing. 

As a testament to its effectiveness, Harch said when The Brooklyn Hospital Center was hit by a cyberattack in the last year, “We were able to get a team in there within a day.” 

In comparison to New York City—a metro center of nearly 8.5 million people—bringing up to speed legacy communication and administrative systems might seem like a difficult mountain to climb. 

“Cybersecurity is a journey, not a destination,” Hill said. “But you have to take that first step and ask, ‘how do I improve security on my network?’”  

In helping communities address cybersecurity threats, Hill said he’s realized one thing: “People are always going to be the weakest link in the chain. Every single time.” From opening suspicious emails to following malicious links, “it always could be avoided.” 

Responding to a question about the vulnerability of land mobile radio systems, which are generally considered to be more secure than more modern broadband telecommunication setups, Hill noted, “These attacks are happening. I travel quite a lot. I just got back from Saudi Arabia, and one of the reasons I was there was because an insider decided to do something, and it took down comms for the whole country.” 

Beyond those security concerns that are within an organization’s ability to contain, through training or otherwise, “The viruses of today are different. They’re designed to destroy. They’re designed to destroy and take systems down,” he said. “The important thing is that you’re doing something. And if you’re doing nothing today, take that first step. Start your agency on a journey—and it’s a continuous journey that will never end. It’s part of what we do forever, now.”