The move to an Internet-based 911-system in California comes with the promise of faster response times and the ability to send first responders valuable video and text messages. But it also carries a host of potential vulnerabilities that could disrupt emergency services.
“We need to keep in mind, that as we move forward, cybersecurity is a greater concern than ever before,” California Office of Emergency Services Director Mark Ghilarducci told a legislative panel on Wednesday.
Ghilarducci delivered his comments before the Joint Legislative Committee on Emergency Management, which convened the two-hour hearing to examine California’s move from its legacy 911 system, designed in 1980 for landline phones, to what is known as next-generation 911.
Like many other states, California is developing an Internet protocol-based system intended to harness the latest technology and create an emergency response network that’s more efficient and effective. The idea is the growing number of wireless phone users will be able to send digital information through the 911 network, via California’s Public Safety Answering Points (PSAPs), to first responders.
The simple act of connecting the PSAPs over an IP platform brings a greater potential for a cyberattack, Ghilarducci told lawmakers. Such attacks are already occurring, he added.
For example, 911 callers who use a cellphone are routed through a mobile switching center rather than connected directly to a PSAP, allowing a hacker to potentially change the location of callers who need assistance, an act known as spoofing.
Other cyberintrusions that have plagued emergency services include instances where malicious actors: use non-registered burner phones to call in reports of an event to lure police response; flood the system with calls preventing legitimate calls from getting answered; install malicious software known as ransomware onto computer systems; or insert themselves into the communications between callers and first responders and the PSAPs.
Just a few weeks ago, a Bay Area agency was a victim of ransomware, Ghilarducci told lawmakers. He did not disclose the agency, and an OES spokeswoman had not responded to Techwire’s inquiry by deadline.
“All of this doesn’t mean that the next-gen 911 is ultimately unsecure,” Ghilarducci said. “We do believe that proper training of staff and encryption of data and hardening of PSAPs and network data provider databases is going to be really important.”
Specifically, Ghilarducci said it was critical the state partner with the private sector to address such cybersecurity threats and share information as California builds out its next-gen system.
“Our communities and our citizenship should not be held hostage to cybersecurity threats that have the potential to cut them off from access to 911 and our law enforcement, fire, emergency medical first responders,” Assemblymember Freddie Rodriguez, D-Ponoma, said before he closed the hearing.
Rodriguez pledged to pursue legislation next year that would ensure reliable funding for the deployment of a secure next-gen system, which is estimated at $900 million. That’s money the state doesn’t have in the dwindling account that pays for the current 911 network, upgrades and new equipment. Revenues collected in the State Emergency Telephone Number Account have fallen steadily since 2008 thanks to an outdated statutory user fee designed for landline users.
