Texting 911: Why States Can’t Wait for Next-Generation Services

The 911 alert was clear enough: The San Bernardino, Calif., woman was having a heart attack. But this 911 call was different: The woman was deaf and couldn’t use a regular phone. She texted and emergency responders saved her life.

Across the country in Bartholomew County, Ind., an early-morning 911 call ended abruptly after the dispatcher heard a voice on the line call out “drop the weapon.” Unable to reconnect the call, the dispatcher was able to text with the caller, directing police to defuse the situation.

Americans are more than twice as likely to text as call using a cell phone, according to market research from Nielsen. Yet across the nation, texting 911 is more likely to result in an automatic bounce-back message than emergency response. Despite Federal Communications Commission rules encouraging text-to-911 capability, only about 850 of more than 6,500 nationwide 911 call centers were equipped to take text messages as of March 2017, according to the FCC.

The issue is particularly acute among the disabled, especially those with speech or hearing impairments.

Vance Taylor, Chief Office of Access and Functional Needs, California Office of Emergency Services

“In California alone, you’ve got almost a half million people who are deaf or hard of hearing,” says L. Vance Taylor, chief of the Office of Access and Functional Needs in California’s Office of Emergency Services (Cal OES). Text 911 is only available in about 10 percent of the state. “For them, and for individuals with speech-related difficulties, 911 has been and continues to be a limited resource.”

Technologically, today’s 911 systems have advanced only slightly since emergency calling was instituted in the 1960s, built on an analog system of hard-wired connections that has only slowly adapted to today’s wireless and internet-connected world. Meanwhile, the rest of the world has changed. Back then, every call came from a conventional landline. Today, more than 80 percent of 911 emergency calls come from mobile devices and many homes no longer have landlines, instead relying on mobile or voice-over-Internet Protocol (VOIP) connections. That presents problems for a system designed generations earlier.

Future Next Generation 911 (NG9-1-1) systems will support improved connections, high-speed location data, text, photos and video. But it could take a decade or longer to bring those systems online across the country.

The National Emergency Number Association (NENA) is developing standards for NG9-1-1 and in some parts of the country, communities have begun installing next-generation systems. Massachusetts and Indiana are both nearing completion of statewide efforts. In other areas, individual counties and groups of counties launched programs and began seeking information and proposals from vendors to replace their legacy 911 systems.

“Today’s 911 system is built on technology that was built in the 1960s and ’70s and deployed in the ’80s and ’90s,” said Trey Forgety, NENA director of government affairs, at a March 29 hearing of the House Energy and Commerce Committee. “These systems make it very difficult to move calls around, ensure availability and defend networks against new forms of attacks.”

Procurement and installation will take time. California, the nation’s most populous state and often a national trendsetter, developed an NG9-1-1 plan and signed contracts with several suppliers in 2016, but officials there believe they still need a more comprehensive game plan. That plan is now in draft form and should be completed by June, according to Walter “Budge” Currier, 9-1-1 Branch Manager for Cal OES. Once approved, he aims to begin discussions with local community public safety access points (PSAPs), or 911 call centers, in July, followed by vendor discussions in August.

With 443 PSAPs across the state, each controlled by local sheriff and police departments, the transition will be a major challenge, involving hundreds of different state and local governments and organizations. Currier’s office has full jurisdiction to drive the process. Even so, he acknowledges the state can’t wait for NG9-1-1 before providing text access to emergency services.

Only about one out of 10 PSAPs in California supported text-to-911 as of March, Currier says, but by summer’s end, the number of text-capable PSAPs will more than quadruple to nearly 200 — nearly half the state.

Cellular phone service providers have six months from the time a PSAP alerts them they are capable of accepting 911 texts until the time they are required to deliver such messages, according to FCC regulations. Most providers beat the deadline. But turning on 911 service requires more than just technology. The community must be alerted, and attention must be paid to neighboring jurisdictions, as well. PSAP coverage areas don’t necessarily follow county lines, and highways, mountains and rivers may be all that separate two coverage areas. If a service works on one side of the highway and not the other, the community doesn’t have a reliable solution.

“We’re trying to deploy it on a county-wide basis so that whole groups can go at once,” Currier says. When a citizen texts 911 and there is no system in place, cellular carriers are required to provide a bounce-back message alerting the sender that the message was not delivered. That takes time that cannot be spared in most emergencies.

The state originally considered waiting on text-to-911 service until NG9-1-1 was online. But once it was clear that would take years, it became obvious an interim solution was necessary. Adding text-911 services to existing services is relatively fast, simple and inexpensive.

Fairfax County, Va., installed an interim text-to-911 system in 2015, even as it was preparing for an NG9-1-1 build out. Similarly, New York City – among other jurisdictions – seeks an interim text-to-911 capability to provide a bridge to the future and NG9-1-1. Waiting might make fiscal sense, but not fielding a short-term text solution doesn’t square well with the public.

“How do you tell someone with an autistic child who can only text, ‘Sorry, we don’t have an emergency call system for you?’” says Ed Naybor, a vice president with General Dynamics Information Technology, prime contractor for Massachusetts’ NG9-1-1 system. “It’s hard to wait.”

Taylor, of Cal OES, goes a step further: “This is a basic system and service,” he says. “It’s something we want everyone to have access to.”

NG9-1-1 will go much further, notes NENA’s Forgety. “NG911 has native support for voice, video, text, pictures and data and built in resiliency and reliability features,” along with the ability to map and visualize in three dimensions where a call is coming from inside a building, which is critical in big cities where apartment and office towers can rise up 30 or 50 stories or more.

Taylor acknowledged how valuable those features will be someday, but he argues advances are needed now, not just when those are ready later. “It’s easy to get lost in the cool factor of a next-generation system that will support photos and video and all that stuff,” he says. “But text is an imperative. Waiting isn’t an option.”

Adds Currier: “It’s an interim solution we need so we can reach as many folks as we can – today, not a couple of years from now.”

Text technology is also evolving. Today’s short message service (SMS) standard wasn’t designed with emergency communications in mind.

“Although users may equate texting with real-time communications, that’s not accurate,” says Stephen Ashurkoff, Director of Public Safety Solutions at GDIT. SMS messages are burst communications and can be delayed by numerous factors, from a weak battery to a weak signal.

“A user traversing the middle ground between two cell towers or riding in a vehicle travelling faster than 35 mph is likely to face delivery delays, as are users operating on two different cellular networks,” Ashurkoff says. “And since cell networks slow when traffic picks up, delivery may be slowest when it’s needed most.”

But SMS does have one advantage: It’s a standard supported by every U.S. wireless carrier. Indeed, it’s the only messaging standard that can make that claim.

Next-generation cellular networks and emergency services will replace SMS with something better, though exactly what is not yet clear. Currier anticipates communications so fast that characters will move as they’re typed. According to a white paper published by the Ad Hoc National SMS Text-to-9-1-1 Service Coordination Group (SCG), future networks will support Multimedia Emergency Services (MMES), for which the Alliance for Telecommunications Industry Solutions (ATIS) is the standards-setting body. “MMES will allow for simultaneous use of pictures, videos, text, and voice between an emergency caller and a PSAP,” the paper states. 5G MMES standards are still being finalized.

NG9-1-1 will revolutionize the way the public alerts first responders to emergencies. But for the next few years, as governments line up funding and secure plans for upgrading their 911 infrastructure, those same agencies will have to choose whether to invest in a short-term text-to-911 solution or risk lives by choosing to wait.

Border Security Concerns Aren’t Limited to the South

The U.S. border with Canada stretches 5,525 miles from Maine to Alaska, nearly three times as long as the southern border with Mexico. But securing the southern border consumes more than eight times the resources.

That could change.

All indications suggest the southern border is gradually becoming more secure. But as tougher immigration policies, improved infrastructure and new technology produce the desired results, officials say, early indications suggest activity may be heating up on the northern border. As with any other economic problem, constricted demand in one place creates opportunity somewhere else. “If you’re going to have a decrease in people coming across the border, you’re going to see an increase” in activity elsewhere, says Kate Mills, formerly director of legislative affairs for U.S. Immigration and Customs Enforcement (ICE) and now with the Monument Policy Group. Asked later about the northern border, she noted: “There is already an increase in Mexicans travelling to Canada.” Her implication: Some of those individuals are probably seeking an easier way into the United States.

The 1,989-mile-long border with Mexico is manned by more than 17,000 agents, while the northern border is manned by only about 2,000 border patrol officers, according to U.S. Customs and Border Protection (CBP) data.

Border security can resemble squeezing a balloon: Press on one end and it just pushes the air to the other. That’s why flexibility – in where CBP deploys forces as well as in which systems it employs in each location – is an increasingly important concern.

“Clearly the focus has been on the southern border, and appropriately so,” said Jay Ahern, a former CBP acting commissioner now with The Chertoff Group, a Washington, D.C., consulting firm. But the northern border has been largely taken for granted. Its great length, characterized by dense forest and the Great Lakes, poses significant challenges. “There has been a lack of resources put to the northern border.”

Manning on both borders has increased significantly since 9/11. The southern border expanded from about 9,000 to about 16,000 agents in that time, while the northern border patrol increased from about 600 to 2,000. Now, as Congress considers the president’s request to add 5,000 more officers, some are concerned that it should be left to CBP to decide where those forces should be deployed. In the past, Congress sought to set limits on how those resources were used.

It’s all part of a pattern in which people focus on the physical border and forget about the bigger picture. “Too often we focus on the border,” Ahern said on April 11 at the Border Security Expo in San Antonio. “We say: ‘Let’s build a bunch of fence, let’s hire a bunch of new agents for enforcement.’ But it has to be a really comprehensive plan.”

The plan requires coordination with foreign policy, across agencies – including with the State and Defense departments, strong border security controls and strong internal law enforcement – all with support from local jurisdictions and private employers – through programs like e-Verify, a system for proving eligibility to work.

CBP, Ahern said, “needs the flexibility to move resources to where the threat is.”

Along the southern border, CBP does that today, routinely shifting resources as the threat changes. Most recently, after strengthening the border in Arizona, attention has begun to shift to Texas’ Rio Grande Valley, which CBP now sees as its biggest current area of vulnerability.

Having the flexibility to quickly respond to changing threats is a critical piece of CBP’s strategy. The agency wants to invest in Relocatable Remote Video Surveillance Systems (R-RVSS), rather than permanent sites, because these trailer-mounted systems could be quickly hitched up to a truck and moved to where they can have the greatest effect. Fixed locations require site preparation, making them more expensive to install and complicated to move. CBP awarded the R-RVSS program to General Dynamics Information Technology (GDIT), of Fairfax, Va., under the Federal Aviation Administration Technical Support Services Contract (TSSC-4).

In a joint announcement April 11, GDIT and CBP said RVSS has achieved “Full Operating Capability” on the southern border, where GDIT built and installed fixed-location RVSS systems in Nogales, Douglas, Naco, Yuma, and Ajo, Arizona. Additional relocatable deployments are planned in McAllen and Laredo, Texas later this year.

CBP sought additional ideas for remote video surveillance in a January request for information. With both fixed and mobile RVSS systems already in place in the south, the agency plans to add them to sites along the northern border, including Buffalo, N.Y., and Detroit.

“Currently we use a variety of technologies” on the southern border, said Benjamin Huffman, chief of strategic planning and analysis for the U.S. Border Patrol. These include RVSS, mobile surveillance systems and in the most remote areas, long-range radar-equipped Integrated Fixed Towers, along with aerostats, manned and unmanned aircraft and unattended ground sensors.

“Relocatable surveillance is an important tool to have in our security system,” Huffman says. “As these walls go up, as we’ve seen historically, it will shift some traffic. So the relocatable pieces allow us to flex with the flow of that traffic.”

It’s all part of a strategy aimed at having full operational control of the border, in which the wall impedes breaches, technology provides situational awareness and people use that awareness to stop those unimpeded by physical barriers.

Technology underpins the entire strategy. “That technology piece is going to be key,” Huffman said.

Indeed, gathering the technology is only half the battle. Making sense of it – rapidly identifying the nature of a threat and dispatching an appropriate response – remains a work in progress. Along the whole stretch of the southern border, CBP is just one piece of a coordinated multi-agency effort including the Coast Guard, ICE and other agencies. Together, they collectively manage information gathering and interdiction activities in the air, on the ground and at sea.

As more sensors are added, the need to fuse and sort those inputs and turn raw data into actionable intelligence will become the next frontier in border security.

Technology Is Border Patrol’s ‘Highest Need’

Securing the U.S. border with Mexico is within reach – provided the government mounts a coordinated strategy focused on technology and people, rather than infrastructure alone, experts told Congress last week.

“There is not a one size fits all solution to border security,” David Aguilar, former deputy commissioner of U.S. Customs and Border Protection (CBP) told the Senate Homeland Security and Government Affairs Committee April 4. The border is complex and varied, changing with terrain, the seasons and the way in which it’s defended. Illegal cross-border activity ranging from drug smuggling to human trafficking ebbs and flows as the border patrol and criminal gangs engage in a continuous game of cat and mouse, each adapting every time a new tactic is introduced.

Technology, however, holds the key.

“Technology is going to be the highest need the border patrol has,” said Aguilar, now a Principal at Washington, D.C.-based security consultant Global Security and Innovative Strategies (GSIS). “It gives you situational awareness, it gives you intelligence and it gives you the capability to respond in an effective manner – and in a safe manner, as well.”

In urban areas, gangs move drugs through tunnels under the border wall or bundle their illicit cargo in packages. Outside of town in less crowded areas, they launch packages over walls with home-made cannon and catapults.

Lawmakers from both parties along with Department of Homeland Security (DHS) Secretary John Kelly concede a full-fledged border wall “from sea to shining sea” may not be needed. Some areas will need two or three rows of fencing; others need defoliation and roadbeds for patrols. But regardless of how much hard infrastructure is added, the border patrol needs the intelligence-gathering capacity of cameras and the deterrent value of bright lights and loudspeakers.

That’s where Remote Video Surveillance Systems (RVSS) come into the picture. RVSS is a proven concept already in use in Texas and Arizona, where it has played a key role in reducing trafficking and reducing casualties on the border.

Yuma County, Ariz., was once one of the most porous stretches along the border. Not anymore.

“In 2005-2006, Yuma County was the worst in the nation in regards to cross-border traffic and the criminal element that accompanies it,” said Leon Wilmot, sheriff of Yuma County, Ariz., in February testimony before the House Committee on Homeland Security. “Our officers were going out there if not weekly, monthly, to attend to victims who were left there to die. The combination of fencing, law enforcement, presence on the border and the technology with cameras and sensors – to be able to detect individuals crossing the desert – was all a contributing factor in reducing that criminal element and of individuals being victimized [through] rapes, robberies and homicides.”

“RVSS increases situational awareness and enhances officer safety through a number of factors,” according to a CBP spokesman. “First and foremost, it is a deterrence. Think of RVSS as a home which has an alarm and security camera system. That particular home is much less likely to be burglarized than one that doesn’t have those layers of security.”

The first RVSS systems were deployed along the northern and southern border between 1997 and 2005. Upgrades on the southern border were completed by General Dynamics Information Technology (GDIT) in 2016 and the agency announced in February it was seeking other upgrades and additional installations.

RVSS employs day and night cameras, loudspeakers and floodlights. In the most remote areas, motion and seismic detectors may be used to trigger alerts, the CBP spokesman said. “CBP is always looking for and testing new technology to combat the threats we face.”

Along the southwest border, CBP pilots the use of trailer-mounted RVSS towers that can be repositioned as needs change. Unlike legacy RVSS platforms, they don’t require construction, reducing cost and increasing flexibility. These relocatable systems are seen as a complement to conventional RVSS, rather than a replacement.

In a request for information published in January, CBP said it is “contemplating an expansion of the RVSS Upgrade Program throughout the entire [southwest] and northern border.” The solicitation states “the RVSS Upgrade program will provide day/night surveillance from stationary and re-locatable locations with dedicated power and command, control and communications capability managed remotely by operators. … [and] will additionally support vectoring of Border Patrol Agents (BPA) … for event resolution and provide continuous monitoring of encounters for BPA safety.” The number of these RVSS Upgrade systems will vary by geography and operational needs, and the agency anticipates upgrading control stations at every Border Patrol Station. RVSS Upgrade Subsystems will be mounted on existing RVSS infrastructure or on other new or existing towers, rooftops or other structures.

The technology works as a piece of a system, in which barriers and technology are used to raise not only the physical barriers to illegal border crossing, but also the psychological and logistical ones.

“Agents alone can’t stop every intrusion,” says Robert Gilbert, a former sector chief at CBP and now a senior program director for RVSS at systems integrator General Dynamics Information Technology (GDIT). “It’s the combination of physical barriers, advanced detection technology and manned patrols that raises the stakes for intruders, increasing the time and effort it takes to get across, and influencing their decisions. When the risks become great enough, fewer people will try to cross, and that means more agents will be available to take on those that remain. But it’s the technology that makes that equation possible.”

Aguilar agrees. “The purpose of the fence is to deter, to impede – to basically create more time and distance for the officers to be able to responsibly react and take action,” he said.

Adding officers is another critical piece of the strategy. DHS has announced plans to add 5,000 more border agents, but that could take years to accomplish. Rep. Bennie Thompson, D-Miss., the senior Democrat on the House Homeland Security Committee, noted in a February hearing that the CBP continues to struggle to keep the uniformed officers it has, let alone add new ones. The border patrol is short some 1,500 officers now, even before new positions are added. He sees increased use of surveillance technologies as the answer.

“If we can see somebody five, 10, 20 miles away, approaching an area, and if we have the ability to communicate with local law enforcement and [CBP agents on the ground], we could direct more assets to that area for interdiction,” he said.

At that same hearing, Steve McCraw, director of the Texas Department of Public Safety and a former FBI agent, told lawmakers that there is no doubt that the combination of technology and human focus can change the security equation along the border.

“We’ve seen over time that you can influence the amount of drugs coming in and the amount of illegal aliens coming in – there’s no question about it. It’s border control physics,” he said. Technology must be “stacked,” beginning with cameras and towers and continuing up through aircraft, he said.

But just having the technology is not enough, he added. It must be continually maintained and upgraded.

“We don’t need yesterday’s technology for tomorrow,” McCraw said. Some existing “sensors are archaic,” and government must look to the private sector – “the experts in developing technology and making it work” – to ensure the border patrol has the equipment it needs to get the job done.

Peter Howard,
Senior Director at GDIT

From a situational awareness standpoint, Border Patrol agents cannot be everywhere all the time, said Peter Howard, senior director at GDIT. “Having the ability to remotely detect illicit activity and threats increases the efficiency of operations and helps make sure the right number of agents get the call for any given situation. That makes a difference. It increases safety and also confidence, and the combination makes everyone more effective.”

Ronald Colburn, consultant for Washington, D.C.-based security firm Command Group and former deputy chief of U.S. Customs and Border Patrol, said the risks along the border are not always fully appreciated. “The violence of the [Mexican drug] cartels makes ISIS look like amateurs,” he said.

But increasing personnel, infrastructure and technology works, he said. “Those are the things that slowed illegal criminal activity.”

What will it take for future improvements?

“The right mix, rapidly deployed,” Colburn said. “Without the tactical infrastructure, [the border] is too weak. Without the right number of agents, it is too weak. Without the right mix of technology it is too weak.” That technology has to be “integratable,” he added, and must be replaced and upgraded over time to remain effective. And it must be deployed in concert with the other two elements of the strategy.

“Without the tactical infrastructure, we will not have accomplished border security,” Colburn said. “With it, along with technology and manpower, I feel we will finally see that light at the end of the tunnel. We will finally secure the border – not just in stretches, but all of it.”

What to Expect from the NSA Hacker Turned White House Cyber Advisor

The choice of Rob Joyce, former head of the National Security Agency’s Tailored Access Operations unit, as cyber security coordinator puts an experienced offensive cyber operator at the nexus of the nation’s cyber policy and strategy at a time when nation-state cyber interference is at the forefront of public consciousness.

Joyce succeeds Michael Daniel, who had a public policy, economist and finance background and spent nearly a decade in cyber policy at the Office of Management and Budget and the White House. Joyce’s background, by contrast, is as an operator in the cyber realm, bringing an intimate understanding of the threat to the forefront of national cyber policy.

As cyber coordinator, Joyce is not the federal chief information security officer (CISO). That post is largely focused on securing the federal enterprise; the cyber coordinator drives policy beyond the federal government. “The cyber coordinator is also interested in cybersecurity across the entire digital ecosystem,” including private industry, state and local governments and foreign governments, as well. “So it’s a much broader role than what the federal CISO focuses on,” says Daniel, who is now president of the Cyber Threat Alliance, a non-profit focused on cyber threat sharing across the industry. “There is some degree of overlap and complementarity – obviously the cybersecurity coordinator has to care about the security of federal networks – but the cybersecurity coordinator has a broader mandate than that.”

Little is publicly known about NSA’s offensive cyber activities. But in a rare public appearance last August at the USENIX 2016 conference, Joyce described the five steps to a successful cyber intrusion – initial exploitation, establish presence, install tools, move laterally and collect/ex-filtrate/exploit – and then walked through the weaknesses he and his hackers came across and exploited each day.

“If you really want to protect your network,” he said then, “you really have to know your network. You have to know the devices, the security technologies, and the things inside it.” His clear message: His team often knew better than the network’s managers. Indeed, while NSA hackers might not understand products and technologies as well as the people who design them, Joyce said they learn to understand the security aspects of those products and technologies better than the people who created them.

“You know the technologies you intended to use in that network,” he said. “We know the technologies that are actually in use in that network. [There’s a] subtle difference. … You’d be surprised at the things that are running on a network versus the things you think are supposed to be there.”

Penetration testing is essential, as is follow-up. Joyce’s TAO regularly conducted Red Team testing against government networks. “We’ll inevitably find things that are misconfigured, things that shouldn’t be set up within that network, holes and flaws,” he said. The unit reported its findings, telling the network owner what to fix.

Then a few years later, it would be time to test that network again. “It is not uncommon for us to find the same security flaws that were in the original report,” Joyce said. “Inexcusable, inconceivable, but returning a couple of years later, the same vulnerabilities continue to exist. I’ve seen it in the corporate sector too. I’ve seen it in our targets.”

Laziness is a risk factor all its own. “People tell you you’re vulnerable in a space, close it down and lock it down,” Joyce said, reflecting on the fact that network administrators frequently don’t take all threats and risks seriously enough. “Don’t assume a crack is too small to be noted or too small to be exploited. … There’s a reason it’s called advanced persistent threats: Because we’ll poke and we’ll poke and we’ll wait and we’ll wait and we’ll wait, because we’re looking for that opportunity to [get in and] finish the mission.”

As an offensive cyber practitioner, Joyce sought to identify and, when needed, exploit the seams in government and enemy networks. He focused on the sometimes amorphous boundaries where the crack in the security picture might come from getting inside a personal device, an unsecured piece of operational security, such as a security camera or a network-enabled air conditioning system, or even an application in the cloud. “Cloud computing is really just another name for somebody else’s computer,” he said. “If you have your data in the cloud, you are trusting your security protocols – the physical security and all of the other elements of trust – to an outside entity.”

Most networks are well protected, at least on the surface. They have high “castle walls and a hard crusty shell,” he said. But “inside there’s a soft gooey core.”

Figuring out how to protect that core from a national security and policy perspective will be Joyce’s new focus, and if Daniel’s experience is any indicator, it will be a challenge.

From his perspective, cybersecurity is only partly about technology. “Adversaries tend to get into networks through known, fixable vulnerabilities,” Daniel says. “So the reason those vulnerabilities still exist is not a technical problem – because we know how to fix it – it’s an incentive problem – an economics problem.” That is, network owners either fail to recognize the full extent of the risks they face or, if they do, may be willing to accept those risks rather than invest in mitigating them.

The challenge, then, is formulating policy in an environment in which the true level of risk is not generally understood. In that sense, Joyce’s ability to communicate the extent to which hackers can exploit weaknesses could be valuable in elevating cyber awareness throughout the White House.

“The NSC is about managing the policy process for the national security issues affecting the US government,” Daniel explains. “You don’t have any direct formal authority over anyone. But you do have the power to convene. You have the power to raise issues to people in the White House. You have the ability to try to persuade and cajole. The background he brings will obviously color what he prioritizes and what he puts his time against. But the role itself will not be dramatically different. … understanding how to get decisions keyed up in a way that you can actually get them approved.”

Joyce’s background could affect how this administration views commercial technologies, such as cloud services, mobile technology and other advances that, while ubiquitous in our daily lives, are not yet standard across the federal government.

“Trust boundaries now extended to partners,” Joyce said a year ago. “Personal devices – you’re trusting those on to the network…. So what are you doing to really shore up the trust boundary around the things you absolutely must defend? That for me is what it comes down to: Do you really know what the keys to the kingdom are that you must defend?”

National security cyber policy is not just defensive, however, and having a coordinator with a keen insider’s understanding of offensive cyber capabilities could have a significant long-term impact on national cyber strategy.

Just as Daniel sees cybersecurity as an incentives, or economics, problem, Kevin Mandia, chief executive at the cyber security firm FireEye and founder of Mandiant, its breach-prevention and mitigation arm, sees incentives and disincentives as playing a critical role for cyber criminals and nation-state attackers alike. Simply put, he says, the risk-reward ratio tilts in their favor, because the consequences of an attack do not inflict enough pain.

Mandia agrees that the first priority for U.S. cyber policy should be self-defense. “Every U.S. citizen believes the government has a responsibility to defend itself,” he said at the FireEye Government Forum March 15. “So first and foremost, our mission security folks must defend our networks. But the second thing the private sector wants is deterrence. We need deterrence for cyber activities.”

And in order to develop an effective deterrence policy, he argues, the nation needs fast, reliable attribution – the ability to unequivocally identify who is responsible for a cyber attack.

“I’d take nothing off the table to make sure we have positive attribution on every single cyber attack that happens against U.S. resources,” Mandia says. “Because you can’t deter unless you know who did it. You have to have proportional response alternatives, and you have to know where to direct that proportionate response.”

Where Joyce stands on deterrence and attribution is not yet clear, but what is clear is that the effort to seal off the cracks in federal network security is sure to get more intense.

“A lot of people think the nation states are running on this engine of zero-days,” Joyce said a year ago, referring to unreported, unpatched vulnerabilities. “It’s not that. Take any large network and I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days. There are so many more vectors that are easier, less risky and quite often more productive than going down that route.”

Closing off those vectors forces threat actors to assume more risk, expose zero-day exploits and operate with less cover. When that happens, the balance of cyber power could finally start to tilt away from the hackers.

7 (Samurai) Cyber Insights from the Former NSA Hacker Advising the White House

Rob Joyce, White House Cybersecurity Coordinator, brings to the job years of experience with the National Security Agency and its Tailored Access Operations unit. In an unusual public appearance at USENIX 2016 last August, he described how institutions can best protect their networks from attack.

Here are his seven keys to protection:

1 In almost any intrusion, people are trying to get credentials.

Login credentials are the keys to the kingdom for which cyber spies are phishing and snooping. Protecting and monitoring credentialed access is crucial. The best-defended networks:

  • Require two-factor authentication, making it that much harder to steal credentials
  • Monitor users and look for anomalous behaviors
  • Require specific actions to gain access, and look for those actions from users
  • Minimize the number of privileged accounts. “Only give the privileges needed to specific users. Not everybody’s happy with that world, [but] … those are the kinds of wide ranging credential reuses that end up turning into large-scale compromises.”
  • Never hard-code administrator or system credentials into scripts. Though most modern protocols do not pass credentials in the clear, nation states are looking for the older ones. “You’ve got to look for those older protocols and drive them out of your networks.”

2 Look at your logs.

“You’d be amazed that incident response teams go in after there’s been some amazing breach, and yup, there it is in the log. If you’ve got logs, it will tell you that you’ve been had. Enable those logs, and look at them.”

Logs are key to understanding whether you’ve got a problem or if someone’s ‘rattling the door’ and trying to become a problem.
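One way to separate "rattling the door" from "already had" in authentication logs, as an added example that is not from Joyce's talk or the article. The log lines are constructed samples in OpenSSH's sshd format, and the threshold of three failures is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (sample data, documentation-range IPs).
SAMPLE_LOG = """\
Mar 15 02:11:01 gw sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Mar 15 02:11:03 gw sshd[811]: Failed password for root from 203.0.113.7 port 40113 ssh2
Mar 15 02:11:05 gw sshd[812]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar 15 02:11:09 gw sshd[813]: Accepted password for root from 203.0.113.7 port 40115 ssh2
Mar 15 08:30:12 gw sshd[901]: Failed password for alice from 192.0.2.10 port 51500 ssh2
Mar 15 08:30:20 gw sshd[902]: Accepted password for alice from 192.0.2.10 port 51501 ssh2
Mar 15 09:02:41 gw sshd[950]: Failed password for invalid user test from 198.51.100.23 port 33001 ssh2
Mar 15 09:02:43 gw sshd[951]: Failed password for invalid user guest from 198.51.100.23 port 33002 ssh2
Mar 15 09:02:45 gw sshd[952]: Failed password for invalid user oracle from 198.51.100.23 port 33003 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def triage(log_text, threshold=3):
    """Return {source address: verdict} for sources with >= threshold failures.

    "rattling": repeated failures, no success seen afterwards.
    "success-after-failures": a login succeeded once the threshold was crossed.
    """
    failures = defaultdict(int)
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not a password-auth event
        src = m["src"]
        if m["result"] == "Failed":
            failures[src] += 1
            if failures[src] >= threshold:
                verdicts.setdefault(src, "rattling")
        elif failures[src] >= threshold:
            # The more serious case: the door opened after being rattled.
            verdicts[src] = "success-after-failures"
    return verdicts

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, verdict)
```

The single mistyped password from 192.0.2.10 stays below the threshold and is not reported.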

3 Use a reputation service to test software

“Every piece of software that wants to execute on your machine gets hashed and pushed up onto the cloud,” Joyce explains. There, the service determines if it is safe or not.

“Let me tell you, if you’ve got a reputation service and it says that interesting executable that you think you want to run in the entire history of the internet, has been run one time and it’s on your machine, be afraid. Be very afraid.”

4 Use a reputation service to test web domains

Most hacker tools, once active, “want to talk out to a domain, they want to call back home, they want to report success, or bring back data,” Joyce says.

But if your network is testing domains before letting traffic go through, there’s a good chance it can stop those calls home. “If something is evaluating that reputation, if no one is going to that domain or the content is stale, it will have neutral or negative reputation,” Joyce says. “That’s a hard thing to overcome.”
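The prevalence-and-age logic behind keys 3 and 4, sketched as an added example that is not part of the article and not any vendor's API. `ReputationStore`, its verdict names and its thresholds are hypothetical, and the telemetry is constructed.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Record:
    first_seen: int                          # day number of the first sighting
    hosts: set = field(default_factory=set)  # machines that reported the key

class ReputationStore:
    """Toy stand-in for a cloud reputation service (hypothetical, for illustration)."""

    def __init__(self):
        self.records = {}

    def observe(self, key, host, day):
        rec = self.records.setdefault(key, Record(first_seen=day))
        rec.hosts.add(host)

    def verdict(self, key, today, min_hosts=3, min_age_days=7):
        rec = self.records.get(key)
        if rec is None:
            return "unknown"        # never seen anywhere: hold or block by policy
        if len(rec.hosts) == 1:
            return "suspicious"     # seen on exactly one machine
        if len(rec.hosts) < min_hosts or today - rec.first_seen < min_age_days:
            return "neutral"        # too rare or too new to trust yet
        return "established"

def file_key(data: bytes) -> str:
    """Executables are identified by the SHA-256 of their bytes."""
    return "sha256:" + hashlib.sha256(data).hexdigest()

def domain_key(name: str) -> str:
    """Domains are normalised so 'Example.COM.' and 'example.com' match."""
    return "domain:" + name.lower().rstrip(".")

# Constructed byte strings standing in for two executables.
COMMON_TOOL = b"constructed bytes standing in for a widely deployed tool"
ONE_OFF = b"constructed bytes standing in for a never-before-seen binary"

def build_demo_store():
    store = ReputationStore()
    for i in range(5):
        store.observe(file_key(COMMON_TOOL), f"host{i}", day=1)
        store.observe(domain_key("updates.example.com"), f"host{i}", day=1)
    store.observe(file_key(ONE_OFF), "host3", day=29)
    store.observe(domain_key("Fresh.example.net."), "host3", day=29)
    store.observe(domain_key("fresh.example.net"), "host4", day=29)
    return store
```

With `today=30`, the one-off binary rates "suspicious" and the day-old domain "neutral", while the tool and domain seen on five hosts since day 1 rate "established".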

5 Stop lateral movement

Once an intruder is inside your network, the next step is to move laterally in search of better credentials or other access. Stopping lateral movement is critical to limiting damage. Among the best ways to do that:

  • Limit access privileges
  • Segment privileges, so that additional authentication is needed in different parts of the network
  • Enforce two-factor authentication everywhere

6 Control everything, trust little

Better networks employ comply-to-connect to ensure remote connections are legitimate. Some determine the remote user’s location and can be programmed to question the response.

Expect that your network is vulnerable and has already been penetrated, then ask: Do you have the means to understand who is already in your network?

7 Back it up!

Digital attacks come in many forms. Some seek to exfiltrate data for intelligence or profit. Others are just plain malicious. Be prepared for destructive attacks by ensuring you have offsite backups as part of your plan. Anticipate how you will deal with data corruption, data manipulation and data destruction.
