New bill would push for cybersecurity improvements at 911 call centers
Faced with national 911 systems deemed increasingly vulnerable to cyberattack, Sens. Bill Nelson, D-Fla., and Amy Klobuchar, D-Minn., will introduce a bill within the next few weeks to federally fund and hasten the national transition to next generation 911 (NG911) systems.
A recent draft of the legislation seen by CyberScoop shows the new legislation will set an as-yet-undetermined target date for “full implementation” of NG911. The bill will also keep control of 911 systems completely in state and local hands, as NG911 systems allow emergency communication by text message, photos, videos and other information from smartphones, tablets and other devices.
Additionally, the bill would deliver additional federal funding to states through 911 grant programs at the Departments of Commerce and Transportation; develop uniform technical standards; provide increased federal administrative and procurement support for 911 systems by creating a “NG911 implementation coordination office;” and provide cybersecurity training to 911 personnel.
The push for the new bill comes four months after Meetkumar Desai, an 18-year-old iPhone app developer in Phoenix, launched a self-described malware “prank” that phished iPhone users and caused their phones to repeatedly call 911.
The telephone denial-of-service (TDoS) attack ended up putting emergency call centers in 12 states “in immediate danger of losing service to their switches,” according to officials. Desai is out of jail at the moment but faces two looming felony charges in a March 30 hearing.
When 911 services become overwhelmed by fake calls or go down completely, real emergencies fall to the wayside, creating a potential for loss of life directly attributable to a cyberattack.
A rising tide of TDoS attacks against mostly undefended 911 centers and related public safety systems have caught the attention of security and emergency experts. Coming just a few weeks after researchers showed how just such an attack could hammer 911 services, Desai’s real world attack was an exclamation point on a years-long effort to move the country’s 911 services away from the mid-20th century technology and toward modern internet-based services that, among other improvements, would aim to offer substantial defense against attack.
As of 2015, just 420 of the nation’s approximately 6,500 911 centers have a cybersecurity program. A 2015 FCC report showed no spending on 911 center cybersecurity in 38 states.
Millions of dollars have been spent in the last two years on research to protect 911 from DoS attacks. Research at SecureLogix, a Texas-based telephone-security company, focuses on automatically spoofed called and knowing the difference between fake and real calls. Research at the University of Houston in cooperation with the Department of Homeland Security is focused specifically on NG911’s ability to defeat TDoS. A handful of 911 call centers across the country are currently piloting some of the new solutions.
“This could become a life or death matter for callers in medical distress or reporting a fire,” Larry Shi, assistant professor of computer science at the University of Houston, said as he began research on the problem in 2015. “Whether it’s a person experiencing a heart attack or an explosion at one of Houston’s many chemical plants, every minute is critical in mitigating damage and reducing issues. We aim to address this now before it becomes a problem, as well as develop solutions to be better prepared in case a cyberattack does come to pass.”
In response to late 2016’s Mirai DDoS attack, Homeland Security last month announced a new initiative through the Advanced Research Projects Agency’s Cyber Security Division to fund several research projects to help defenders against denial of service attacks.