Supply chain risk matters when it comes to cybersecurity for next-gen 911

The 911 system is important to all Americans, and a bill before the Senate on next generation 911 infrastructure, or NG911, will provide states and territories the resources to close many 911 capability gaps — but it is missing critical provisions regarding the cyber supply chain.  

Importantly, the bill includes funds and policies to address cybersecurity as part of modernizing public safety communications. 911 is vulnerable to cyber attacks, and municipalities and organizations have been compromised by low-end ransomware, denial of service attacks and other vectors. Senate Bill 2754 provides $10 billion to help facilitate the transition from legacy public safety networks to the NG911 standard by distributing grants to local agencies responsible for 911. 

For the first time, agencies seeking these grants must address cybersecurity. Among the grant eligibility elements that the bill requires:

• Establish a local agency sustainable funding mechanism for NG911 cybersecurity;
• Outline clear roles and responsibilities for storage, analysis and protection of collected data;
• Identify, protect and detect cybersecurity tools in NG911 emergency communications centers;
• Participate in a new intrastate NG 911 cybersecurity center information-sharing program;
• Determine a single state focal point for 911 and a governance body to address 911 cybersecurity; and
• Adopt National Institute of Standards and Technology (NIST) cybersecurity best practices for authentication, credentialing, access, interoperability and resilience.

This needed support has been a long time coming, and hopefully lawmakers will pass the bill this month. But its supply chain hole is glaring: It has no provisions to Buy American or even consider supply chain risk. 

These funds will transform how citizen data is exchanged with local governments. But the bill will accelerate the unfortunate trend of public safety communications hardware being replaced by “infrastructure-as-code” from foreign-owned companies using code developed and sustained in other countries. Many of the goals of the 2019 Secure Networks Act — which directed broadband providers to remove China’s Huawei and other high-risk components — will be undone by having foreign code higher in the public safety services stack. The introduction of foreign infrastructure supporting sensitive, unencrypted personal and law enforcement decrypted data exchange is an unacceptable risk.

It is probably too late to change the language in the bill, but it is not too late to call upon the Department of Commerce’s National Telecommunications and Information Administration (NTIA) to require that grant awardees follow NIST supply chain best practices and ensure that code comes from domestic sources.

We call or text 911 when bad things happen and often the interaction is a “worst day of my life” moment.  911 is undergoing a major revision across the country as it shifts to internet protocol-based infrastructure. The new emergency services IP networks support not only 911 calls, but also machine-to-machine sensor reports to law enforcement, alarms, surveillance images, acoustic and radio frequency observations, and the decision support software that organizes the dispatch of first responders. It is where the electronic evidence chain begins and supports connections cuing lawful intercept of suspect communications.

The omission of domestic sourcing for NG911 solutions is in stark contrast with how the Senate infrastructure bill has approached supply chain risk for transportation and energy grids. Buy American provisions ensure that these grants include obligations to address cybersecurity and supply chain risk — and we should expect no less for 911.

In announcing the bill, Sen. Gary Peters (D-Mich.) aptly described the threat: “Recent attacks against American networks show that our foreign adversaries and criminal organizations will stop at nothing to breach federal networks, steal information and compromise our national security.” He co-sponsored a bill to address supply chain risk for federal government procurements, pointing out that “federal employees need to know how to recognize possible threats when they are purchasing software and equipment that could allow bad actors a back door into government information systems.”

Although Peters is to be commended for taking steps to address the risk for federal agencies, the Senate has not taken steps to ensure that federal money authorized in the NG911 bill is similarly protected. 911 grants are to be disbursed by state and local public safety entities, which may have even less insight into well-funded foreign adversary efforts to gain access into critical law enforcement and public safety systems through supply chain exploits.

Congress should address the supply chain hole in the NG911 legislation and insist that, when federal money is involved, grant awardees utilize U.S.-developed infrastructure with effective supply chain risk management. The Commerce Department should require that awardees follow NIST guidelines and ensure that NG911 applications with access to unencrypted law enforcement and emergency services data are sourced domestically.

David G. Simpson, a retired rear admiral with the U.S. Navy, leads Pelorus Consulting Services, specializing in public safety, telecommunications and cybersecurity. He was chief of the Federal Communications Commission’s Public Safety and Homeland Security Bureau (2013 to 2017); vice director of the Defense Information Systems Agency (2011 to 2013); and director of Communications and Information Services for U.S. Forces Iraq in Baghdad (2009 to 2010). Follow him on Twitter @SimpsonGrey.