Noncivilian Government Context

Abstract

The agencies involved with public safety, emergency management, and national security operate under tighter schedules and, typically, more stressful conditions—regardless of government level (i.e., federal, state, local). Individual lives (not just livelihoods) are frequently endangered, both for agency representatives and citizens. Their missions carry a different sense of urgency, and their information assets may be more susceptible to attacks from other nation-state actors or their agents. These are environments that stress-test technology tools, people, and policies/processes. The organizations discussed here operate in at least semi-autonomous fashion, which can lead to challenges with respect to interoperability, in terms of process, recognized lines of authority, and technical platform compatibility. Initiatives underway in the United States to address these challenges include the FirstNet program and CyberStorm exercises.

Keywords

National security; public safety; emergency management; emergency response; interoperability; FirstNet; process engineering; common operating picture (COP); Government Emergency Telecommunications Service (GETS); Wireless Priority Service (WPS); access class barring (ACB); Ukraine; Estonia; nation-state

Moving from the civilian or administrative dimension of government—with which citizens, government agencies, and organizations tend to have regular or scheduled interactions—also represents a move away from bureaucratic or calendar-driven deadlines for action, which may be important but not urgent. What we are referring to here as the noncivilian agencies—those whose missions are predominantly action-oriented and event-driven—are characterized by a greater sense of immediacy, criticality, and applicability. Although a considerable amount of time is spent in any government agency on administrative, bureaucratic process work, the agencies involved with public safety, emergency management, and national security operate under tighter schedules and, typically, more stressful conditions. Individual lives (not just livelihoods) are frequently endangered, both for agency representatives and citizens. Their missions carry a different sense of urgency: more acute, harder.

The security contexts discussed in this chapter differ from those in other chapters in terms of attacker resources, legal controls, and societal and individual impact. The level of importance—and complexity—increases dramatically in these environments. These are environments that stress-test technology tools, people, and policies/processes.

National Security

Consider, for example, the attacker resources that exist within the national security context. Attackers/hackers range from small, political hacktivist, terrorist, and mercenary cell groups to coordinated nation-state teams of several thousand technical experts. They likely have access to sophisticated tools, privileged information and credentials (some obtained illicitly), money to subsidize efforts for an unlimited period of time, and immunity from government prosecution, maybe even a degree of anonymity or identity protection. They also have physical resources available to them including safe work spaces and, in some cases, military forces. Their cyber work may be part of a broader kinetic effort that includes the use of physical force, as is discussed in the attack scenario that outlines incidents involving Estonia, Georgia, and Crimea.

With respect to legal controls, attackers in the national security sphere may actually act with more impunity than those working at the subnational level. Enforceable laws exist at the latter level that act to discourage large-scale, persistent attacks on critical infrastructure. International law, on the other hand, is fuzzy: What is not explicitly prohibited is permitted. Sovereign state boundaries present barriers to effective prosecution and to compliance with any common agreement about the inviolability of cyberspace. Cyberspace seems to evade unanimous agreement about what constitutes international or national space, even in derived extensions to the Geneva and Hague conventions and dedicated efforts like the Tallinn Manual and the Cybercrime (or Budapest) Convention. Unlike historical battlegrounds, cyberspace is a man-made construct that is not geographically delimited: Human activity defines it. Engagements in cyberspace may be construed as physically nonviolent (although activity may be seen as a precursor to physical violence). As one scholar observes:

The gap between use of force and armed attack is already a contentious one, creating disputes about what level and kind of violence meets the ‘armed attack’ threshold. Cyberspace’s unique properties dilute the meaning of these terms further: they enable non-violent electronic incursions – such as data theft, or systems sabotage – on a scale so vast that states’ core security interests can be threatened, without any of the immediate kinetic damage traditional attacks produce.1

Within the broader noncivilian government genus, agencies in the public safety and emergency management categories—which may include private sector partners among operations staff—function in a more decentralized fashion than those agencies that are responsible for collecting, distributing, and managing common goods (e.g., “civilian” agencies). They are also more decentralized than those involved in promoting and defending national security when considered from a US government perspective although, as discussed earlier, they are highly decentralized when considered from a global perspective.

For this chapter, we will look at entities concerned with national security separately from the first two because of the differences in organizational structure, decision-making hierarchy, recruitment/retention strategies, operational work (or response) group size, and enrollment and cultural artifacts. The agencies associated with national defense are characterized by more centralized authority, less behavioral diversity across agencies (as determined by policy and articulated in standard operating procedures), and national rather than local budget support.

These differences lead to significant ripple effects observed when one looks at technology deployments and ensuing communications compatibility across groups. The underlying philosophy of information asset security is also affected because of more centralized planning and (at least hypothetically) adherence to, and longer experience with, a consistent digital security framework.

Law enforcement and emergency management organizations tend to plan and act more locally (i.e., less systemically) than do national security organizations within the United States. In particular, mission-critical, on-the-ground actions are performed within the United States or its contiguous tribal nations: jurisdictions that are subject to common laws. Agencies in the national security arena deploy their operations groups outside these boundaries, typically, and may be subject to a different set of formal laws and informal practices. They also interact with others operating under different legal jurisdictions, in which assumptions about rules of engagement can be dramatically varied and even incompatible with those that operate domestically (i.e., within the United States and its territories and tribal nations).

Public Safety and Emergency Management

The lines between public safety and emergency management are blurred since an incident can range from as small as a traffic accident to as large as pandemics, major earthquakes, and nuclear war (Fig. 8.1). The incidents affect individuals, organizations, and infrastructure differently and require various resources for assistance. Nor do incidents necessarily happen in isolation from one another. Priorities must be established along with crisis response windows for common understanding about how incidents are to be managed.

As the Federal Emergency Management Agency (FEMA) observes so adroitly: “Incidents typically begin and end locally.” Logically, then, the most effective responses to such incidents—especially their daily management—will be carried out at the level closest to the source, whether at the geographical, organizational, or jurisdictional level. As the scope of the incident increases so does the likely beneficial “involvement of multiple jurisdictions, levels of government, functional agencies, and/or emergency-responder disciplines.” Local resources can be tapped out in natural disaster or emergency events. For example, the 2013 “1000-year flood” in Colorado turned one community into an island and resulted in emergency airlifts and hundreds of people unaccounted for a week after the rain stopped. The National Guard was called in to help along with state agency personnel; 14 Colorado counties earned emergency disaster designations. Responses to more complex incidents like this “require effective and efficient coordination across the broad spectrum of organizations and activities.”3

To support effective coordination, FEMA created the National Incident Management System (NIMS). NIMS provides a flexible but standardized set of incident management practices with an emphasis on common principles, a consistent approach to operational structures and supporting mechanisms, and an integrated approach to resource management to guide departments and agencies at all levels of government, nongovernmental organizations, and the private sector to work together seamlessly to manage incidents involving all threats and hazards—regardless of cause, size, location, or complexity—in order to reduce loss of life, property, and harm to the environment.4

Interoperability Challenges: People, Process, and Technology

With decisions about budgets, technology deployments, and specific policies and procedures being made at the substate level for these organizations, coordination across jurisdictions becomes more complicated. In the past, this has led to communications disconnects and technical platform incompatibility, as can be seen by the multiple land mobile radio systems in use across the United States.5 Procedural and training differences, in addition to communication platform incompatibilities, contribute to the challenges attributed to inadequate interoperability. At some level, interoperability challenges create a de facto DoS situation for first responders. Such a DoS can trigger cascading failures in communication during large-scale emergencies like those witnessed in the hours after 9/11 and during the 2005 Hurricane Katrina operations. For example, the 9/11 Commission Report records numerous instances of failed communications (in addition to recording that emergency plans developed over the years were inaccessible, locked in a file drawer in a building that was cordoned off near Ground Zero). The US DHS invested billions of dollars in equipment grants for local-level first responders in the first four years after 9/11—between $2.5 billion and $5 billion in FY 2004 alone for digital equipment6—but difficult communications during Hurricane Katrina provided clear evidence that the interoperability goals had not yet been achieved.

Under the auspices of the Middle Class Tax Relief and Job Creation Act of 2012, $7 billion in funding was pledged to build out a new First Responder Network Authority (FirstNet). The objective was to override the service provider patchwork of public network telecommunications and develop a single, interoperable broadband architecture to support activities of public safety and emergency management professionals, especially with respect to wireless services. An additional $135 million was included for state and local implementation, in addition to US DoT grant funding to improve local 911 services through the National Highway Transportation and Safety Administration.7 In January 2016 FirstNet released its request for proposal (RFP) for building the public safety network. The award, which could total $6.5 billion to the winning contractor for this indefinite-quantity-indefinite-delivery business, carries with it access to some 20 MHz of spectrum and requirements for returning investment funds to FirstNet over the course of the 25-year agreement.8 The RFP includes mobile devices and requirements for hardening the network to guarantee end-to-end data transmission security. Globally, the estimated market for public safety networks is at least 2 billion Euros in 2019.9

In the early 2000s, those sitting around state-level emergency planning committee meetings bemoaned the lack of standards across jurisdictions with respect to communications equipment and channels. The US broadband communications infrastructure is much more built out now than in 2005: Connection via 4G long-term evolution (LTE) is available to 99% of the US population, and 80% of US residents can choose from among at least four LTE providers. Fig. 8.2 shows the build-out of US wireless and wired broadband connections between 2009 and 2013.10

Of course, great responsibility comes with the communication potential afforded by this broadband growth. A January 2016 letter to FCC Chairman Tom Wheeler requested that restrictions be placed on ISPs’ current “by default” ability to capture and store data on users.12 White hat researchers and black hat adventurers have verified that ISPs can be hacked. Some of the techniques are accompanied by convenient YouTube tutorials. (This is definitely more sophisticated than signal-jacking a neighbor’s ISP connection by leaning against one’s apartment door and becoming a human antenna.)

Clearly technology, especially the commercial wireless broadband infrastructure over which much public safety and emergency management passes, has become more sophisticated. Interoperability is not determined just by the network or its components, however: People and policies/procedures are also necessary components of interoperability.

This lesson is underscored by observations about what worked and did not work in terms of communication in the immediate aftermath of both 9/11 and Katrina and in summary reports of structured interactive exercises by assembled members of the first responder stakeholder communities (e.g., CyberStorm13). The first observation is, in effect, that everything changes in a large-scale emergency. Cascading failures are difficult to predict—although experiencing them does help planners who develop a variety of scenarios. The failures occur in each component of interoperability. In addition to technical failures, failures at the level of policies and procedures and personnel complicate communications. The latter failures have not always received as much attention (at least as evidenced by funding) as have technical failures, in spite of the truism attributed to Sun Microsystems’ John Gage, “Technology is easy. People are hard.”

Representative Challenges: Policy and Procedure (AKA Process Engineering)

The joint CyberStorm exercises provide longitudinal information about organizational impediments to effective response in emergency situations. They include the following14:

• Complexity causes confusion and requires more coordination horizontally (between public and private sector entities) and vertically (across attack vectors and incidents) (CyberStorm I, p. 5).

• Response procedures tailored for physical crises need to continue to converge and integrate with those developed for cyber events (CyberStorm II, p. 4).

• Increased noncrisis interaction can solidify communication paths and strengthen relationships (CyberStorm II, p. 4).

• Public/private interaction “can be complicated by the lack of timely and meaningful shared situational awareness; uncertainties regarding roles and responsibilities; and legal, customer, and/or security concerns” (CyberStorm III, p. 5).

• Shared situation awareness—a cyber common operating picture (COP)—is critical (CyberStorm III, p. 5).

• It is imperative to catalog and communicate available resources within both the public and private sectors during noncrisis and crisis periods (CyberStorm IV, p. 7).

• Interdependencies, critical systems, and required communications must be documented (CyberStorm IV, p. 6).

Representative Challenges: Personnel (AKA Human Engineering)15

Certain psycho-physiological responses to emergency situations can interfere with effective communications, thus creating the appearance of an interoperability problem, even though the root cause of that problem is not technical platform incompatibility. Examples observed include the following:

• Reversion to normal usage habits rather than adaptation to the emergency context can result in suboptimal use of equipment and networks (e.g., increased communications when communications channel capacity is already taxed).

• “Sensory overload and myopic operational tendencies” are activated when responders go into “automatic mode.”

• Cognitive bias can interrupt effective communications when information is incomplete or key elements are inaccurately relayed.

• Stress-induced verbal impediments can complicate voice communications (and cause confusion with respect to the intention and/or identification of the speaker; the FCC recommends text over voice communications in emergency situations because of the former’s lower capacity requirement).

• During periods of high-volume, high-stress crisis situations, the user’s expectation of and reliance on good communication continues, but the increased pace and load on the radio system, combined with the unique emotional influences present, typically acts to hamper, rather than facilitate, the communications process.

• Personal protective equipment is not designed with access and use of commercial (i.e., general public use) cellular equipment in mind. The reverse is also true: Consumer-grade commercial equipment is not designed with crisis situations, harsh operational environments, and assured communication requirements in mind.

• Idiosyncratic use of codes and other nomenclature can obscure the meaning of messages.

Representative Challenges: Technology (AKA Network and Design Engineering)

Issues surrounding spectrum allocation and network infrastructure ownership are being addressed based on current and near-term need. The prospect of acquiring significant additional spectrum in the 700 MHz band makes FirstNet an even more appealing opportunity for narrowband and broadband providers, especially because that spectrum allocation will not be restricted solely to public safety use by the carrier. Use of wireless broadband is expected to increase, especially given the growth in machine-to-machine (M2M) communications associated with IoT and IoE. Although constituting only 3% of current mobile data communications, M2M is projected to be 20% by 2020 and as much as 35%–47% by 2030.16

Predicting future capacity needs is complicated by uncertainty about how various wireless devices will be adopted into use by public safety and emergency management service organizations. In 2016, for example, only about 25% of police officers use body-worn cameras. Broader adoption would expand requirements for tablets (to tag data); upgraded camera technology and procedures to ensure the admissibility of evidence in court (e.g., adequate resolution even under low light and other difficult environmental conditions, chain of custody assurance); security control mechanisms to protect data captured, transmitted, and stored; and policy enhancements to preserve privacy while respecting public disclosure expectations. Even now, use of smartphones and other mobile devices in the field has raised concerns about how to manage sharing devices among personnel (i.e., having a device “pool” rather than a single dedicated device per individual) and how to maintain device application standards.

Mobile Apps Vetting Process: Test, Approve or Reject17

It is important that applications used by public safety and emergency management personnel work as intended during both normal and emergency situations. In addition, it is important that the applications not have “backdoors” that can be used by third parties. To verify the capabilities of both commercially-available and agency-developed applications, the US NIST has developed guidelines for managing mobile apps:

• Define the security requirements for app use.

• In general, implement controls to “prevent unauthorized functionality” or “protect sensitive data.”

• In specific contexts, for example, implement “location-aware access attempt” (taking advantage of GPS capabilities of apps) or “user-specific functionality” (who can take video or audio recording).

• Use context-appropriate security controls (e.g., a blanket requirement for encrypting data going into the cloud can be overkill if the transmission is via VPN).

• Use a variety of app testing tools plus human interaction.

• Apply “chain of custody” type protection to apps down to the code level in the vetting process (no inadvertent end user license agreement violation!).

• Restrict telephony activities and unauthorized functionality that put PII at risk (e.g., exfiltration to a third party, fake website injection into browsers, pop-up banner ads, communication with blacklisted or non-whitelisted sites).

• Disable privacy-compromising functionality (e.g., location and broadcast data, eavesdropping, shared system-level logs).

• Define acceptable network protocol access (e.g., no Bluetooth or NFC).

Government Emergency Telecommunications Service/Wireless Priority Service

The Government Emergency Telecommunications Service (GETS) and Wireless Priority Service (WPS) are programs administered by the DHS Office of Emergency Communications (OEC). These programs support Executive Order 13618, Assignment of NS/EP Communications Functions:

The Federal government must have the ability to communicate at all times and under all circumstances to carry out its most critical and time sensitive missions. Survivable, resilient, enduring, and effective communications, both domestic and international are essential to enable the executive branch to communicate within itself and with: the legislative and judicial branches; State, local, territorial, and tribal governments; private sector entities; and the public, allies, and other nations. Such communications must be possible under all circumstances to ensure national security, effectively manage emergencies, and improve national resilience. The views of all levels of government, the private and nonprofit sectors, and the public must inform the development of national security and emergency preparedness (NS/EP) communication policies, programs, and capabilities.18

OEC has contracted with key United States commercial telecommunications companies to provide these services to NS/EP users. These telecommunications companies augment their networks with NS/EP-unique functions (such as queueing for telecommunications resources) and specified provisioning of commercial QoS features to provide NS/EP users with a greater probability of call completion when the public networks are congested. Since use of the GETS and WPS features can increase the time for the call to get through the network and be completed, users are told not to hang up if they “hear” dead air, as the call may still be progressing through the network. GETS and WPS are designed to work under all hazards due to both man-made and natural disasters, including shootings, terrorist attacks, floods, earthquakes, tornadoes, hurricanes, and nuclear war. GETS and WPS are designed to give priority to the call end-to-end, regardless of whether the called party is an NS/EP user or not.

The GETS program is a wireline calling card service that was started in 1995 and obtained its Full Operational Capability in third quarter 2001. As carriers upgrade their networks (e.g., to IP Multimedia Subsystem [IMS] components), the OEC works with the GETS carriers to migrate the GETS features to the new technologies.

The WPS program was started immediately after September 11, 2001, with the goal of providing WPS to New York City; Washington, DC; and the 2002 Winter Olympics in Salt Lake City. Satellite phones were used for an immediate capability while the government worked with wireless carriers to develop and implement features in nationwide Global System for Mobile Communications (GSM) and code-division multiple-access (CDMA) networks. As newer technologies (e.g., universal mobile telecommunications system or UMTS and LTE) were deployed in the WPS carrier networks, the Government worked with the carriers to develop approaches to ensure WPS continuity. In UMTS networks, recognition of a WPS call by the network causes the network to tell the phone to “fall back” to the GSM network. WPS features are currently being developed and deployed in LTE.19 While this is occurring, users are told how to make their phones fall back to the GSM or CDMA technologies.

Unlike carriers in other countries, US carriers cannot preempt public calls for Government emergency use; in addition, the FCC mandates that carriers must make some bandwidth available for public calls during congestion events. For major identified “congestion events” (e.g., Times Square on New Year’s Eve; the Washington, DC, Mall on Presidential Inauguration Day), the OEC coordinates with the wireless providers on their use of deployables (i.e., mobile wireless cellular access points like cell on wheels or cell on light trucks) for on-demand increased network capacity. Deployables may be used in disaster recovery areas where existing infrastructure has been damaged or in places (e.g., wilderness areas) that are typically “off-grid.”

Since the WPS features are infrequently used at any component within the carriers’ networks, the Government and service providers validate their viability regularly. Three lessons have emerged from that work:

Lesson 1—Network Performance Under Heavy Congestion

Most carriers design their network to provide acceptable performance under peak hour loads. They recognize that during rare events, such as Mother’s Day, their networks may become congested and performance may degrade. It is not cost-effective for them to engineer their networks to support these rare events.

WPS is engineered to work in congestion events in which the offered load to the wireless networks could exceed 20 times the engineered load of the networks. Even though carriers may have vendors stress-test their components to two times the engineered capacity of the device, OEC needs to be assured that the devices will not collapse under greater loads. Stress-testing to 20 times overload is not always feasible, so a mixture of modeling and testing is used. Performance of components under actual stress events is fed back into the modeling and testing process for future use.

Lesson 2—Things Change

It is important to validate the engineering assumptions for a service periodically. When originally designed in 2002, congestion on the random access channel (RACH) was not seen as likely. During the July 29, 2008 Chino Hills earthquake, WPS users claimed that they could not make calls. Analysis by the Government and private industry providers showed a RACH collapse due to “everyone” attempting to make a voice call at the same time. The Government and industry worked on an approach to resolve this problem using automated access class barring (AACB). A RACH collapse again occurred during the Virginia earthquake of August 23, 2011 in most networks. When the Boston Marathon bombing of April 15, 2013 occurred, the AACB feature was being piloted by one carrier; a RACH collapse again occurred on most carriers’ networks, causing news reports to say the Government had shut down the wireless networks to prevent additional terrorist attacks.20 The Government is currently working with private industry on how to migrate this capability into their LTE networks.

Lesson 3—Good Intentions Can Lead to Bad Results

In GSM and CDMA, 911 calls do not have priority over public calls. As currently implemented using LTE, 911 calls and WPS calls have the same priority over public voice calls. This priority allows WPS and 911 calls access to LTE resources before public calls. This can be a very bad thing under 20 times overload.

Providing 911 calls priority over public calls makes sense under normal circumstances, based on the assumption that only one or two 911 calls will be made in a congested cell. In a major event like a magnitude 8 earthquake in San Francisco with extensive damage to buildings and infrastructure, however, the majority of calls are likely to be 911 during the first hours. These calls will get resources to the Public Safety Access Point (PSAP) but then they will get a busy signal or be put in a queue.21 Because there are many more 911 calls during this event than WPS calls, the WPS calls have a much lower likelihood of successfully accessing the congested resources to be completed. And yet, many of the WPS calls support the response to 911 requests. Thus, having 911 and WPS at the same priority provides a poorer response than if WPS had a higher priority than 911.

An access class barring (ACB) mechanism could be implemented to provide priority to WPS over 911. This approach is politically unacceptable to members of the telecommunications industry, however, since they do not want to be sued for being the responsible party for blocking 911 calls (even though the calls will be blocked at the PSAP). Government rulings and regulations from the FCC will be required to solve this issue. As discussed earlier, issue resolution requires balanced coordination of policy/procedure, personnel, and technology elements.
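The three lessons above (20 times overload, RACH collapse with access class barring as the remedy, and WPS sharing or outranking the 911 class) can be made concrete with a small burst simulation. This is an added example, not code from the chapter, OEC, or any carrier: the preamble count, back-off, barring factors, and load figures are all illustrative assumptions, and the channel model is a simplified slotted contention channel rather than a real LTE RACH.

```python
"""Toy model of a random access channel (RACH) under the chapter's 20x overload,
with access class barring (ACB) as the mitigation. Every attempting device picks
one of PREAMBLES preambles; it gets through only if nobody else picked the same
preamble in that slot; collided devices retry after a short random back-off.
ACB is modeled as a per-class probability that a device may attempt in a slot."""
import random
from statistics import mean

PREAMBLES = 54     # contention preambles per RACH slot (assumption)
HORIZON = 300      # slots simulated per scenario (assumption)
MAX_BACKOFF = 2    # max slots a collided device waits before retrying (assumption)

# A burst of devices that all try to start a call at once. The engineered load is
# a constructed figure; 20x is the chapter's overload ratio.
ENGINEERED_LOAD = {"public": 40, "911": 8, "wps": 2}
OVERLOAD_20X = {cls: 20 * n for cls, n in ENGINEERED_LOAD.items()}

# Barring tables: per-slot probability that a device of a class may attempt access.
NO_ACB = {"public": 1.0, "911": 1.0, "wps": 1.0}
ACB_PUBLIC_ONLY = {"public": 0.05, "911": 1.0, "wps": 1.0}    # 911 and WPS share one class
ACB_WPS_ABOVE_911 = {"public": 0.05, "911": 0.1, "wps": 1.0}  # WPS exempt, 911 lightly barred


class Device:
    __slots__ = ("cls", "done_at", "wait")

    def __init__(self, cls):
        self.cls = cls
        self.done_at = None  # slot in which the access attempt succeeded
        self.wait = 0        # remaining back-off slots after a collision


def simulate(load, barring, seed=7, horizon=HORIZON):
    """Run one burst scenario and return per-class statistics:
    {"completed": fraction of devices that got through,
     "mean_slot": mean slot index of success, or None if nobody did}."""
    rng = random.Random(seed)
    devices = [Device(cls) for cls, n in load.items() for _ in range(n)]
    for slot in range(horizon):
        pending = [d for d in devices if d.done_at is None]
        if not pending:
            break
        contenders = []
        for d in pending:
            if d.wait > 0:
                d.wait -= 1
                continue
            if rng.random() < barring[d.cls]:  # ACB check: may this class attempt now?
                contenders.append(d)
        # Every contender picks a preamble; only a preamble chosen by exactly one
        # device succeeds, everyone else collides and backs off.
        picks = {}
        for d in contenders:
            picks.setdefault(rng.randrange(PREAMBLES), []).append(d)
        for chosen in picks.values():
            if len(chosen) == 1:
                chosen[0].done_at = slot
            else:
                for d in chosen:
                    d.wait = rng.randint(0, MAX_BACKOFF)
    stats = {}
    for cls in load:
        group = [d for d in devices if d.cls == cls]
        done = [d.done_at for d in group if d.done_at is not None]
        stats[cls] = {"completed": len(done) / len(group),
                      "mean_slot": mean(done) if done else None}
    return stats


def overall_completion(stats, load):
    """Fraction of all devices in the burst that got through."""
    total = sum(load.values())
    return sum(stats[cls]["completed"] * n for cls, n in load.items()) / total


if __name__ == "__main__":
    scenarios = [
        ("engineered load, no ACB", ENGINEERED_LOAD, NO_ACB),
        ("20x overload, no ACB (RACH collapse)", OVERLOAD_20X, NO_ACB),
        ("20x overload, public barred, 911 = WPS", OVERLOAD_20X, ACB_PUBLIC_ONLY),
        ("20x overload, public barred, WPS above 911", OVERLOAD_20X, ACB_WPS_ABOVE_911),
    ]
    for name, load, barring in scenarios:
        stats = simulate(load, barring)
        print(f"{name}: overall {overall_completion(stats, load):.1%} got through")
        for cls, s in stats.items():
            slot = "n/a" if s["mean_slot"] is None else f"{s['mean_slot']:.1f}"
            print(f"  {cls:>6}: {s['completed']:.1%} completed, mean success slot {slot}")
```

Without barring, the 20x burst keeps the channel saturated and almost nobody gets through for the whole horizon; barring the public class restores throughput, and only the tiered table gets WPS through ahead of the much larger 911 population.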

The National Public Safety Broadband Network (AKA FirstNet)

The National Public Safety Broadband Network (NPSBN) is “a nationwide, standardized, private network with dedicated spectrum to provide public safety access to advanced broadband communications. Once deployed, the NPSBN will enable public safety communications to leverage commercial broadband standards, technologies, devices, and innovations. The NPSBN will also connect to commercial networks and the Internet. Underlying this network will be next generation network (NGN) infrastructure that is converging to packet-switching technology for all forms of communication.”22 Fig. 8.3 provides the overall NPSBN architecture.

There is some overlap between the communications requirements for the NPSBN and NS/EP (Fig. 8.4). Some capabilities like dynamic prioritization and QoS, however, are unique to the NPSBN. These unique requirements can be fully implemented on the NPSBN but may not be (fully) implemented on commercial networks. Public safety users roaming onto commercial networks will need to be aware of these differences and adjust their communications activities accordingly.

The development of the NPSBN provides the US Government an unprecedented opportunity to coordinate and align policies, requirements, and standards in order to enable innovation, create economies of scale, and ensure that both NS/EP and public safety users’ unique communications requirements can be met. A National Security Telecommunications Advisory Committee (NSTAC) report on the NPSBN recommended rationalizing NS/EP and public safety organizations and functions, updating and aligning policies, directing technical initiatives that can support both NPSBN and NS/EP, requiring reporting to facilitate implementation, and addressing funding gaps. Many of these recommendations have not yet been addressed.

National Security: Real-World Attack Scenarios

The challenges of balancing elements like equipment specifications, policies and procedures, and security mechanisms are somewhat different for members of the national security service community than for the emergency management and public safety community members, at least theoretically, because of mandated compliance with FISMA (signed into law as part of the Electronic Government Act of 2002). Policies and procedures, including those that guide product procurement, are more standardized and decision making is more centralized through federal agencies than at the level of state and local governments, in which jurisdictional boundaries are legal and geographical, in addition to being organizational. The differences are converging over time as FISMA and other federal requirements are pushed down to state and local government entities—and manufacturers, consultants, and other business or supply chain partners. Some sourcing practices can be worrisome when applied to national security procurement decisions. For a period of time, as recently as the mid-2000s, 100% of the US Navy's circuit boards were sourced from China. Vulnerabilities can be introduced at lower levels of the OSI stack and cost should not drive procurement decisions.

The particular challenges of mobile, wireless, and VOIP deserve special notice with respect to national security. Nation-state (and quasi-state) actors are adept at exploiting these technologies to further political, territorial, and financial objectives without debilitating concern about whether such activities violate another nation’s sovereign territory. NIST cautions in its fourth revision to SP 800-53:

The vulnerability of WAPs in national security contexts has been used for years to US advantage to intercept radio signals, identify insurgent and combatant locations, and disrupt communication channels and messages. For this discussion about hacking WAPs, however, we will look at examples of attacks against national governments friendly to the United States.

Russia’s attacks in 2012 on mobile phones in the Crimea appear to have been a precursor to physical strikes and perhaps an early warning that Russia was coming. By disrupting Internet service, Russia was able to deny citizens access to the Ukrainian government website. After Crimea’s annexation (March 18, 2014), attacks continued against public and private organizations in Poland and the Ukraine (and also included the European Parliament and the European Commission).26 Reports suggest that Russia had started blocking mobile phone service about three weeks earlier, possibly by jamming wireless signals (phone and radio) using equipment maintained on board its navy ships that were in the Sevastopol port. A few days later (February 28, 2014), several Ukrainian Ukrtelecom offices were taken over kinetically by individuals who cut communications lines.27 This example shows that the convergence of kinetic and cyberattack techniques can be effective for those seeking political and territorial gain as well as for those seeking financial and reputational gain.

The tactics in the Ukraine are similar to the one-two, cyber-to-physical punch Russia delivered to Georgia (summer of 2008), in which conventional assault (by land, sea, and air) followed three weeks after cyberattacks were launched against 54 Georgian websites related to communications, finance, and the government.28 Both Georgia and the Ukraine were perhaps more vulnerable to sustained cyberattack than was Estonia during the attack it experienced in April 2007. At that time, Estonia had earned a reputation as the “most wired country in Europe.” More than 96% of its banking transactions were completed online,29 for example, and its government operations model, according to then-IT director at the Estonian Defense Ministry Mikhel Tammet, was “paperless government.”30 By virtue of its dense Internet coverage and communications network, by taking itself offline during the cyber siege, and by routing Internet traffic around (not through) Russian territory, Estonia weathered the three-week attack well. At the same time, citizens were at a disadvantage with respect to obtaining timely news coverage about what was actually happening.

As troubling as Russia’s use of cyberwar tactics as a complement to conventional warfare tactics is, the takedown of Ukrainian critical power infrastructure in December 2015 may be even more disturbing because of its implication for what the Russian-developed BlackEnergy malware (or other such sophisticated software, regardless of its original source) is capable of doing outside Russia’s immediate geographical sphere of influence. Initially built as crimeware related to botnets and DDoS attacks (this Trojan horse is related to a C&C attack against bank cards in the United States between 2010 and 201331), it has since been refined to cripple ICS and SCADA systems via a payload delivered in compromised MS Word or Excel documents. BlackEnergy’s upgrade includes a backdoor SSH utility, which provides permanent access for attackers.32 According to Kaspersky Labs, “The BlackEnergy APT group is active in the following sectors: ICS, energy, government, and media in Ukraine; ICS/SCADA companies worldwide; energy companies worldwide.”33

The capability of taking a sovereign nation’s power utility infrastructure down is a game changer. Napoleon observed in the 19th century that “an army marches [or travels] on its stomach.” The 21st century version might well be that “an army travels on its internet connectivity.”

Takeaways

• As part of disaster recovery planning, organizations should consider the impact of limited or no communications capability on their recovery efforts. From a personal perspective, when living in San Francisco, I identified, with my daughter and friends, where to meet after an earthquake if communications were out. Similar considerations should be taken for mission-critical personnel and functions, and priorities established for critical communications during emergencies.

• Globally, we need definitions about what constitutes “fair play” and what becomes an act of war or a crime against humanity. Essential electrical power and other utilities for hospitals and other medical facilities, for example, should be protected from wrongful acts by outside parties (even nation-states). “It’s time to start defining rules like ‘Don’t turn off the civilian power grid so hospitals and emergency services can continue’.”34

• We need effective, active, public-private partnerships to build defensive measures and resilience into our critical infrastructure industries. All levels of government must be engaged, including municipalities, to promote a cooperative, nonadversarial relationship with privately owned utilities.

• Promote more threat intelligence sharing throughout economic sectors using platforms like Structured Threat Information eXpression (STIX, “a structured language for cyber threat intelligence”) and Trusted Automated eXchange of Indicator Information (TAXII): international, free, and “community-driven technical specifications designed to enable automated information sharing for cybersecurity situational awareness, real-time network defense and sophisticated threat analysis.”35

• The best practices mentioned for other use case scenarios apply here as well:

    • Administrative OS and network-based measures

    • Security controls and vulnerability assessment/patch management systems

    • Application control

    • Whitelisting-based controls

    • Cybersecurity awareness training (educating your staff) with particular mention of email-based spear-phishing.
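To make the STIX recommendation concrete, the following is an added example (not from the chapter, and not the OASIS reference `stix2` library) that assembles a minimal STIX 2.1 bundle linking a file-hash indicator to a malware object via an "indicates" relationship, and checks the bundle before it would be handed to a TAXII server. The SHA-256 value and the malware description are constructed placeholders, not real indicators.

```python
"""Minimal STIX 2.1 bundle builder and sanity checker (standard library only)."""
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers are "<object-type>--<UUID>".
STIX_ID_RE = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$")
# Properties every SDO/SRO must carry, plus type-specific required ones.
COMMON_REQUIRED = {"type", "spec_version", "id", "created", "modified"}
TYPE_REQUIRED = {
    "malware": {"name", "is_family"},
    "indicator": {"pattern", "pattern_type", "valid_from"},
    "relationship": {"relationship_type", "source_ref", "target_ref"},
}


def stix_id(obj_type: str) -> str:
    return f"{obj_type}--{uuid.uuid4()}"


def stix_now() -> str:
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def build_bundle(malware_name: str, sha256: str) -> dict:
    """Return a bundle: malware SDO, an indicator for its dropper hash, and the link."""
    ts = stix_now()
    common = {"spec_version": "2.1", "created": ts, "modified": ts}
    malware = {"type": "malware", "id": stix_id("malware"), "name": malware_name,
               "is_family": True, "malware_types": ["backdoor"], **common}
    indicator = {"type": "indicator", "id": stix_id("indicator"),
                 "name": f"{malware_name} dropper (constructed sample hash)",
                 "indicator_types": ["malicious-activity"], "pattern_type": "stix",
                 "pattern": f"[file:hashes.'SHA-256' = '{sha256}']", "valid_from": ts, **common}
    rel = {"type": "relationship", "id": stix_id("relationship"), "relationship_type": "indicates",
           "source_ref": indicator["id"], "target_ref": malware["id"], **common}
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [malware, indicator, rel]}


def validate_bundle(bundle: dict) -> list[str]:
    """Return a list of problems; an empty list means the bundle passed."""
    problems = []
    objects = bundle.get("objects", [])
    ids = {o.get("id") for o in objects}
    for obj in objects:
        oid = obj.get("id", "<no id>")
        if not STIX_ID_RE.match(oid):
            problems.append(f"{oid}: malformed identifier")
        for key in sorted(COMMON_REQUIRED | TYPE_REQUIRED.get(obj.get("type"), set())):
            if key not in obj:
                problems.append(f"{oid}: missing required property {key}")
        # A relationship whose endpoints are not in the bundle is unusable by the receiver.
        for ref in ("source_ref", "target_ref"):
            if obj.get("type") == "relationship" and obj.get(ref) not in ids:
                problems.append(f"{oid}: dangling {ref}")
    return problems
```

Dropping the malware object from a built bundle (e.g. by filtering on `type`) makes `validate_bundle` report the dangling `target_ref`, which is the kind of defect a receiving TAXII client would otherwise surface only after ingestion.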

Endnotes