Such a scenario is not beyond the imagination. If a physical attack is possible, and a cyberattack is plausible, it would take little creativity to coordinate the two events, punching a hole in the center of response efforts.
Why is this possible? Ironically the steady improvements in emergency communication also have made those systems more vulnerable to attack. In short, it’s all about the Internet.
It starts with connectivity, with shared infrastructure controls, with intranet components and phone systems all increasingly routed through the Internet. “Everything these days is built out of Web technologies, even systems you would not expect to be connected to the Internet,” said Shuman Ghosemajumder, vice president of strategy at Shape Security in Mountain View, Calif.
Connectivity in turn creates ubiquity. Suddenly all our information assets are available through our physical assets: police cars with video recorders and fire trucks with their own Wi-Fi access points. “We have a lot of IT moving around in incident response,” said J.R. Cunningham, director of the state, local and education practice at security program provider Accuvant.
The company has successfully poked holes in that IT, for testing purposes, and Cunningham has concerns about the fundamental stability of the IT components that underlie emergency service systems. “These systems were not designed to be highly secure,” he said. “Generally they’ve evolved over time, with security often brought in as an afterthought.”
While the risk runs through any Internet-connected system, the threat may be particularly visible in the realm of 911. Where news coverage looks at cyberattacks on institutional networks, it often overlooks the threat to telephony, and yet that threat looms large in the emergency management world, where phone systems often are the link in the chain of incidence response.
“As our 911 centers move into a more fully digital world, those 911 centers are going to be vulnerable to those same attacks that have been plaguing other networks, whether they are financial or commercial,” said Neal Puff, senior security solutions architect for the public sector at Verizon Terremark.
For those looking to spur cybermayhem among emergency responders, 911 is an especially attractive target. First, because the emergency phone system offers a single entry point. An attack on a police station may disrupt that station, but a denial-of-service (DOS) assault on 911 could impact literally every emergency responder.
It goes deeper than this. Because 911 now connects to the Internet, an enterprising hacker could in theory get inside the system and feed it bad information, dispatching responders unnecessarily or diverting rescuers to the wrong destination. While a DOS could hold up response, this kind of insider attack — in which a hacker achieves total control over the system — could have more devastating consequences.