It was only a brief statement during last week’s FirstNet board meeting, but it is one that governors should heed as they prepare to decide whether to accept FirstNet’s deployment plan or to pursue the “opt-out” alternative, which requires the state to build and operate the radio access network (RAN) within its borders for the next 25 years.
“We have been very vocal that we are going to be unrelenting and unforgiving in our approach to an examination of cyber for states as they consider alternative courses,” FirstNet CEO Mike Poth said. “[State officials will] be able to dive deeply into that portal and see what the gold standard will be that they are going to have to match.”
Exactly what “unrelenting” and “unforgiving” would mean in terms of FirstNet action is unknown, but the intent of Poth’s statement seems very clear: FirstNet plans to ensure that cybersecurity policies are executed throughout all parts of the nationwide public-safety broadband network—whether built by FirstNet’s contractor or by a different vendor on behalf of an opt-out state—in a timely manner, without compromise.
This approach makes sense, given the vision that FirstNet should act as a single network that offers similar performance to first responder, no matter where they are located geographically. If a lone opt-out state were allowed to have substandard cybersecurity protections in its RAN, it could undermine cybersecurity efforts throughout the entire integrated FirstNet system.
On the surface, it is hard to imagine any opt-out state philosophically having an issue with updating cybersecurity protections for a mission-critical system like FirstNet. After all, governors want their public-safety communications networks to be secure, right? And state governments pay vendors to secure all sorts of networks—from public-safety LMR systems to IT computer networks—on a regular basis, so that’s not unique.
But there is a big difference: the level of security would not be determined by the state, but by FirstNet and its nationwide contractor.
For the past few years, perhaps the most compelling argument given for states or territories to pursue the opt-out alternative is the desire to have control over the deployment of public-safety broadband services within their jurisdictions.
Control is something that states are accustomed to having, particularly in the case of deploying statewide communications systems. Such projects are designed to meet state needs, and they are implemented on a timeline that works best for the state, given the logistical, political and financial circumstances at the time.
But that will not be the case for an opt-out state in the FirstNet scenario. While the state will get to design the initial deployment of the RAN—something that effectively will have to be approved by the FCC, NTIA and FirstNet—future upgrades will be dictated by FirstNet and its nationwide contractor.
If FirstNet determines that a new cyber threat exists, an opt-out state will be expected to implement any remedy and/or prevention tools at the same time as they are being implemented in the rest of the country. If the remedy is a software update that can be installed remotely over the network, it may not be a big deal. If the remedy requires a more labor-intensive intervention, things could get very complicated—and very expensive—in a hurry.
In fact, no one really knows what will be needed if FirstNet is hit with a cyberattack. The network will have the advantage of being designed with cybersecurity from the outset, instead of having it added as an afterthought, but no one can be certain what the reaction would be today—much less in 20 years, when both offensive and defensive capabilities certainly will have matured tremendously.