The Viking Cop has served in a law enforcement capacity with multiple organizations within the U.S. Executive Branch. He can be found on Twitter @TheVikingCop. The views reflected are his own and do not represent the opinion of any government entities. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.
National Security Situation: Cyber vulnerabilities in regional-level Law Enforcement and Public Safety (LE/PS) communication networks which could be exploited by violent extremists in support of a physical attack.
Date Originally Written: April 15, 2017.
Date Originally Published: May 22, 2017.
Author and / or Article Point of View: Author is a graduate of both University and Federal LE/PS training. Author has two years of sworn and unsworn law enforcement experience. Author had been a licensed amateur radio operator and builder for eleven years.
Background: Currently, LE/PS agencies in the U.S. operate on communication networks designed on the Association of Public-Safety Communications Officials Project 25 (P25) standard, established in 1995[1]. European and East Asian countries operate on a similar network standard known as Terrestrial Trunked Radio.
The push on a federal level for widespread implementation of the P25 standard across all U.S. emergency services was prompted by failures of communication during critical incidents such as the September 11th attacks, Columbine Massacre, and the Oklahoma City bombing[2]. Prior to the P25 implementation, different LE/PS organizations had been operating on different bands, frequencies, and equipment that prevented them from directly communicating to each other.
During P25 implementation many agencies, in an effort to offset cost and take advantage of the interoperability concept, established Regional Communication Centers (RCC) such as the Consolidated Communication Bureau in Maine, the Grand Junction Regional Communications Center in Colorado, and South Sound 911 in Washington. These RCCs have consolidated dispatching for all LE/PS activities, giving smaller jurisdictions the ability to work together better when handling daily calls for service.
Significance: During a critical incident the rapid, clear, and secure flow of communications between responding personnel is essential. The ability of responding LE/PS organizations is greatly enhanced by the P25 standard: because they operate on the same band, unified networks can be established quickly and the flow of information can avoid bottlenecks.
Issues begin to arise as violent extremist groups, such as the Islamic State of Iraq and Syria (ISIS), have been attempting to recruit more technically minded members who will be able to increase the group’s ability to plan and conduct cyber operations as a direct attack or in support of a physical attack[3]. Electronic security researchers have also found various security flaws in the P25 standard’s method of framing transmission data that prove it is vulnerable to practical attacks such as high-energy denial of service attacks and low-energy selective jamming attacks[4][5].
This article focuses on a style of attack known as Selective Jamming, in which an attacker would be able to use one or more low-power, inexpensive, and portable transceivers to specifically target encrypted communications in a manner that would not affect transmissions that are made in the clear (unencrypted). Such an attack would be difficult to detect because of other flaws in the P25 standard, and the attacks would last no more than a few hundredths of a second each[4].
If a series of Selective Jamming transceivers were activated shortly before a physical attack, responding units, especially tactical units, would have minutes to make a decision on how to run communications.
Option #1: Push all radio traffic into the clear to overcome a possible selective jamming attack. This option would require all responding units to disable the encryption function on their radios or switch over to an unencrypted channel to continue to effectively communicate during the response phase.
Risk: The purpose of encrypted communications in LE/PS is to prevent a perpetrator from listening to the tactical decisions and deployment of responders. If a perpetrator has developed and implemented the capability to selectively jam communications, they will likely have the ability and equipment to monitor radio traffic once it is in the clear. This option would give the perpetrator of an attack a major advantage in knowing the response to the attack. The hesitancy to operate in the clear by undercover teams was noted as a major safety risk in the after-action report of the 2015 San Bernardino Shooting[6].
Gain: LE/PS agencies responding to an incident would be able to continue to use their regular equipment and protocols without having to deploy an alternative system. This would give responders the most speed in attempting to stop the attack with the known loss of operational security. There would also be zero equipment costs above normal operation as P25 series radios are all capable of operating in the clear.
Option #2: Develop and stage a secondary communications system for responding agencies or tactical teams to implement once a selective jamming attack is suspected to be occurring.
Risk: A secondary, jamming-resistant system that responding agencies could deploy rapidly would require major cost and planning. This cost factor could prompt agencies to equip only tactical teams with a separate system such as push-to-talk cellphones or radio systems with different communications standards than P25. Any LE/PS unit that does not have access to the secondary system will experience a near-communications blackout outside communications made in the clear.
Gain: Responding units or tactical teams, once a possible selective jamming attack was recognized, would be able to maintain operational security by switching to a secure method of communications. This would disrupt the advantage that the perpetrator was attempting to gain by disrupting and/or monitoring radio traffic.
Other Comments: Both options would require significant additional training for LE/PS personnel to recognize the signs of a Selective Jamming attack and respond as appropriate.
Recommendation: None.
Endnotes:
[1] Horden, N. (2015). P25 History. Retrieved from Project 25 Technology Interest Group: http://www.project25.org/index.php/technology/p25-history
[2] National Task Force on Interoperability. (2005). Why Can’t We Talk. Washington D.C.: National Institute of Justice.
[3] Nussbaum, B. (2015). Thinking About ISIS And Its Cyber Capabilities: Somewhere Between Blue Skies and Falling One. Retrieved from The Center for Internet and Society: http://cyberlaw.stanford.edu/blog/2015/11/thinking-about-isis-and-its-cyber-capabilities-somewhere-between-blue-skies-and-falling
[4] Clark, S., Metzger, P., Wasserman, Z., Xu, K., & Blaze, M. (2010). Security Weaknesses in the APCO Project 25 Two-Way Radio System. University of Pennsylvania Department of Computer & Information Science.
[5] Glass, S., Muthukkumarasamy, V., Portmann, M., & Robert, M. (2011). Insecurity in Public-Safety Communications:. Brisbane: NICTA.
[6] Braziel, R., Straub, F., Watson, G., & Hoops, R. (2016). Bringing Calm to Chaos: A Critical Incident Review of the San Bernardino Public Safety Response to the December 2, 2015, Terrorist Shooting Incident at the Inland Regional Center. Washington: Office of Community Oriented Policing Services.