Why Zero Trust?

I was raised with the old adage that you had to “take the bad with the good.” Your heavy-duty pickup truck comes in handy at the lumber yard but makes you wince at the gas station. You may love a good three-alarm chicken wing at the bar, but you pay for it later. NG911 allows for greater data sharing and interoperability but introduces new cybersecurity risk factors. Ouch… that last one gave me a pit in my stomach. That’s a trade-off that we cannot abide.  

The threats from cybersecurity attacks are so prevalent today that it’s hard to trust anyone or any interface anymore. We cannot even afford to trust the networking that connects all the call processing and delivery systems. Instead, we must move to a security posture that every aspect of every system and technology is vulnerable to intrusion at all times. No more good/bad trade-offs. Or, in the tech world, what we call zero trust. 

For the longest time, our approach to cybersecurity was to build fortress-like walls around our IT systems. We treated them like any other critical infrastructure. Your city hall, courthouse, and police station use all kinds of physical security measures, from access control points to cameras and sensors to mail screening protocols. In IT, we likewise built perimeter “firewalls” to keep the bad guys at bay.   

With those security walls in place, we could then trust anyone on the inside to make use of our systems and share data. But times have changed, of course, in two ways in particular. First, work has changed. Our teams are spread out across multiple locations, and in the case of emergencies or natural disasters, we need the ability to bug out and work from remote locations. Second, we have the convention of the virtual private network (VPN), which relies on the unsustainable use of passwords. I come into the office in the morning, log in, I’m authenticated based on my entry of a username and password, and now I’ve established my credentials. I have access to whatever IT services to which I’m entitled. I’m trusted.  

Unfortunately, we have come to learn that such credentialing is not very reliable, as it relies on people, who are naturally fallible beings. We leave our passwords on stickies in our desks, store them on our phones, or we don’t immediately change a temporary password (“123456” or “password”). One research report estimates that upwards of 25 billion (billion with a “b”) passwords have been captured and circulated on the dark web. 

Over the years, we’ve added some clever tools, like location verification for VPNs (matching the known geography of a user to their IP address) and multi-factor or two-step authentication; but technology advances keep making it harder and harder to implement these tools. Consumers now have access to low-cost VPNs and encryption tools on their phones and laptops to protect their privacy, while multi-factor login verification has become a bit of an annoyance for users (believe me, I get an earful every day on this subject from my colleagues). 

Clearly, it's becoming harder and harder to rely upon such a trust-based approach to security. So, the IT world is now moving from approved trust to zero trust. What is zero trust exactly? Well, according to the National Institute of Standards and Technology: 

Zero trust [architecture] assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned). Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established. 

What does all that mean? It means every time you send me a login request, I am going to validate you, and every time you send me a transaction, I am going to check a certificate that is being passed back and forth via an algorithm…every…single…time. I am going to make you verify that your request is coming via a verified endpoint or that you are another verifiable application or service. Our systems are going to exchange this certificate every time, and we are going to trust nothing. Everything will be encrypted; everything will be untrusted. And we will, in fact, make sure that every transaction is without trust. 

What does all that mean? It means every time you send me a login request, I am going to validate you, and every time you send me a transaction, I am going to check a certificate that is being passed back and forth via an algorithm…every…single…time. I am going to make you verify that your request is coming via a verified endpoint or that you are another verifiable application or service. Our systems are going to exchange this certificate every time, and we are going to trust nothing. Everything will be encrypted; everything will be untrusted. And we will, in fact, make sure that every transaction is without trust.
 
We want to take such a fanatical approach, in part, because the perimeter of the Internet is infinite, and therefore the attack surface is infinite. And that has very real and substantial implications for public safety as we move from a locked down and hardened legacy infrastructure to a more internet-exposed NG911 method of communicating and exchanging information. 

Impact on the PSAP 

Some industry analyses pin a potentially elevated security risk of NG911 on the ESInet (Emergency Services IP Network), SIP (Session Initiation Protocol), and in essence, anything with the letters “I” and “P’ in it. But a protocol itself is not a source of risk as much as what that protocol allows you to do—open your systems up to the Internet and the bad actors who seek to do you harm. In isolation, ESInets are architected in the way that highly reliable and secure telecommunications networks are designed. They do not look as locked down as a traditional CAMA (centralized automatic message accounting) trunk, which is highly secure in that they are a physical direct line between the telco and the PSAP. But ESInets are essentially the IP version of a traffic-engineered network that originates in a data center and directly terminates at the PSAP. 

So, if we accept that ESInets themselves are not the primary NG911 security risk, where should we focus our attention then? Well, unfortunately, it’s so very tempting to poke holes into the fortresses that we build for public safety, as the Internet tempts users with everything from cloud-based software applications to trying to sneak in an online dinner order at the end of a hard shift. 

Allow me, please, to take you into the weeds a bit to introduce an IT term that explains how the tech world thinks and then why we have to look at solutions like zero trust. The concept I’m thinking about is something called “hairpinning.” Hairpinning describes a methodology in networking where instead of putting the cyber gates and hurdles at each point in an enterprise (i.e., at each station where someone requests access to the Internet), you run those requests through a main cyber hub out to the Internet and back again through the hub to the requestor. A hairpin turn for your data, so to speak. The intent was to save IT costs and management resources across the wide-area networks used by large and expansive enterprises.  

As things go in IT, that architecture was carried over as the industry started to design the cloud computing models that we use today. Old habits die hard. And the risk now is that you take this hardened communications infrastructure that you’ve designed for your secure PSAP, and you drill a proverbial hole in it to hairpin connections to the Internet. In the short term, this feels expedient, and you’re able to access the Internet and gain the benefits you want. However, the risk of this approach today is palpable. We would have created a crack in our walled fortress and exposed it to the faceless but ever-present cybercriminals throughout the world—beyond your state or jurisdiction footprint. 

The Internet is effectively the wild west of communications. As discussed, the attempts to build firewalls, web filters, and password protections don’t offer much comfort. So, you seek out some newfangled password or biometric techniques like voice or facial recognition, only to find that those solutions last just a year or two as the hackers find ways to spoof those systems with 3D/AI-enhanced “presentation attacks” that impersonate your trusted users. As such, your IT team may find themselves overwhelmed trying to stay ahead of the ever-increasing threat surface and the horde of cyber hackers halfway around the globe. And, if you are a smaller PSAP, you may be able only to employ the services of a part-time IT director to wage this battle.  

So, given we want all the benefits of NG911 and the various sources of information, and that we can’t police the Internet, then we need a way to route all the call traffic and web traffic based on what is in our control—the way in which we manage the data endpoints that are in our control. The zero-trust approach will likely start to show up in the call handling systems on your desktop, the cloud providers who store your incident recordings, and even email gateways.  

While many of the zero trust endpoints take the form of software code, we expect also for public safety to reexamine the use of computing hardware in the PSAP. Most commercial laptops or desktop servers were designed to make access to the Internet simple and easy, and yes, support an environment of trust. Instead, we should be looking at how to design hardware based on zero-trust principles.  

Take, for example, the Intrado Sonic EDGE appliance, a hardened, locked down, and tightly administered alternative to the telecommunicator call handling station. The zero trust features include a browser that runs in a containerized environment and peripheral ports that won’t automatically autoboot or run .EXE files on a UBS drive, preventing the introduction of malware. A walled fortress on the desktop. The more security engineered directly into the system, the less likelihood of human error.  

The Interoperability Dimension 

Beyond the data and Internet exposure aspect of NG911, the goal of greater inter-PSAP interoperability could theoretically create another dimension of security risk. The idea there would be that if one PSAP were infected with malware, a virus could spread more readily between linked communications centers than it would today, where PSAPs tend to be more digitally isolated. Network trust is traditionally segmented based on “zones” of access control. For example, a “demilitarized zone” of trust is an extra layer of security where interoperability may be facilitated, and tight controls are placed on all connections to the core of a network service. This approach places critical trust in the design, deployment, and ongoing management of our networks and their interconnection. This is simply no longer suitable for the degree of risk that the connection to the Internet currently represents.  

What might be as or more threatening to an interconnected public safety grid could be a scenario where the bad actors out there perceive a bigger target opportunity, in their view, of a fully implemented NG911 ecosystem. Unfortunately, with what appears to be the rise of nefarious nation-state bad actors, we should assume public safety will be on the list of critical infrastructure targeted for disruption. Another brutal truth that we must contest head-on by structurally defending cyber-attack surfaces with zero trust. 

Just as we would harden our physical infrastructure with concrete barriers and bullet-proof glass, we need to harden our information and communications environment by removing all forms of trust. Playwright Anton Chekhov was known for saying, “You must trust and believe in people or life becomes impossible.” In the Internet age, perhaps the opposite is true.