Is FirstNet secure enough for law enforcement?
Connecting state and local government leaders
Although California eventually decided to opt into the FirstNet national public-safety wireless broadband network, it raised concerns about the network's compliance with Criminal Justice Information Services requirements.
Although California eventually decided to opt into the FirstNet national public-safety wireless broadband network, the director of California’s Office of Emergency Services (CalOES) has raised concerns about FirstNet’s compliance with Criminal Justice Information Services (CJIS) requirements.
“AT&T’s core network is not presently Criminal Justice Information Services (CJIS) and California Law Enforcement Telecommunications System (CLETS) compliant,” states the Dec. 28, 2017, letter from CalOES Director Mark Ghilarducci to FirstNet CEO Mike Poth notifying FirstNet of California's decision to opt in. AT&T won the contract to build the country’s first nationwide public-safety network on March 17, and by the end of December, all 50 states had opted to use it.
The FBI’s CJIS policy provides standards for the creation, viewing, modification, transmission, dissemination, storage and destruction of criminal justice information such as fingerprints or criminal history. To be compliant with CJIS, providers must implement access controls such as multifactor authentication, encrypt data at rest and in motion, lock users’ sessions after a set period of inactivity, and monitor usage, including password changes.
“If law enforcement community is going to use this system, then it must be secure and meet the [the Justice Department's] security requirements,” Mitch Medigovich, deputy director of public-safety communications at CalOES, said in an email. “If the system is not compliant, then agencies will find another secure system.”
In an emailed response, an AT&T spokesman listed the many security features the $40 billion network will have, such as end-to-end FIPS 140-2-compliant virtual-private network solutions, radio, transport and network core encryption, and advanced physical and logical security protocols.
“As we have previously explained to California and will continue to work with them on the matter, the system was never designed to meet all the elements of the FBI’s CJIS Security Policy (CSP),” the spokesman wrote, “as many of these elements are the responsibility of individual criminal justice agencies or each state’s CJIS System Agency as required under the shared management philosophy of the CSP. ”
California is the only state that raised concerns about FirstNet’s compliance with CJIS, the spokesman added. “Others may have made their own determinations on how FirstNet can help to meet their CJIS compliance requirements. This shows that an entity’s compliance needs can vary from the state level down to the agency.”
AT&T recommended that California implement tools from NetMotion, a provider of mobile performance and analytics solutions that are in use at 80 percent of state law enforcement agencies nationwide. AT&T would charge users for this application.
The state took issue with that proposal. “We did not feel we should be charged extra,” Medigovich said. “If the agencies that are going to be using the system require it to be secure, we shouldn’t have to pay more.”
NetMotion officials cautioned that their solutions don’t translate to automatic CJIS compliance, which has no standardized approach. Although the company’s tools protect criminal justice information end to end, agencies still must customize the solution to meet their specific requirements.
“We do provide a substantial part of what is needed to be compliant [with CJIS], but you don’t just go deploy NetMotion and suddenly you’re CJIS-compliant,” the company's Vice Presidents of Products John Knopf said. “Every department has to read through the CJIS specification and implement that the way in which they need.”
If agencies do that, they can be CJIS-compliant regardless of the network, added Steve Fallin, Netmotion mobility product manager. “For instance, if you bought services from Sprint, Verizon, some other division of AT&T mobile … we’re going to support you and your security mission on those networks as well,” Fallin said. “From that perspective, the FirstNet offering that AT&T is putting together is just another network of the type that we’re very familiar with.”
California was the last state to opt in to FirstNet. In November 2017, it issued a request for proposals from vendors that would build and maintain the radio access network should the state opt out, but on Dec. 28, Gov. Edmund Brown announced, “While California remains concerned that the proposed plan does not address all our State’s needs, California is opting into the plan with the expectation that our concerns will be address throughout our partnership.”
“AT&T is committed to ensuring that our criminal justice and non-criminal justice FirstNet customers with a need to be CJIS-compliant are fully aware of the value-added services that the FirstNet ecosystem provides,” the spokesman said. “Our FirstNet Strategy and Policy Team stands ready to help such agencies fully understand the mobile device and network compliance requirements of the CJIS Security Policy and how the FirstNet ecosystem does or does not meet such requirements on its own or through the use of value-added or external services and solutions.”
Medigovich said the state continues to work with the company “to ensure a long-term partnership."