Cybersecurity Is Up To You

As professionals in the realm of emergency dispatch, it’s understandable that 911 has become our everyday background, nearly taking for granted the hundreds of infrastructure systems that hold up our lifesaving critical 911 service.

Public Safety Answering Points (PSAPs) and Emergency Communication Centers (ECCs) in the United States are fueled by over 105,000 calltakers,¹ each playing a part in answering 240 million emergency calls for help, annually.² Perhaps the large scope of public safety provides a sense of comfort for the most critical networks in the country, and yet the trust, confidence, and safety of 911 is not unbreakable.

As we move into the Next Generation 911 environment, we must consider our responsibility in preserving the center of gravity of all emergencies nationwide, our connection from the public to our first responders, and ultimately our sense of national security.

Importance of cybersecurity

Joe Wassel spent 28 years in the United States Air Force—12 years active duty and 16 in the reserve—focusing mainly on communications and cybersecurity throughout his career. From 2001–2008, he took on the role of a Civilian Director of Communications for the United States Secretary of Defense, focused on being connected, informed, and prepared for the largest possible threats against the largest government organization in the world—and with access to nuclear weapons.

With a larger perspective than just land, air, and sea, Wassel has long been focused on the only human-made domain that connects all the others: cyberspace.

“When we become vulnerable to cyberattack, all other domains fail,” Wassel said. “Think about life flight trying to fuel up before transport and the credit card doesn’t work. If you can’t get authorization from the pumps, your resources are grounded. Attackers don’t have to blow up the helicopter to disrupt your ability to respond to an emergency.”

In public safety, there is nothing quite as accessible as 911, a strength that also paints a target for disrupting the system and destroying the public’s trust in its capabilities.

“Cybersecurity is THE greatest threat to 911; these are words to live by,” Wassel said. “The wake-up call is that you do not have a capability if you do not have a counter measure. You can’t build things for a blue-sky day because we don’t live in a blue-sky world.”

When it comes to cybersecurity, preparation requires having the right answers to the worst questions in advance and not a fallback hobby of hoping for the best. Tackling real risks means creating your own arsenal for when (not if) things come crashing down from myriad causes such as natural disasters, maintenance/system disruptions or failure, and malicious attacks.

“It turns out that cybersecurity IS everything, but you still have to be able to sleep at night,” Wassel said.

That’s where the success and safety of each 911 communication center must focus on obtaining support and resources, planning and maintaining security measures, and anticipating evolving threats.

Support and resources

Innovative founding father Benjamin Franklin probably couldn’t have envisioned today’s 0’s and 1’s connecting the world when he coined the phrase, “An ounce of preparation is worth a pound of cure” in 1736. Yet this proverb resonates in the field of cyber warfare, where early efforts can prevent costly, significant damage later on.

A great first step for each communication center is utilizing resources provided by CISA, the U.S. Cybersecurity & Infrastructure Security Agency—an agency dubbed “America’s Cyber Defense Agency” and a resource hub for 911 centers.

Like your personal cyber bodyguard, CISA provides real-world case studies, response and recovery planning, cybersecurity awareness and training (checklists); protects networks from cyberattacks; assists with design and implementation; and performs risk assessments. You can report cyber incidents 24/7 at report@cisa.gov or 1-844-Say-CISA.³

For questions on myriad topics, SAFECOM and the National Council of Statewide Interoperability Coordinators (NCSWIC) provide a resource library of topics including best practices, planning tools, encryption processes, interoperability functions, impacts of new technologies, etc.⁴

Brandon Abley, Chief Technology Officer for NENA: The 9-1-1 Association, encourages each center to become familiar with NENA’s resources that are instrumental in developing standards addressing the technical and operational aspects of 911 and Next Generation 911 (NG9-1-1).

“You have to realize our 911 system is not just one system,” Abley said. “It’s thousands of PSAPs and ECCs statewide and hundreds of individual 911 systems originating from metropolitan, regional, and county bodies, etc. Anywhere you go, you can dial 911 and it connects you with the emergency line. Callers don’t think about it, but it only works because of the NENA standards.”

Consulting with CISA, the Federal Communications Commission (FCC), and a federal advisory committee along with dozens of volunteer experts, NENA has created a guidebook (and checklists) for security in 911. Additionally, they’ve developed a crosswalk with the National Institute of Standards and Technology (NIST) guidance that serves as a core reference for any enterprise in North America. This tool enables organizations to audit and build a cybersecurity framework (see adjoining Resources list).

NENA also provides resources for cybersecurity awareness. It hosts varied security sessions on threats and responses to help build defenses to your IT landscape, and provides strategies for a quick recovery.⁵ Of particular note are NENA’s standards and guidance on NG9-1-1 security, including NENA-STA-040, Security for Next Generation 9-1-1 Standard (NGSEC);⁶ NENA-REF-012, Next Generation 9-1-1 Security Audit Checklist Reference Document;⁷ NENA-REF-013, NIST CSF 2.0 Crosswalk Reference Document;⁸ and the upcoming NENA Security crosswalk to NIST 800-53 (rve.5)⁹ reference document.

But resources will only get you so far if you don’t have surrounding support.

Building relationships

“In this interconnected world, there are no islands,” Wassel said. “On a very bad day for 911, it takes only one person to take it all down. Yet it takes everyone working together to bring it back up. We don’t have anything without the network.”

The best scenario is for different divisions to work together—such as military and public safety—connecting with a united purpose to protect the system that sustains them all.

“People expect me to talk about technical aspects of cybersecurity such as firewalls, but the key to protecting this framework is understanding that humans are still in charge,” Wassel said. “We need three ships—leadership, partnership, and friendship—because information moves at the speed of trust.”

Connection is the key to building such trust. As a center, consider connecting with local county and state 911 teams, and don’t overlook your universities and schools, according to Wassel. They have classes, leadership labs, and incredibly capable people with credentials in operational experience and exposure.

Another resource few think of is your state’s National Guard. Their Chief Information Officer (J-6) manages command, control, communications, and computer (C4) systems, leading Information Technology and cyber requirements. They can provide specialized aid, particularly regarding your state’s specific regulations.

Planning and maintaining safety measures

When it comes to the operability and continuity of 911, there is no spare moment to have systems down, which is where each center must focus efforts on both redundancy and resiliency to continue providing emergency services without interruption.

Redundancy entails creating duplicates of critical components (hardware, software, network, data) or IT systems so that alternative resources are always available. The goal of redundancy is to eliminate single points of failure in your IT environment.¹⁰

Similarly, resiliency is about designing systems to anticipate, absorb, and recover from failures, through adaptive design, automated failover (switching to backup systems), and proactive chaos testing.¹¹

Wassel suggests the foundation of “PACE” planning, which stands for “Primary, Alternate, Contingency, and Emergency” communications plans to prepare for backup capabilities.

“If Primary is all you can afford (or prioritize), you need to rethink your model,” Wassel said. “These tools need to be updated, patched, replaced, and upgraded. You have to think about all aspects of multiple systems working together. Adding or subtracting can have unintended consequences that can bring the network down.”

Individual impact

Each person that touches a network has the potential to expose vulnerabilities, which is where training enters the picture.

“My opinion is that the weakest link in cybersecurity is the people that work for you,” Abley said. “They need awareness beyond the annual webinar and quiz. All the safeguards in the world cannot protect against the exposure introduced by the people who use these systems.”

For instance, emergency dispatchers may not understand that hackers can manipulate and gain access by simulating authority. With advancing AI becoming more convincing, it’s become a cat-and-mouse game of advancement and detection of these tools.

“In the realm of 911, we need to have the mentality that we are always under threat and at risk,” Abley said. “Just as you use SMS, passwords, and fingerprint checks to access your own bank account as part of your personal investment in that security, you need to have the same discipline for your center’s data.”

Cybersecurity really is up to you.

“You have to find the right echelon of training for each level of user,” Wassel said. “You can reach out to the industrial base of IT companies for them to come in and do assessments, join your team, test your systems, and test your people.”

The teams performing cybersecurity audits will find all sorts of vulnerabilities, especially when they first put the center to the test.

“You just don’t know how many holes are in your systems until they find them,” Abley said. “Ideally they are found by a professional, not an attacker.”

When all else fails, you’ll want an action plan that considers potential consequences and access limitations, outlining the resources and steps that will be needed to recover from a cyber event.

“Though having a plan doesn’t ensure things will always go according to plan, you’re better off having forged the relationships and resources to draft one,” Wassel said.

Types of threats

When you’re building the most important network for your data, connections, and resources, make no assumptions of resilience.

“You can’t say, ‘We don’t get tornadoes here,’” Wassel said. “‘I can’t see any evidence of hackers,’ or ‘They haven’t done anything on our network; they must not be here.’ That’s a false hope—a game face.”

Getting to know these dark shadows on the horizon will make you want to beef up your defenses.

Some cyber attackers seek to immediately disrupt or compromise the system. In the 911 realm, we particularly watch for Telephony Denial of Service (TDoS) attacks where malicious high-call volumes are designed to overwhelm and incapacitate the limited staff tasked with answering every call.

Server attacks are another concern, especially in the NG9-1-1 IP environment and with Real-Time Text (RTT) being deployed across the United States. As emergency communication centers integrate new features like 911 video streaming services and artificial intelligence components, these platforms create more capabilities to protect, requiring new safeguards.

One such safeguard is Next Generation Public Key Infrastructure (PKI) security functions as well as support for STIR/ SHAKEN, which help prevent server attacks and data breaches from unauthorized sources by verifying identities through digital certificates.

With STIR/SHAKEN, emergency dispatchers can expect to see a name and phone number and a visual indicator like a green check mark indicating a valid customer. A shady VOIP operator or spam caller shows a visual indicator like a red check mark—the first defense against impersonation attacks. This is the same mechanism used on your cell phone today.

Though not widely publicized, ransomware attacks are commonly dealt with quietly at nearly any institution (library, county, government, state), but these attacks are more detrimental in 911, which serves as an anchor to its community.

“Mercifully, most widespread 911 outages are accidents like a fiber cut somewhere,” Abley said. “But occasionally lines are compromised intentionally. You can’t be surprised. You have to exercise your restoration plans so that you can get back on your feet.”

Meanwhile, other attackers play the long game by infiltrating systems with stealthy persistence for future control. In the emergency services, data theft includes personal records, dates, times, addresses, response times, and exposure of weaknesses that can be exploited to breed chaos during a large-scale emergency.

Because of the large scope of cyber threats, centers should be cautious and mindfully create protections as they adopt new processes.

“Public safety never wants to be on the bleeding edge of technology,” Wassel said. “New technology must first be proven before implementing more at our fingertips. Only then is it good enough for our citizens.”

Individual roles

Though cybersecurity can be complex, you don’t have to be an expert to protect your agency. Often the basics can protect you from common chinks in your armor like changing your password, locking your computer, raising concern over unauthorized emails or messages, avoiding unsecure websites, committing to not plugging in unknown flash drives or devices, and verifying your web destinations.

“We each have an attack surface, a cyber footprint that creates vulnerability,” Wassel said. “You have to be aware of that without being crippled by it, choosing your path consciously.”

As you consider your cyber activity, overlay the reality of protecting the things that matter most to you in the real world.

“You avoid obvious dangers,” Wassel said. “For instance, in the Department of Defense (DOD), we haven’t used a thumb drive since 2010. Just as you wouldn’t go out at midnight in a rough part of the neighborhood, don’t consciously open yourself to cyber threats that are just as real.”

It’s important to remember that cybersecurity is not just the director’s responsibility. “It’s every single person in the organization, from the top administrators to the pop’n fresh dispatcher that just joined the team,” said Ty Wooten, IAED™ Director of Governmental Affairs. “Everyone has a role to play.”

Conclusion

“In the realm of 911, we already have to be at our best when things are at their worst,” Wassel said. “You can’t do that if you don’t have confidence of having prioritized, planned, and partnered. It’s a human endeavor to be in control of technical solutions.”

Cybersecurity is a multifaceted concern evolving along with advancements in technology, emphasizing the need for vigilance. As you fulfill your role as a first, first responder, consider the protection you provide the public, not only in answering each call but in preserving their connection to the emergency services.

Sources

1. “Public Safety Telecommunicators.” U.S. Bureau of Labor Statistics. 2025; Aug. 28. bls.gov/ooh/office-and-administrative-support/police-fire-and-ambulance-dispatchers.htm (accessed Feb. 3, 2026).

2. “911 statistics.” National Emergency Number Association. 2021; February. nena.org/page/911statistics (accessed Feb. 3, 2026).

3. “911 Cybersecurity Resource Hub: SAFECOM/NCSWIC resources for Emergency Communications Centers (ECCs).” Cybersecurity & Infrastructure Security Agency. U.S. Department of Homeland Security. cisa.gov/911-cybersecurity-resource-hub (accessed Feb. 3, 2026).

4. “SAFECOM Resource Library.” Cybersecurity & Infrastructure Security Agency. U.S. Department of Homeland Security. cisa.gov/safecom/safecom-resource-library (accessed Feb. 3, 2026).

5. “CIF Cybersecurity Sessions.” National Emergency Number Association. nena.org/page/cifcybersessions (accessed Feb. 3, 2026).

6. “NENA Standards and Documents.” NENA-STA-040, Security for Next Generation 9-1-1 Standard (NG-SEC). National Emergency Number Association. nena.org/page/standards#NENA-STA-040 (accessed Feb. 3, 2026).

7. “NENA Standards and Documents.” NENA-REF-012, Next Generation 9-1-1 Security Audit Checklist Reference Document. National Emergency Number Association. nena.org/page/standards#NENAREF-012 (accessed Feb. 3, 2026).

8. “NENA Standards and Documents.” NENA-REF-013, NIST CSF 2.0 Crosswalk Reference Document. National Emergency Number Association. nena.org/page/standards#NENA-REF-013 (accessed Feb. 3, 2026).

9. “Workspace.” National Emergency Number Association. dev.nena.org/higherlogic/ws/public/document?document_id=39057&wg_id=dd380f82- 5649-4548-8315-018f503e7b53 (accessed Feb. 3, 2026).

10. Lerch, C. “The Importance of Redundancy in Cybersecurity.” Delinea Blog. 2024; May. delinea.com/blog/redundancy-in-cybersecurity (accessed Feb. 3, 2026).

11. Mitton, L. “Redundancy vs. Resiliency in IT: What’s The Difference?” Splunk, a CISCO company. 2024; Sept. 4. splunk.com/en_us/blog/learn/redundancy-vs-resiliency.html (accessed Feb. 3, 2026).

NENA CYBERSECURITY RESOURCES

Provided by Brandon Abley

• Foundational work in security for NG911, NENA i3 standard (section 5): cdn.ymaws.com/www.nena.org/resource/resmgr/standards/NENA-STA-010.3f-2021_i3_Stan.pdf

• The NG-SEC standard, a comprehensive security framework for 911: cdn.ymaws.com/www.nena.org/resource/resmgr/standards/STA-040.2-2024_SecurityforNG.pdf

• NENA's cybersecurity audit checklist (companion document to NG-SEC) used in routine cybersecurity audits: cdn.ymaws.com/www.nena.org/resource/resmgr/standards/NENAREF-012.1-2025_NENASecu.pdf

• NENA crosswalk with NIST Cybersecurity Framework: cdn.ymaws.com/www.nena.org/resource/resmgr/standards/NIST_CSF_2.0_Crosswalk__NENA.pdf

• Policies for implementing the NG911 Public Key Infrastructure (PKI) described in i3 (developed with the NENA Core Services Committee):

   ο The PSAP Credentialing Authority Certificate Policy: ng911ioc.org/wp-content/uploads/2025/03/NG9-1-1-PKICP-v1.2_March2025.pdf 

   ο The PSAP Credentialing Authority Validation Policy: ng911ioc.org/wp-content/uploads/2022/02/NIOC-PCAValidation-Policy-v1.0-02-09-2022-CLEAN.pdf

• CSRIC VII Report on Security Risk and Best Practices for Mitigation in 911 Legacy, Transition and NG 911 Implementations. Sept. 16, 2020. fcc.gov/sites/default/files/csric7_report_secuirtyrisk-bestpracticesmitigationlegacytransitionalng911.pdf

CYBERSECURITY ESSENTIALS FOR 911 CENTERS: ROLE-BASED BEST PRACTICES

Provided by Ty Wooten, Based on CISA, NENA, and APCO cybersecurity guidance

Front Line Public Safety Emergency Dispatchers

• Verify unexpected requests—confirm through known channels before acting on email requests or clicking on unknown links

• Protect logins—use strong passwords and NEVER share accounts

• Treat systems like life-safety equipment—NEVER use personal USB devices, and always lock screens when away from the console

Supervisors

• Model and enforce cyber hygiene during coaching and shift briefings

• Own incident detection—know reporting processes and treat anomalies as operational incidents

• Integrate cybersecurity into operations and training

Management

• Establish a cybersecurity program aligned with CISA/SAFECOM and other best practices, including multifactor authentication

• Build resilience—maintain incident response and continuity of operations plans

• Invest in training, partnerships, and vendor governance