When, not if — that’s the be-prepared attitude that federal IT and security officials take toward continuity of operations planning.
Agencies are no strangers to calamity. Over the past 10 years, jumbo jets plowed into buildings, a Category 5 hurricane wiped out a major city and a deep-sea derrick dumped millions of barrels of oil into the Gulf of Mexico. In every instance, the federal government took part or led the response and has worked to provide mobile IT and communications infrastructures that can keep up with the demands of disaster recovery and continuity.
If September 11, Katrina and the Gulf spill have had any positive effect, it’s been in driving agencies to map out plans for keeping the lights on and the government running when disaster strikes. Increasingly, those plans rely on equipping employees with mobile communications tools, whether radios, smartphones, 3G tablets or wirelessly connected notebook computers.
The first task always is enabling first responders to communicate with one another and their counterparts in other agencies securely and reliably, says Mark McNulty, MSSI vice president for Motorola, which works on COOP initiatives with the departments of Homeland Security, Justice, Interior and Defense. A major hitch, he says, is that in a disaster, commercial communications networks often are unavailable, and different agencies may employ incompatible wireless technologies.
While some agencies, including the Homeland Security Department, have begun providing 3G smartphones to their employees who handle disaster response, others are looking toward emerging WiMAX technology, which is advantageous for COOP because its mobile broadband capabilities offer greater bandwidth than 3G. The bandwidth bump is helpful both for first responders and for supporting feds who might need to work from home or other remote locations for extended periods.
But as a horizon technology, WiMAX is not without its challenges, including availability and security.
Ready for Anything
“One challenge for federal agencies in these situations is access to the communications network, assuming it still exists and isn’t oversaturated with traffic,” McNulty explains. “You also need to enable communications among multiple levels of government responders, whether federal, state or local — many of which may be using different frequency bands, encryption algorithms and radio channels.”
McNulty says most agencies have standardized on mobile two-way radios that follow the Project 25 (P25) specification, which enables different communications systems to exchange voice and data securely over the same frequencies, and also supports legacy encryption technologies. Different agencies can also deploy wireless Ethernet bridges to bring deployable communications infrastructure into their internal networks in times of crisis, he adds.
“The DHS CIO has distributed systems and data over a large geographical area, with redundant systems for power, communication, security and services being used across the department,” says Larry Orluskie, the department’s director of communications. “The DHS CIO’s COOP program is to ensure that other components, which rely on IT services for national security and critical infrastructure protection, have their hosted systems and data ready and available for use as needed.”
But because WiMAX communications carry over ranges of miles, threats to communications can be almost anywhere within a metro area, says Karen Scarfone, a computer scientist with NIST’s Systems & Emerging Technologies Security Research Group. Agencies must take additional precautions, especially when they’re relying on commercial providers for WiMAX services.
“Whether you’re using a local area network, cell network or WiMAX, any time you’re going from your own internal network to an external network that’s not under your control you should assume it’s untrusted,” Scarfone says. “That means you should always encrypt sensitive data sent over that communications network.”
Protected and Continuous Access
Working with consultants from Booz Allen Hamilton, Scarfone created a set of security guidelines for WiMAX connectivity that was published in draft form by NIST last fall. The guidelines recommend using FIPS-140-validated encryption to protect communications. Some WiMAX networks have this capability built in, while others need to add it using technology such as virtual private network (VPN) tunnels.
“Organizations using a VPN blanket for all their WiMAX communications don’t need to worry about what the carriers are doing,” Scarfone points out. “A VPN can give you more direct control over your security without having to rely on a third party.”
Even then, agencies will need to build in contingency plans for when WiMAX or other wireless technologies are unavailable, notes Bill Roberti, a former Army colonel who heads up the public sector group for management consultants Alvarez & Marsal.
Roberti says he was in the air headed for New York City on Sept. 11, 2001, and on the ground in New Orleans when Katrina hit. In both instances, he says, wireless carrier networks were immediately overwhelmed and rendered useless.
“After Katrina, the Louisiana State Police had no way of getting in contact with the Orleans Parish Police,” he says. “You can’t just assume this technology will work in a crisis. You need to plan for these kinds of things on the front end. By the time you get into a disaster, it’s too late.”
Overall, though, Motorola’s McNulty says agencies are better equipped to handle catastrophes than they were 10 years ago.
“Across the government, everyone is thinking about continuity of operations and wanting to ensure that the problems of previous emergency situations are not repeated,” he says. “I believe the federal government is much better prepared than it was on 9/11 or during Katrina. It’s learned from its previous experience and is building that knowledge into the continuity of operations plans of today.”