(From the July/August Issue of PSC Magazine)

By Jeffrey Cohen

Mobile apps hold great potential to improve public safety. Apps are already being used by first responders for unit dispatch notifications, first aid instructions and an ever-increasing list of capabilities. APCO has engaged in several efforts to ensure that apps for public safety and emergency response are as safe and effective as possible, including launching an online app resource (www.appcomm.org), entering into a memorandum of understanding with FirstNet to collaborate on apps, and participating in mobile app hackathons, just to name a few. On June 2, APCO held a workshop in cooperation with the U.S. Department of Commerce and Public Safety Communications Research Program (PSCR) to address data security issues for apps designed to serve public safety.

The workshop was held at a U.S. Coast Guard facility in San Diego, Calif., and built upon a February 2014 workshop that is summarized in a National Institute of Standards and Technology (NIST) report entitled, “Public Safety Mobile Application Security Requirements.” The NIST report identified the need for the public safety community to provide developers with the security requirements for data being handled by apps. The premise was that mobile apps can be assigned different security requirements by identifying the types of data the apps handle, and examining how the data impacts public safety operations.

The workshop was attended by an especially engaged audience of public safety representatives, security experts and app developers. It began with educational presentations from NIST explaining how the attendees would use a NIST guide to evaluate the sensitivity of data, and from FirstNet offering a perspective of their efforts related to the development of the nationwide public safety broadband network (NPSBN). NIST’s “Guide for Mapping Types of Information and Information Systems to Security Categories” describes three security objectives: confidentiality, integrity and availability. In other words, the audience was instructed to consider three basic questions: 1) What happens if an unauthorized person gains access to the data? (confidentiality); 2) What happens if the data is no longer trustworthy? (integrity); and 3) What happens if the data stops being available? (availability). The severity of the consequences range from a potential loss of life to no impact at all. Whether data should be considered sensitive may depend upon factors that aren’t readily apparent to app developers. For example, consider an app that provides the location of an emergency. The location of car accidents might not be sensitive because accidents commonly occur in public view, but the location of a domestic violence incident might be considered highly sensitive because it raises greater privacy concerns. Public safety professionals recognize differences like this, which can help developers properly secure apps.

Given the complexity of public safety operations, part of the challenge is identifying the data types being used or contemplated for use within the context of a variety of situations. Thus, the workshop had attendees consider various use cases (chemical plant explosion, traffic stop, structure fire, etc.) and identify data that would be helpful in each scenario. Then the participants applied NIST’s evaluation guide to each data type and discussed the reasoning behind the assessment.

Several themes emerged during the workshop. First, as PSAPs and responders in the field are able to share more and higher quality data, operations can become safer and more efficient. This confirmed what we already knew, but as participants stepped through the public safety use cases, what emerged was a detailed vision of the more sophisticated response that will be possible with apps in the future.

Another major theme was that trustworthiness and reliable access are paramount concerns for public safety apps across a wide variety of data types and use cases. This highlights the importance of collaborative efforts between groups like APCO and NIST, the public safety community, app developers, and others to ensure that apps are safe and effective.
A more detailed summary of the workshop’s findings will be captured in an NIST Interagency Report with emphasis on the list of discovered data types and their corresponding security categorizations. This report will be shared with FirstNet to assist its efforts concerning public safety apps. If you’re interested in mobile apps and related-security issues, please contact us so we can include you in future updates. You can also assist by sharing information about the types of data you use, or would like to access, as well as any mobile apps that you already use in your public safety role.

JEFFREY COHEN is Chief Counsel and Director of Government Relations for APCO International. Reach him at cohenj@apcointl.org.