It was only a brief statement during last week’sboard meeting, but it is one that governors should heed as they prepare to decide whether to accept FirstNet’s deployment plan or to pursue the “opt-out” alternative, which requires the state to build and operate the radio access network (RAN) within its borders for the next 25 years.
“We have been very vocal that we are going to be unrelenting and unforgiving in our approach to an examination of cyber for states as they consider alternative courses,” FirstNet CEO Mike Poth said. “[State officials will] be able to dive deeply into that portal and see what the gold standard will be that they are going to have to match.”
Exactly what “unrelenting” and “unforgiving” would mean in terms of FirstNet action is unknown, but the intent of Poth’s statement seems very clear: FirstNet plans to ensure that cybersecurity policies are executed throughout all parts of the nationwide public-safety broadband network—whether built by FirstNet’s contractor or by a different vendor on behalf of an opt-out state—in a timely manner, without compromise.
This approach makes sense, given the vision that FirstNet should act as a single network that offers similar performance to first responder, no matter where they are located geographically. If a lone opt-out state were allowed to have substandard cybersecurity protections in its RAN, it could undermine cybersecurity efforts throughout the entire integrated FirstNet system.
On the surface, it is hard to imagine any opt-out state philosophically having an issue with updating cybersecurity protections for a mission-critical system like FirstNet. After all, governors want their public-safety communications networks to be secure, right? And state governments pay vendors to secure all sorts of networks—from public-safety LMR systems to IT computer networks—on a regular basis, so that’s not unique.
But there is a big difference: the level of security would not be determined by the state, but by FirstNet and its nationwide contractor.
For the past few years, perhaps the most compelling argument given for states or territories to pursue the opt-out alternative is the desire to have control over the deployment of public-safety broadband services within their jurisdictions.
Control is something that states are accustomed to having, particularly in the case of deploying statewide communications systems. Such projects are designed to meet state needs, and they are implemented on a timeline that works best for the state, given the logistical, political and financial circumstances at the time.
But that will not be the case for an opt-out state in the FirstNet scenario. While the state will get to design the initial deployment of the RAN—something that effectively will have to be approved by the, and FirstNet—future upgrades will be dictated by FirstNet and its nationwide contractor.
If FirstNet determines that a new cyber threat exists, an opt-out state will be expected to implement any remedy and/or prevention tools at the same time as they are being implemented in the rest of the country. If the remedy is a software update that can be installed remotely over the network, it may not be a big deal. If the remedy requires a more labor-intensive intervention, things could get very complicated—and very expensive—in a hurry.
In fact, no one really knows what will be needed if FirstNet is hit with a cyberattack. The network will have the advantage of being designed with cybersecurity from the outset, instead of having it added as an afterthought, but no one can be certain what the reaction would be today—much less in 20 years, when both offensive and defensive capabilities certainly will have matured tremendously.
Remember, a nationwide public-safety broadband network is unprecedented, so there is no “playbook” that can be used to make projections. Even if such a playbook existed, it may be of little use in the cybersecurity arena, which is a nascent sector that is evolving constantly in sophistication and innovation.
We don’t know the details of’s cybersecurity policies, but my guess is that remedies typically will be formulated and mandated at the FirstNet/contractor level, not by opt-out states. Opt-out states will be able to determine how fast a cybersecurity update is implemented within their borders, but I’m not sure that’s the kind of “control” that many opt-out proponents have envisioned.
These challenges are not just limited to cybersecurity; they are applicable to the entire network. FirstNet plans to have its network evolve with the latest and greatest wireless broadband technologies, and opt-out states must follow the same path.
As a result, the RAN in an opt-out state will not be a 4Gnetwork that remains static for 15 years or longer, as is the case with many statewide LMR networks. Instead, an upgrade to 5G technology could occur in the early 2020s, and some sort of 6G (maybe even 7G) technology will need to be deployed before the 25-year opt-out obligation expires.
What will the upgrades do and how much will they cost? There is some visibility about what 5G will look like, but the standards beyond that have not even been contemplated. It is reasonable to expect that each new generation of technology will require more sites to deliver greater data throughput, but any cost estimate would be little more than a wild guess. However, everyone agrees that these generational upgrades will not be cheap.
What also can be expected is that the network upgrade timeline will be determined by FirstNet and its contractor. Perhaps opt-out states and their contractors would have some input, but it is hard to imagine a scenario in which an upgrade would be delayed because an opt-out state/contractor was experiencing rough economic times and could not afford to make the network-upgrade investment.
Once again, having to follow a technology-upgrade timetable dictated by FirstNet and its contractor does not sound like the kind of “control” that representatives advocating an opt-out choice are describing.
As is the case with FirstNet at the national level, an opt-out state RAN deployment would be funded largely on the revenues generated by a state contractor selling network services commercially on a secondary basis. It’s a straightforward proposition in concept, but it is much more complicated on a practical level, because there is considerable uncertainty surrounding contracts with highly coveted enterprise customers.
FirstNet officials have stated that they have been talking with federal-government agencies about subscribing to the network on a nationwide basis. What’s not clear is whether an opt-out state would be entitled to any revenue from such subscriptions, but it is difficult to imagine that such agencies would be inclined to cut a separate subscription deal with each opt-out state.
A similar scenario exists with other large enterprises (who may or may not be deemed “public-safety entities”) with operations that span multiple states—for example, utilities, transportation companies, delivery firms and Native American tribal nations. If these large enterprises contract directly withor its contractor, the economic model for a contractor to build out an opt-out state will be impacted negatively.
Would the impact be so great that it would not be worth the contractor’s time to bid for the opt-out state contract? That’s for people much smarter than me to decide, but uncertainty about such key potential customer cannot help matters.
There is one other scenario that potential opt-out states should consider carefully. If FirstNet has a nationwide contract with a large enterprise, what obligations does the opt-out state have to help FirstNet meet the terms of that deal?
Let’s say the U.S. Forest Service—an entity that spends billions of dollars annually to fight wildfires—signs a nationwide subscription deal with FirstNet that includes certain service-level agreements. To provide the service level nationwide, FirstNet may need an opt-out state to invest more money into its RAN. And, because the new sites are located in the forest, there is little chance that opt-out state’s contractor will generate much commercial revenue from them.
How would an opt-out state—or its contractor—feel about funding additionalsites for its RAN that likely will not generate additional revenue for the opt-out state? My guess is that it would not be a popular topic of discussion. And similar scenarios can be conceived for federal or tribal lands, with the added complications of jurisdictional issues.
Now, it is possible that FirstNet and opt-out states could negotiate a business arrangement to address such matters, but that could take considerable legal resources and effort. It also would take time, which will not be on the side of a potential opt-out state. Remember, each governor will have only 90 days from the delivery of FirstNet’s state plan in which to make the opt-out decision.
Currently, three states have issued requests for proposals (RFPs), and sources indicate that as many as 10 more are considering taking similar action. Conducting such procurements makes sense from a due-diligence and preparation perspective—some argue that a completed RFP may be the only way a state can have any leverage during talks about the FirstNet state plans—but an entirely different set of criteria needs to be contemplated before any state or territory decides to pursue the opt-out alternative.
The importance of the FirstNet system to public safety cannot be overstated. With so much at stake, governors in the 56 states and territories should consider carefully all potential short-term and long-term ramifications before making their opt-out decisions. In this instance, a poor choice could result in first responders in the state having a subpar network, as well as possibly creating a very difficult operational and financial hardship in the state for 25 years.