Cyber Resilience in Emergency Communications: Why NG9-1-1 Systems Are at Risk

The Case for Making Cyber Resilience Standard in Emergency Communications Infrastructure

The question facing public safety organizations in 2026 is no longer whether their systems will be targeted. Increasingly frequent attacks on critical infrastructure have shown public safety leaders that cybersecurity threats are inevitable, and they must be ready. Emergency communications infrastructure, once sheltered behind aging closed-circuit networks, is now in the crosshairs of sophisticated organizations ranging from geopolitical adversaries to criminal enterprises. The shift to IP-based next generation 9-1-1 (NG9-1-1) networks and infrastructure has expanded the attack surface, and cyber resilience has become a core operational competency that is as essential to public safety as the communications systems it protects.

The Escalating Threat Landscape in 2026

We only need to look at the data to see how prevalent public safety communications infrastructure has become as the primary target of cyberattacks. In Q1 2025, the telecommunications sector accounted for 28% of all distributed denial-of-service (DDoS) traffic globally, a 48% increase year-over-year. Ransomware attacks targeting emergency communication centers (ECCs) also doubled in 2024. A single telephony denial-of-service (TDoS) attack that year disrupted operations across seven counties and 21 public safety agencies in Texas.

The attacker profile has also shifted. Geopolitical adversaries and criminal organizations now actively target public safety systems, recognizing that the operational pressure on ECCs creates powerful leverage. These systems are intended to always be on, and taking them offline for any period of time is not an option. AI has compounded the challenge: tools like WormGPT create convincing phishing campaigns at scale, voice cloning technology fabricates distress calls that consume emergency response resources, and DDoS-as-a-Service platforms have removed the technical barriers that once limited who could launch an effective attack. Now, anyone can execute cyberattacks like a sophisticated professional.

In 2025, for example, the U.S. Secret Service dismantled a large-scale telecommunications network in the New York tri-state area ahead of the United Nations General Assembly. The network had the capacity to overwhelm cellular infrastructure and block emergency communications, underscoring how real and immediate these threats have become.

Public safety agencies and authorities that delay adoption of critical cybersecurity capabilities and best practices become the biggest targets. A vulnerability at one under-defended ECC can serve as an entry point into neighboring networks and undermine an entire region’s security. Cybersecurity posture is also increasingly tied to grant eligibility, meaning agencies that deprioritize this area risk losing the funding needed to modernize their cybersecurity posture.

The ‘Nice to Have’ Era Is Over

Legacy 9-1-1 systems, built to operate on closed copper wire networks, presented a limited and well-understood risk profile. Their isolation was a security feature, although an unintended one at the time. NG9-1-1 has changed the threat landscape entirely. The same IP-based architecture that enables text-to-9-1-1, real-time video, and interoperable data sharing connects public safety systems to the broader internet and to the vulnerabilities that come with it. Cloud interfaces, IP interconnects, and third-party integrations serve as entry points that did not exist before.

The outdated belief that smaller or specialized agencies are too obscure to attract sophisticated attackers is directly contradicted by the evidence. Ransomware operators have shifted focus precisely toward organizations with limited resources, where the combination of less mature defenses and high sensitivity to disruption maximizes their leverage. Public safety service disruptions erode public trust, failed emergency responses carry irreversible human costs, and the regulatory and reputational exposure following a breach can consume agency resources for years. The question is no longer whether agencies can afford to invest in cyber resilience, but whether they can afford not to.

The Cyber Resilience Framework for Public Safety Infrastructure

Forward-thinking agencies are building resilience into their operational fabric while leveraging AI across all three core pillars: zero trust security models, hybrid cloud architectures, and continuous monitoring with automated response.

Zero Trust Security Models

Zero trust replaces the assumption that anything inside the network boundary is safe with a requirement for continuous verification. No user, device, or system is trusted by default. For ECCs, implementation begins with multi-factor authentication (MFA), the highest-impact control available and still surprisingly underutilized. Beyond MFA, conditional access policies evaluate login credentials before granting access to users, and administrative privileges are scoped to operational necessity, limiting access to the systems those roles must regularly use. Smaller agencies can immediately and easily start with MFA and network segmentation; larger agencies can layer in privileged access management and endpoint monitoring depending on the resources currently available. Zero trust is an architecture built incrementally, in which every progressive step substantially reduces risk.

Hybrid Cloud Architectures

NG9-1-1 migration is inherently a move toward cloud-connected infrastructure. Hybrid architectures distribute workloads across on-premises and cloud environments, providing the scalability and continuity benefits of cloud computing while preserving local control and survivability. The most critical resilience benefit is geographic redundancy to ensure emergency call recording, dispatch data, and communications remain accessible even if a primary facility is compromised. Immutable backup configurations, following the 3-2-1 rule, provide a last line of defense against ransomware. Public safety agencies must also require security documentation from any cloud technology partners and treat vendor security management as a continuous obligation, not a one-time procurement check.

Continuous Monitoring and Automated Response

Real-time threat detection is now a baseline expectation, not an advanced capability. Security orchestration, automation, and response (SOAR) platforms enable predefined response playbooks that activate when threats are detected. These platforms are critical in environments where staff are specifically trained for emergency communications, not cybersecurity incident response. Threat intelligence sharing through Information Sharing and Analysis Centers (ISACs) provides advance warning of emerging attack methods. No individual agency has full visibility into the threat landscape, but collective intelligence programs multiply the defensive value of every participant’s investment.

Building Resilience – A Path Forward

Cyber resilience is an ongoing commitment, not a one-time project. Priorities will vary by agency maturity, but the direction is the same.

Immediate Actions

Every agency should begin with a comprehensive cybersecurity posture assessment to understand what systems are at risk and where gaps exist. MFA deployment should follow as the first implementation priority. Immutable backup strategies should be established and tested before an incident can occur rather than after a breach takes place. Vendor security evaluations should identify third-party risks and set baseline requirements for all technology partners.

Medium-Term Investments

As foundational controls mature, agencies should move toward full zero trust architecture implementation, including network segmentation, conditional access policies, and privileged access management. Continuous monitoring platforms provide the real-time visibility required to detect and contain threats quickly. Staff training programs address social engineering, which is still one of the most prevalent attack vectors, and build a workforce that can recognize and report suspicious activity.

Long-Term Considerations

Quantum computing will eventually render current asymmetric encryption practices obsolete. NIST has been developing post-quantum cryptography (PQC) standards in anticipation; agencies procuring infrastructure today should ask vendors about PQC readiness. Supply chain security requires ongoing attention as vendors become increasingly targeted attack entry points.

At the federal level, sustained support is essential: extending the Cybersecurity Information Sharing Act, updating funding assessments to reflect the true cost of NG9-1-1 deployment and cybersecurity enhancements, and standardizing security frameworks. Grant programs should also continue to require demonstrated cybersecurity capabilities as a condition of eligibility.

Always-On Security, No Matter What

The public has no visibility into the cybersecurity posture of the agencies protecting them. They simply expect that when they dial 9-1-1, someone will answer. Meeting that expectation in 2026 and beyond requires building, investing in, and continuously improving a cyber resilience capability worthy of trust.

Cyber resilience is not about building an impenetrable wall. Instead, it’s focused on ensuring critical public safety services remain always-on, always accessible, and always trustworthy regardless of what threat actors attempt. The convergence of a broader threat landscape, an expanded NG9-1-1 attack surface, and AI-enabled attack capabilities means the window for gradual security improvement is narrowing. Agencies that make cyber resilience a genuine operational priority now will be the ones their communities can rely on when it matters most.

ABOUT THE AUTHOR

Charles Gifford

Charles Gifford is the vice president of information security at Intrado Life & Safety, where he oversees cybersecurity strategy and risk management in the development of NG9-1-1 and public safety technology solutions. In his role at Intrado, Gifford also ensures compliance with evolving regulatory standards to support elevated security of critical emergency communications and response infrastructure, while informing the development of new regulations through close collaboration with U.S. federal policymakers. He previously served as the chief information security officer at United Launch Alliance, and as the global director of IT security for the Ball Corporation. Gifford holds a master’s degree in information assurance from the University of Maryland Global Campus, as well as a B.S. from Wright State University.
