Support for Police Use of National Institute of Standards & Technology (NIST)-approved AES Encryption Standard(s) in Voice and Data Communications
Submitted by: Communication and Technology Committee
Cosponsored by: Computer Crime and Digital Evidence Committee, Police Investigative Operations Committee
WHEREAS, when state and local first responders choose to use encryption, they must strike a balance between transparency of police operations that may build public trust, and a need at times to covertly operate to ensure operational security and protect call for service information about the citizens they serve. The use of encryption is a local decision, and this resolution is intended to recommend best public safety practices for land mobile radio (LMR) and data encryption when there is a decision to encrypt and that those encrypted communications be retrievable for later production as necessary; and
WHEREAS, when public safety requires secure voice and data communications to avoid the interception of information by nefarious actors, public safety LMR systems have used a variety of encryption methodologies for many years; and
WHEREAS, public safety previously used digital trunking LMR²⁵ systems, which until recently provided a measure of security as digital communications could not be easily monitored; however, today, digital systems are easily monitored using radio service applications on mobile phones by anyone, anywhere; and
WHEREAS, police are charged with conducting investigations on police, criminal investigations involving undercover operations and surveillance, and investigations on other government employees who have access to public safety communications or who can be alerted by individuals “without a need to know” about a police investigation through access to unencrypted public safety communications known as “in the clear”; and
WHEREAS, public safety has a responsibility and obligation to the public to shield sensitive information collected from individuals from finding its way to criminal suspects, thereby compromising trust in police to keep “law enforcement sensitive” information secure. Securing data via encryption is a necessity; and
WHEREAS, public safety faces cybersecurity attacks such as ransomware, which brings to the fore a need and public demand to secure police information via encryption. Both public safety voice and data files need protection from these types of attacks, which threaten to compromise confidentiality of public safety sensitive information and disclose it into the public domain by nefarious actors; and
WHEREAS, in 2001, the National Institute of Standards & Technology (NIST)²⁶ retired support of the Data Encryption Standard (DES) encryption methods and replaced DES with support of Advanced Encryption Standard (AES). AES is a cryptographic cipher that uses a block length of 128 bits and key lengths of 128, 192, 256 bits, or more depending upon application. Project 25 (P25) standards, the recognized public safety grade LMR standards, recommend use of AES as the LMR encryption standard. NIST continues to update a suite of standards and modify data encryption standards for data at rest and data in transit. NIST AES standards will evolve to mitigate the use of greater computing power, which allows decryption of data communications and information by nefarious actors; and
WHEREAS, if public safety LMR radios are capable of only accepting one crypto key, AES 256²⁷ is the choice to allow interoperability with other federal, state, and local agencies; and
WHEREAS, state and local first responders procure most of the LMR and data communications equipment and are responsible for appropriate storage, and the International Association of Chiefs of Police (IACP) has long provided guidance on best practices regarding communications and technology issues, consistent with that history, public safety agencies are encouraged to require NIST-recommended standards appropriate for their application using AES in all requests for information (RFIs) and requests for proposals (RFPs); therefore, be it
RESOLVED, that the IACP strongly urges public safety agencies choosing to encrypt voice and data communications to choose the NIST-recommended AES suite for their future evolved encryption schemes, and require AES encryption standards appropriate for their application in all RFIs and RFPs; and be it
FURTHER RESOLVED, that the IACP strongly recommends public safety agencies adopt the AES 256 standard for police LMR operations and where appropriate, for use on Federal Communications Commission (FCC)-licensed channels specifically set aside for encrypted interoperability; and be it
FURTHER RESOLVED, that IACP recommends international agencies adopt appropriate similar interoperable national encryption standards when AES is unavailable or impractical for their use.
26 See Morris J. Dworkin et al., Advanced Encryption Standard (AES), Federal Information Processing Standards 197 (Washington, DC: National Institute of Standards and Technology, 2001); see Security and Privacy Controls for Information Systems Management, Rev. 5, NIST Special Publication (SP) 800-53 (2020); Digital Identity Guidelines, NIST SP 800-63 (2020); and Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Rev. 2, NIST SP 800-171 (2020) for specific and updated encryption standards across voice and data systems, networks and platforms.
27 SAFECOM, FPIC, and NCSWIC, Guidelines for Encryption in Land Mobile Radio Systems (Arlington, VA: Cybersecurity and Infrastructure Security Agency, rev. 2020).