Exercise #039 · Ransomware · CAD-Down · Cyber Infrastructure · January 21–30, 2024

Nine Days Without CAD — Bucks County Ransomware

On January 21, 2024, Bucks County's CAD system went dark. MDTs went black. NCIC access vanished. The phones still rang. Dispatchers ran their center on pen and paper for nine days — and refused to pay the ransom.

Threat actor: Akira ransomware-as-a-service group
CAD offline: 9 days · January 21–30, 2024
Agencies affected: 130+ police, fire, EMS
Population served: ~650,000
Ransom paid: $0 — county refused to negotiate
911 calls missed: 0 — phones and radio remained operational
Recovery: Rebuilt from county's own backups · PA National Guard cyber units deployed
Data exfiltration: No evidence found in forensic investigation

Tags: Ransomware · CAD-Down · Cyber Infrastructure · Multi-Agency · Pre-Incident Planning · Manual Dispatch

1. Opening

On January 21, 2024, the Bucks County Department of Emergency Communications in Ivyland, Pennsylvania, discovered its computer-aided dispatch system was offline. The cause was a ransomware attack. The culprit, identified days later, was Akira — a ransomware-as-a-service operation active since March 2023 that had already hit governments, hospitals, and financial institutions across multiple countries. Akira accounted for roughly 12 percent of all ransomware incidents globally in January 2024.

Bucks County is not a small operation. The center serves a population of about 650,000 people and handles 911 calls for more than 130 police, fire, and EMS agencies. When the CAD went down, so did the in-vehicle mobile data terminals in patrol cars and fire apparatus, the alert apps that notify firefighters of active calls, station printers, and access to the National Crime Information Center and Pennsylvania's Commonwealth Law Enforcement Assistance Network. Dispatchers lost their map overlays, their unit tracking, their pre-planned response templates, and their ability to digitally log incidents in real time.

What they did not lose was their phone system, their radio, and their training. For nine days, Bucks County dispatchers ran their center by hand — pen, paper, and spreadsheets. They received 911 calls, sorted which companies should respond, and relayed dispatch information over the radio the way centers operated before CAD existed. Fire chiefs reported slowdowns and friction. Nobody reported a catastrophic failure of emergency response.

2. Dispatch Timeline

What the comm center saw, and when. Each entry is tagged with its operational dimension (CRITICAL, DISPATCH, COMMS, WARNING, ESCALATION).

Jan 21 — Day 1 [CRITICAL]
Bucks County Department of Emergency Communications CAD system goes fully offline. Ransomware attack confirmed. Phone and radio systems remain operational. Dispatchers immediately shift to manual fallback: pen, paper, and spreadsheets. MDTs in field units go dark. Station alert apps stop functioning. Station printers go offline. Access to NCIC and CLEAN databases cut.

Jan 21–22 — Day 1–2 [DISPATCH]
Dispatchers manually sort responding companies for each call — a process normally automated by CAD. Information that would display on an MDT screen is relayed verbally over the radio. Fire companies report that dispatches are slower due to the manual process. County spokesperson confirms the outage but provides no timeline for restoration. Attorneys advise county staff not to discuss details publicly.

Jan 22–23 — Day 2–3 [COMMS]
Federal law enforcement, including the FBI, begins investigating. Pennsylvania National Guard cyber units deploy to assist with response and restoration. Forensic and legal consultants brought in. County confirms no indication that other county systems have been compromised beyond the CAD environment.

Jan 24–28 — Day 4–8 [WARNING]
No timeline for restoration provided to partner agencies. Fire chiefs describe slowdowns but characterize the situation as manageable. Police departmental data systems, which run separately from the county CAD, remain operational. Akira group officially identified and disclosed to law enforcement partners.

Jan 29 — Day 9 [COMMS]
Restoration begins. County confirms Akira ransomware as the attack vector. Notifies state and federal partners. No ransom paid, no negotiation entered, no evidence that data was copied or extracted from the CAD system.

Jan 30 — Day 9 PM [ESCALATION]
Partial restore. Core CAD functionality restored. Dispatchers use automated dispatch system for first time since January 21. NCIC and CLEAN database access restored. Alert apps, station printers, and in-vehicle MDTs still not fully functional. County announces it rebuilt from its own backups without paying the ransom.

3. The Dispatch Picture

The center's director, Audrey Kenny, told the public and partner agencies plainly: "If you call us for an emergency response, our dispatchers will get you the help you need." The county refused to pay the ransom. Refused to negotiate. Rebuilt from its own backups with help from the Pennsylvania National Guard, federal law enforcement, and forensic consultants. A forensic investigation found no evidence that any data had been extracted from the CAD system. Core functionality was restored on January 30 — nine days after the attack began. Full restoration of all connected systems took longer.

The Bucks County attack did not happen in isolation. Between 2016 and 2018 alone, cybersecurity firm SecuLore Solutions documented 184 cyberattacks on public safety agencies and local governments, with 911 centers directly or indirectly targeted in 42 of those cases. The pattern is consistent: PSAPs are targets because they are critical infrastructure, often underfunded for cybersecurity, and frequently running legacy systems with known vulnerabilities. The entry points vary — weak passwords, unpatched systems, phishing, vendor access — but the result is the same: CAD goes dark, and someone has to figure out how to keep the phones answered and the units moving.

This exercise is not primarily about cybersecurity. It is about what happens in your comm center on day one, day three, and day nine when your CAD is a black screen and your job is still to get help to people who are calling for it.

"It basically brought us to our knees."
— IT Manager, Henry County, Tennessee, describing the 2016 ransomware attack on that county's 911 center, one of the first in the country

4. Where Judgment Mattered

Manual fallback is a trained capability, not a theoretical one. Bucks County ran for nine days without CAD because their staff knew how. The first 10 minutes of a CAD-down event are the most disorienting because every habitual workflow breaks simultaneously. The screen that organizes everything is dark. Centers that have practiced this can describe a specific, workable process. Centers that have not tend to describe a process that works for one or two calls before it breaks down under volume.

If your most recent new hire has never dispatched without CAD, that is a training gap. They will figure it out — but slower, with a real margin for error during the learning curve. Schedule a two-hour manual dispatch drill during a low-volume period. Run calls with CAD screens off. Debrief on friction points; those are your training priorities.

The CAD-down protocol cannot live inside CAD. A protocol stored on a CAD-connected computer or a shared drive that's part of the same network being encrypted is not accessible when you need it. The protocol needs to be physically present in the center — printed, laminated, in a binder on the wall — with phone numbers that don't depend on a system that just went down.

Mass notification to partner agencies is the second-order CAD-down problem. When CAD goes down, you need to reach every chief, every shift supervisor, every unit in the field to tell them what works, what doesn't, and the alternate procedures. At 3 AM. With your CAD-integrated alerting system also offline. The contact tree must exist outside CAD, in a physical format the shift supervisor can access immediately.

Loss of NCIC/CLEAN is an officer safety issue. An officer running a license plate during a CAD-down event has to assume no information is coming back. That requires immediate communication through alternative channels to every officer in the field — not just a CAD note. Bucks County had to push that out to 130+ agencies.

Operational notification and public information are two different communication tracks. Legal counsel is often correct that public statements during an active investigation can compromise it. Partner agencies still need to know what's down, for how long, and what the alternate procedures are. Operational notifications go to partner agency leadership immediately and continuously. Public information goes through PIO with legal review. They run in parallel, not sequentially.

The decision not to pay ransom requires nine days of operational manual capacity. The Bucks County decision was correct and successful. But it required a backup infrastructure, a trained staff, and a legal position on ransom payment established with counsel in advance. Without those three preconditions, refusing to pay is a decision that can't actually be made.

"It basically brought us to our knees" was Henry County, Tennessee in 2016. Eight years later, Bucks County dispatchers said the same thing about a much larger-scale version of the same problem. The pattern across PSAP attacks is consistent: the technology is breached through a gap in the human system around it. Former employee accounts not deprovisioned. Vendor access not monitored. Phishing emails clicked by untrained staff. Software patches deferred for downtime.

The "manageable" margin is not infinite. Bucks County got to day nine without a reportable failure. That is a credit to training and people. Manual dispatch works differently at different call volumes, under different staffing conditions, with different staff experience. The assessment changes when cumulative fatigue affects judgment, when a mass casualty incident arrives that manual tracking cannot scale to handle, when the only dispatcher who knows manual procedures calls in sick on day six. How thick is your margin?

5. Discussion Questions

No right answers. Use one or all — whatever fits your time.

Question 1: The first 10 minutes of a CAD-down event
Your CAD goes offline right now. Walk through the first 10 minutes. Who does what, in what order, and what does a call look like when it comes in?

This question is designed to surface whether your fallback procedures are practiced or theoretical. The first 10 minutes of a CAD-down event are the most disorienting because every habitual workflow breaks simultaneously. Callers keep calling. Units keep moving. The radio keeps going. But the screen that organizes all of it is dark.

Walk your team through it literally: who picks up the call? How does that person record the address, the call type, the caller name? Where does that information go next? Who determines the appropriate response? How do they know which units are available if unit status is not displaying? How does dispatch information get to field units whose MDTs are also dark? How do you track what has been dispatched and what has not?

The answers reveal your gaps. Centers that have practiced this can describe a specific, workable process. Centers that have not practiced this tend to describe a process that works for one or two calls before it breaks down under volume. The Bucks County team did this for nine days. That does not happen without prior training on the fallback.

Manual dispatch procedures exist at virtually every center on paper. The question is whether they have been practiced to the point where staff can execute them under stress, at volume, without coaching. Tabletop exercises where staff describe the procedure are not the same as actually running calls manually for two hours.

Recommended action: schedule a two-hour manual dispatch drill during a low-volume period. Have dispatchers run calls with CAD screens turned off, using only phone, radio, and paper. Debrief on friction points. Those friction points are your training priorities.

Question 2: Multi-system mass notification when CAD also took out alerting
The Bucks County attack also took out MDTs, station alert apps, station printers, and NCIC/CLEAN access. These are four separate capabilities your field units rely on. How does your center communicate a change in any one of these to 130 partner agencies simultaneously and in real time?

This is a mass notification problem disguised as a technology problem. When CAD goes down, you need to reach every chief, every shift supervisor, and every unit in the field to tell them what is still working, what is not, and what the alternate procedures are. At 3 AM. With your CAD-integrated alerting system also offline.

Bucks County had to notify law enforcement, fire, and EMS chiefs across 130+ agencies that NCIC and CLEAN access were lost — meaning officers in the field running a license plate had to assume no information was coming back. That is a significant officer safety issue that required immediate communication through alternative channels.

Questions for your team: What is your current contact tree for mass notification to partner agency leadership? Is it in CAD, which would also be offline? Is it in a physical binder? Does your shift supervisor have phone numbers for key contacts in a format that does not depend on the system that just went down? How do you confirm receipt?

The contact tree must exist outside the system being attacked. A printed, laminated, physically-in-the-center contact list with current phone numbers is the minimum. Cellular contact lists on dispatcher phones are a second line if the primary system is encrypted. Email contact lists that require login to a network that may also be compromised are not a fallback.

Question 3: Public communication posture during an active cyber investigation
The county's attorneys advised staff not to speak about the incident during the active investigation. Partner agencies received very limited information for the first several days. What is the right communication posture during a CAD-down event, and who makes that call?

There is a real tension here. Legal counsel is right that public statements during an active cybersecurity investigation can compromise the investigation, reveal attack vectors to other threat actors, or create liability. At the same time, partner fire and EMS agencies operating without MDTs and without NCIC access need to know why, for how long, and what the alternate procedures are. Those two needs are not the same communication.

The answer most well-prepared centers settle on: separate the operational notification (what is down, what the fallback is, who to call with questions) from the public information (what is being said to media and the public). Operational notifications go to partner agency leadership immediately and continuously. Public information goes through the PIO with legal review. These run in parallel, not sequentially.

Who in your center has the authority to authorize operational notifications to partner agencies during a cybersecurity incident? Is that authority clearly documented, and does it survive a situation where your agency director is unreachable at 2 AM?

The pre-incident decision matters more than the in-crisis decision. If the operational/public communication split is documented as policy before the event, the shift supervisor can execute it without having to wake up legal counsel. If it isn't documented, the default is silence — and silence to partner agencies during an active CAD-down event is its own operational failure.

Question 4: Backup infrastructure and the nine-day question
The county refused to pay the ransom and rebuilt from backups. That took nine days. What does your center's backup infrastructure look like, and do you know how long restoration would take?

The decision not to pay the ransom was correct and ultimately successful. But it required nine days of manual operation. For some centers, nine days of manual dispatch at full call volume would be manageable. For others, it would be operationally catastrophic. The difference is almost entirely determined by two things: the quality of the backup infrastructure and the depth of the manual fallback training.

Ask your IT department: when was the CAD last backed up? Where are those backups stored, and are they isolated from the primary network (so ransomware that encrypts your CAD cannot also encrypt your backup)? How long would restoration take? Has that restoration ever been tested?

What is the county or agency attorney's guidance on ransom payment — is there a pre-established position, or will that decision be made in crisis by people who have never thought about it before?

The Pennsylvania National Guard deployed to help Bucks County. Does your state have an equivalent capability, and do you know how to request it? Cyber Guard units exist in most states but request pathways vary by jurisdiction.

Air-gapped backups are the structural defense. A backup that lives on the same network being attacked is encrypted with everything else. Backups must be isolated — physically or logically — from the primary network, and tested for restoration on a schedule that is itself documented and audited.
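The questions above for your IT department (are the backups isolated, how old is the newest isolated copy, has restoration ever been tested, and does the copy on the shelf still match what was written) can be turned into a recurring check rather than a conversation. The script below is an added example for this exercise, not anything Bucks County or its vendors run; the inventory fields, copy ids, dates and the 2-day/90-day policy thresholds are all constructed assumptions. It audits a list of backup copies against that policy and reports each violation, including a copy whose bytes no longer match the recorded hash.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample: what reading each backup copy back would return.
# These bytes, ids and dates are assumptions for this example only.
SAMPLE_PAYLOADS = {
    "cad-nightly-01": b"constructed CAD database dump, 2024-01-20",
    "cad-offsite-tape-07": b"constructed dump whose bytes no longer match the manifest",
}

# Constructed backup inventory (manifest) for the same two copies.
SAMPLE_INVENTORY = [
    {
        "id": "cad-nightly-01",
        "taken_at": "2024-01-20T02:00:00",
        "isolated": False,  # stored on the same network as CAD
        "sha256": hashlib.sha256(SAMPLE_PAYLOADS["cad-nightly-01"]).hexdigest(),
        "last_restore_test": "2024-01-10T00:00:00",
    },
    {
        "id": "cad-offsite-tape-07",
        "taken_at": "2024-01-14T02:00:00",
        "isolated": True,  # offline copy, no network path from CAD
        "sha256": "0" * 64,  # constructed: manifest hash no longer matches the copy
        "last_restore_test": None,
    },
]

# Assumed policy thresholds; a real center sets these in its backup plan.
POLICY = {"max_isolated_age_days": 2, "restore_test_interval_days": 90}


def audit_backups(inventory, payloads, now, policy):
    """Return (copy_id, finding) pairs, one per policy violation found."""
    findings = []

    isolated = [b for b in inventory if b["isolated"]]
    if not isolated:
        # Every copy shares the network with CAD: ransomware can reach them all.
        findings.append(("*", "NO_ISOLATED_COPY"))
    else:
        # ISO-8601 timestamps sort correctly as strings, so max() finds the newest.
        newest = max(isolated, key=lambda b: b["taken_at"])
        age = now - datetime.fromisoformat(newest["taken_at"])
        if age > timedelta(days=policy["max_isolated_age_days"]):
            findings.append((newest["id"], "ISOLATED_COPY_STALE"))

    for b in inventory:
        # A backup that has never been restored is an untested assumption.
        if b["last_restore_test"] is None:
            findings.append((b["id"], "RESTORE_NEVER_TESTED"))
        else:
            since = now - datetime.fromisoformat(b["last_restore_test"])
            if since > timedelta(days=policy["restore_test_interval_days"]):
                findings.append((b["id"], "RESTORE_TEST_OVERDUE"))

        # Read the copy back and compare it with the hash recorded when it was written.
        data = payloads.get(b["id"])
        if data is None:
            findings.append((b["id"], "COPY_UNREADABLE"))
        elif hashlib.sha256(data).hexdigest() != b["sha256"]:
            findings.append((b["id"], "CHECKSUM_MISMATCH"))

    return findings


def run_sample():
    """Audit the constructed inventory as of the morning of January 21, 2024."""
    return audit_backups(SAMPLE_INVENTORY, SAMPLE_PAYLOADS,
                         datetime(2024, 1, 21, 6, 0), POLICY)


if __name__ == "__main__":
    for copy_id, finding in run_sample():
        print(f"{copy_id}: {finding}")
```

On the constructed data the only isolated copy is a week old, has never been restore-tested, and fails its hash check, which is exactly the situation a center wants to discover in a quiet month rather than on day one of an outage. The "isolated" flag is self-reported by whoever maintains the inventory; the restore test is the only part of this check that proves the copy is actually usable, so it is the one to schedule and audit.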

Question 5: When does "manageable" stop being manageable?
A fire chief in Bucks County said the manual fallback "certainly was creating a hassle" but did not believe public safety was severely impacted. On what day does that assessment change, and what would change it?

This is the hardest question in the exercise. Manual dispatch works. PSAPs did it for decades before CAD existed. But it works differently at different call volumes, under different staffing conditions, and with different levels of staff experience in manual procedures.

The experienced dispatcher who worked before CAD existed handles a manual shift differently than the three-year dispatcher who has never dispatched without a computer. The institutional knowledge of how to run a center on paper exists in some staff and not in others. As experienced staff retire, the manual capability erodes silently.

The assessment changes when cumulative fatigue among dispatchers begins to affect judgment. It changes when a mass casualty incident arrives and the manual tracking system cannot scale. It changes when a dispatcher who is the only one on shift who knows the manual procedures calls in sick on day six. It changes when a partner agency makes a decision based on absent NCIC information that results in a bad outcome.

Bucks County got to day nine without a reportable failure. That is a credit to their training and their people. But the margin matters. How thick is your margin?

Question 6: The human entry point — how PSAP attacks actually happen
The Henry County, Tennessee attack in 2016 was traced to a weak password left by a deceased former system administrator. The Baltimore attack in 2018 came from a firewall left open during maintenance. What do these entry points have in common, and what do they tell you about your center's most likely vulnerability?

Both entry points are human and procedural failures, not technical ones. The best firewall in the world does not protect against a technician who leaves it open. The strongest encryption does not stop an attacker who has valid credentials. The pattern across PSAP attacks is consistent: the technology is breached through a gap in the human system around it.

Former employee accounts not deprovisioned. Vendor access not monitored. Phishing emails clicked by staff who have not been trained to recognize them. Software patches deferred because the center cannot afford downtime for maintenance.

For your center specifically: what happens to system access when an employee leaves? Does your IT have a documented offboarding procedure that includes credential revocation? When was the last time someone audited who has remote access to your CAD system and whether all of those access grants are still appropriate? Does your CAD vendor have remote access, and when was that access last reviewed?

These are not glamorous questions. They are the questions that determine whether your center becomes the next entry in the historical pattern. The technology side gets attention because it's expensive and visible. The human/procedural side is where the actual breaches happen.
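The offboarding and remote-access questions above are answerable from an account roster, and the check can run on a schedule instead of waiting for someone to ask. The script below is an added example for this exercise, not a tool Bucks County or any CAD vendor uses; the usernames, dates, the vendor service account and the 90-day/180-day thresholds are constructed assumptions. It flags enabled accounts belonging to separated staff, accounts nobody has logged into within the dormancy window, and remote or vendor access whose last review is overdue.

```python
from datetime import date

# Constructed access roster for a CAD environment. Usernames, dates and the
# vendor service account are assumptions for this example, not real records.
ROSTER = [
    {"user": "jdoe", "kind": "staff", "enabled": True, "remote": True,
     "last_login": date(2024, 1, 19), "separated": None,
     "last_review": date(2023, 12, 1)},
    {"user": "rsmith", "kind": "staff", "enabled": True, "remote": True,
     "last_login": date(2023, 6, 2), "separated": date(2023, 6, 30),
     "last_review": date(2023, 3, 1)},
    {"user": "svc-cadvendor", "kind": "vendor", "enabled": True, "remote": True,
     "last_login": date(2024, 1, 20), "separated": None,
     "last_review": date(2023, 4, 15)},
    {"user": "mlee", "kind": "staff", "enabled": True, "remote": False,
     "last_login": date(2023, 9, 1), "separated": None,
     "last_review": date(2024, 1, 5)},
    {"user": "tnguyen", "kind": "staff", "enabled": False, "remote": True,
     "last_login": date(2022, 11, 3), "separated": date(2022, 11, 4),
     "last_review": date(2022, 11, 4)},
]

# Assumed thresholds; a center sets these in its access-control policy.
POLICY = {"dormant_days": 90, "review_days": 180}


def review_access(roster, today, policy):
    """Return (user, finding) pairs for every enabled account that breaks policy."""
    findings = []
    for acct in roster:
        if not acct["enabled"]:
            continue  # a disabled account is the desired end state of offboarding

        # Former employee whose account was never deprovisioned.
        if acct["separated"] is not None and acct["separated"] <= today:
            findings.append((acct["user"], "SEPARATED_STILL_ENABLED"))

        # Nobody has used this account within the dormancy window.
        if (acct["last_login"] is None
                or (today - acct["last_login"]).days > policy["dormant_days"]):
            findings.append((acct["user"], "DORMANT_ACCOUNT"))

        # Remote and vendor access must be re-approved on a fixed cadence.
        needs_review = acct["remote"] or acct["kind"] == "vendor"
        if needs_review and (today - acct["last_review"]).days > policy["review_days"]:
            findings.append((acct["user"], "REMOTE_ACCESS_REVIEW_OVERDUE"))

    return findings


def run_sample():
    """Review the constructed roster as of January 21, 2024."""
    return review_access(ROSTER, date(2024, 1, 21), POLICY)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On the constructed roster the separated employee's account is still enabled, dormant, and overdue for review all at once, the vendor service account is in use but has not been re-approved in nine months, and one internal account has simply gone quiet. The review date and the vendor flag are whatever the roster says they are; this check is only as good as the offboarding procedure that keeps those fields current, which is the procedural gap the question is asking about.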

6. Knowledge Check

Five questions.

Q1. Your CAD goes offline. A call comes in — structure fire, two-story residential, caller reports smoke visible. You have no CAD. What is your first dispatching action?
Q2. During the Bucks County outage, NCIC and CLEAN database access was lost. An officer in the field asks dispatch to run a license plate. What is the correct dispatcher response?
Q3. Bucks County refused to pay the ransom. Their CAD was offline for nine days. A neighboring center offers to take mutual aid calls during the outage. What is the most important information to provide that center before transferring call volume?
Q4. The Henry County, Tennessee ransomware attack in 2016 was traced to credentials left behind by a deceased former system administrator. What is the most direct lesson for your center from that specific entry point?
Q5. A fire chief in Bucks County said the manual dispatch situation was a hassle but did not believe it severely impacted public safety. From a training perspective, what does it mean when manual fallback is "manageable"?
