Emergency call handling (ECH) systems, the backbone of our public safety agencies’ operations, are increasingly under attack. A recent report from the Public Safety Threat Alliance (PSTA) reveals a concerning trend of escalating cyber threats impacting 911 networks across the USA.
The growing number of attacks
The frequency of attacks on emergency call handling systems has significantly increased in the past year, rising from once every 74 days in 2024 to an average of once every 60 days in 2025. This surge has led to substantial operational disruptions, with downtime ranging from one week to 25 days.
The consequences of these cyberattacks against PSAPs (Public Safety Answering Points) can be severe, including increased 911 wait times, degraded audio quality and in the worst cases, the complete disablement of ECH networks. In many instances, agencies in neighboring counties have been forced to handle emergency calls while 911 call centers were down or disrupted.
Attack methods and targets
The PSTA report highlights the most frequently observed attack methods against call handling systems in 2025. Ransomware continues to be a dominant threat, with 100 percent of emergency call handling attacks observed in 2024 and 2025 involving ransomware and exclusively targeted against US agencies.
While pre-2024 attacks largely impacted the American Midwest, 911 compromises after 2024 primarily occurred in the Southern US. Additionally, the average population size of ECH systems impacted by attacks decreased from 112,353 in 2024 to 56,903 in 2025. This suggests that threat actors are increasingly targeting smaller agencies.
The evolving threat landscape in 2025
The report shows that financially motivated extortion groups, such as INC Ransomware and Blacksuit, are likely to continue threatening ECH systems throughout the remainder of 2025 and beyond. These groups have a history of disrupting 911 systems and have claimed responsibility for 13 cyberattacks against public safety agencies this year. While Blacksuit has been a significant threat, a recent multinational federal law enforcement takedown is expected to disrupt its activities moving forward.
Cyber attackers are using basic yet effective techniques to gain initial access to municipal and law enforcement networks and then moving laterally into protected emergency call handling environments. This includes tactics like phishing emails designed to look like they originate from trusted sources, abuse of stolen credentials like usernames and passwords, brute-force attacks and exploiting unsecured remote services like Virtual Private Networks (VPNs).
These attacks often affect other crucial systems, like radio communication and CAD systems, in addition to ECH systems. This forces agencies to deal with significant interruptions to their critical communications systems, impacting their ability to efficiently carry out operations.
Essential mitigations for public safety
While the threats are significant, public safety agencies can successfully detect and stop compromises before widespread encryption and/or data exfiltration occurs by taking some basic precautions. The PSTA report emphasizes the importance of employing effective security strategies to reduce the risk and impact of cyber threats and makes a number of recommendations for PSAPs to protect themselves, which align with CISA’s Cybersecurity Performance Goals (CPGs), including access control, network segmentation and detection and response.
Join the Public Safety Threat Alliance (PSTA)
The PSTA provides critical threat intelligence to help public safety organizations stay ahead of these evolving cyber threats. By sharing information within the community, we can collectively enhance awareness and readiness.
To access the full “2025 Cyber Threats to Emergency Call Handling” report and gain valuable insights to protect your community, we encourage you to join the PSTA today.
