One of the main holdups with system-wide encryption for any agency is key management. The hot-headed know-nothings who go to these "planning" and "assessment" meetings often don't understand the technical limitations associated with going "fully secure".
On an APCO-16 system (SmartZone 3.x and 4.x), every subscriber radio and DIU3000 (for dispatch consoles and interconnects) requires manual key-variable management. This means some lackey from the radio shop, or trained personnel, has to manually key a radio every time a new radio/device is added, a radio loses keys, or whenever a key-variable is changed. This takes TOO LONG and cannot be done in real time. It's also a major headache and accounts for hundreds and hundreds of ongoing maintenance hours.
For small surveillance cells or special purpose units (ERU, SWAT, drugs, vice, major crimes, etc) this isn't that big of a deal. Many of these groups don't require communications with dispatch either--and if they do, they can use a secondary talkgroup, or simply go clear voice.
Why must all of this be done manually? Because APCO-16 systems don't support Over-The-Air-Rekeying (OTAR), which is pretty much essential for system-wide encryption and security.
Move into full Project-25 trunks...(ASTRO25 from Motorola). The infrastructure supports OTAR. Radios are programmed with Shadow Keys which are used to secure the data involved during the rekeying process. It's all automated. Manual user intervention is rarely required unless some retard in the field does a key erasure by fiddling with certain keypad sequences.
While full-time encryption may seem like the bomb, it comes with some very serious safety problems.
To ensure operational security, the administrators may program the radios for forced secure mode. This means they cannot transmit in the clear on a given talkgroup, regardless of the position of the encryption switch.
Let's say the user accidentally dumps their keys. Now they are unable to contact dispatch, and dispatch is unable to hear them, as their radio will not allow transmission to occur because the programming is secure-strapped and the key is missing. (An error tone presents.)
Most systems that are encrypted system-wide have an emergency work-around. The emergency button (aka help, panic, whatever) is programmed so that when activated, the radio will go into clear mode for the duration of the emergency.
The smart way to implement system-wide encryption would be to utilize the secure-select switch, so users can go to digital/clear mode if required. The only problem is that there are far too many users who aren't aware they're transmitting in the clear, and can compromise an entire secure net because of bits and pieces of information they give up while operating in the clear. It all boils down to user training.
Hopefully this post helps people understand a little bit about the secure issues...
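
The two failure modes described in the post (a secure-strapped radio that cannot transmit after a key loss, and a select-switch talkgroup that can leak traffic in the clear), modelled as an added example that is not part of the original post. The record fields, talkgroup names and the rule that a select-strapped radio with the switch on secure and no key is denied are assumptions of this sketch, not a real codeplug format.

```python
# Added illustration: a simplified model of the per-talkgroup transmit rules
# described in the post. Field names and records are hypothetical.
from dataclasses import dataclass

@dataclass
class Talkgroup:
    name: str
    strap: str              # "secure" (forced secure), "select" (switch decides), "clear"
    emergency_clear: bool   # emergency button drops the radio to clear mode

def tx_mode(tg, key_loaded, switch_secure=True, emergency=False):
    """Return 'secure', 'clear' or 'denied' for one push-to-talk."""
    if emergency and tg.emergency_clear:
        return "clear"                      # work-around: clear for the emergency
    if tg.strap == "clear":
        return "clear"
    wants_secure = tg.strap == "secure" or switch_secure
    if not wants_secure:
        return "clear"                      # select-strapped, switch set to clear
    # Secure requested: without a key the radio refuses to transmit (error tone).
    return "secure" if key_loaded else "denied"

def audit(talkgroups):
    """Flag talkgroups exposed to either failure mode."""
    findings = []
    for tg in talkgroups:
        # Safety: after a key loss, can the user still be heard in an emergency?
        if tx_mode(tg, key_loaded=False, emergency=True) == "denied":
            findings.append((tg.name, "no-voice-after-key-loss"))
        # OPSEC: can routine traffic go out in the clear with keys loaded?
        if tg.strap != "clear" and tx_mode(tg, True, switch_secure=False) == "clear":
            findings.append((tg.name, "clear-leak-possible"))
    return findings

# Constructed sample fleet (names are made up)
FLEET = [
    Talkgroup("PD-DISP", "secure", emergency_clear=True),
    Talkgroup("PD-TAC", "secure", emergency_clear=False),
    Talkgroup("FD-DISP", "select", emergency_clear=True),
    Talkgroup("PW-OPS", "clear", emergency_clear=False),
]

if __name__ == "__main__":
    for name, issue in audit(FLEET):
        print(f"{name}: {issue}")
```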