Commissioners OK Emergency Alert NPRM 4-0 With Minor Tweaks
The FCC approved 4-0 Thursday an NPRM that proposes new rules to make the emergency alert system and wireless emergency alerts more secure. Chairwoman Jessica Rosenworcel said the rulemaking is one part of the FCC’s current focus on making systems more secure. As expected (see 2210250057), there were only minor changes over what Rosenworcel proposed, FCC officials said.
The NPRM proposes that EAS participants be required to report unauthorized access of their EAS equipment, systems and services within 72 hours of when they knew or should have known of a breach and seeks comment on whether to require the same standard for unauthorized access to WEA systems and equipment. The NPRM also proposes to require EAS participants and participating carriers to certify annually they have put in place a cybersecurity risk management plan and to require carriers to transmit sufficient authentication information to ensure only valid alerts are displayed on consumer devices.
Commissioner Geoffrey Starks thanked his colleagues for agreeing to a few tweaks he proposed, including that reports would be presumed to be confidential. “It is important that providers view us as a partner on national security,” he said: “To be so, we need to ensure that we are doing our part to protect their networks when they share information with us.” The NPRM will also now seek comment on whether the FCC should require plans to follow the National Institute of Standards and Technology’s risk management or cybersecurity frameworks, he said.
Starks cited data from the nationwide EAS test in August 2021, which found that more than 5,000 EAS participants were using outdated software or equipment that no longer supported regular software updates. The FCC has also revealed “that an appreciable number of EAS participants were unable to participate in testing due to equipment failure,” he said.
Commission Republicans supported the thrust of the NPRM.
The NPRM rightly proposes holding EAS participants accountable for failing to deliver alerts or preventing delivery of fraudulent alerts, said Commissioner Nathan Simington. “The Federal Register is full of prescriptive cyber rules and regulations, but I think that far too many of these well-intentioned efforts have devolved into box checking compliance exercises divorced from the supposed goal of preventing attackers from taking down our hijacking systems or technology systems for nefarious purposes,” he said.
“Manufacturers, developers and IT administrators work in competitive markets and have myriad demands on their time,” Simington said: “The best way to make sure they focus on security is to hold them accountable for their failures to do so in the same way we hold careless carmakers, drivers, doctors and construction companies accountable for harmful mistakes.”
“We need this alerting system to be ready to go at a moment’s notice,” said Commissioner Brendan Carr. “We need it to be accurate, and we need people to have high confidence that they can act based on the information they receive,” he said.
The FCC’s focus on security will help ensure “the public can trust the warnings they receive,” Rosenworcel said. “This is important because the Department of Homeland Security recently determined that some of this alerting infrastructure is susceptible to serious security vulnerabilities,” she said: “While some patches have been released to fix these flaws, not everyone has installed them. We are committed to fixing that here and now.”
“As America’s First Informers, NAB members share the FCC’s goal of improving the reliability and security of EAS,” emailed an NAB spokesperson in response to a question about the commissioner comments. “NAB is reviewing the NPRM and looks forward to working with the Commission to ensure that the proposed new requirements are appropriate, effective and flexible.”
The number referenced by Starks comes from the agency’s report on the 2021 nationwide EAS test, which showed large participation gaps among low-power FM and low-power TV broadcasters. The LPTV Broadcasters Association didn’t comment, but LPFM group REC Networks mentioned low participation by that service in an ex parte filing in September. “The LPFM participation in previous NPTs [National Periodic Tests] have been between 40 and 50 percent, which I do not find acceptable,” said the filing, which also cites a lack of awareness of EAS among LPFMs and the high cost of upgrading software and EAS equipment as affecting participation. Some LPFMs may be using “vintage” EAS equipment, REC told the FCC.
Since the legacy EAS system can be activated on one station by another station’s alert message, smaller broadcasters with outdated equipment could make larger stations with more reach vulnerable, said Ken Pyle, partner-exploit director at cybersecurity firm Cybir. Pyle alerted the Federal Emergency Management Agency to the vulnerabilities announced in August. EAS manufacturer Digital Alert Systems said the problem is being addressed with software updates.
“We applaud @FCC's @JRosenworcel for her leadership on shielding our Emergency Alert System against cyberattacks,” Public Knowledge tweeted: “This critical infrastructure enables communication with the public during natural disasters and emergencies, making it a vital service to protect from bad actors.”
“Since 2012, consumers have received over 70,000 Wireless Emergency Alerts that warn the public about life-threatening events and provide critical information when it’s needed most,” CTIA said: “The wireless industry thanks the FCC for recognizing that WEA is a strong, life-saving tool and is committed to ensuring the continued reliability and security of this vital emergency alerting system.”