Wireless Carriers, Broadcasters Question Need for EAS Security Rules
Broadcasters and wireless carriers urged the FCC not to impose proposed new rules designed to make the emergency alert system and wireless emergency alerts more secure. Industry said cybersecurity requirements would be difficult to implement and are unnecessary. FCC commissioners approved an NPRM 4-0 in October (see 2210270058). Comments were posted Tuesday in docket 15-94.
The notice proposed requiring EAS participants and participating carriers to certify annually that they have a cybersecurity risk management plan in place, and requiring carriers to transmit sufficient authentication information to ensure only valid alerts are displayed on consumer devices.
“The FCC’s proposal does not appear to recognize that WEA systems and functions are necessarily integrated into providers’ wireless network services, management, and architecture,” CTIA said. Alerts rely on “existing provider infrastructure and architecture” and “existing cyber risk management plans already address and protect WEA,” the group said: “This reality makes it difficult to segregate WEA systems and functions to create a bespoke cyber program tailored to WEA.” CTIA said proposed rules thus “do not appear to reflect a risk-based approach that looks at documented or anticipated risks to WEA” or “consider how WEA operates and how it relies on providers’ commercial networks.”
The point of origin of the alert is the greatest vulnerability in EAS, not the alerts themselves, ATIS said. The NPRM cites the false missile alert that created panic in Hawaii in early 2018 (see 1801160054 and 1803160042), ATIS said: “This particular incident was not the result of either a technical or security vulnerability, but of a failure in the alert origination practices for the alerting agency, and it demonstrates areas of possible improvement.”
“The far-reaching proposals in the Notice are unnecessary and will not meaningfully enhance the operational readiness or security of EAS,” NAB said: “The Notice presents only scant evidence of EAS equipment failures and new EAS security threats, and thus does not justify the myriad measures proposed.” Even if the FCC were to establish a threat, “the proposed reporting, certification, and cyber management obligations are far too complex and costly for many EAS Participants to implement, especially small and mid-sized broadcasters,” broadcasters warned.
The approach “for the latest round of ‘enhancements’ creates an enormous unfunded mandate that exponentially increases the financial, time and liability burdens on EAS Participants to an extent that broadcasters cannot simply absorb,” said a joint filing by state broadcaster associations: “As broadcasters have repeatedly reminded the FCC in connection with its assessment of annual regulatory fees, broadcasters do not have a subscriber base onto which they can pass costs.”
The FCC’s proposed authentication requirements “would create more problems than they would solve,” AT&T warned. The Hawaii missile false alert “was the result of an error by the Alert Originator with additional failures in the process and policies to recognize and respond to the error, in this case the Hawaii Emergency Management Agency” and wouldn’t have been prevented by the proposed requirement for authentication between the network and the handset, AT&T said. The requirements focus on handsets, and in 2020 the global smartphone replacement cycle was 43 months, the carrier noted: “Oftentimes, when a consumer replaces their wireless device, their old devices are recycled and stay in the market until they are forced into obsolescence by network transitions, such as the recent 3G sunset. It would likely take close to a decade for nearly all devices currently in use to cycle out of the market, and only then would the proposed authentication system be fully effective.”
The Rural Wireless Association said it doesn’t oppose requirements but warned that smaller carriers will need more time than the 12 months after publication of an eventual order proposed in the NPRM. The FCC estimates that small providers will need less than 10 hours to develop or update current plans, RWA said. “It is not simply a matter of taking a … provider’s incident response plan for natural and manmade disasters and converting it to a cybersecurity risk management plan or taking a ‘cookie cutter’ template and filling in the blanks,” the group said: “Cybersecurity is far more complex, as the potential sources of breach are substantially more numerous and vary depending on the type and size of the [carrier] networks.”