A public draft of proposed EAS rules being circulated by the FCC would require EAS participants, including broadcasters, to certify annually that they have implemented a cybersecurity risk management plan for their EAS system.
If adopted, the new rules would require broadcasters to report incidents of unauthorized access of its EAS equipment within 72 hours of when it knew or should have known the incident occurred. According to the Notice of Proposed Rulemaking (NPRM) being considered, this would bolster the security of the nation’s public alert and warning systems.
The proposal to strengthen the operational readiness of EAS equipment would require broadcasters to employ “sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems.”
The draft NPRM is not a final adopted action, but it shows the commission is giving tentative consideration for the changes, which could be approved at the FCC’s Oct. 27 monthly meeting.
[Related: “FCC Gives the OK to More EAS Improvements“]
FCC Chairwoman Jessica Rosenworcel has been pushing for a more solid EAS foundation: “It is critical that these public safety systems are secure against cyber threats, which means that we must be proactive.”
The FCC says there have been several occasions of cyber attacks on EAS equipment. Notably, a 2013 attack on equipment at TV stations in Michigan, Montana, Utah, New Mexico and California notified viewers of a “zombie attack” hoax.
The commission says that the hack could have been prevented had the EAS participants involved changed manufacturer default passwords on their EAS equipment, installed firewalls, or taken other appropriate security measures.
In addition, in 2020 hackers compromised the EAS systems of an EAS participant in Jefferson County, Wash., and caused the transmission of false EAS alerts describing a fake Radiological Hazard Warning that affected approximately 3,000 homes.
The FCC has previously warned broadcasters their EAS equipment connected to the Internet were potentially vulnerable to IP-based attacks due to inadequate network security or unsecure device settings. At the time the commission urged them to secure their EAS equipment by installing current security patches, and using firewalls.
Most recently, on August 1, 2022, FEMA issued an advisory on a potential vulnerability in certain EAS encoder/decoder devices that have not been updated to most recent software versions.
[Related: “Digging Into FEMA’s Notice on EAS Vulnerabilities“]
The FCC draft also addresses the overall operational readiness of EAS equipment. Currently, broadcasters and cable providers may continue operations for a period of 60 days despite having defective EAS equipment that preclude their participation in EAS. The FCC notes that, according to the last nationwide EAS test report, “an appreciable number of EAS participants were unable to participate in testing due to equipment failure — despite advance notice that such test was to take place — suggesting that equipment failures are not addressed by EAS participants as swiftly as reasonably possible and that more needs to be done to improve EAS operational readiness.”
The FCC also addresses the security of Wireless Emergency Alerts (WEA) in the public draft and is likely to require wireless providers to take steps to ensure only valid alerts are displayed on consumer devices.
If adopted, the new rules would clearly increase compliance and the amount of effort and paperwork on behalf of broadcasters, according to observers. The FCC says in the draft: “We believe that EAS participants will, on average, require 10 hours annually to initially draft a plan and then update the plan and submit their certification annually.”
The commission says it expects to consider the economic impact and alternatives for small entities following the review of comments filed in response to the NPRM, including costs and benefits analyses.
“We believe that the benefits of this proposal outweigh the costs. However, we [expect to] seek comment on any measures that the commission could take to reduce burdens on EAS participants if it were to take further steps to promote the operational readiness of EAS equipment,” according to the FCC document.
If the commissioners vote “yes” this week then a comment period will commence 30 days after the date of publication in the Federal Register.