Cybersecurity risk management of EAS is on the mind of the FCC, but the potential for new requirements on broadcasters has the radio industry and others casting a wary eye.
The FCC’s Notice of Proposed Rulemaking (NPRM) on EAS cybersecurity would require broadcasters to patch vulnerabilities in EAS gear, eliminate outdated software and install proper firewalls in EAS encoder/decoder devices to protect against cyber threats.
The plan to limit IP-based threats to the EAS system comes with additional obligations for broadcasters, including steps to report incidents of unauthorized access to EAS equipment within 72 hours and annually certifying they have a cybersecurity risk management plan.
The National Association of Broadcasters (NAB) says the cybersecurity measures in the ongoing proceeding are well-intentioned but create compliance issues for broadcasters.
In a meeting with representatives of the FCC’s Public Safety and Homeland Security Bureau earlier this month, the NAB and other EAS stakeholders pointed to scant evidence of previous cybersecurity incidents or EAS equipment failures to justify “the far-reaching proposals” in the NPRM.
The attendees, who also included representatives from the NTCA – Rural Broadband Association, and ACA Connects, expressed concern that “many of the proposals in the notice would impose extensive burdens on EAS participants, especially small and medium-sized entities, and that the proposals fail to take meaningful account of the size or resources of smaller EAS participants.”
[Related: “EAS Rules Modifications Put Broadcasters on the Clock to Comply“]
NAB at the meeting also expressed concerns that the proposed requirement to create and implement a cybersecurity risk management plan “lacks clarity.” A so-called “sufficient” plan for a small or medium-sized entity may not be sufficient for a larger company, NAB said.
“We further explained that most EAS participants have minimal in-house cybersecurity expertise, if any, and would find it daunting to create such a plan based on the broad, open-ended guidance set forth in the notice.”
Thus, holding EAS Participants accountable for “negligent security practices” or a “failure to sufficiently develop or implement a risk management plan” would be misplaced.
In addition, the NAB told the FCC that broadcasters are regulated entities, and “any additional FCC obligation to formally certify as to the sufficiency of one’s cybersecurity risk management plan, under threat of FCC enforcement, would demand costly engineering, corporate, and legal review,” none of which was reflected in the FCC’s cost-benefit analysis of the proposed obligation, the trade association said.
The FCC might have even been premature in its proposed plan to tamp down the threat against EAS equipment of stakeholders, NAB said in the meeting. “We noted that Congress designated the Cybersecurity and Infrastructure Agency (CISA) as the lead federal agency regarding cybersecurity incident reporting in the recently enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022,” which gave the government agency the discretion to develop the rules needed to implement the act.
“Therefore, it would be premature and counter-productive for the commission to create a potentially duplicative or contradictory cyber-related incident reporting scheme before CISA completes its proceeding. We also noted that certain aspects of the FCC’s proposed reporting policies are vague and subjective, and likely to lead to unnecessary over-reporting of cyber-related issues,” NAB says.
The EAS cybersecurity NPRM also proposed new policies for the timely repair of faulty EAS equipment, something the NAB says is largely beyond the control of EAS participants. “(T)he FCC plays no role in repairing EAS equipment,” NAB says.
The NAB urged the commission to pro-actively provide more outreach and education to EAS participants regarding the maintenance and security of EAS, especially tailored guidance for those entities that may be most vulnerable to cyber threats.
NAB concluded: “We stated our belief that such an approach would be much more effective than merely imposing more regulatory obligations on the entire universe of EAS participants.”
Comments in the EAS cybersecurity proceeding (PS Docket No. 22-329) can be reviewed at the FCC website.
