Your browser is out-of-date!

Update your browser to view this website correctly. Update my browser now


NAB Thinks EAS Cybersecurity Proposal Oversteps

“Well-intentioned, albeit unjustified, solutions in search of a problem”

The FCC wants to minimize IP-based threats to the Emergency Alert System in the United States and improve operational readiness of participants. But it is getting pushback from broadcasters who worry that a new mandate will create compliance issues and be a burden on short-staffed radio stations.

The commission has been increasingly concerned about bad actors gaining access through various internet-connected EAS devices and planting information that could cause widespread panic. Malicious pranksters have exploited the warning system in recent years, including the famous Zombie Attack hack that ended up with multiple TV stations across the Midwest warning of impending doom from dead folk.

The FCC says broadcasters need to do more to patch vulnerabilities in EAS gear, eliminating outdated software and installing proper firewalls in EAS encoder/decoder devices, to protect against cyber threats.

The notice of proposed rulemaking in October includes a proposed requirement for broadcasters and cable operators to report incidents of unauthorized access to their EAS equipment within 72 hours. EAS participants would also be required to annually certify that they have a cybersecurity risk management plan.

The commission says EAS devices and supporting systems need be monitored and audit logs regularly reviewed looking for unauthorized access. And it asks that broadcasters check with their EAS equipment manufacturer if they are unsure how to proceed with periodic security updates.

The National Association of Broadcasters, in comments filed just prior to the holiday break, said navigating the EAS rule changes would create compliance issues for radio and television broadcasters. The proposed measures “amount to well-intentioned, albeit unjustified, solutions in search of a problem,” NAB told the commission.

In addition, the NAB says it agrees with the Federal Emergency Management Agency that the FCC presents only scant evidence of EAS failures and new EAS security threats, and thus does not justify the myriad of measures proposed in the NPRM.

“For example, based on a relatively meager number of equipment-related problems that arose during the 2021 Nationwide EAS Test, the FCC proposes an entirely new regulatory regime for the repair of malfunctioning EAS equipment, in place of the currently effective one,” NAB wrote. “The FCC’s approach also introduces new pitfalls, including the potential for new (and unnecessary) enforcement actions against EAS participants for repair delays due to circumstances beyond their control.”

The NAB says “the commission grounds its expansive, expensive proposals in fairly scant evidence of a widespread or persistent problem.”

Instead of foisting more regulations onto broadcasters, the NAB urges the commission to take a proactive leadership role in assisting EAS participants better ensure the security of their EAS systems. It reminds the FCC that EAS is an unfunded government mandate in which broadcasters voluntarily participate.

The association even goes a step further by recommending the FCC amend its rules with a minor policy change to enhance EAS security.

“Specifically, NAB requests that the FCC amend its rules as needed to allow EAS participants to use virtualized, software-based, solutions in place of certain hardware-based elements of their EAS system. Such an approach would allow broadcasters to better align their EAS operations with nearly all other components of broadcast operations which are moving towards advanced, virtualized technology.

“This voluntary option would also facilitate the rapid resolution of EAS defects, speed the implementation of software patches designed to enhance security, and improve alert monitoring, among other benefits.”

The NAB urges the FCC to consider and approve the new proposal within the current proceeding.

Joint comments from a consortium of state broadcast associations mostly echo the concerns of NAB: “The approach set out by the FCC in the NPRM for the latest round of (EAS) enhancements creates an enormous unfunded mandate that exponentially increases the financial, time and liability burdens on EAS Participants to an extent that broadcasters cannot simply absorb,” the group commented.

Meanwhile, National Public Radio told the FCC that the EAS proposal would create costly obligations for stations without clear public benefits.

“Some of the proposed rules would be especially burdensome for noncommercial public radio stations — stations that already provide consistent and trusted emergency alerting service despite significant staffing and monetary constraints,” NPR wrote.

“Our primary concerns relate to new costs … because the burdens of the proposed rules far exceed any possible benefits.”

Since current rules already require stations to ensure their equipment is properly installed and operational, and the 2021 nationwide EAS test showed a 97 percent readiness level, NPR says the commission’s current rules are working.

NPR also asserts requiring broadcasters to report unauthorized access to their EAS systems would be burdensome and objects to any requirement with a subjective “should have known” standard.

“Noncommercial stations should not be penalized for reporting an incident once they become aware of it because by some measure, the stations should have known about the incident earlier,” NPR told the FCC.

And the proposed cybersecurity risk management plans would be costly and difficult to prepare for noncommercial stations, NPR states.

The FCC proposal is the latest in a recent string of EAS rule adoptions meant to strengthen the public warning system in this country. The commission this fall passed measures to make alerts from broadcasters more informative and easier to understand by the public, particularly deaf people and others with disabilities. The deadline for EAS participants to implement new Common Alerting Protocol alert poling and prioritization rules is Dec. 12, 2023.

Reply comments on the cybersecurity issue are due on or before Jan. 23. File comments and read others at the FCC website under PS Docket No. 22-329.