You can watch the FCC roundtable discussed in this story at the bottom of this page.
If China or Russia were to seek to induce societal panic in the United States, they could do so by hijacking internet-connected EAS equipment with bogus emergency warnings, according to homeland security experts. Therefore, the Federal Communications Commission says, protecting and improving the security of the Emergency Alert System and Wireless Alert System are priorities.
The commission this fall partnered with the Cybersecurity and Infrastructure Security Agency or CISA to host a public roundtable on strengthening that cybersecurity. It included stakeholders from around the public warning ecosystem.
“Maintaining the security and operational readiness of EAS and WEA is essential,” Chairwoman Jessica Rosenworcel said. “These are essential systems that function in emergencies, and the public must trust the warnings they receive.”
Mandatory reporting
Seeking to protect EAS from cyberattacks, the FCC has a notice of proposed rulemaking (PS Docket No. 22-329) that would apply new risk management and reporting requirements to entities that relay alerts, including broadcasters.
“The new rules would help ensure the reliability, readiness and resilience of these critical alerting systems we all count on,” Rosenworcel said.
The FCC proposes to require participants to patch vulnerabilities in EAS gear, eliminate outdated software and install proper firewalls in encoder/decoder devices. It also would require broadcasters to report incidents of unauthorized access to EAS equipment within 72 hours.
Broadcasters have cast a wary eye at these proposals. NAB told the FCC that the measures are well intentioned but would create compliance issues and impose burdens on small and medium-sized broadcasters. It favors “more outreach and education over new mandates” and pointed to “scant evidence of previous cybersecurity incidents.”
However, representatives of CISA say mandatory reporting would provide security experts with critical data about what is being exploited as well as any mitigating factors.
“An early heads up on weaknesses allows others to protect themselves from similar attacks, and give hardware and software developers the tools to improve products and services,” said Todd Klessman, CISA’s rulemaking team leader for the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA, which became law in 2022.
There have been several notable hacks of EAS equipment of broadcasters that were mentioned during the roundtable. One resulted in the broadcast of a zombie attack EAS alert in 2013 by several TV stations.
The commission says more needs to be done because alerting systems are such desirable targets for bad actors. It also acknowledges that keeping the alerting infrastructure protected is a massive job.
“20,000 end points”
Wade Witmer, deputy director of FEMA’s Integrated Public Alert and Warning System Division, told the roundtable that one of the challenges is the sheer number of participants.
“That makes EAS unique and makes it more susceptible to cyber threats. The number of senders right now in the United States, those local agencies authorized to send alerts, is 1,500 to 1,600. But when you consider the realm of broadcast, it’s remarkable. There are well over 20,000 end points between radio and TV, each with EAS equipment that is overseen by maybe just one person across multiple stations,” Witmer said.
He said broadcasters face the same threats as any entity connected to fiber, and that no entity is too small to suffer a cyberattack.
Harold Price, president of Sage Alerting Systems and a roundtable panelist, said Sage is improving its software and beginning to build in the ability for users to gain better insight into who might be attempting to gain access.
“In all we are trying to build EAS systems with a reduced threat surface — limiting the reason why broadcasters would ever put an EAS device on an unprotected network and limiting the number of people who can access EAS equipment,” he said.
Price reminded the FCC that the majority of radio stations are small businesses with small staffs and limited IT resources.
“We are working to raise the awareness and give them the tools to manage their EAS systems,” he says. Price urged FCC to take a more proactive role in education and training.
“A rulemaking saying that broadcasters have to have a plan and follow it is all well and good. But time has to be spent in presenting clear and effective language to make it relevant and relatable to small radio operators who do not have the resources and the time to learn it.”
Ed Czarnecki, VP at Digital Alert Systems, said the challenge of having a large number of EAS participants is made greater by their disparity in size.
“The majority of issues we hear about are with small broadcasters and LPFMs, not the major broadcast corporations.” Small broadcasters, he said, simply don’t have the money to pay for alerting infrastructure. Compliance costs, while relatively small, are always going to be a challenge for them.
Czarnecki, like Price, asked the commission for plain-language guidance. “Some of these smaller broadcasters likely have a staff of one or two people with very limited IT skills. That means they will likely need to hire outside help to handle some of the compliance, which will add to the costs.”
Several CISA representatives said the agency has a variety of resources for small business including cost-effective measures for protecting assets. Many of those resources are designed to be understandable to small business owners, they said.
Kenneth Chew, unit chief of the FBI’s Cyber Division, said public warning systems deployed by broadcasters are a high-value target. “Cyber mischief makers and adversaries alike,” he said, have their sights set on disrupting the nation’s communication systems.
Another panelist agreed. “Worry over fake alerts is the top concern of public warning experts in this country. False alerts would kill the credibility of IPAWS and other public warning systems,” said Nick Narine, program manager for the public warning division at New York City Emergency Management. “You don’t want the public questioning: ‘Hey, is this real?’”
Brian Scott, a deputy assistant in the Office of the National Cyber Director, said it’s critical that EAS participants not rely on outdated firmware and software. He noted that prior to its invasion of Ukraine, Russia conducted a cyberattack against that country’s satellite communications that interrupted services. He said precautions are complicated by the intermingling of providers with customers and the broad reach of communications and ISP entities and their interdependencies.
Growing dependence
Broadcast architecture connected to the internet isn’t the only potential digital highway that is susceptible to hackers. Public warning stakeholders at the roundtable said the cellular WEA system has its own vulnerabilities.
Steven Hayes, director of North American standards for Ericsson, said a potential red flag in WEA is a “false base station.” The terminology refers to hardware and software that allow for passive and active attacks against mobile subscribers over radio access networks. The tool attacks vulnerabilities in mobile systems including 3G, 4G and 5G networks.
Hayes cited research in 2018 by the University of Colorado. It concluded that presidential alerts could be spoofed by attackers and in theory sent to all capable cellphones within a given area, such as a packed sports stadium or small city. The study concluded that fake alerts in densely populated cities could potentially result in “cascades of panic.”
Michael George, an associate administrator for FEMA’s Office of National Continuity Programs, said the public’s reliance on cellphones “is a societal change” that must be factored into the country’s long-term alerting capabilities.
FEMA’s Witmer, too, noted the growing role of cellphones for alerting. “The public perception of how and when they want to be alerted is changing. There is a growing dependency by the public on their cellphones, and … the information they receive there is much more personalized from their perspective than the same information displayed on TV or broadcast on radio. It’s becoming the preference for receiving alerts.”
Panelists pointed out that the FCC has a proposed rulemaking addressing some of the cybersecurity concerns for WEA. But Christopher Oatway, associate general counsel at Verizon, stressed a need for “harmonization of rulemaking” within the FCC. He said there were four separate proposals before the commission dealing with alerting security.
You can watch the roundtable below, or click here.
