'Critical Infrastructure Problem'

Unanimous Approval Expected for FCC Emergency Alerting Cybersecurity NPRM

A draft NPRM on proposals to increase cybersecurity requirements for wireless emergency alert and emergency alert system participants is expected to be unanimously approved at Thursday’s FCC commissioners' meeting, with few changes from the draft version, industry and FCC officials told us. The item seeks comment on proposals including cyberattack reporting rules and requirements that participants certify cybersecurity plans. No changes have been made so far, though a few tweaks are possible before the vote, officials said. Experts said they expect the agency to take likely costs of any new rules into consideration.


While the EAS and WEA “are strong, we must remain vigilant and proactive to ensure they remain so,” said an FCC fact sheet on the draft NPRM.

“More needs to be done to improve EAS operational readiness,” said the draft NPRM, citing results from the last nationwide EAS test in 2021 showing “an appreciable number” of participants -- 565 out of 19,000 -- were unable to take part in the “testing due to equipment failure despite advance notice that such test was to take place.” The 2021 test report also shows over 5,000 of the TV and radio broadcasters expected to participate in the test didn’t file test reporting forms, many of them low-power FM and low-power TV stations. The draft seeks comment on requiring participants to report defective equipment, on shortening the 60-day requirement to have EAS equipment repaired, and on the possible monetary costs that might come with such policies.

The draft NPRM also includes a proposal to require broadcasters to notify the FCC of cybersecurity breaches, and references some cybersecurity events involving EAS, including an August Federal Emergency Management Agency warning about vulnerabilities in EAS equipment built by Digital Alert Systems that were publicly demonstrated at a hacker convention (see 2208050053). Those vulnerabilities can be addressed through software updates to EAS equipment, but not all participants are regularly performing those updates, said both Digital Alert Systems Vice President Ed Czarnecki and Ken Pyle, partner-exploit director at cybersecurity firm Cybir, in separate interviews. “It’s a symptom of an overall relaxed cybersecurity posture within the business,” said Czarnecki.

Pyle, who found the vulnerabilities and demonstrated them at hacker event DEFCON 2022, believes as long as something as important as the EAS depends on user-driven updates for security, it will be vulnerable. “This is a critical infrastructure problem,” he said. Since EAS includes the legacy daisy chain system wherein stations are triggered to retransmit EAS alerts by other stations broadcasting those alerts, smaller broadcasters with fewer resources to maintain their systems can make other broadcasters vulnerable, he said. Stricter FCC cybersecurity requirements are needed, said Pyle. A vulnerability Pyle discovered in 2019 has already been corrected, and a more-recent vulnerability revealed in August is being addressed similarly, Czarnecki said. Regular cybersecurity reporting requirements could be burdensome for smaller broadcasters, industry officials said.

A report on those vulnerabilities from the Cybersecurity and Infrastructure Security Agency is expected to be released soon, industry officials said. FEMA “encourages broadcasters to keep their EAS equipment up to date with the most recent software versions and security patches, protect their assets with appropriately configured network firewalls and regularly monitor their log files for unauthorized activity,” emailed a FEMA spokesperson.

Current FCC rules require EAS participants to notify the FCC by email within 24 hours of a false alert, but the draft NPRM proposes requiring them to report any incident of unauthorized access to EAS equipment within 72 hours via the network outage reporting system. “We believe that it would be in the public interest to strengthen this rule in view of the increasing threats that cyber attacks pose to EAS networks and equipment,” said the draft item. The FCC “could use the proposed notifications to work with providers and other government agencies to resolve an equipment compromise before the compromise is actually exploited to cause false EAS transmissions in at least some instances,” the draft item said.

The item also proposes requiring participants to certify they “created, updated, and implemented a cybersecurity risk management plan” and said implementing the requirement would cost participants a total of $21 million. “We believe the benefits of our rule to the American economy, commerce, and consumers are likely to significantly and substantially outweigh the costs of the proposed certification requirement,” the item said.

WEAs

Only CTIA has weighed in on the WEA proposals since the item circulated, asking the commission to take costs into consideration as it considers new rules (see 2210210064). CTIA warned that “developing new cryptographic standards to enable authentication capabilities would require a much larger investment of time and resources” than the draft contemplates. The group declined further comment Tuesday.

Participating carriers and equipment makers “have dedicated considerable resources toward the success and security of the WEA system and, as the Commission recognized in the Draft Alerting Security NPRM, the program remains strong,” CTIA said. “WEAs are promptly delivered to devices, as demonstrated in the 2021 nationwide WEA test and more recent state and local tests,” the group said: Participating carriers “routinely review their systems to ensure that WEA delivery is secure and reliable.”

Improving WEAs is “largely uncontroversial as a core concept, though there may be some disagreements around the edges regarding the specifics,” said Jeffrey Westling, American Action Forum director-technology and innovation policy. “Considering this is just at the NPRM stage, I doubt we will see any major changes before the item is approved,” he said: “If the commission is undervaluing the costs of new security measures that the NPRM proposes, I suspect we will see a robust record detailing the differing views before this gets to a final order.”

“Evaluating the cost-benefits trade-offs of additional security is always a tough prospect,” but the commission is right to take on the question, said Joe Kane, Information Technology and Innovation Foundation director-broadband and spectrum policy. “Thinking ahead to potential security vulnerabilities in these systems is important to ensure they're ready when needed,” he said.

“As natural disasters are on the increase, we need a robust emergency alert system,” said Recon Analytics’ Roger Entner: “The key is to right-size the system.”

It’s “entirely appropriate” for the FCC to “consider, on an ongoing basis, whether further changes should be implemented to ensure that the EAS and WEA systems are secure and up-to-date,” emailed Randy May, Free State Foundation president. “It is also appropriate that in evaluating any proposed changes, such as enhanced cybersecurity measures and new authentication requirements, that the commission undertake a rigorous cost-benefit analysis, as it is required to do,” he said: “The commission’s draft notice indicates that it will do so, and I don’t have any reason to doubt that this will be the case as the proceeding moves forward.”