Industries Concerned About Cybersecurity Alerting Burdens
Broadcasters, wireless companies and alerting equipment manufacturers are concerned about the potential costs of increasing cybersecurity regulations on emergency alerting participants and the burden of potentially duplicated reporting requirements across multiple federal agencies, they told the FCC and the Cybersecurity and Infrastructure Security Agency Monday at a public roundtable event on alerting cybersecurity. The event included local government public safety agencies, the FBI and cybersecurity companies and featured discussion of potential threats to alerting infrastructure and the need for transparency around cyberattacks alongside potential regulatory burdens. “WEA is a voluntary program,” said CCIA General Counsel Angela Simpson. “There is a straw that will break the proverbial camel’s back at some point.”
Many smaller alerting participants -- such as low-power FM and TV stations -- have one or two employees, and don’t have the resources to allocate to keeping track of cybersecurity best practices, said Ed Czarnecki, Digital Alert Systems vice president-global and government affairs. “They wouldn’t know where to go to report a cybersecurity incident,” he said, pointing out that representatives of the low-power broadcast industry were “noticeably absent” from the event. The widely used National Institute of Standards and Technology Cybersecurity Framework is “incomprehensible” to people who haven’t “spent a lifetime” in cybersecurity, said Harold Price, Sage Alerting Systems president. “These aren’t uneducated people, these are people who are busy in a field that isn’t this,” he said. “I’m not so sure that Americans are not more resilient than sometimes we give credit,” responded Billy Bob Brown, CISA executive assistant director-emergency communications.
Smaller entities that are part of the U.S. alerting infrastructure need to be vigilant and prepared for cybersecurity threats because they are attractive targets for both noncriminals and U.S. political adversaries, said Eric Goldstein, CISA’s executive assistant director-cybersecurity. Recent annual federal threat assessments say that during a geopolitical conflict, China would direct cyberattacks on U.S. infrastructure “to sow societal chaos,” Goldstein said. “To undermine the very fabric of our communities, there's no target that would have a more significant impact on the psyche of the American people than the public safety community,” he said. NTIA Telecommunications Policy Specialist Kathryn Basinsky said that smaller entities are increasingly the ones being targeted for ransomware and other cybercrimes. “It doesn’t necessarily make sense to bolt the front door if you’re leaving the side door open,” said Stephen Hayes, Ericsson North America director-standards.
A cyberattack that compromised the wireless emergency or broadcast emergency alert systems could potentially be used to send out false information, or keep public safety officials from transmitting actual emergency information, said Sean Letona, chief of CISA’s Cybersecurity Division. The consequences of an attack can also be expensive -- Center for Internet Security General Manager Curtis Dukes said MGM suffered a cyberattack that cost the company in the realm of $100 million in recovery and lost business. Czarnecki said a large cable company incurred over $1 million in costs investigating and correcting an issue that had caused the nationwide EAS test in 2021 to be broadcast in one market without audio. An actual cyberbreach would likely have worse consequences, he said.
Agencies have to balance the burdens of cybersecurity regulations and work together to prevent duplication among the various reporting requirements, said Verizon Associate General Counsel Chris Oatway. The FCC is considering four different cybersecurity reporting requirements that would apply to carriers, Oatway said. “There’s a need to explore harmonizing the different cybersecurity requirements,” he said. “Any way we can reduce complexity on reporting helps us all,” said Mike Kelley, E.W. Scripps chief information security officer. Transparency about cyberattacks is key in preventing future ones and staying aware of potential threats, said Goldstein. The current practice of shaming entities when they suffer a breach only helps cybercriminals, he said. “When a partner in the public safety community has an intrusion, we need to hear about it.”
Video of Monday’s event will be part of the record in docket 15-94 of the FCC’s ongoing proceeding on proposals to safeguard emergency alerting against cyberattacks, FCC officials said (see 2301240045).