The Federal Communications Commission on Oct. 27 voted to approve a notice of proposed rulemaking that aims to shore up the cybersecurity and operational readiness of the Emergency Alert System (EAS) and Wireless Emergency Alerts.
The EAS – and its associated wireless emergency alerts – functions as a national public warning system most often used by state and local authorities to deliver urgent and emergency information to the public. The alerts often involve weather conditions and AMBER alerts, but the system also has the capability for the president to address the public during a national emergency. The alerts are delivered on television, radio, and wireless devices.
Under the rules proposed by the FCC, EAS system participants would have to report to the FCC within 72 hours of any unauthorized use of their EAS equipment. “This would allow the Commission to work with participants and other government agencies to resolve an equipment compromise before it is exploited to send false alerts,” the agency said.
The proposed rules would also require EAS participants to annually certify that they have a cybersecurity risk management plan in place, “and implement sufficient security measures for their alerting systems,” according to the FCC.
Finally, the rules would require EAS participants to guard against false emergency alerts by transmitting “sufficient authentication information to ensure that only valid alerts are displayed on consumer devices,” the agency said.
The FCC will solicit public comment on the proposed rules and after that process is completed, will vote on whether to adopt the new rules.
FCC Chairwoman Jessica Rosenworcel said that in addition to making sure that EAS participants have a cyber risk management plan in place, the proposed rules would also seek to ensure that participants have installed the most recent security patches on their systems.
“This effort will help ensure the function of these essential systems in emergencies and that the public can trust the warnings they receive,” she said.
“This is important because the Department of Homeland Security recently determined that some of this alerting infrastructure is susceptible to serious security vulnerabilities,” Rosenworcel said. “While some patches have been released to fix these flaws, not everyone has installed them. We are committed to fixing that here and now.”
EAS is maintained on a collaborative basis by the FCC, the Federal Emergency Management Agency (FEMA), and NOAA’s National Weather Service (NWS) component. The FCC’s role focuses mainly on technical standards for EAS participants, procedures to follow if the system is activated, and testing protocols.