WASHINGTON, January 18, 2023 – Participants to the national public warning system claim that the Federal Communications Commission’s October rulemaking to improve its security and operational readiness will unduly increase resource and monetary burdens on participants.
The national warning system is composed of the Emergency Alert System, which transmits important emergency information to affected areas over television and radio, and the Wireless Emergency Alert System, which delivers that information to the public on their wireless devices. Participation in the system is voluntary for wireless providers, but radio and television broadcasters are required to deliver Presidential alerts via the EAS.
In the Notice of Proposed Rulemaking, the FCC sought comment on ways to strengthen the operational readiness of the warning system by requiring EAS participants to report compromises of equipment and WEA participants to annually certify to having a cybersecurity risk management plan in place. It further asked that commercial mobile service providers “take steps to ensure that only valid alerts are displayed on consumer devices,” citing several instances where false alerts were given following a system hack.
Measures are unnecessary
Participants argued that such measures are unnecessary in reply comments to the Commission.
The proposals in the Notice are “unnecessary and will not meaningfully enhance operational readiness or security of EAS,” stated the National Association of Broadcasters in its comments, claiming that the Notice “presents only scant evidence of EAS equipment failures and new security threats, and thus does not justify the myriad measures proposed.”
Furthermore, NAB claimed, the notice fails to present a clear rationale for how the Commission’s heightened situational awareness would improve EAS readiness.
ACA Connects, a trade association representing small and mid-sized telecom and TV operators, added that the Notice identifies only two EAS security breaches in the past ten years, which, as the company said, is “hardly an epidemic.”
Participating mobile service providers have cyber risk management plans in place already, making any separate cyber certification requirement for WEA unnecessary and likely to cause fragmentation of service-specific plans, claimed wireless trade association, CTIA.
Increased participant burden
The Federal Emergency Management Agency, which is responsible for national-level activation and tests of the systems, stated in its comments that it is concerned about the potential increased burden placed upon participants.
EAS participants voluntarily and at no cost provide state and local alerts and mobile service providers voluntarily participate in WEA without compensation. FEMA argued that some stakeholders may “have difficulty justifying additional resources necessary to comply with increasing regulation.”
The proposed reporting, certification, and cyber management obligations are far too complex for many EAS participants to implement, stated NAB, claiming that the Commission’s estimation of costs are “wildly unrealistic,” not considering additional hires such a plan would require.
Mobile provider AT&T added that requirements for updating cybersecurity plans would divert valuable resources from the ongoing, broad cybersecurity efforts that participants engage in daily. The proposed authentication would inhibit the timely release of critical emergency alerts without completely eliminating false WEA messages, it continued.
The Center for internet Security, however, supported the FCC’s proposed actions, claiming that it moves forward with “critically important” measures to protect the nation’s alert systems from cyber threats.