WASHINGTON—FCC Chairwoman Jessica Rosenworcel is proposing action to bolster the security of the nation’s public alert and warning systems, the Emergency Alert System and Wireless Emergency Alerts delivered to the public through alerts on their televisions, radios, and wireless phones.
“The Emergency Alert System and Wireless Emergency Alerts are used every day across the country to warn the public about severe weather, missing children, and other crises — and to help save lives,” said Chairwoman Rosenworcel. “It is critical that these public safety systems are secure against cyber threats, which means that we must be proactive. The draft proposals shared today will help ensure that our national alerting systems work as intended during emergencies and the public can trust the warnings they receive.”
If adopted by a vote of the full Commission, this Notice of Proposed Rulemaking would seek comment on:
- Ways to improve the operational readiness of the Emergency Alert System, including the amount of time that broadcasters, cable providers, and other EAS participants may operate before repairing defective EAS equipment;
- Requiring EAS participants to report compromises of their EAS equipment;
- Requiring EAS participants and the wireless providers that participate in Wireless Emergency Alerts to annually certify to having a cybersecurity risk management plan in place, and to employ sufficient security measures to ensure the confidentiality, integrity, and availability of their respective alerting systems; and
- Requiring wireless providers to take steps to ensure that only valid alerts are displayed on consumer devices.
The Notice of Proposed Rulemaking would seek public comment on these matters and related questions about improving alerting security.
The commission’s action comes after the Department of Homeland Security issued a warning to states in August to update and secure their EAS systems, particularly those that provide connection to proprietary devices. Ken Pyle, a partner at security firm Cybir, told KrebsOnSecurity that he had purchased used EAS equipment from ebay and found security holes in a device manufactured by Digital Alert Systems, which said it issued a security advisory in August to customers still using the EAS encoder to update the firmware.
EAS hacks have occurred with frightening regularity over the past decade, including a zombie attack warning in Montana and Michigan in 2013—which was rerun in Indiana in 2017—a radiological hazard warning in 2020 and perhaps the most famous false alert, the warning of a nuclear attack in Hawaii in 2018.