FCC adopts cybersecurity rules for the Emergency Alert System, opens further review

By Dak Dillon June 25, 2026

The Federal Communications Commission on June 25 adopted rules requiring operators of Emergency Alert System equipment to take specific cybersecurity steps, and opened a broader proceeding on changes to both EAS and Wireless Emergency Alerts.

The commission approved the measure as a report and order and further notice of proposed rulemaking, identified as FCC 26-38.

Chairman Brendan Carr and Commissioners Anna Gomez and Olivia Trusty voted to approve. Carr and Trusty issued separate statements.

The order applies to EAS participants, the broadcasters, cable operators and other providers that transmit alerts to the public. It requires them to secure the equipment that supports their programming stream by changing default passwords and using strong passwords, promptly testing and installing security patches issued by equipment manufacturers, and using a firewall or comparable network segmentation practice to limit remote access to authorized devices and users.

The agency tied the requirements to past incidents in which attackers gained access to broadcast EAS equipment. Carr cited a 2023 case in which a cyberattack produced a false alert warning of a zombie attack.

“It was the effect of a cyber attack where bad actors were attempting to get into broadcast stations’ EAS equipment,” Carr said. He said the case underscored the need for the agency to maintain what he described as basic cybersecurity measures.

Gomez, who supported the item, said the agency had warned about the vulnerabilities for years before requiring action. She said the order moves the agency away from voluntary commitments.

“Emergency alerts save lives,” said Gomez, commissioner at the FCC. She said the order closes documented security gaps that have been used to insert false content into broadcasts despite repeated agency warnings since 2020.

What the further notice proposes

The accompanying further notice of proposed rulemaking seeks comment on a set of additional changes to EAS and WEA. It proposes requiring the authentication of all alerts before they are transmitted, and establishing universal alert identification numbers to detect and block duplicate alerts.

The notice also addresses the geographic accuracy of alerts. It proposes eliminating outdated WEA geotargeting exceptions that can cause alerts to reach the wrong areas, and expanding EAS geotargeting to allow delivery by polygon, the method used for wireless alerts. It seeks comment on ensuring that wireless alerts are sent to people who enter an alert area after an alert has been issued, until the emergency ends.

The notice raises two proposals aimed at making alerts effective regardless of language. It seeks comment on requiring the display of a symbol matching the type of emergency, and on improving earthquake alerts through a text-to-speech announcement or a unique attention signal. Gomez said the agency is seeking comment on text-to-speech functionality for earthquake alerts in English, Spanish and other languages, and credited the chairman’s office with adding the question to the item.

The notice further proposes to allow EAS participants to use software-based solutions instead of dedicated equipment, and to retire the 90-character version of WEA messages, which the agency said alerting authorities have described as too short to carry actionable information.

Statements from the commissioners

Trusty described a recent visit to the Nebraska Emergency Management Agency during the state’s wildfire season as an illustration of how alerts move from state officials to broadcasters, cable operators and other providers.

“As cybersecurity threats continue to evolve, EAS participants must take appropriate steps to safeguard the infrastructure that supports the delivery of lifesaving alerts,” said Trusty, commissioner at the FCC.

At a press conference after the meeting, Carr said the agency had no new requirements to announce beyond the proposals in the further notice, and pointed to the software-based proposal as a potential cost factor for broadcasters.

“Historically, EAS was governed by expensive, bespoke pieces of equipment, and it was therefore costly,” Carr said. He said a move toward software could reduce those costs, and that the agency would review comments on the issues raised in the proceeding.

The proceeding is filed under PS Docket Nos. 25-224, 22-329, 15-91 and 15-94. Comment deadlines will be set after publication in the Federal Register.