FCC Proposes to Strengthen EAS and WEA Against Cyber Security Attacks and to Promote EAS Operational Readiness
At its October 27, 2022, Open Meeting, the Federal Communications Commission ("FCC" or "Commission") adopted a Notice of Proposed Rulemaking ("NPRM") proposing rule changes aimed at improving the operational readiness and security of the national Emergency Alert System ("EAS") and Wireless Emergency Alerts ("WEA") programs. Specifically, the NPRM proposes rule changes that would require EAS participants to: (1) report and promptly repair defective EAS equipment; (2) submit timely and detailed reports concerning unauthorized access to EAS equipment, as well as communications systems and services that could affect the provision of EAS alerts; and (3) create and implement regularly updated cybersecurity risk management plans. The NPRM proposes to extend the same unauthorized access reporting and cybersecurity risk management plan obligations to WEA participants, and to require WEA participants to transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations. Finally, the Commission proposes to amend language to clarify that those participating in WEA on a voluntary basis must nonetheless comply with all applicable FCC rules. Comments and reply comments are due 30 and 60 days, respectively, after publication in the Federal Register.
1. Promoting Operational Readiness of EAS Equipment
Noting that an "appreciable number" of EAS participants were unable to participate in the last nationwide EAS test due to equipment failures, the NPRM seeks comment on how to improve the operational readiness of EAS. The NPRM seeks comment on whether its current rule, which allows EAS participants to continue operations for a period of 60 days despite having defective EAS equipment, is effective, or whether the Commission should require EAS participants to report and promptly repair defective equipment and subsequently report repairs to the Commission. It asks for feedback on the timing and content of such notifications and the extent to which notices should be afforded confidential treatment. The Commission also asks how it might reduce other burdens on EAS participants, including eliminating certain existing recordkeeping obligations.
2. Improving Awareness of Cyber Attacks Impacting EAS Equipment
The FCC's current rules require every EAS participant to notify the Commission within 24 hours after discovering that it has transmitted or otherwise sent a false alert to the public. The NPRM proposes to require, in addition, that an EAS Participant report any incident of unauthorized access to its EAS equipment, whether or not it has resulted in a false alert, to the Commission via the FCC's Network Outage Reporting System ("NORS") within 72 hours. It also proposes to require EAS Participants to report any incident of unauthorized access to any aspect of their communications systems and services that could affect their provision of EAS (including firewalls and VPNs). The NPRM seeks comment on the details of these reporting proposals and on alternative solutions, and seeks additional information on EAS security concerns as well as past incidents of unauthorized access.[1] The NPRM also asks whether participating Commercial Mobile Service ("CMS") providers should be required to report incidents of unauthorized access to their WEA systems or services, and whether the proposed EAS reporting rules should apply to WEA as well or whether WEA should be subject to different requirements.
Proposed Effective Date: The NPRM additionally seeks comment on when these reporting requirements should go into effect, proposing 30 days after publication in the Federal Register, but inviting comment on other factors that may bear on when these requirements, or any alternatives the Commission adopts, should take effect.
3. Protecting EAS and WEA Security through Cybersecurity Risk Management Plans
Noting observed lapses by EAS participants in implementing available improvements to the security of their EAS equipment and software, the NPRM proposes that each EAS participant certify that it has created, implemented, and annually updated a cybersecurity risk management plan. Each plan would be required to address how the participant identifies cyber risks, the controls used to mitigate those risks, and how those controls are applied to its operations in order to ensure the confidentiality, integrity, and availability of EAS. The plans would address not only the security of EAS equipment, but also the security of all aspects of an EAS participant's communications systems and services. Among other things, the FCC proposes that each plan include security measures that address changing default passwords prior to operation, timely installation of security updates, use of firewalls or other segmentation practices, multifactor authentication, and secure disposal of end-of-life equipment. The NPRM proposes that EAS participants' security measures include commonly accepted best practices, a requirement they could meet by structuring their plans to follow an established cybersecurity framework (e.g., the National Institute of Standards and Technology (NIST) Risk Management Framework or the NIST Cybersecurity Framework).
The NPRM also seeks comment on whether the Commission should require participants to conduct network security audits or vulnerability assessments and report the results. Additionally, it asks whether participants should be required to implement incident response plans that describe the procedures used to respond to an ongoing cybersecurity incident, establish cybersecurity training for employees, and keep records of their implementation of baseline security controls.
The NPRM similarly proposes to require participating CMS providers to certify that they have created, implemented, and annually updated cybersecurity risk management plans. The Commission seeks comment on this approach and on whether any WEA-specific features require a different strategy from that applied to EAS. The proposed plans would describe security controls sufficient to ensure the confidentiality, integrity, and availability of wireless emergency alerts, demonstrated by implementing controls such as the Cybersecurity and Infrastructure Security Agency ("CISA") Cybersecurity Baseline or the appropriate Center for Internet Security ("CIS") Critical Security Controls Implementation Group. The FCC proposes to require baseline security measures similar to those it proposes for EAS participants, and asks whether participating CMS providers require alternative approaches to best secure WEA alerts. The NPRM also asks whether other categories of communications service providers (e.g., services that support 911 calling) should also be required to implement cybersecurity risk management plans.
Proposed Effective Date: The NPRM proposes that the cybersecurity risk management plan requirements take effect 12 months after publication in the Federal Register of OMB approval of the final rules, allowing sufficient time for EAS participants and participating CMS providers to develop and implement the necessary security controls. The FCC asks whether it should give small businesses operating as EAS participants and participating CMS providers an additional 12 months to comply with this requirement, allowing a 24-month implementation period after publication of OMB approval in the Federal Register.
4. Displaying Only Valid WEA Messages on Mobile Devices
The NPRM recounts the panic and confusion caused by a false ballistic missile alert sent by the Hawaii Emergency Management Agency and, to avoid false alerts, proposes to require participating CMS providers to transmit sufficient authentication information to allow mobile devices to present WEA alerts only if they come from valid base stations. The FCC suggests that participating CMS providers could do so by authenticating either the alert or the base station itself, for example by transmitting a unique identifier or an encryption key. The NPRM seeks comment on the feasibility of collecting and transmitting such authentication information and on whether doing so should be a prerequisite to labeling devices as WEA-compatible. It also asks whether implementing these approaches would affect the ability of non-service-initialized WEA-capable mobile devices, SIM-less WEA-capable mobile devices, or mobile devices no longer associated with a CMS provider to receive WEA alerts, and for recommendations of steps the FCC could take to mitigate such drawbacks.
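To make the "present alerts only if they come from valid base stations" idea concrete, the following is an added illustration written for this summary; it is not code from the NPRM, the FCC, or any CMS provider, and it does not model any standardized cell-broadcast mechanism. It assumes (our assumption, not the page's) that the provider provisions each legitimate base station with an identifier and a secret key, that each device carries a trust store of those identifiers and keys, and that each alert carries a base station identifier, a sequence number, an issue time, the message text, and an HMAC-SHA256 tag over those fields. The device-side check then rejects alerts from an unknown station, alerts with a bad tag (rogue key or tampered contents), stale alerts, and replays; a device with an empty trust store (the SIM-less or no-longer-associated case the NPRM asks about) rejects everything.

```python
"""Illustrative WEA alert authentication check (added example; hypothetical design)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Fields that the base station authenticates; the tag itself is excluded.
AUTHENTICATED_FIELDS = ("base_station_id", "seq", "issued_at", "message")


@dataclass
class DeviceTrustStore:
    """Per-device trust store: base_station_id -> provisioned secret key (assumed model)."""
    keys: dict
    seen: set = field(default_factory=set)  # (base_station_id, seq) pairs already accepted
    max_age_s: int = 300                    # reject alerts issued more than 5 minutes from now


def canonical(alert: dict) -> bytes:
    """Serialize the authenticated fields deterministically so both sides MAC identical bytes."""
    subset = {k: alert[k] for k in AUTHENTICATED_FIELDS}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def sign_alert(base_station_id: str, key: bytes, seq: int, message: str, issued_at: int) -> dict:
    """Base station side: build an alert and attach an HMAC-SHA256 tag under the station's key."""
    alert = {"base_station_id": base_station_id, "seq": seq, "issued_at": issued_at, "message": message}
    alert["tag"] = hmac.new(key, canonical(alert), hashlib.sha256).hexdigest()
    return alert


def verify_alert(store: DeviceTrustStore, alert: dict, now: int) -> tuple:
    """Device side: accept only alerts that are well-formed, from a provisioned station,
    carry a valid tag, are fresh, and have not been presented before."""
    if not all(k in alert for k in AUTHENTICATED_FIELDS + ("tag",)):
        return False, "malformed"
    bsid = alert["base_station_id"]
    key = store.keys.get(bsid)
    if key is None:
        return False, "unknown base station"
    expected = hmac.new(key, canonical(alert), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, alert["tag"]):   # constant-time comparison
        return False, "bad tag"
    if abs(now - alert["issued_at"]) > store.max_age_s:
        return False, "stale"
    if (bsid, alert["seq"]) in store.seen:
        return False, "replay"
    store.seen.add((bsid, alert["seq"]))
    return True, "ok"


def demo() -> dict:
    """Run the check over constructed alerts (all keys, ids and text are made up)."""
    key_a = b"provisioned-key-for-bs-A"
    key_rogue = b"attacker-controlled-key"
    now = 1_700_000_000
    store = DeviceTrustStore(keys={"BS-A": key_a})
    results = {}

    good = sign_alert("BS-A", key_a, seq=1, message="Emergency Alert: test", issued_at=now)
    results["valid"] = verify_alert(store, good, now)[1]
    results["replay"] = verify_alert(store, good, now)[1]          # same alert a second time

    rogue = sign_alert("BS-ROGUE", key_rogue, seq=1, message="BALLISTIC MISSILE INBOUND", issued_at=now)
    results["unknown_station"] = verify_alert(store, rogue, now)[1]

    forged = sign_alert("BS-A", key_rogue, seq=2, message="BALLISTIC MISSILE INBOUND", issued_at=now)
    results["forged"] = verify_alert(store, forged, now)[1]        # right id, wrong key

    tampered = dict(good)
    tampered["seq"] = 3
    tampered["message"] = "BALLISTIC MISSILE INBOUND"               # tag no longer matches
    results["tampered"] = verify_alert(store, tampered, now)[1]

    stale = sign_alert("BS-A", key_a, seq=4, message="Old alert", issued_at=now - 3600)
    results["stale"] = verify_alert(store, stale, now)[1]

    no_keys = DeviceTrustStore(keys={})                             # SIM-less / unprovisioned device
    results["no_keys"] = verify_alert(no_keys, good, now)[1]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16s} -> {outcome}")
```

Two caveats a practitioner would raise with this model. First, an HMAC key shared with every handset can be extracted from any one of them and then used to forge alerts, so a real design would have each base station sign with a private key and devices hold only public keys, which is the "encryption key" variant of the NPRM's suggestion. Second, the check only establishes that an alert came through a provisioned station; an authorized operator sending a mistaken alert, as in the Hawaii incident the NPRM cites, would still be accepted, which is why the NPRM pairs this proposal with the reporting and risk management requirements above.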
Proposed Effective Date: The NPRM proposes that participating CMS providers begin transmitting sufficient authentication information from valid base stations 30 months after publication of these rules in the Federal Register. The FCC estimates that participating CMS providers will require 12 months to publish relevant standards; another 12 months to develop, test, and integrate software upgrades consistent with those standards; and an additional six months to deploy the technology.
5. WEA Infrastructure Functionality
The NPRM seeks to refresh the record on its 2016 proposal to remove certain language from the WEA rules to eliminate any ambiguity that may exist concerning the need for those CMS providers that voluntarily participate in WEA to comply fully with the technical transmission requirements. Specifically, it proposes to delete language stating that WEA functionality is "dependent upon the capabilities of the delivery technologies" and "defined and controlled by each Participating CMS Provider." The FCC finds this language confusing and unnecessary.
Proposed Effective Date: The NPRM proposes to remove this language from the WEA infrastructure and mobile device rules 30 days after publication in the Federal Register.
Please let us know if we can provide any additional information or answer questions concerning the Commission's NPRM.
[1] The FCC defines "unauthorized access" to EAS equipment, communication systems and services as "any incident involving either remote or local access to EAS equipment, communications systems, or services by an individual or other entity that either does not have permission to access the equipment or exceeds their authorized access." NPRM ¶ 18.