By: Andrew Regitsky
In a Notice of Proposed Rulemaking (Notice) in Docket 22-339 released on October 27, 2022, the FCC proposed to “bolster the operational readiness and security of the nation’s public alert and warning systems, the Emergency Alert System (EAS) and Wireless Emergency Alerts. These systems warn the public about emergencies through alerts on their televisions, radios, and wireless phones.” Industry comments are due 30 days after the Notice appears in the Federal Register. While almost everyone is familiar with the EAS, Wireless Emergency Alerts (WEAs) are less well known.
WEA is a tool for authorized federal, state, local, tribal, and territorial government entities to geographically target alerts and warnings to WEA-capable mobile devices of Participating CMS [Commercial Mobile Service] Providers’ subscribers. The Warning Alert and Response Network (WARN) Act establishes WEA as a voluntary system in which CMS providers may elect to participate and gives the Commission authority to adopt “relevant technical standards, protocols, procedures and other technical requirements . . . necessary to enable commercial mobile service alerting capability for commercial mobile service providers that voluntarily elect to transmit emergency alerts.” Pursuant to this authority, the Commission has adopted requirements to prescribe WEA capabilities, WEA testing, and WEA election procedures. While participation by wireless providers is voluntary, those that offer the service must adhere to the technical and operational requirements established by the Commission. (Notice, at para. 6).
FCC Chairwoman Jessica Rosenworcel emphasizes the importance of this Notice:
We demonstrate that today with a rulemaking that would require Emergency Alert System and Wireless Emergency Alert participants to have a cybersecurity risk management plan in place and to ensure they have installed the most recent security patches. We then seek comment on other ways to improve the operational readiness of these systems, including reporting breaches to the agency. This effort will help ensure the function of these essential systems in emergencies and that the public can trust the warnings they receive. This is important because the Department of Homeland Security recently determined that some of this alerting infrastructure is susceptible to serious security vulnerabilities. While some patches have been released to fix these flaws, not everyone has installed them. We are committed to fixing that here and now. (Notice, Statement of Jessica Rosenworcel).
The Commission specifically proposes the following:
Protect against cyberattacks by requiring Emergency Alert System participants, such as broadcasters and cable providers, to report incidents of unauthorized access to their Emergency Alert System equipment to the Commission within 72 hours. This would allow the Commission to work with participants and other government agencies to resolve an equipment compromise before it is exploited to send false alerts.
Promote security by requiring Emergency Alert System participants and the wireless providers that deliver Wireless Emergency Alerts to annually certify that they have a cybersecurity risk management plan and implement sufficient security measures for their alerting systems.
Guard against false alerts by requiring participating wireless providers to transmit sufficient authentication information to ensure that only valid alerts are displayed on consumer devices.
The Notice also seeks industry comments on the effectiveness of the agency’s current requirements for ensuring that EAS equipment is ready to transmit alerts, and whether there are any alternative approaches that improve readiness. In addition, it refreshes the record on the Commission’s prior proposal to clarify that the agency’s Wireless Emergency Alert functionality requirements are not optional for wireless providers that voluntarily choose to deliver those alerts.
It is important to note that the FCC estimates that it would cost mobile providers that participate in the Wireless Alert System about a $14.5 million one-time cost to update the WEA standards and software necessary to comply with this requirement. This includes approximately a $814,000 cost to update applicable WEA standards and approximately a $13.7 million cost to update applicable software.
The Notice does not include a proposed time schedule for implementing its proposed rules. However, with an order expected in 2023, we could be looking at a 2024 effective date.