The Massachusetts Broadcasters Association, in combination with the state broadcasters associations of all 50 states, the District of Columbia, and Puerto Rico, filed Joint Comments arguing against the FCC’s proposed imposition of new EAS cybersecurity monitoring and reporting obligations and harsh enforcement policies on EAS Participants like broadcasters until the FCC has at least undertaken a number of other steps to improve the safety and security of EAS.
In its Notice of Proposed Rulemaking (“NPRM”), the FCC indicated that the most recent National EAS Test revealed a large number of EAS Participants were unable to receive and/or retransmit the test due to equipment failure and that 5,000 EAS Participants reported using outdated software or equipment that no longer supported regular software updates.
Based on this, the FCC proposed that EAS Participants (1) report any EAS equipment outage to the FCC and repair the equipment according to an ill-defined “reasonably prompt and diligent” performance standard; (2) adopt cybersecurity plans covering “all communications systems and services” that might affect the ability to provide EAS alerts, including constantly monitoring the cybersecurity threat landscape and upgrading cybersecurity plans on an ongoing basis in response to new threats; and (3) report to the FCC any unauthorized access to EAS equipment or any communications systems or services affecting the ability to provide EAS alerts within 72 hours of when the station knew or should have known of the unauthorized access.
The Joint Comments also urged the FCC to work with EAS device manufacturers to incorporate features like (1) modifications that automatically require password updates, (2) integrated firewalls and multifactor authentication, and (3) alerts for software patches and updates. The Joint Comments also recommended the FCC explore more secure alternatives to the public Internet for transmitting EAS communications. Finally, the Joint Comments argued that the FCC should retain the current rule that allows broadcasters to take broken EAS equipment out of operation for a period of 60 days without Commission notice or authorization, work with broadcasters to develop cybersecurity plans or incident reporting protocols rather than place that full burden on broadcasters without guidance on what the FCC will find satisfactory, and reject the punitive enforcement stance outlined in the NPRM.
In the Matter of Protecting the Nation’s Communications Systems from Cybersecurity Threats, PS Dockets 22-329, 15-94 and 15-91 (filed December 23, 2022).