At its regular monthly open meeting last week, the FCC adopted an Order meant to enhance the security of the Emergency Alerting System. Citing past hacks of the system that have resulted in false EAS alerts being transmitted to the public by broadcast stations, the FCC proposed in 2022 that broadcasters adopt a comprehensive cybersecurity plan with an annual filing requirement detailing how risks were managed and controlled (see our article here). The Order adopted this week did not go that far, but it did adopt a mandatory three-point plan to secure not only EAS equipment at a station, but also to secure the entire program chain to ensure that bad actors can’t access station programming to insert false emergency information or other malicious content.
While the first two requirements of the mandated plan should be relatively simple for broadcasters to quickly implement, the third may require some outside help – and the FCC has given broadcasters only a short time to implement this requirement. The Order requires implementation within 60 days of the date that the Order is published in the Federal Register (see the just-released FCC Erratum correcting the Order to reiterate that the effective date will be 60 days after Federal Register publication). As Federal Register publication should come soon, the Order requires quick action by broadcasters. Let’s look at the new obligations.
The first obligation is straightforward – the broadcaster must adopt strong password security to ensure that access to their program chain is not easily compromised. This includes the obligation to change default passwords prior to the use of any equipment or software that has access to the station’s programming chain. The FCC requires that passwords have a “minimum of 15 characters, not use dictionary words (because they can be cracked through brute force), and not be reused for other accounts, equipment, applications, and services” used by the broadcaster. In other words, the password should be unique to the equipment used in the program chain. As an alternative, the FCC suggests other steps to verify the user’s identity through the use of passcodes or other “look-up secrets” verified on other devices or other redundant verification systems.
The Commission also notes that stations need to take care to update passwords whenever there is any reason to believe that a password has been compromised. For instance, when an employee who has access to passwords for programming equipment or systems leaves the employment of the station, the passwords should be updated. This is true not only to protect EAS but, as we set out in our article here dealing with a significant indecency fine possibly caused by a former employee aware of gaps in a station’s security, to avoid other unwanted or inappropriate content making its way onto the broadcast airwaves.
The second obligation is also one that should be relatively straightforward. The FCC requires that broadcasters quickly install updates or patches to their EAS equipment. The FCC noted that reports from the 2023 Nationwide EAS test found that about 23% of EAS equipment was “either using outdated software or operating equipment that was no longer supported with regular software updates.” Broadcasters will need to promptly review software and hardware patches and get them installed to make sure that identified security risks cannot be exploited to give bad actors access to station’s program chain or EAS systems.
The final requirement is the one to which some broadcasters may need to devote more time and resources in order to come into compliance. The FCC will require that broadcasters put all EAS and programming equipment connected to the Internet behind a network firewall, or that they use other “comparable network segmentation practices” to limit remote access to these systems. Basically, EAS systems need to be isolated from “general‑purpose business networks so that unauthorized external access is not possible.”
While various broadcast groups argued that specific security practices were too costly for many small broadcasters, the FCC stated that it is also true that small operators are most likely to not have robust security practices and thus they are the most vulnerable to cybersecurity attacks. The FCC concluded that the “minimal requirements” adopted in this Order are needed to make sure that all broadcasters have at least some security practices in place.
These measures must be put into place quickly. The FCC expressed its view that the first two requirements should be easily implemented. While the Order recognizes that the obligation for a firewall may take smaller stations that don’t already have such systems in place more time to find an appropriate vendor, “we do not expect that this will be burdensome or time-consuming for EAS Participants to identify because firewalls are widely recognized as a basic and cost-effective cybersecurity safeguard appropriate even for organizations with limited resources.” Given the risks involved, it was the FCC’s conclusion that these changes need to be quickly implemented.
The Order also included a Further Notice of Proposed Rulemaking looking at future changes to EAS, including proposals to require more authentication of EAS alerts, and to allow broadcasters to use software-based EAS systems as proposed by the NAB (see our note here on that proposal). We will provide more information when the comment dates on this Further Notice are set. But, for now, broadcasters should concentrate on quickly adopting these new security measures to secure EAS.


