FCC approves new rules for securing emergency alert systems

The Federal Communications Commission on Thursday approved new rules aimed at protecting emergency and wireless alert systems from cyber threats. 

Under the rules passed 4-0 by the Commission, the operators of public warning systems will be required to report breaches within 72 hours.

The systems are used to share information, typically via radio, television and satellite broadcasters, about everything from severe weather and natural disasters to missing children. Alerts are issued by local, state and federal authorities and shared across the networks of participants. 

“This requirement would allow the Commission to work with participants and other government agencies to resolve an equipment compromise before it is exploited to send false alerts,” James Wiley, deputy chief of the agency’s Cybersecurity and Communications Reliability Division, said at the meeting. 

The rules also require participants to annually certify that they have a cybersecurity risk management plan in place and install the most recent security updates to systems. 

In comments in support of the rules, Commissioner Geoffrey Starks said testing by the agency’s Public Safety and Homeland Security Bureau this August found more than 5,000 devices relied on by system participants used outdated software.

That represents roughly a fifth of the emergency alert system participants in the U.S. and territories as of last December, according to figures previously shared with The Record by the agency. 

In August, the FCC and FEMA issued cybersecurity warnings to operators of emergency alert systems ahead of a DEF CON presentation by Cybir researcher Ken Pyle on vulnerabilities in the technology.

Alert systems have been compromised in the past, including an incident in 2020 when the system of a local cable provider in Washington state was hacked to spread false news about a radiological emergency, and in 2013 when multiple systems connected to local broadcasters in Montana and Michigan were used to spread claims of a fake zombie apocalypse. 

While it might be easy to dismiss false alerts of a zombie outbreak as a prank, breaches of emergency alert systems could be used to cause mass panic — as happened in Hawaii in 2018 when an employee error sent out a missile warning that went uncorrected for 38 minutes.