The Broadside · News

FCC advances EAS cybersecurity rules after station hacks

Carr’s FCC is drawing a narrow mandate around alerting gear, which makes the politics easier and the compliance questions messier.


TL;DR

The Federal Communications Commission advanced rules at its June 25 meeting requiring Emergency Alert System participants to change default and compromised passwords, test and install security patches, and segment remote management access before operating EAS-related equipment. Broadcasters and their contractors are in the enforcement path. The draft leaves useful work for counsel and engineers: existing-system deadlines, “remotely managed equipment,” and “authorized users” still need clean boundaries.

The Federal Communications Commission is moving from reminders to requirements for Emergency Alert System security. The draft order would require EAS participants to change default passwords, use strong passwords, change passwords believed to be compromised, test and install manufacturer security patches and firmware updates, and use a firewall or comparable segmentation practice to limit remote management access to authorized devices and users.

That is not a sweeping communications-sector cyber regime. It is a short list of controls aimed at the equipment chain that can put false alerts on air or prevent real ones from going out. The agency’s stated trigger is practical: compromises of radio stations in Houston and Richmond that affected live emergency alerts, plus prior FCC warnings that did not stop successful attacks.

The political fact is also part of the story. This is the first major cybersecurity rulemaking from FCC Chair Brendan Carr’s Trump-era commission, despite Carr’s preference for national-security measures over network-security mandates. The way through that tension is scope. The order does not cover Wireless Emergency Alerts, and it does not try to turn every broadcaster into a full cyber-regulated utility. It says, in effect, if you operate equipment that participates in national alerting, the default password cannot still be there and remote management cannot be open to the world.

For practitioners, the hard part is less the three controls than the edges. The draft applies to EAS equipment, studio transmitter link equipment, and “any remotely managed equipment” that routes, processes, or inserts content into the participant’s programming stream. That phrase will matter to engineers mapping actual broadcast environments, to primes supporting station operations, and to counsel deciding what evidence proves compliance before operation. The same goes for “authorized users” in the segmentation requirement. A rule can be narrow and still create a lot of inventory work.

The missing operational facts are the effective date and the compliance deadline for existing EAS participants. New operation can be tied to a pre-operation requirement. Legacy broadcast environments are where the FCC’s enforcement theory will meet old gear, vendor support contracts, and remote access practices that grew up because someone had to keep the station running at 2 a.m.


Published ·Deep Fathom