At each of the last two of the FCC’s recent regular monthly open meetings, the Commission addressed EAS issues that affect broadcasters. In one case, it adopted new rules that will, among other things, require that broadcasters use on-air the “IPAWS” internet-delivered emergency message in the CAP format, if the broadcaster receives the alert in both the CAP and traditional over-the-air formats. The second action starts a rulemaking to look at imposing on broadcasters an obligation to secure their EAS systems from hacking and other electronic intrusions – and to regularly report to the FCC about what they are doing in connection with such security measures. Let’s look in a little more depth at these actions (which we have previously briefly summarized in our weekly updates, here and here).
At its September 29 open meeting, the FCC adopted a Report and Order with the announced intention of making emergency alerts delivered over television and radio stations more informative and easier to understand by the public, particularly people with disabilities. The updated rules require broadcasters, cable systems, and other Emergency Alert System participants to transmit the Internet-based version of alerts when available (those transmitted through the internet based Integrated Public Alert and Warning System, “IPAWS,” using the Common Alerting Protocol or “CAP” protocol) rather than transmitting the legacy over-the-air “daisy chain” version of alerts which often contain less information or have lower quality than that of CAP-delivered alerts. As noted by the FCC, the CAP format allows for more information, including video clips (for TV), augmented warning information, and even foreign-language versions of alerts to be transmitted – information not available from alerts that are transmitted over-the-air.
The new rules recognize that the legacy system may transmit alerts more quickly than IPAWS. When a station receives an over-the-air alert, it must wait at least 10 seconds to determine if a CAP alert has been sent through the IPAWS system and, if it has, the station should rebroadcast the CAP alert rather than the one received over the air. The FCC noted that National Weather Service alerts are not yet sent via IPAWS. Also excluded are Presidential alerts, as a real Presidential alert would likely contain live audio content, not currently supported by IPAWS. Nevertheless, the FCC decided that the number of alerts sent by other authorities justified the implementation of the requirement for internet-delivered alerts from these other originators now.
Presumably, equipment manufacturers will be updating their system to poll IPAWS before inserting into over-the-air programming any alert that is received through the legacy EAS system. Broadcasters must be in compliance one year after the rules become effective (some cable systems will have a longer transition period). The effective date is triggered by publication of the Order in the Federal Register, which occurred today, setting the effective date as December 12, 2022. That means that broadcasters will be required to implement these new rules by December 12, 2023. This one-year period will provide a transition period for EAS participants to implement some of the required technical changes.
The updated rules will also replace the technical jargon that accompanies certain alerts, including test messages, with plain language clearer to the public. For instance, instead of calling an alert an “Emergency Action Notification,” it will be called a “National Emergency Message.” A “National Periodic Test” will be called a “Nationwide Test of the Emergency Alert System.” Read the Report and Order for more details on these changes.
More recently, at the FCC’s October 27, 2022 regular monthly open meeting, the FCC adopted of a Notice of Proposed Rulemaking that proposes a number of steps designed to strengthen the security of the Emergency Alert System, as well as the system for Wireless Emergency Alerts (“WEA”). The Commission noted several breaches and other security concerns that have been identified in EAS, from the hacking of TV stations that, in 2016, resulted in three TV stations broadcasting alerts of a zombie attack, to more recent warnings of identified vulnerabilities in the systems. The NPRM seeks comment on ways to strengthen the operational readiness of EAS and WEA, including, among other things, requiring EAS Participants (including broadcasters) to report to the Commission incidents of unauthorized access of EAS equipment within 72 hours of when it knew or should have known that the incident occurred. As we noted here, the FCC already requires notification when a false alert is actually broadcast – this new requirement would require notice to the FCC of any unauthorized access to a station’s EAS, whether or not a false alert was heard by the public. The FCC also proposes that EAS Participants submit an annual cybersecurity certification that demonstrates how the participant identifies the cyber risks that it faces, the controls it uses to mitigate those risks, and how it ensures that these controls are applied effectively. Comments and reply comments on these and other proposals raised by this NPRM will be due 30 days and 60 days, respectively, after the NPRM is published in the Federal Register.
These two actions signify the seriousness with which the FCC takes EAS compliance. These were unanimous, bipartisan decisions, looking at how to ensure that EAS gets the word about emergencies out to the public accurately and securely. But these actions also represent additional obligations for broadcasters – first to update their systems to implement the CAP-first alerting requirement, and second the possibility of regular reporting to the FCC about cybersecurity measures taken to protect EAS systems (measures that broadcasters will need to be sure that they are in fact implementing). Watch for more details about these changes in the EAS requirements.