The industry association proposes more outreach and training versus new mandates
Cybersecurity risk management of EAS is on the FCC’s mind, but the potential for new requirements on broadcasters has the radio industry and others casting a wary eye.
The FCC’s Notice of Proposed Rulemaking (NPRM) on EAS cybersecurity would require broadcasters to patch vulnerabilities in EAS equipment, eliminate outdated software, and install proper firewalls in EAS encoder/decoder devices to protect against cyber threats.
The plan to limit IP-based threats to the EAS system comes with additional obligations for broadcasters, including steps to report incidents of unauthorized access to EAS equipment within 72 hours and annual certification that they have a cybersecurity risk management plan.
The National Association of Broadcasters (NAB) says the cybersecurity measures in the ongoing proceeding are well-intentioned but create compliance issues for broadcasters.
At a meeting with representatives of the FCC’s Public Safety and Homeland Security Bureau earlier this month, NAB and other EAS stakeholders pointed to scant evidence of past cybersecurity incidents or EAS equipment failures to justify “the far-reaching proposals” in the NPRM.
The participants, which also included representatives from the NTCA – Rural Broadband Association and ACA Connects, expressed concern that “many of the proposals in the notice would impose significant burdens on EAS participants, particularly small and medium-sized entities, and that the proposals fail to meaningfully consider the size or resources of smaller EAS participants.”
NAB also expressed concern at the meeting that the proposed requirement to create and implement a cybersecurity risk management plan “lacks clarity.” A so-called “adequate” plan for a small or medium-sized entity may not be adequate for a larger business, NAB said.
“We further explained that most EAS participants have minimal, if any, internal cybersecurity expertise and would find it daunting to create such a plan based on the broad, open-ended guidance provided in the notice.”
Holding EAS participants responsible for “negligent security practices” or a “failure to adequately develop or implement a risk management plan” would be misplaced.
In addition, NAB told the FCC that broadcasters are regulated entities and “any additional FCC obligation to formally certify the adequacy of one’s cybersecurity risk management plan, under threat of FCC enforcement, would require costly engineering, corporate and legal review,” none of which is reflected in the FCC’s cost-benefit analysis of the proposed obligation, the industry association said.
The FCC might even have been premature in its proposed plan to mitigate the threat to EAS equipment from stakeholders, NAB said at the meeting. “We noted that Congress designated the Cybersecurity and Infrastructure Agency (CISA) as the lead federal agency for cybersecurity incident reporting in the recently enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022,” which gave the government agency the authority to develop the necessary rules to implement the law.
“Therefore, it would be premature and counterproductive for the Commission to create a potentially duplicative or contradictory cyber-related incident reporting plan before CISA completes its proceedings. We also noted that certain aspects of the FCC’s proposed reporting policies are vague and subjective and likely to lead to unnecessary over-reporting of cyber-related issues,” says NAB.
The EAS cybersecurity NPRM also proposed new policies for the timely repair of faulty EAS equipment, something NAB says is largely outside the control of EAS participants. “(T)he FCC has no role in repairing EAS equipment,” NAB says.
NAB called on the Commission to proactively provide more outreach and training to EAS participants regarding the maintenance and security of EAS, particularly tailored guidance for those entities that may be most vulnerable to cyber threats.
NAB concluded: “We stated our belief that such an approach would be much more effective than simply imposing more regulatory obligations on the entire universe of EAS participants.”
Comments in the EAS Cybersecurity Proceedings (PS Docket No. 22-329) can be reviewed on the FCC’s website.