Public broadcasters told the FCC last month that proposed rules changes for Emergency Alert System participants would cause unnecessary strains on noncommercial radio stations.
The FCC said in an October Notice of Proposed Rulemaking that the proposed changes aim to strengthen the cybersecurity and reliability of the EAS. The rules would require EAS participants to report to the FCC within 72 hours any incidents of unauthorized access to their emergency alert equipment. Broadcasters would also have to implement a risk-management plan and “implement sufficient security measures for their alerting systems,” the FCC said in an October news release.
In the NPRM, the FCC said that a 2021 test found that more than 5,000 EAS participants were using outdated software or equipment. An “appreciable number” of participants could not complete the test because of equipment failure, despite receiving notice in advance of the test.
But NPR said in its comment that the test showed that “almost all EAS Participants already are compliant.” The network asked the FCC to “weigh the intended benefit of the proposed rule in this instance against the hardship that will be exacted on nonprofit public radio stations.”
NPR also argued that the FCC’s rules already do “an excellent job ensuring EAS readiness” and that new rules are mostly unnecessary.
In separate comments, NPR, Native Public Media and the National Federation of Community Broadcasters said that while they support the FCC’s efforts to increase EAS security, the proposed rules would be too costly and would require more resources than are available to many stations.
In its comment, NPR wrote that the “burdens of some of the proposed rules far exceed any possible benefits.” For small and noncommercial stations in particular, “reasonable efforts to ensure that station EAS equipment is functional and protected should be sufficient for regulatory purposes.”
High consultant costs cited
Native Public Media wrote that its members “have neither the resources, nor the expertise to shoulder that responsibility properly” and that the FCC should provide resources for its members and other small licensees to meet the proposed requirements.
NPM took issue with the FCC’s estimate that drafting a risk-management plan and certifying it annually will take a station 10 hours. The commission “significantly underestimated the effort that will be required for small entity broadcasters to develop the expertise necessary for such a project,” NPM said. Instead, stations would have to rely on outside consultants, which would “likely cost tens of thousands of dollars.”
The 72-hour reporting requirement would also require “a description of the vulnerabilities exploited and the techniques used to access the device, identifying information for each actor responsible for the incident.” NPM said it supports expediting the reporting of incidents of unauthorized EAS access but that the FCC should not require “further assessment or investigation regarding who was responsible for the incident. … NPM members and other small entity broadcasters simply do not have the expertise or resources to conduct cybersecurity investigations, let alone within a 72-hour window.”
Adopting the rules would shift the responsibility of securing the EAS to small community radio stations, “which is not reasonable,” NFCB wrote in its comment.
NFCB said that if it adopts the new rules, the FCC should provide funding for stations with limited resources to meet the requirements, among other measures to support broadcasters.
“Any effort by the Commission to impose mandatory cybersecurity requirements on community NCE radio stations in this proceeding would have the inevitable impact of diverting already severely limited resources away from the core mission of serving their communities,” NFCB wrote.
Reply comments are due to the FCC by Jan. 23.
Unfortunately, while the FCC’s heart is not in a bad place, what they’re proposing is a “the beatings shall continue until morale improves” approach by punishing those who try to be compliant, and ignore those who either don’t give a damn or hide their noncompliance.
I’ve submitted my own comments here, if you are so inclined to read them.