Trade Law Daily is a Warren News publication.

Industry Comments Oppose EAS, WEA Security Rules

Reply comments largely tracked initial comments on an FCC NPRM on proposed rules for making the emergency alert system and wireless emergency alerts more secure (see 2212270048). FCC commissioners approved an NPRM 4-0 in October (see 2210270058). Replies were due…


Monday in docket 15-94. “As demonstrated throughout the record, the Commission should not adopt the cybersecurity proposals in the NPRM,” said CTIA: Participating carriers “implement WEA-specific technical standards and have robust cyber risk management plans that cover WEA operations, making the proposed certification requirement unnecessary.” The Competitive Carriers Association agreed with CTIA that the record is clear. “Instead, the Commission should promote the success and security of the WEA program in other ways including through collaborative multistakeholder security improvement processes,” CCA said: “Imposition of onerous new regulatory burdens that make WEA less flexible, more difficult, and disproportionately more costly for smaller and regional carriers to administer may potentially undermine participation in the WEA program.”

USTelecom also urged a light-handed approach by the FCC. “Rather than create a new regime, the Commission should find ways to achieve its goals within the context of a harmonized, whole-of-government approach, in coordination with the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and other government partners, as well as industry,” USTelecom said. The group noted CISA is already looking at when incidents should have to be reported: “Additional requirements, at this time, before the dust has settled, risk further fragmenting reporting requirements across the federal government, frustrating the Commission’s interest in working with its federal partners.”

Opposition wasn't unanimous. The FCC won’t impose a significant burden on providers by requiring annual security certifications, said the Center for Internet Security. “The required risk management plan consists of nothing more than implementing [security standards] in a timely manner as part of normal operations,” the center said: “There is essentially no cost associated with implementing these controls, and a requirement for annual self-certification to the FCC would likely involve at most an on-line submission or completion of a two-page template with check-off boxes.”

Broadcasters and cable companies also raised concerns. “It is imperative … that any changes to the EAS rules are proportionate to the needs of the EAS ecosystem and consistent with evolutions in broadcast infrastructure,” said Gray Television: “Gray shares the concern of several commenters that many of the proposals in the NPRM are not justified and could prove counter-productive by imposing unnecessarily burdensome obligations on broadcasters. At the same time, Gray wholeheartedly endorses the proposal of the National Association of Broadcasters (NAB) to permit EAS Participants to virtualize certain elements of their EAS operations.”

As comments show, “the Commission should take care when creating any new EAS monitoring or reporting requirements to ensure that the new rules are clearly necessary and that EAS Participants continue to have sufficient time to evaluate any potential issues regarding failure of, or unauthorized access to, their EAS system and facilities,” said Altice USA: “Any new rules also should allow the greatest possible flexibility in cybersecurity policies and practices so that Participants can tailor them to the unique needs of their networks.”