The Federal Communications Commission is well aware of the potential damage from fake emergency alerts, and it's hoping to minimize the threat with policy changes. The agency has proposed rules that would require stricter security for the Emergency Alert System (EAS) and Wireless Emergency Alerts. Participants and telecoms would have to not only report EAS breaches within 72 hours, but provide yearly certifications that they both have "sufficient" safeguards and a risk management plan.
The proposed rules would also require phone carriers to send authentication data ensuring that only legitimate emergency alerts reach customer devices. The FCC is similarly looking for comments on the effectiveness of the current requirements for transmitting EAS notices, and suggestions for "alternative approaches" with improvements.
The proposal comes three years after University of Colorado researchers warned that it was easy to spoof FEMA's presidential alerts, with no way to verify the authenticity of the broadcasts. And while the 2018 Hawaii missile alert was the result of an error rather than a hack, it underscored the risks associated with false warnings. Even at small scales, a fake alert could reach tens of thousands of people, possibly leading to panic and reduced trust in real messages.
It's not certain if the proposals are enough. The 72-hour window may help prevent some false alerts, but not all of them — that's plenty of time for a hacker to both breach an emergency system and send fake messages. It's likewise unclear if the FCC would update its security requirements to keep up with evolving threats. Even so, this shows that the Commission is at least aware of the dangers.