In February 2013 an unknown prankster hacked into a Montana television station’s Emergency Alert System and used a computerized voice to warn viewers of an imminent “zombie apocalypse.”
Officials at the station quickly moved to calm the situation by broadcasting a message on air and on its website, assuring startled viewers the alert was a fake.
While it was the first and only known time the federal EAS infrastructure has been hacked, the “zombie” alert revealed security vulnerabilities in the system. Since then, officials at the Federal Emergency Management Agency and the Federal Communications Commission’s Public Safety and Homeland Security Bureau have moved to harden EAS distribution points against potential breaches that could disrupt system, according to Jamie Barnett, former chief of public safety and homeland security at the FCC.
While EAS has been around for about 60 years, its systems now “are much more digital,” said Barnett, who left the FCC in 2012 and is a partner in Venable LLP’s cybersecurity practice. “When I was at the FCC there was concern that somebody could hack these systems. There is no digitized system that can’t in some way be hacked.”
EAS security technology is updated “all the time,” he added. “It’s really hard to defeat this technology. It’s designed to work if there’s no power and if there’s no communications other than these broadcast signals.”
As part of preparation for a nationwide EAS test conducted Wednesday, FCC and FEMA officials urged EAS participants — television and radio stations, cable operators, and satellite companies — to upgrade EAS software and firmware to the most recent versions. The event was the first nationwide test of the EAS system since 2011.
The latest test, which came at 2:20 p.m. EDT, was designed to assess the reliability and effectiveness of EAS, with a particular emphasis on testing FEMA’s Public Alert and Warning System, the integrated gateway through which common protocol-based EAS alerts are disseminated to EAS participants. The test message clearly stated in English and Spanish that the alert was only a test of EAS. Lasting less than a minute, it included both audio and the text of the test message, which was used to populate a video crawl.
FEMA officials said the test was intended to have little impact on the public with only minor disruptions of radio and television programs. Cell phone and other FEMA alerting capabilities were not tested during this event.
The test provided an opportunity to evaluate measures that the FCC adopted to address issues identified after the 2011 test. Prior to that test, there was no system for assessing EAS performance, according to Barnett.
“We set up something called the EAS Test Reporting System,” he said. “All the participants have a certain amount of time in which to report how well their system did and then the FCC aggregates that data and looks at the propagation patterns.”
Barnett said that assessments of the 2011 test showed there were issues affecting 10 to 20 percent of the national system, mostly local equipment problems, lack of coverage in some areas, and procedural and training snags.
One lesson learned was that there needed to be more primary entry points in the system, or “master” stations from which the EAS signal propagates to other systems in the region, Barnett said. At the time of the 2011 test, there were only one or two PEPs in each state.
“It was determined that we needed a lot more [PEPs], and FEMA, which administers the test program, agreed, so there are now a lot more primary entry point stations,” Barnett said. “The coverage and the propagation should be better this time. When all the information comes in through the reporting system, we should be able to see that. It think this test will show great improvement.”
Assessing the results of 2016 EAS test will take “a while,” he said. “There are thousands of stations out there. When we conducted the test in 2011, it took almost a year and a half to come up with [the report].”
For yesterday’s test, all EAS participants were required to register with ETRS and file two preliminary reports, including one on the day of the test. They are required to file the detailed post-test data sought under ETRS before Nov. 14.