Emergency Alert Systems Face New FCC Cybersecurity Standards
June 9, 2026
A draft order circulating at the Federal Communications Commission would impose the first mandatory cybersecurity requirements on Emergency Alert System (EAS) participants in the system's history. The Commission is scheduled to vote on the order at its June 25, 2026 open meeting. If adopted, broadcasters and other EAS participants would be required to meet a defined baseline of security controls, and the agency is separately seeking comment on broader changes that would represent the most significant overhaul to EAS and Wireless Emergency Alerts (WEA) in decades. (FCC, 2026)
The proposal doesn't exist in a vacuum. It follows years of documented EAS compromises, repeated FCC warnings that went unheeded, and a growing recognition that critical communications infrastructure is only as secure as its most vulnerable participant. For businesses, the story goes well beyond broadcast regulation. It illustrates how foundational cybersecurity hygiene failures persist across industries, and what happens when they do.
What the FCC Is Proposing
The draft order stems from a year-long review of the nation's alerting architecture. The Commission concluded that EAS and WEA remain effective but identified opportunities to make both systems more resilient. The proposed changes fall into two categories: mandatory cybersecurity controls that would take effect immediately upon adoption, and a broader modernization inquiry seeking public comment.
The mandatory cybersecurity requirements focus on three areas. First, EAS participants would be required to change all default passwords on EAS equipment before deployment, use strong credentials, and replace passwords if a compromise is suspected. Second, the rules would require prompt installation of security patches, firmware upgrades, and software updates. Third, participants would need to deploy firewalls or comparable network segmentation practices to limit access to authorized users and devices. Notably, these rules would extend beyond EAS hardware to cover studio-transmitter link equipment and other remotely managed systems capable of inserting content into a station's programming stream. (The Desk, 2026)
In a statement accompanying the draft, FCC Chairman Brendan Carr described the goal as protecting alerting systems from hijacking by both cybercriminals and foreign adversaries (Radio World, 2025).
On the modernization side, the FCC is exploring alert authentication requirements to prevent spoofed or fraudulent alerts, expanded geotargeting capabilities that would allow more precise geographic targeting than the current county-based framework, standardized emergency symbols for different alert types, and a potential shift from dedicated hardware to software-based EAS implementations. The Commission stopped short of recommending that the traditional daisy-chain architecture be phased out, noting that legacy EAS continues to provide valuable redundancy. (TV Technology, 2026)
Why This Became Necessary
EAS compromises are not a new phenomenon. In 2013, hackers accessed the alert systems of multiple television stations across Montana, Michigan, Wisconsin, and New Mexico and broadcast a fabricated emergency warning claiming that bodies of the dead were attacking the living. The intrusions were traced to attackers exploiting a straightforward weakness: broadcasters had never changed the factory-default login credentials on their alert equipment. (Inside Radio, 2026) In 2017, an Indiana radio station was hit with a near-identical attack using the same fabricated audio from four years earlier, again through unpatched, internet-connected hardware. (Krebs on Security, 2022)
More recently, the FCC flagged a string of intrusions targeting studio-to-transmitter link equipment. Attackers exploited unsecured broadcasting devices, including equipment manufactured by Swiss firm Barix, to replace legitimate programming with attacker-controlled audio that included EAS alert tones followed by offensive content. Affected stations included a Houston sports radio outlet and a Virginia public radio affiliate. (The Register, 2025)
The FCC's draft order puts the stakes plainly: a compromised EAS participant doesn't just expose its own audience to false information. Because of how legacy EAS architecture works, a false alert originating at one participant can propagate through the system to other participants, multiplying its reach. (Federal Register, 2025)
The Business Cybersecurity Lesson
Default passwords. Unpatched firmware. Internet-connected equipment without network segmentation. The FCC's list of required remediations reads like a CISA advisory on foundational security hygiene, because it is. CISA has documented repeatedly that the use of default credentials is among the top weaknesses exploited by threat actors across U.S. critical infrastructure, stating directly that "the use of widely known default passwords is unacceptable given the current threat environment." (CISA, 2023)
Broadcasters are not unique in struggling with these fundamentals. Across manufacturing, healthcare, legal, and professional services, the same patterns appear: equipment deployed with factory credentials intact, firmware update cycles that lag months or years behind published patches, and network architectures that treat operational systems as if they were isolated when they are not (CISA, 2023). The EAS incident history is simply a public, documented record of what happens when those gaps go unaddressed in a high-visibility environment.
The FCC's framing is also instructive for any organization managing networked devices at scale. The Commission observed that the entire alerting system is only as secure as its weakest participant (FCC, 2026). In a business context, that translates directly to the supply chain, the vendor ecosystem, and the internal network. A single unpatched device or unchanged default credential can serve as the entry point for a compromise that spreads far beyond its origin.
For organizations already navigating compliance frameworks, this development is also worth tracking as a regulatory signal. The FCC's move toward mandatory cybersecurity controls for communications infrastructure aligns with broader federal momentum, including the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requirements that CISA is implementing for entities across critical sectors. (Federal Register, 2025) Minimum baselines are becoming a floor, not a ceiling.
Where to Start
The controls the FCC is mandating for EAS participants are controls that any organization should already have in place. Default credential changes before deployment, a consistent patch and update program, and network segmentation that limits access to systems capable of affecting operations are cornerstones of any functional security posture. If your organization isn't certain whether these are implemented consistently across your environment, a risk assessment is the logical starting point.
STACK's cybersecurity team works with organizations across industries to identify and close gaps before they become incidents. If the EAS story feels familiar in any way, it may be worth finding out why.