Congressional staff report resurrects zombie event, with embellishments

One of the endearing qualities about zombies is their resilience: knock them down and they’ll get back up again, and again, and again. They’re also quite the attention-grabbers.

It’s not surprising, then, that government concern about zombies surfaces and re-surfaces from time to time to jar the sleepy citizenry out of its complacency. Example: A recent staff report out of a Congressional committee (about the “Federal Government’s Track Record on Cybersecurity and Critical Infrastructure) which revisits a zombie incident from last February to make a point.

As with most zombie tales, however, the report is not entirely accurate.

The report is critical of the government’s performance overall. It tells of “significant breaches in cybersecurity”, “confidential cybersecurity plans . . . left unprotected”, sensitive data “stolen by a malicious intruder”. It’s enough to send one screaming to one’s fall-out shelter for the duration.

One paragraph in the 19-page report stood out to some of us here in the CommLawBlog bunker (to which, of course, we had immediately repaired).

According to the report, the numerous security failures it describes “aren’t due to poor practices by the private sector”. Rather, they were “real lapses by the federal government”, including this one, which we quote verbatim from the report:

Last February, hackers reportedly broke into the national Emergency Broadcast System, operated by the FCC as the federal government’s tool to address Americans in case of a national emergency. The hackers caused television stations in Michigan, Montana and North Dakota to broadcast zombie attack warnings. “Civil authorities in your area have reported that the bodies of the dead are rising from their graves and attacking the living,” an authoritative voice stated in the hacked broadcast message, while the familiar warning beep sounded. “Do not attempt to approach or apprehend these bodies as they are considered extremely dangerous.”

There are several problems with this treatment of the zombie incident in question.

First, of course, the “Emergency Broadcast System” (a term which the report puts in bold face type) technically hasn’t existed since 1997, when it was replaced by the “Emergency Alert System” (EAS).

Second, while the EAS and its infrastructure are mandated and regulated by FCC rules, it’s not accurate to say that the EAS is “operated by the FCC”. The EAS consists of a vast network of private communications facilities interconnected through EAS equipment privately owned and maintained at each such facility. The system can be activated by the President or various state or local officials in times of emergency. (The authority to activate the system at the national level has been delegated not to the FCC, but to FEMA.The National Weather Service is involved as well.) Once the system is activated, it’s up to the non-governmental participants in the system to make it work.

Third, and most important, the zombie attack alert referenced in the report was not the result of hackers breaking into any emergency system operated by the FCC. Rather, the alerts appear to have been the result of separate hacks into the privately-maintained EAS equipment at three separate TV stations. According to one theory, those stations hadn’t bothered to reset the passwords to their Internet-accessible EAS gear from the factory-issued settings, making it relatively easy for hackers to gain access to the gear and work their little prank. The day following the hack, the FCC reminded all EAS participants of the need to secure their equipment from this kind of attack.

It’s true that many, possibly most, of the cybersecurity problems noted in the report may properly be laid at the feet of government officials or agencies. We can’t say for sure. But we are confident that the zombie hack was not one of those. So let’s be fair to the FCC: If anybody was asleep at the switch last year, it was not the FCC but rather the EAS participants who apparently hadn’t exercised rudimentary Internet safety protocols.

We take this opportunity to remind all EAS participants of the importance of securing their equipment against this kind of hack. Appropriate use of passwords, firewalls and similar conventional protections should keep hackers and their faux zombie alerts at bay. We make no such promises, however, when it comes to real zombies.