US internet emergency powers shutdown orders

FCC Hardens the Emergency Alert System Against Hackers — But Leaves the President's 1934 Shutdown Power Untouched

A unanimous FCC order patches Emergency Alert System hacking flaws, but the 90-year-old law giving the president control over it remains unexamined.

Securing the Alert System People of Internet Research · US 3-0 FCC vote to adopt order Commission voted unanimously to ap… 60 Days to compliance Broadcasters must implement passwo… 4 Dockets consolidated in order The Report and Order spans PS Dock… 1934 Year of war-powers statute Section 706 (47 U.S.C. § 606) stil… peopleofinternet.com
Securing the Alert System People of Internet Research · US 3-0 FCC vote to adopt order 60 Days to compliance 4 Dockets consolidated in … 1934 Year of war-powers statu… peopleofinternet.com

Key Takeaways

A Narrow Fix for a Real Problem

On June 25, 2026, the Federal Communications Commission voted 3-0 to adopt cybersecurity rules for the Emergency Alert System (EAS), the network of equipment inside radio and TV stations, cable headends, and satellite providers that carries presidential, state, and local alerts. The order, consolidated across four proceedings — PS Docket Nos. 25-224, 22-329, 15-91, and 15-94 — requires EAS Participants to replace default passwords with strong ones, promptly test and install manufacturer security patches, and place EAS equipment behind a firewall or comparable network segmentation (FCC Fact Sheet, DOC-422171A1). Compliance is due 60 days after the order publishes in the Federal Register (Broadcast Law Blog).

The trigger was concrete, not hypothetical. In late 2025, hackers compromised Barix studio-to-transmitter link devices at stations in Texas and Virginia — including Houston's HTX Media, whose 97.5 FM feed was hijacked mid-broadcast to play a fake EAS tone followed by obscene audio (The Register). The equipment had been left with factory-default credentials and no network isolation. That is the textbook failure the new rules target, and it is a legitimate one: an alert system the public has learned to distrust is an alert system nobody heeds when it matters.

Steelmanning the Order

The strongest case for the FCC's approach is that it is narrowly tailored to the actual failure mode. Regulators didn't reach for a sweeping new certification regime; they codified three widely-recognized, low-cost cybersecurity hygiene practices — strong passwords, patching, network segmentation — that any competent IT department applies as a baseline. FCC Chairman Brendan Carr framed it as reducing "opportunities for bad actors to exploit weaknesses in alerting equipment," and the National Association of Broadcasters, which represents the stations bearing the compliance burden, endorsed the outcome, with President Curtis LeGeyt calling it a set of "reasonable safeguards" (NAB statement). When the regulated industry's trade group calls a mandate reasonable rather than fighting it, that is meaningful evidence the rule is calibrated correctly, not the product of agency overreach.

The companion Further Notice of Proposed Rulemaking, which asks for comment on mandatory alert authentication and a universal alert ID to block duplicate or spoofed alerts, is a heavier lift and deserves more scrutiny before it is finalized — smaller broadcasters have previously told the Commission that cybersecurity mandates without templated compliance paths fall disproportionately on stations without in-house IT staff. But as a proposal-stage notice open for comment, it is exactly the kind of measured, evidence-gathering process regulation should follow, not a fait accompli.

The Question the Order Doesn't Touch

What the cybersecurity order does not address — and was never designed to — is who has lawful authority to activate, override, or silence this same infrastructure, and under what constraints. That authority predates the FCC's cybersecurity docket by nine decades. Section 706 of the Communications Act of 1934, codified at 47 U.S.C. § 606, gives the president sweeping "war powers" over every station and device capable of emitting electromagnetic radiation in the United States. Upon a presidential proclamation of "war or a threat of war" or a "state of public peril or disaster or other national emergency," the president may suspend or amend the rules governing any station, order the closing of any station, or authorize a federal department to take over its use or control outright, subject only to "just compensation to the owners" (47 U.S.C. § 606, Cornell LII).

That statute has no modern statutory definition of "national emergency," no sunset clause, and no judicial-review mechanism written into its text — just the proclamation requirement and a compensation floor. It is the legal backbone underneath the same EAS hardware the FCC just told broadcasters to firewall. Hardening the equipment against criminal hijackers is unambiguously good policy. It does nothing to clarify how broadly a future president could invoke a 1934-vintage "national emergency" trigger to direct, restrict, or shut down the same communications pathways — a question that belongs to Congress, not to the FCC's Public Safety and Homeland Security Bureau.

Why This Matters Beyond Broadcast Radio

The distinction matters because EAS is the most legally explicit version of a shutdown authority that policymakers increasingly discuss extending to the internet more broadly — from proposed "kill switch" legislation debated after the Arab Spring to ongoing arguments over platform-level emergency directives. Section 706 shows what such authority looks like once it's actually been on the books for ninety years: broad, proclamation-triggered, and largely unlitigated because it has rarely been invoked. That is not evidence it is safe — it's evidence nobody has stress-tested its limits. A Congressional Research Service review of national alerting law has flagged the breadth of this authority as an open question for Congress, not something the courts have settled.

The FCC's June 25 order is proportionate, technically sound, and industry-endorsed — a template for how narrow, evidence-driven cybersecurity rulemaking should work. But policymakers should not mistake patching the locks for resolving who holds the master key. That conversation, about updating or bounding Section 706 itself, hasn't started, and it is overdue.

Sources & Citations

  1. FCC Fact Sheet: Modernization of the Nation's Alerting Systems (DOC-422171A1)
  2. 47 U.S.C. § 606 — War Powers of President (Cornell LII)
  3. Broadcast Law Blog: FCC Adopts Order to Secure EAS System
  4. The Register: FCC Warns of Radio Gear Hijacked for Fake Alerts
  5. NAB Statement on FCC EAS Cybersecurity Order
  6. TV Technology: FCC Adopts New Cybersecurity Requirements for Alerting Systems