Wireless Emergency Alerts (WEA) CMSP Cybersecurity Guidelines

The Wireless Emergency Alerts (WEA) service is a collaborative partnership that includes the cellular industry, Federal Communications Commission, Federal Emergency Management Agency (FEMA), and U.S. Department of Homeland Security Science and Technology Directorate. The WEA capability provides a valuable service, disseminating emergency alerts to users of capable mobile devices if they are located in or travel to an affected geographic area. Like other cyber-enabled services, however, WEA is subject to cyber threats that may prevent its use or dam-age the credibility of the service it provides. Attackers may attempt to delay, destroy or modify alerts, or even to insert false alerts – actions that may pose a significant risk to the public. Non-adversarial sources of failure also exist (e.g., design flaws, user errors or acts of nature that com-promise operations).

This report presents the results of a study of the CMSP element of the WEA pipeline conducted by the CERt Division at Carnegie Mellon University’s Software Engineering Institute (SEI). The goal of this study is to provide members of the CMSP community with practical guidance that they can use to better manage cybersecurity risk exposure. For the study, the research team performed a security risk analysis of the CMSP WEA infrastructure to identify and analyze security risks. We then used the results of the security risk analysis to develop cybersecurity guide-lines tailored to the needs of CMSPs.