Charter Communications agreed to pay a $15 million fine after admitting that it failed to notify more than a thousand 911 call centers about an outage caused by a denial-of-service attack and separately failed to meet the Federal Communications Commission’s reporting deadlines for hundreds of planned maintenance outages.
“As part of the settlement, Charter admits to violating the agency’s rules regarding notifications to public safety officials and the Commission in connection with three unplanned network outages and hundreds of planned, maintenance-related network outages that occurred last year,” the FCC said in an announcement yesterday.
A consent decree said Charter admits that it “failed to timely notify more than 1,000 PSAPs [Public Safety Answering Points] of an outage on February 19, 2023.” The decree notes that failure to notify the PSAPs, or 911 call centers, “impedes the ability of public safety officials to mediate the effects of an outage by notifying the public of alternate ways to contact emergency services.”
Phone providers like Charter must also provide required outage notifications to the FCC through the Network Outage Reporting System (NORS). However, Charter admits that it “failed to meet reporting deadlines for reports in the NORS associated with the [February 2023] Outage, and separate outages on March 31 and April 26, 2023; and failed to meet other NORS reporting deadlines associated with hundreds of planned maintenance outages, all in violation of the Commission’s rules.”
Error with email notification
With the February 2023 outage, “Charter was required to notify all of the impacted PSAPs ‘as soon as possible,’ but due to a clerical error associated with the sending of an email notification, over 1,000 PSAPs were not contacted,” the consent decree said. Charter also “failed to file the required NORS notification until almost six hours after it was due.”
Failure to meet NORS deadlines “impairs the Commission’s ability to assess the magnitude of major outages, identify trends, and promote network reliability best practices that can prevent or mitigate future disruptions. Therefore, it is imperative for the Commission to hold providers, like Charter, accountable for fulfilling these essential obligations,” the consent decree said.
In addition to paying a $15 million civil penalty to the US Treasury, “Charter has agreed to implement a robust compliance plan, including cybersecurity provisions related to compliance with the Commission’s 911 rules,” the FCC said. Charter reported revenue of $13.7 billion and net income of $1.2 billion in the most recent quarter.
The February 2023 outage was caused by what the FCC described as “a minor, low and slow Denial of Service (DoS) attack.” The resulting outage in Charter’s VoIP service affected about 400,000 “residential and commercial interconnected VoIP customers in portions of 41 states and the District of Columbia.” Charter restored service in less than four hours.
The FCC said its rules require VoIP providers like Charter “to notify 911 call centers as soon as possible of outages longer than 30 minutes that potentially affect such call centers. Providers are also required to file by set deadlines in the FCC’s Network Outage Reporting System when outages reach a certain severity threshold.”
The FCC investigation into the February 2023 outage led to Charter admitting violations related to hundreds of other outages:
“Charter indicated that based on a misunderstanding of the Commission’s rules, hundreds of planned maintenance events may have met the criteria for filing a NORS report but were never submitted. Thereafter, Charter also identified two additional, unplanned outages—which occurred on March 31, 2023, and April 26, 2023—that each met the NORS reporting threshold but Charter failed to report.”
Charter downplays violations
In a statement provided to Ars, Charter said, “We’re glad to have resolved these issues, which will primarily result in Charter reporting certain planned maintenance to the FCC.” Charter downplayed the outage reporting violations, saying that “the fine has nothing to do with cybersecurity violations and is attributable solely to administrative notifications.”
Charter’s statement emphasized that the company did not violate cybersecurity rules. “No provision within either the CISA Cybersecurity Best Practices or the NIST Cybersecurity Framework would have prevented this attack, and no flaws were identified by the FCC regarding Charter’s cybersecurity practices. We agreed with the FCC that we should continue doing what we’re already doing,” the company said.
Although Charter said the settlement “will primarily result in Charter reporting certain planned maintenance to the FCC,” the consent decree also requires changes to ensure that the company promptly notifies 911 call centers. It says that Charter must create “an automated PSAP notification system to automatically contact PSAPs after a network outage that meets the reporting thresholds in the 911 Rules.”
The FCC said the “compliance plan includes the first-of-its-kind application of certain cybersecurity measures—including network segmentation and vulnerability mitigation management—related to 911 communications services and network outage reporting. Charter has agreed to maintain and evolve its overall cybersecurity risk management program in accordance with the voluntary National Institute of Standards and Technology (NIST) Cyber Security Framework, and other applicable industry standards and best practices, and applicable state and/or federal laws covering cybersecurity risk management and governance practices.”
The compliance plan requirements are set to remain in effect for three years.
Disclosure: The Advance/Newhouse Partnership, which owns 12.4 percent of Charter, is part of Advance Publications, which also owns Ars Technica parent Condé Nast.