Independent inquiry called for in FCC’s secretive cyberattack claims

The FCC’s claim that its commenting system was attacked on the night of May 7 has been the subject of considerable controversy, but not because of the attack itself. The agency has been so reluctant to release any substantive details about the attack or the countermeasures it has taken since that Congress is calling for an independent investigation (PDF) by the Government Accountability Office.

Public interest is high in the net neutrality proceeding for which the electronic comment filing system (ECFS) has chiefly been used over the last few months. An attack on that system, numerous officials have indicated, is a serious matter. And then there’s the question of the millions of clearly fraudulent comments. What’s going on over there, they ask?

Senator Brian Schatz (D-HI) and Representative Mike Pallone (D-NJ) clearly felt that the FCC has failed to answer their questions and those of others. In a letter to GAO head Gene Dodaro, first acquired by Gizmodo, they write:

It appears that these attacks were meant to inhibit or limit public comment on this important proceeding, raising doubts about the efficacy of the FCC’s public comment process. Separately, the ECFS has been flooded with fake comments related to the net neutrality proceeding, which undermines this critical component of the FCC’s rule-making process. The FCC’s lack of action in preventing or mitigating this issue is also cause for concern. In fact, taken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency.

Furthermore, they write, the FCC has juked repeatedly attempts by Congress and the public to learn more. The agency has “not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems.”

It would perhaps be more accurate to say that the documentation the FCC has released is inadequate. The agency did tell another group of Senators that bot traffic increased by 3,000 percent around midnight on May 7, and that this represented a “non-traditional DDoS attack.” And in a follow-up letter to another letter of inquiry, it said that it would “undermine our system’s security to provide a specific roadmap” of its countermeasures, citing the “ongoing nature of the threats.” I have myself been politely rebuffed upon asking for more details.

Meanwhile, some digging by Gizmodo (whose Dell Cameron has been following this story closely) showed that a so-called “hack” of the FCC in 2014 was similarly undocumented. It’s not a good precedent.

This bald-faced stonewalling in the face of Congressional inquiry clearly suggested alternative means were necessary. Hence the letter to Dodaro, whose office can more comprehensively investigate the issue should they take up the request.

The letter asks the GAO to look into four questions:

  • What is the evidence or documentation suggesting a cyberattack took place and describing what the FCC did about it?
  • What specifically has the FCC done to improve its systems and are they in accordance with best practices?
  • Is the ECFS fundamentally vulnerable to attack, and could other systems be reached through it?
  • Are the FCC’s other systems, like those it uses for spectrum actions, also at risk and/or have they been updated since the reported attacks?

It’s hard to imagine that after all this, it’ll just be one big misunderstanding.