Top Lawmakers Call for Independent Investigation Into FCC's Shady Cyberattack Claims

FCC Commissioner Ajit Pai speaks during an open hearing and vote on “Net Neutrality” in Washington. (Photo: AP)

Two US lawmakers on Thursday called for an independent investigation into the alleged cyberattack that the Federal Communications Commission says impaired its public comment system in May.

In a letter obtained by Gizmodo, Senator Brian Schatz and Congressman Frank Pallone Jr. called on the Government Accountability Office to conduct a thorough review of the FCC’s cybersecurity practices, to assess what evidence if any supports its claim that malicious actors have attacked the agency’s systems, and to determine whether its response was in line with the best practices and recommendations of the US Department of Homeland Security.

FCC officials, including Chairman Ajit Pai, claim that on May 8, the agency was targeted by multiple distributed denial-of-service (DDoS) attacks. The alleged attacks are said to have temporarily overwhelmed the Electronic Comment Filing System (ECFS), the website that was used to gather comments from the American public regarding the agency’s plans to roll back Obama-era rules enforcing net neutrality.

Those rules make it illegal for internet providers to arbitrarily block or slow down traffic to websites whenever they choose and impose fees on online services in exchange for providing consumers access to their content.

The FCC’s cyberattack claim has been met with intense skepticism. The ECFS became inaccessible almost immediately after comedian John Oliver, host of HBO’s Last Week Tonight, directed his audience to flood the agency with comments supporting net neutrality. The agency has refused to provide any definitive proof that a DDoS was responsible, even in response to inquiries by US Senators Schatz and Ron Wyden. In response to a Freedom of Information Act request by Gizmodo, the FCC refused to make public any analysis of the alleged incident.

The lawmakers’ call to review the FCC’s DDoS claim follows a Gizmodo investigation that revealed a senior FCC official fed a cybersecurity reporter false information about a June 2014 “attack” on the comment system. The official, former FCC Chief Information Officer David Bray, told the reporter privately that the ECFS had been “hacked” by “malicious actors,” even though the security team working under him had determined there was no evidence to support such a claim. The comment system’s downtime likewise followed an HBO segment in which John Oliver directed his viewers toward the agency’s website.

Bray, who left the FCC this summer, was also the first official to announce the ECFS had been attacked this year.

“While the FCC and the FBI have responded to Congressional inquiries into these DDoS attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems,” Senator Schatz and Congressman Pallone wrote in a letter addressed to Gene Dodaro, the comptroller general of the United States.

As a result, the lawmakers said, “questions remain about the attack itself and more generally about the state of cybersecurity at the FCC—questions that warrant an independent review.”

The questions offered by the lawmakers include (1) “What evidence did the security team provide to FCC CIO David Bray before his statement to the press on May 8th?” (2) “What additional evidence did the FCC gather to further support its conclusions after that statement?” and (3) “What documentation did the FCC develop during its investigation of this reported attack, and has it done any after-action reports or other evaluations that would help the FCC respond to future attacks of this nature?”

Both Democrats, Senator Schatz is the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, and Congressman Pallone is the ranking member of the House Energy and Commerce Committee.

Schatz and Pallone say the May 8th incident has raised serious questions about the “general vulnerability of the ECFS,” and ask whether other public-facing data systems are at risk. “Has the FCC evaluated the security of its other public facing computer systems in light of the reported May 8th attack? Has it taken steps to mitigate any vulnerabilities in those systems?” the lawmakers wrote.

The letter also notes, as a serious concern, reports that the FCC’s comment system has been undermined by a flood of fake comments.

As Gizmodo reported last month:

In fact, reports emerging in the wake of the cyberattack suggest that the FCC public comment system is already wholly compromised. Spambots are said to have inundated the website with fake letters, according to multiple sources. Hundreds of thousands of identical messages can be viewed there—some containing the names and addresses of Americans who, when contacted by reporters, have claimed that their identities must’ve been stolen. Even opponents of net neutrality, who enjoy the support of Chairman Pai, admit that the system is “unmanageable and meaningless.”

Earlier this month, one conservative group claimed that hundreds of thousands of recent comments were all submitted using the same address in Russia.

“The FCC’s lack of action in preventing or mitigating this issue is also cause for concern. In fact, taken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency,” Schatz and Pallone wrote.

Update, 6:30pm: FedScoop reports that FCC CIO David Bray has cancelled plans to assume a new role as chief venture officer of the National Geospatial-Intelligence Agency. Bray reportedly will not seek future employment in the federal government.

Senior Reporter, Privacy & Security

DISCUSSION

cmallen
C.M. Allen

And what about the FCC’s complete and utter failure to act as a regulatory oversight body over the US’s telecommunications infrastructure since Pai took over as its chair? Did we just ‘forget’ that the FCC’s job is not to court favors from the likes of AT&T, Comcast, Cox, et al but to lay down the law of the land — laws that are to be in the interests of not just businesses or corporations but for the citizens and the health of the entire nation? If the practices being employed by telecommunications corporations and allowed by the FCC are ‘for the benefit of the nation and its citizens’ why is the US telecommunications infrastructure rated as some of the worst in the world? Why are digital transmission speeds and latency worse than any of our allies? Why is the FCC backpedaling on changes that forced any measure of accountability on the telecommunications industry?