Two US lawmakers on Thursday called for an independent investigation into the alleged cyberattack that the Federal Communication Commission says impaired its public comment system in May.
In a letter obtained by Gizmodo, Senator Brian Schatz and Congressman Frank Pallone Jr. called on the Government Accountability Office to conduct a thorough review of the FCC’s cybersecurity practices, to assess what evidence if any supports its claim that malicious actors have attacked the agency’s systems, and to determine whether its response was in line with the best practices and recommendations of the US Department of Homeland Security.
FCC officials, including Chairman Ajit Pai, claim that on May 8, the agency was targeted by multiple distributed denial-of-service (DDoS) attacks. The alleged attacks are said to have temporarily overwhelmed the Electronic Comment Filing System (ECFS), the website that was used to gather comments from the American public regarding the agency’s plans to roll back Obama-era rules enforcing net neutrality.
Those rules make it illegal for internet providers to arbitrarily block or slow down traffic to websites whenever they choose and impose fees on online services in exchange for providing consumers access to their content.
The FCC’s cyberattack claim has been met with intense skepticism. The ECFS became inaccessible almost immediately after comedian John Oliver, host of HBO’s Last Week Tonight, directed his audience to flood the agency with comments supporting net neutrality. The agency has refused to provide any definitive proof that a DDoS was responsible, even in response to inquiries by US Senators Schatz and Ron Wyden. In response to a Freedom of Information Act request by Gizmodo, the FCC refused to make public any analysis of the alleged incident.
The lawmakers’ call to review the FCC’s DDoS claim follows a Gizmodo investigation that revealed a senior FCC official fed a cybersecurity reporter false information about a June 2014 “attack” on the comment system. The official, former FCC Chief Information Officer David Bray, told the reporter privately that the ECFS had been “hacked” by “malicious actors,” even though the security team working under him had determined there was no evidence to support such a claim. The comment system’s downtime likewise followed an HBO segment in which John Oliver directed his viewers toward the agency’s website.
Bray, who left the FCC this summer, was also the first official to announce the ECFS had been attacked this year.
“While the FCC and the FBI have responded to Congressional inquiries into these DDoS attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems,” Senator Schatz and Congressman Pallone wrote in a letter addressed to Gene Dodaro, the comptroller general of the United States.
As a result, the lawmakers said, “questions remain about the attack itself and more generally about the state of cybersecurity at the FCC—questions that warrant an independent review.”
A list of question offered by the lawmakers include (1) “What evidence did the security team provide to FCC CIO David Bray before his statement to the press on May 8th?” (2) “What additional evidence did the FCC gather to further support its conclusions after that statement?” (3) and “What documentation did the FCC develop during its investigation of this reported attack, and has it done any after-action reports or other evaluations that would help the FCC respond to future attacks of this nature?”
Both Democrats, Senator Schatz is the ranking member of the Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, and Congressman Pallone is the ranking member of the House Energy and Commerce Committee.
Schatz and Pallone say the May 8th incident has raised serious questions about the “general vulnerability of the ECFS,” and ask whether other public-facing data systems are at risk. “Has the FCC evaluated the security of its other public facing computer systems in light of the reported May 8th attack? Has it taken steps to mitigate any vulnerabilities in those systems?” the lawmakers wrote.
The letter also notes of serious concern are reports that the FCC’s comment system has been undermined by a flood of fake comments.
As Gizmodo reported last month:
In fact, reports emerging in the wake of the cyberattack suggest that the FCC public comment system is already wholly compromised. Spambots are said to have inundated the website with fake letters, according to multiple sources. Hundreds of thousands of identical messages can be viewed there—some containing the names and addresses of Americans who, when contacted by reporters, have claimed that their identities must’ve been stolen. Even opponents of net neutrality, who enjoy the support of Chairman Pai, admit that the system is “unmanageable and meaningless.”
Earlier this month, one conservative group claimed that hundreds of thousands of recent comments were all submitted using the same address in Russia.
“The FCC’s lack of action in preventing or mitigating this issue is also cause for concern. In fact, taken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency,” Schatz and Pallone wrote.
Update, 6:30pm: FedScoop reports that FCC CIO David Bray has cancelled plans to assume a new role as chief venture officer of the National Geospatial-Intelligence Agency. Bray reportedly will not seek future employment in the federal government.