A federal watchdog agency will investigate a cyberattack that took down the Federal Communications Commission’s system for filing public comments on its plan to repeal net neutrality rules.
The Government Accountability Office announced this week it will conduct an investigation into the cyber incident at the request of congressional Democrats. Lawmakers on the left are skeptical of the Republican-led FCC’s explanation of the event, which prevented the public from filing comments after an episode of HBO’s “Last Week Tonight with John Oliver” encouraged them to do so in May.
Charles Young, GAO’s public affairs managing director, said the investigation “is now in the queue,” but added “the work won’t get underway for several months when staff become available,” according to Broadcasting & Cable. The GAO won’t determine the scope and methodology of the investigation until then.
Hawaii Sen. Brian Schatz and New Jersey Rep. Frank Pallone asked the GAO in August to vet the FCC’s account of the incident, and expressed skepticism and frustration with the agency over a perceived lack of cooperation in providing more details to Congress.
The cyberattack occurred after Oliver called on viewers to file comments opposing Republican FCC Chairman Ajit Pai’s plan to weaken and possibly repeal entirely net neutrality rules passed during the Obama administration. The FCC’s chief information officer (CIO) and Pai submitted a timeline of the incident to Congress and the FBI has declined to investigate it.
But Democrats opposed to Pai’s plan aren’t satisfied. Many raised more questions after the FCC told a news outlet in July it didn’t document the attack as it was occurring.
“While the FCC and the FBI have responded to congressional inquiries into these DDoS [distributed denial of service] attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems,” Schatz and Pallone wrote to the GAO in August.
Both further expressed concern with the flood of fake public comments on the net neutrality docket, with some reports estimating as much as a third of the more than 20 million comments are fake.
“In fact, taken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency,” the letter to GAO read.
They asked the GAO to figure out how the FCC determined it was subjected to a cyberattack, evidence the agency collected, what the FCC is doing to prevent future attacks, if the FCC website’s Electronic Comment Filing System (ECFS) can be used to infiltrate other parts of the agency, and if its other systems — especially those that are public-facing — have security vulnerabilities.
Congressional Democrats also asked the FBI and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center to investigate the incident.
The FCC’s CIO described the incident as a “non-traditional DDoS” attack that targeted a specific ECFS interface “normally used by automated programs or bots for bulk filings.” Hits to the interface increased 3,000 percent beginning around 11 p.m. on May 7, at the start of Oliver’s show.
Malicious traffic originated from cloud-based bots and was “not associated with IP addresses usually linked to individual human filers” and “effectively blocked or denied additional web traffic–human or otherwise–to the comment filing system.” Eventually the bot swarms peaked early May 8 at 30,000 requests per minute, “or three times the total daily traffic for any day in the previous sixty days” and the maximum the FCC’s commercial, cloud-based servers could handle.
The agency says it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” but can’t release more than 200 pages discussing the incident because they contain “privileged or confidential . . . trade secrets and commercial or financial information.”