‘Deficiencies’ that broke FCC commenting system in net neutrality fight detailed by GAO
Today marks the conclusion of a years-long saga that started when John Oliver did a segment on Net Neutrality that was so popular it brought the FCC’s comment system to its knees. Two years later, the FCC is finally close to addressing all the issues raised by an investigation from the General Accountability Office.
The report covers numerous cybersecurity and IT issues, some of which the FCC addressed quickly, some not so quickly and some it’s still working on.
“Today’s GAO report makes clear what we knew all along: the FCC’s system for collecting public input has problems,” Commissioner Jessica Rosenworcel told TechCrunch. “The agency needs to fully fix this mess because this is the way the FCC is supposed to take input from the public. But as this report demonstrates, we have real work to do.”
Here’s the basic timeline of events, which seem so long ago now:
- May 2017: John Oliver’s segment airs, and the next day the FCC claims it was hit by denial-of-service attacks that took down its comment system, ECFS. (In fact it was merely the sheer volume of people who wanted to share their opinion of the FCC’s plan to kill net neutrality.)
- July 2017: Despite congressional demands for details, the FCC refuses to release any information on the cyberattack, saying the threat was “ongoing.” (Its investigations had not in fact determined malicious intent, and its official account was in doubt internally from the start.)
- August 2017: Congress calls for an independent investigation of the FCC’s claims and its comment system. (That’s the report released today. Also around this time another improbable “hack” was found to have (not) happened in 2014.)
- October 2017: FCC’s chief information officer, David Bray, who claimed the attacks took place both in 2017 and 2014, leaves the FCC.
- December 2017: The FCC votes along party lines to kill net neutrality.
- June 2018: A watchdog group acquires 1,300 pages of emails, which (though very heavily redacted) show that the DDoS claims were essentially false and known to be so.
- August 2018: The FCC finally admits that it was never hacked, and the next day its own internal report comes out showing that it really was just overwhelming interest from people wanting to be heard. Members of Congress accuse Chairman Ajit Pai of “dereliction of duty” in perpetuating this dangerously incorrect narrative.
It has been pretty quiet since then, basically until today, when the report requested in 2017 was publicly released. A version containing sensitive information (such as exact software configurations and other technical details) was circulated internally in September, then revised for today’s release.
The final report is not much of a bombshell, since much of it has been telegraphed ahead of time. It’s a collection of criticisms of an outdated system with inadequate security and other failings that might have been directed at practically any federal agency, among which cybersecurity practices are notoriously poor.
The investigation indicates that the FCC, for instance, did not consistently implement security and access controls, encrypt sensitive data, update or correctly configure its servers, detect or log cybersecurity events, and so on. It wasn’t always a disaster (even well-run IT departments don’t always follow best practices), but obviously some of these shortcomings and cut corners led to serious issues like ECFS being overwhelmed.
More importantly, of the 136 recommendations made in the September report, 85 have been fully implemented now, 10 partially, and the rest are on track to be so.
That should not be taken to mean that the FCC has waited this whole time to update its commenting and other systems. In fact it was making improvements almost immediately after the event in May of 2017, but refused to describe them. Here are a few of the improvements listed in the GAO report:
Representative Frank Pallone (D-NJ), who has dogged the FCC on this issue since the beginning, issued the following statement:
I requested this report because it was clear, after the net neutrality repeal comment period debacle, that the FCC’s cybersecurity practices had failed. After more than two years of investigating, GAO agrees and found a disturbing lack of security that places the Commission’s information systems at risk… Until the FCC implements all of the remaining recommendations, its systems will remain vulnerable to failure and misuse.