The Federal Communications Commission is pushing back on a report claiming the agency didn’t document a May cyberattack it credited with knocking its website offline while users tried to file comments on a plan to repeal net neutrality rules.
Gizmodo published a story Thursday that claims the FCC “holds no records” or “analysis” of multiple distributed denial of service (DDoS) attacks the agency says crashed its electronic comment filing system in May. The attacks followed a “Last Week Tonight with John Oliver” segment, when Oliver called on viewers to submit comments opposing the Trump administration’s plan to scale back open internet regulations.
“The FCC now tells Gizmodo, however, that it holds no records of such an analysis ever being performed on its public comment system; the agency claims that while its IT staff observed a cyberattack taking place, those observations ‘did not result in written documentation,'” the report reads, quoting documents from a Freedom of Information Act (FOIA) request it filed with the FCC in May.
The agency disputes the outlet’s report as “categorically false,” adding an analysis describing the attack was made public in a June letter to Congress.
“Media reports claiming that the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system are categorically false,” the FCC said in a statement to InsideSources.
An agency spokesman said the analysis confirming the event as a “non-traditional DDoS attack” by the commission’s IT staff wasn’t “reduced to writing” while staff addressed it on May 8, “but subsequent analysis, once the incident had concluded, was put in writing. Indeed, analysis was made public in response to a request from Capitol Hill.”
A June letter to Congress described the attack as a “non-traditional DDoS” attack that targeted a specific portion of the FCC’s Electronic Comment Filing System (ECFS) interface “normally used by automated programs or bots for bulk filings.” Hits to the interface increased 3,000% beginning around 11 p.m. on May 7, at the start of Oliver’s show.
Malicious traffic originated from cloud-based bots and was “not associated with IP addresses usually linked to individual human filers” and “effectively blocked or denied additional web traffic–human or otherwise–to the comment filing system.” Eventually the bot swarms peaked early May 8 at 30,000 requests per minute, “or three times the total daily traffic for any day in the previous sixty days” and the maximum the FCC’s commercial, cloud-based servers could handle.
The Gizmodo story makes no mention of the June letter to Congress describing the attack in detail, and mentions only a May 8 letter from FCC Chief Information Officer David Bray disclosing the incident. The June letter from FCC Chairman Ajit Pai to Senate Democrats further states the FCC brought the cyberattack to the attention of the FBI. The bureau declined to investigate further.
“Moreover, the FCC has never stated that it lacks any documentation of this DDoS attack itself,” the spokesman said Friday. “And news reports claiming that the commission has said this are without any basis and completely irresponsible.”
The agency says it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” but told Gizmodo it couldn’t release more than 200 pages discussing the incident because they contain “privileged or confidential . . . trade secrets and commercial or financial information.”
According to the FCC, those documents contain private information like IP addresses and were withheld to “prevent injury to the quality of agency decisions.”
Since the May incident, the agency has been awash in skepticism from pro-net neutrality advocates including Free Press, executive director of Fight for the Future Evan Greer, Democratic Sens. Ron Wyden of Oregon and Brian Schatz of Hawaii, and numerous media outlets.
Vague accusations from all of the above range from concocting the cyberattack claim to avoid responsibility for the ECFS’s inability to sustain a high volume of comments, to the agency protecting and even colluding with internet service providers to crash the ECFS before it could receive a high number of comments opposing the repeal plan.
Such a conspiracy would amount to the FCC, from the office of the chairman down through its career IT staffers, misleading its own service providers, the public, Congress, and the FBI — an especially egregious felony for a federal agency — about the nature of a highly publicized cyber incident.
Senior FCC officials from Pai’s office warned the system was susceptible to high-volume crashes in April before the May incident ever occurred. At the same time they revealed a cyberattack that crashed the system during the first net neutrality proceeding in 2014.
During a call with reporters senior FCC staff said the agency won’t be basing its decision on the number of comments filed for or against the plan, but whether their arguments and data are factual and have sound legal backing, as required by law.