Lawmakers Seek Investigation Into Alleged Attack On FCC Commenting System

Image courtesy of Consumerist

When the FCC’s new leadership officially began the process of dismantling net neutrality rules, it didn’t come as much of a surprise when an overwhelming amount of traffic crashed the Commission’s public commenting system. After all, it happened a few years ago when these rules were being written. What did surprise people was the FCC’s claim — made without providing any additional information — that the system failure was not the result of too many people trying to comment, but a malicious attack. The FCC has never fully explained how it reached that conclusion, and now some lawmakers want to know why.

The system is down

In May, the second net neutrality fight, much like the first back in 2014, got a swift kick in the pants from a segment on John Oliver’s show Last Week Tonight.

The FCC’s updated, but still somewhat fragile, online commenting system was overwhelmed with demand in the hours immediately following the first airing of Oliver’s story, and was temporarily inaccessible for millions. Most assumed that it was simply overloaded due to high demand and too many simultaneous requests. The Commission, however, said that the demand was not simply from millions wanting to have a say, but a deliberate attack designed to take the system down.

David Bray, the FCC’s Chief Information Officer at the time (he has since left), said in a statement that Sunday evening right after Oliver’s show, “the FCC was subject to multiple distributed denial-of-service attacks (DDoS).”

“These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host,” Bray added. “These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC.”

But where’s the proof?

If the timing of the claim seems a little too “convenient” to you, you’re not the only one.

The day after the FCC cried foul, a pair of Senators, Ron Wyden (OR) and Brian Schatz (HI), sent a letter to FCC Chair Ajit Pai asking for more information about this DDOS attack.

If it really was an attack against a U.S. federal agency by external actors, Wyden and Schatz pointed out, then that constitutes a significant threat.

So the Senators asked Pai a series of questions about the attack: Approximately how many devices were involved? Were people actually blocked from commenting? How many simultaneous visitors can the FCC’s comment portal actually handle? Who was behind it?

Pai was given until June 8 to respond. He made it by the deadline, but the response [PDF] was underwhelming.

The FCC said it classified the “disruption” as “a non-traditional DDoS attack.” Some cloud-based bot entity went specifically for the comment filing system, the Commission said, and as it was making more than 160 requests per second it overwhelmed the API.

But the Commission also said that after consulting with the FBI, the attack didn’t seem major enough to bother pursuing — and the rest of its answers weren’t exactly deeply detailed.

So Schatz, along with New Jersey Representative Frank Pallone, are asking the Government Accountability Office (GAO) to investigate the FCC’s claims [PDF].

“While the FCC and FBI have responded to Congressional inquiries into these attacks,” Pallone and Schatz write, “they have not released any records or documentation that would allow for confirmation that an attack occureed, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems.”

The letter asks the GAO to find out how the FCC determined a cyberattack took place; what evidence the FCC used to make that determination; and what processes the Commission has in place to “prevent or mitigate” another attack just like the supposed May 8 event.

Not the first time

As we mentioned, this was the second time John Oliver got involved in the net neutrality fray. The first time, in 2014, his memorable segment (in which he called then-chair Tom Wheeler a dingo, among other things) also led to the comment system crashing in June of that year.

A few weeks later, as the comment deadline loomed, the system once again got overwhelmed with traffic, leading the Commission to extend the filing deadline by three days in order to accomodate everyone.

These both just seemed like high-traffic events at the time: A deadline is looming, and everyone suddenly wants to get their last word in at once. The proceeding received a then-record 4 million comments, an extremely high volume for the creaky old system to handle. Makes sense.

But as Gizmodo notes, Bray also claimed at the time that the FCC suffered a comment system outage due to a hack — even though no evidence of a malicious attack ever existed.

Multiple sources at the FCC told Gizmodo that no evidence ever existed that a cyberattack occured in 2014, even though they looked hard to find any.

Gizmodo, meanwhile, filed Freedom of Information Act (FOIA) requests with the FCC seeking any document that could possibly be related to a cyberattack in May, 2017.

The result was a total of 16 pages of mostly-redacted emails, and a statement from the Commission that it sreal-time observations of the disruption “did not result in written documentation.” The FCC declined to release a further 209 pages of documentation, Gizmodo reported.

In response to Gizmodo’s reporting, the FCC issued a press release blasting “inaccurate media reports;” Gizmodo, in turn, countered with a full rejoinder under the headline, “The FCC is full of s**t.”