
FCC: We could tell you our cybersecurity plan… but we'd have to kill you

Despite Pai on face, US federal regulator keeps digging DDoS BS hole

By Kieren McCarthy, 2 Aug 2017

America's broadband watchdog, the FCC, has continued digging an ever-deeper hole over its claims it was subject to a distributed denial-of-service attack.

The latest shovel of BS came in a letter [PDF] to US Congress in which the FCC's chief information officer David Bray said he could not tell Congressmen what the "additional solutions" were that he had previously claimed the federal regulator was putting in place to prevent future attacks.

Why not? Because to do so "would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred."

That answer is just the latest in a long series of implausible responses from the federal regulator over its claim in May that its systems were "subject to multiple distributed denial-of-service attacks (DDoS)" that caused them to fall off the internet.

The web tsunami hit right after the FCC's controversial plan to overturn net neutrality rules was featured on a popular late-night TV show. The host, John Oliver, actively encouraged readers to contact the FCC to register their disagreement.

Oliver pointed out that the process of filing a comment was much more complicated than previously and required a five-step process before a comment could be submitted. And so the show set up a specific URL – gofccyourself.com – that automatically redirected to the right FCC sub-page and only required a single click to comment.

The subsequent flood of people commenting on the proceedings caused the FCC's public comment system to fall over.

Deja Poo

Which was embarrassing for the FCC, especially since the exact same thing had happened three years earlier when Oliver featured the issue of net neutrality and encouraged viewers to comment.

Rather than admit to its failure, however, the next day the FCC put out a press release that sought to paint the critical commenters as malicious actors and claimed it had been subject to an online attack.

"These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host," the release [PDF] said. "These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC."

That claim was met with extreme skepticism – especially since FCC chairman Ajit Pai and his office have repeatedly attempted to undermine or belittle opposition to their plans.

And so began a ridiculous game of cat-and-mouse in which journalists and congressmen have taken the FCC at its word and acted as though it really had been subject to a denial-of-service attack.

I see...

The result has been an embarrassing series of efforts by the FCC to close the book on the incident without admitting its initial statement was incorrect. Since May, the FCC has:

  • Refused to provide any records to a FOIA request for information on the attack because they contain "commercially confidential details, copyrighted information, and internal agency notes."
  • Been forced to admit it never wrote down its initial analysis of the DDoS attack because it stemmed from "real time observation and feedback."
  • Redescribed the attack as a "non-traditional DDoS attack" – and then refused to explain what that term means.
  • Admitted that it did not report the attack through the normal channels – to the federal government through Homeland Security's Hunt and Incident Response Team (HIRT) or to Congress through the Federal Information Security Management Act (FISMA) reporting system – because it did not reach the level of a "significant cyber incident."
  • Increasingly upgraded the sort of damage that would have had to have occurred in the attack for the FCC to take official action (as opposed to drafting a press release). The FCC's new claimed standard is an attack that causes "demonstrable harm to the national security interests, foreign relations, or economy." Under this, it's hard to imagine any attack on the FCC would ever need to be reported.

The simple fact is no one believes the FCC was really the target of a DDoS attack, with congressmen openly referring to it as an "alleged cyberattack."

And if there is one piece of evidence (outside of the documents that the FCC refuses to hand over) that demonstrates that a federal regulator is actively and repeatedly misleading US citizens and Congress in order to try to undermine critics of its actions, it comes in the fact that the FCC website fell over a second time the next night after the original failure.

It just so happened that John Oliver's segment was re-airing at the same time. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing