FCC is either too secretive or is unprepared for future attacks, senator says.
US Senator Ron Wyden (D-Ore.) criticized the Federal Communications Commission for failing to turn over its internal analysis of the DDoS attacks that hit the FCC’s public comment system.
The FCC declined to provide its analysis of the attacks to Gizmodo, which had filed a Freedom of Information Act (FoIA) request for a copy of all records related to the FCC analysis “that concluded a DDoS attack had taken place.” The FCC declined the request, saying that its initial analysis on the day of the attack “did not result in written documentation.”
“If the FCC did suffer a DDoS attack and yet created no written materials about it, that would be deeply irresponsible and cast doubt on how the FCC could possibly prevent future attacks,” Wyden told Gizmodo in a story today. “On the other hand, if FCC is playing word games to avoid responding to FoIA requests, it would clearly violate Chairman Ajit Pai’s pledge to increase transparency at the FCC.”
Wyden also said that the FCC’s response to the FoIA request raised “legitimate questions about whether the agency is being truthful when it claims a DDoS attack knocked its commenting system offline.”
FCC word games
After yesterday’s articles about the FoIA request, the FCC issued a statement claiming that it is “categorically false” to suggest that “the FCC lacks written documentation of its analysis.” The FCC claimed that Gizmodo only asked for analysis produced on May 8, the day of the attack, and that the FCC thus doesn’t have to provide any written analysis produced after that date. Those are the “word games” that Wyden referred to.
Gizmodo’s new article, titled “The FCC Is Full of Shit,” disputes the FCC’s characterization of the FoIA request.
“Gizmodo did not simply request a copy of the ‘analysis’ referenced by [FCC CIO David] Bray [on May 8], however; citing the federal law, it had asked the agency to turn over any records even ‘related to’ the analysis of which Bray spoke,” Gizmodo wrote.
The FCC’s statement that there is no documentation from May 8 would mean “that for a period of about 15 hours, no one in the agency’s IT department wrote a single e-mail or memo, nor did they take down any notes of any kind about the cyberattack that, according to Chairman Pai, caused a malicious 3000-percent increase in network traffic,” Gizmodo also wrote.
The FCC did release 16 pages of records including e-mails, “though none of them shed any light on the events that led to the FCC’s website crashing on May 8,” Gizmodo wrote yesterday. The FCC declined to release another another 209 pages of records.
“Voluminous documentation” still secret
While Gizmodo was seeking the FCC’s internal analysis of the attack, Pai did publicly provide written answers to questions asked by members of Congress including Wyden last month. The FCC yesterday also said that it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” which has not been released publicly.
When asked about Wyden’s statement today, a spokesperson for Pai told Ars:
The FCC has provided a written response to Congress detailing the attack, and we have never said that we have no written materials about it. Rather, the documents that were not produced in response to the FOIA request cannot be provided, among other reasons, because of security and privacy concerns.
The FCC’s website failure temporarily prevented the public from commenting on Pai’s controversial proposal to dismantle net neutrality rules. The downtime coincided with a heavy influx of comments triggered by comedian John Oliver’s HBO segment criticizing Pai’s plan, but the FCC attributed the downtime solely to “multiple distributed denial-of-service attacks.”
We spoke to security experts and an FCC official in late May, and their comments suggested that the FCC was hit either by an unusual type of DDoS or poorly written spam bots.