FCC: We could tell you our cybersecurity plan… but we'd have to kill you

Despite Pai on face, US federal regulator keeps digging DDoS BS hole


America's broadband watchdog, the FCC, has continued digging an ever-deeper hole over its claim that it was the victim of a distributed denial-of-service attack.

The latest shovel of BS came in a letter [PDF] to US Congress in which the FCC's chief information officer David Bray said he could not tell Congressmen what the "additional solutions" he had previously claimed the federal regulator was putting in place to prevent future attacks were.

Why not? Because to do so "would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred."

That answer is just the latest in a long series of implausible responses from the federal regulator over its claim in May that its systems were "subject to multiple distributed denial-of-service attacks (DDoS)" that caused them to fall off the internet.

The web tsunami hit right after the FCC's controversial plan to overturn net neutrality rules was featured on a popular late-night TV show. The host, John Oliver, actively encouraged viewers to contact the FCC to register their disagreement.

Oliver pointed out that the process of filing a comment was much more complicated than previously and required a five-step process before a comment could be submitted. And so the show set up a specific URL – gofccyourself.com – that automatically redirected to the right FCC sub-page and only required a single click to comment.

The subsequent flood of people commenting on the proceedings caused the FCC's public comment system to fall over.

Deja Poo

Which was embarrassing for the FCC, especially since the exact same thing had happened three years earlier when Oliver featured the issue of net neutrality and encouraged viewers to comment.

Rather than admit to its failure, however, the next day the FCC put out a press release that sought to paint the critical commenters as malicious actors and claimed it had been subject to an online attack.

"These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host," the release [PDF] said. "These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC."

That claim was met with extreme skepticism – especially since FCC chairman Ajit Pai and his office have repeatedly attempted to undermine or belittle opposition to their plans.

And so began a ridiculous game of cat-and-mouse in which journalists and congressmen have taken the FCC at its word and acted as though it really had been subject to a denial-of-service attack.

I see...

The result has been an embarrassing series of efforts by the FCC to close the book on the incident without admitting its initial statement was incorrect. Since May, the FCC has:

  • Refused to provide any records to a FOIA request for information on the attack because they contain "commercially confidential details, copyrighted information, and internal agency notes."
  • Been forced to admit it never wrote down its initial analysis of the DDoS attack because it stemmed from "real time observation and feedback."
  • Redescribed the attack as a "non-traditional DDoS attack" – and then refused to explain what that term means.
  • Admitted that it did not report the attack through the normal channels – to the federal government through Homeland Security's Hunt and Incident Response Team (HIRT) or to Congress through the Federal Information Security Management Act (FISMA) reporting system – because it did not reach the level of a "significant cyber incident."
  • Increasingly upgraded the sort of damage that would have had to have occurred in the attack for the FCC to take official action (as opposed to drafting a press release). The FCC's new claimed standard is an attack that causes "demonstrable harm to the national security interests, foreign relations, or economy." Under this, it's hard to imagine any attack on the FCC would ever need to be reported.

The simple fact is no one believes the FCC was really the target of a DDoS attack, with congressmen openly referring to it as an "alleged cyberattack."

And if there is one piece of evidence (outside of the documents that the FCC refuses to hand over) that demonstrates that a federal regulator is actively and repeatedly misleading US citizens and Congress in order to try to undermine critics of its actions, it comes in the fact that the FCC website fell over a second time the next night after the original failure.

It just so happened that John Oliver's segment was re-airing at the same time. ®
