Why wasn’t the agency using basic protection that could have prevented alleged cyber attacks that silenced pro-net neutrality voices?
The FCC has responded to a letter from Senators Wyden and Schatz requesting more information about an alleged DDoS attack that took down the agency’s comment system immediately following John Oliver’s viral segment about net neutrality, during a time when large numbers of concerned citizens were attempting to register their support for Title II.
The FCC’s response, however, raises more questions than answers. The agency’s explanation of the attack makes it seem as if they have not yet identified or taken steps to address the bottlenecks or flaws in their architecture to prevent their system from collapsing at another critical moment. It’s the responsibility of anyone running an important site like the FCC’s electronic comment filing system to employ basic cybersecurity practices that prevent abuse and outages, including the ability to block malicious traffic by IP address, and simple scaling strategies, like caching slow database queries. The agency also claims the attacks came from "cloud providers." If this is the case, cloud providers keep records of the exact resources used by each account for billing purposes. Why hasn’t the FCC employed legal means to identify who allegedly attacked their systems? And why haven’t they used the same legal means to attempt to identify the attacker that is submitting hundreds of thousands of fraudulent comments using stolen identities, in violation of federal law (18 U.S.C. § 1001)?
The bottom line is that the FCC failed to take basic steps to prevent these alleged DDoS attacks – as well as the widely reported flood of fake anti-net neutrality comments, have refused to release information that would assist in an investigation into who is behind them, and have failed to take steps to prevents something like this from happening again.
"Ajit Pai and the FCC are blatantly trying to sweep this under the rug, so I’m not surprised that they issued their response on a Friday afternoon, hoping that it would go unnoticed," said Evan Greer, campaign director of Fight for the Future, "But the fact remains that large numbers of people were prevented from voicing their legitimate concerns about the agency’s plan to dismantle net neutrality protections, while at the same time they have refused to do anything about the massive number of fake anti-net neutrality comments that have been submitted using stolen names and addresses. The agency must address these serious issues before moving forward, or it is making it clear that it has lost all legitimacy and is simply working on behalf of the very companies that it is supposed to be protecting consumers from."
Members of Congress also responded to Ajit Pai’s letter with additional questions for the agency. See their response here.