FCC Shift to Regulations.gov Could Fix Agency's Cyberattack Vulnerabilities, Experts Say

Four top House Commerce Committee Democrats urged their Republican counterparts Wednesday night "to hold a hearing to examine the recent failure" of the agency's site "to handle the high volume of comments" on net neutrality proceeding. "We have serious concerns that the FCC’s website failures deprive members of the public of opportunities to make their voices heard on net neutrality," committee ranking member Frank Pallone, D-N.J., Oversight and Investigations Subcommittee ranking member Diana DeGette, D-Colo., Communications Subcommittee ranking member Mike Doyle, D-Pa., and Rep. Yvette Clarke, D-N.Y., wrote their colleagues. An FCC spokesman declined to comment.

Comedian John Oliver's HBO segment earlier this month on net neutrality led to loads of traffic hitting the application programming interface, which was impossible to block because the traffic wasn’t coming from the dark web but from major commercial cloud hosting companies, an FCC representative said: “Unless someone actually intrudes” into FCC IT, “we really can’t block you, because it may be that you wrote really bad code.” The agency began slowing down the number of such mass comments that can be received at any one time. A new tech fix was made last week after “very massive queries” on ECFS’ RSS feeds “were making it very slow for everybody else,” the rep said.

Cyberincidents are becoming an increasingly attractive means of targeting government websites because they can be a “silencing tool,” so “it wouldn’t be out of left field for DDoS to actually be the culprit,” said Corero Network Security Vice President Stephanie Weagle. The incident that the FCC has described bears the hallmarks of a “layer 7” DDoS attack, in which the intrusion is executed via overuse of a website function, but such an attack is difficult to verify because it’s “indistinguishable” from high volumes of benign use, said NimbusDDoS CEO Andrew Shoemaker.

A DDoS attack is typically “noisy and loud,” but “none of the sensors around the internet that we use to detect this stuff” have signaled one, said Fidelis Cybersecurity Threat Intelligence Manager John Bambenek. “It’s theoretically possible that we’re just not seeing it, but why would somebody use such a novel form of undetectable attack on the FCC?” Rendition InfoSec CEO Jake Williams noted a lack of chatter via the dark web or elsewhere, including commands to botnets. The entities that carry out DDoS attacks “brag about this stuff,” he said: “It’s an advertisement for them.”

High volumes of traffic the FCC detected as targeting the net neutrality proceeding could be an attack incident but could just as easily be an instance of ECFS “resource exhaustion” since both would have the same net effect, Bambenek said. What typically distinguishes a DDoS attack from resource exhaustion is the intent of the users whose traffic has affected the system, Shoemaker said. “A legitimate DDoS attack involves a bad actor who intends to flood the network." A confluence of mass numbers of commenters influenced by Oliver and Reddit doesn’t indicate nefarious intent without proof, Shoemaker said.

FCC Outlier

The FCC is an outlier among most agencies by having its own regulatory proceeding website instead of doing work through the Federal Register and Regulations.gov, like most agencies, we were told.

Its IT department talked in 2013 and 2015 with Regulations.gov and concluded it would have had the same challenges, an FCC spokesman told us. Regulations.gov also said the traffic volume the FCC handles far exceeds what it normally handles, while using Regulations.gov would cost the FCC about five times what it pays to operate and maintain ECFS, he said.

Regulations.gov offers all agencies not just a comments portal but a docket management system, said Hudson Hollister, founder of open data advocacy group Data Coalition. He said the FCC and the SEC are rarities in not using Regulations.gov, while the FTC "is kind of in the middle" as commenters can opt to use that shared site. He said the distinction is the FCC and SEC have sites that largely cater to the legal communities that closely and frequently deal with those agencies. The FCBA said the issue is on the agenda for its next executive committee meeting.

Hollister said the federal government broadly needs not only a common portal but also a consistent data structure across agencies, such as consistent data fields. He said the lack of consistency makes accessing government data for such uses as business intelligence nearly impossible. The Financial Transparency Act introduced in March by Rep. Darrell Issa, R-Calif., would require all financial regulators to adopt common data fields for the information they collect, and that could serve as a foundation to eventually broader practices of consistent data fields, Hollister said.

"There was a hoopla" when then-Chairman Julius Genachowski had ECFS update plans, former Commissioner Michael Copps said. "Any improvements [seem] decidedly marginal. The informational retrieval system is not the best.” He said while the ECFS woes reflect negatively on governmental transparency and accessibility, "it also says something about a Congress that's been rather stingy about [FCC] resources. It needs more engineers, more everybody, and it's suffering a slow death through the stinginess of Congress."

'Creaky' ECFS

The 2014 net neutrality proceeding showed “how creaky and old the 16-year-old ECFS system was," Sunlight Foundation Deputy Director Alex Howard said. The move in late 2015 to an updated ECFS (see 1512110039) was supposed to obviate such problems by being, for example, cloud hosted, he said.

Problems accessing the site in the run-up to Thursday's scheduled vote on the Title II NPRM "is emblematic of people's existential concerns about what could happen if internet access isn’t appropriately regulated transparently -- if there aren’t some boundaries where some entity has some authority," Howard said. "It should not be an issue for any public-facing government website to be able to hold up under high public demand,” particularly during a regulatory proceeding of high interest, like Title II, he said. "In 2017, there are many different services that can and do enable websites to hold up under massive demand. This is not 2007.”

After Oliver's 2014 segment regarding net neutrality, the FCC got many automated filings via “deadlocking” in which the search index was tied up, so that regular users couldn’t access ECFS search, said an FCC representative. The FCC then shifted the system to the cloud to add capacity, and added an API to discourage the use of bots, he said. The agency didn’t require user authentication each time a comment was filed, such as via CAPTCHA, because that could potentially impede legitimate filings, the rep said.

The FCC should take additional steps now to bolster ECFS , Shoemaker and others said. The FCC should begin testing ECFS in a controlled environment to determine what vulnerabilities the system faces so it can correct them before any additional incidents occur, Shoemaker said. The FCC should reconsider applying user authentication technologies to ECFS, he said.

The regulator must face that either an attack or resource exhaustion points to ECFS traffic capacity issues that the agency may need to address ahead of future proceedings that could generate high-volume traffic, Weagle and others said. “Every DDoS attack is fundamentally a capacity issue,” Williams said. Filtering technologies can be effective for the private sector “but do you really want to implement barriers for the American public to communicate with their government?” Bambenek said. The FCC should consider implementing a shared IT services solution, which President Donald Trump is seeking as part of his federal IT modernization push, Bambenek said.