Today marks the end of a years-long saga that began when John Oliver ran a segment on net neutrality that was so popular that it brought the FCC's comment system to its knees. Two years later, the time has finally come to address all the problems that were raised in an investigation by the General Accountability Office.
The report addresses numerous cyber security and IT issues, some of which the FCC addressed quickly, some not so quickly, and some it is still working on.
"Today's GAO report makes it clear what we have known all along: the FCC system for collecting public contributions has problems," said Commissioner Jessica Rosenworcel. "The agency needs to completely resolve this mess because this is how the FCC should receive contributions from the public. But as this report shows, we have real work to do."
Here's the basic timeline of events, which seem so long ago:
- May 2017: John Oliver's segment airs, and the next day, the FCC claims it was hit by denial-of-service attacks that shut down the ECFS comment system. (In fact, it was just the sheer number of people who wanted to share their opinion about the FCC's plan to kill net neutrality.)
- July 2017: Despite requests from Congress, the FCC refuses to release details of the cyber attack, saying the threat is "ongoing". (Its investigation had in fact found no malicious intent, and its official report was regarded internally as dubious from the start.)
- August 2017: Congress calls for an independent investigation into the FCC's claims and comment system. (This is the report released today. It was also around this time that another unlikely "hack" was found to have (not) occurred in 2014.)
- October 2017: FCC chief information officer David Bray, who claims the attacks occurred in both 2017 and 2014, leaves the FCC.
- December 2017: The FCC votes along party lines to kill net neutrality.
- June 2018: A watchdog group obtains 1,300 pages of emails that show (although heavily redacted) that the DDoS claims were essentially false and were known to be so.
- August 2018: The FCC finally admits that it was never hacked, and the next day a separate internal report appears, showing that it was really just overwhelming interest from people who wanted to be heard. Members of Congress accuse Chairman Ajit Pai of "breach of duty" for upholding this perilously wrong narrative.
After that it was pretty quiet until today, when the report requested in 2017 was released publicly. A version with confidential information (such as precise software configurations and other technical information) was circulated internally in September and revised for today's version.
The final report is not a bombshell, as much of it was telegraphed in advance. It is a collection of criticisms of an outdated system with insufficient security and other shortcomings that could have been directed at virtually any federal agency, among which cybersecurity practices are notoriously poor.
The investigation found that the FCC, for example, did not consistently implement security and access controls, encrypt confidential data, update or configure its servers correctly, detect or log cyber security events, and so on. It was not all a disaster (even well-run IT departments do not always follow best practices), but apparently some of these shortcomings and cut corners led to problems like ECFS being overwhelmed.
More importantly, of the 136 recommendations in the September report, 85 have now been fully implemented, 10 partially, and the rest are on track to be.
This does not mean that the FCC has been waiting all this time to update its comment system and others. In fact, improvements were made almost immediately after the event in May 2017, but these should not be described. Here are some of the improvements listed in the GAO report:
Representative Frank Pallone (D-NJ), who has been pursuing the FCC on this matter from the outset, made the following statement:
I requested this report because after the debacle on lifting net neutrality, it was clear that the FCC's cyber security practices had failed. After more than two years of investigation, the GAO agrees and finds a worrying lack of security that threatens the Commission's information systems. Until the FCC implements all of the remaining recommendations, its systems remain vulnerable to errors and abuse.
You can read the final GAO report here.