Communications Daily is a service of Warren Communications News.
FOIA Reveals 4 Companies

Ex-FCC CIO Says 'Something Odd' Hit ECFS Last Spring, When Companies Pitched Services

Call it a distributed denial of service (DDoS), a "bot swarm" or "something hammering" the FCC electronic comment filing system (ECFS) application programming interface (API): it's clear "something odd" occurred in May 2017, former Chief Information Officer David Bray wrote Tuesday. He responded to a report based on a Freedom of Information Act request that the agency misled media about a possible DDoS attack on its commenting system (see 1806050046). The thousand-plus pages of emails in that FOIA from American Oversight, which we reviewed, show executives from at least four software and cybersecurity firms effectively pitched their services to the agency in the days after the 2017 DDoS incident.

Verisign's David Nicholson told Bray and other officials his company “has protected two root servers” and 20 top-level domains from DDoS attacks “for the past 19 years with 100% documented uptime.” Neustar “owns and operates the most advanced and resilient DDoS Mitigation Network in existence,” emailed Senior Director-Federal Business John Hall. “I would welcome / appreciate the opportunity to provide you with a technical brief, and talk through our competitive differentiation.”

Red Hat Hybrid Cloud Strategist-Federal Civilian Agencies Chad DiMarzo sought a meeting with Bray and others about how the company “can help the FCC Optimize the ECFS. I am hearing that ECFS is deployed using docker containers on Red Hat Servers. Red Hat has a technology related to docker containers that allow the FCC to further increase optimization (operations and cost). It also allows 'running your containers at scale', and under security 'patching hundreds to thousands of containers when vulnerabilities hit', along with running your CI/CD pipelines within containers.”

Distil Networks Regional Director-Enterprise/Federal Sales Carleton Robinson told officials his own investigation of comments in docket 17-108 showed significant numbers of comments “with form language, which is an indication of bots trying to skew your comments analytics and spamming your website.” Distil “could help you identify bots and give you a true indication of legitimate human comments about your issues,” he said. The FCC and the four companies didn't comment.

On May 8, 2017, when ECFS saw massive volume after John Oliver devoted most of one program of his HBO show to the net neutrality deregulation then underway at the regulator, CIO Bray's biggest concern was that the high volume of API requests seemed to point to automated spam, which could run the risk of denying system resources to real humans wanting to comment on the Communications Act Title II rollback. He said the chief lesson from that day is that the FCC needs to update its notice and comment process. Bray said the original process was based on postal delivery of comments, and a simple fix in the digital era would be to turn off receipt of automated and batch submissions through the API and to block web scrapers. He said the agency also might want to revisit using CAPTCHA authentication or other verification procedures. Sens. Jeff Merkley, D-Ore., and Pat Toomey, R-Pa., also suggested the FCC adopt such authentication (see 1805210063).