Today marks the conclusion of a years-long saga that started when John Oliver did a segment on Net Neutrality that was so popular that it brought the FCC’s comment system to its knees. Two years later it is finally near addressing all the issues brought up in an investigation from the General Accountability Office.
The report covers numerous cybersecurity and IT issues, some of which the FCC addressed quickly, some not so quickly, and some it’s still working on.
“Today’s GAO report makes clear what we knew all along: the FCC’s system for collecting public input has problems,” Commissioner Jessica Rosenworcel told TechCrunch . “The agency needs to fully fix this mess because this is the way the FCC is supposed to take input from the public. But as this report demonstrates, we have real work to do.”
Here’s the basic timeline of events, which seem so long ago now:
- May 2017: John Oliver’s segment airs, and the next day the FCC claims it was hit by denial-of-service attacks that took down its comment system, ECFS. (In fact it was merely the sheer volume of people who wanted to share their opinion of the FCC’s plan to kill net neutrality.)
- July 2017: Despite calls for details, the FCC refuses to release any details on the cyberattack, despite Congressional demands, saying the threat was “ongoing.” (Its investigations had not in fact determined malicious intent and its official account was in doubt internally from the start.)
- August 2017: Congress calls for an independent investigation of the FCC’s claims and its comment system. (That’s the report released today. Also around this time another improbable “hack” was found to have (not) happened in 2014.)
- October 2017: FCC’s chief information officer, David Bray, who claimed the attacks took place both in 2017 and 2014, leaves the FCC.
- December 2017: The FCC votes along party lines to kill net neutrality.
- June 2018: A watchdog group acquires 1,300 pages of emails, which (though very heavily redacted) show that the DDoS claims were essentially false and known to be so.
- August 2018: The FCC finally admits that it was never hacked, and the next day its own internal report comes out showing that it really was just overwhelming interest from people wanting to be heard. Members of Congress accuse Chairman Ajit Pai of “dereliction of duty” in perpetuating this dangerously incorrect narrative.
Then it’s pretty quiet basically until today, when the report requested in 2017 was publicly released. A version with sensitive information (like exact software configurations and other technical information) was internally circulated in September, then revised for today’s release.
The final report is not much of a bombshell, since much of it has been telegraphed ahead of time. It’s a collection of criticisms of an outdated system with inadequate security and other failings that might have been directed at practically any federal agency, among which cybersecurity practices are notoriously poor.