The US Federal Communications Commission intends to keep secret more than 200 pages of documents related to an alleged cyberattack that the agency says impaired its systems two months ago. The agency claims that it was bombarded in early May with traffic originating from a cloud service, which caused its website to crash temporarily while reportedly receiving more than 160 comments per minute on the topic of net neutrality.
The agency's chief information officer, David Bray, stated in a letter on May 8 that an "analysis" had revealed that the FCC was "subject to multiple distributed denial-of-service attacks", bringing down the comment site and leaving it inaccessible to the public. Those attacks, Bray said, were "deliberate attempts by external actors to bombard the FCC's comment system with a high amount of traffic to our commercial cloud host".
The FCC now tells Gizmodo, however, that it holds no records of such an analysis ever being performed on its public comment system; the agency claims that while its IT staff observed a cyberattack taking place, those observations "did not result in written documentation".
The agency's comments came in response to a Freedom of Information Act request filed by Gizmodo on May 21, which sought among other types of records, "all communications between employees in the offices of Chairman Ajit Pai and Commissioner Michael O'Rielly" concerning the alleged cyberattack, as well as copies of "any records related to the FCC 'analysis' (cited in Dr Bray's statement) that concluded a DDoS attack had taken place".
An entirely redacted letter between FCC staffers.
A total of 16 pages were released to Gizmodo yesterday — though none of them shed any light on the events that led to the FCC's website going down. The few emails by FCC staffers that were released to Gizmodo are entirely redacted.
The agency cited a variety of justifications in explaining why it was refusing to release 209 pages related to the purported DDoS attack. Some of the records, it said, contain "trade secrets and commercial or financial information" which it deems "privileged or confidential", citing the Trade Secrets Act. Other documents are withheld in an effort to "prevent injury to the quality of agency decisions", citing a FOIA exemption that typically protects attorney-client communications but also extends to documents that reflect "advisory opinions, recommendations and deliberations" as part of the US government's decision-making processes.
Still, other records concerning the cyberattack were not released because the FCC claimed disclosing them would "constitute a clearly unwarranted invasion of personal privacy", citing a FOIA exemption that protects "personnel and medical files" from disclosure. "We have determined that it is reasonably foreseeable that disclosure would harm the privacy interest of the persons mentioned in these records," the agency said.
Bray had previously told reporters that the FCC would refuse to release any logs pertaining to the DDoS attack because they contain private information, such as IP addresses. Gizmodo, citing provisions of the federal FOIA statute, had requested that the FCC release "any reasonably segregable portion" of non-exempt material contained in documents it felt should be withheld. The agency did not, however, release any documents containing the redacted IP addresses and claimed those records were "inextricably intertwined" with material it could otherwise release.
The material provided to Gizmodo did contain six emails from private citizens criticising the agency over its position on net neutrality and for further failing to produce any evidence that its public comment website crashed due to a malicious attack.
"Maybe you can't see it through your greed and corruption, but Net Neutrality is what the American public wants," one person wrote. "It's not some kind of 'onerous regulation on industry' — it is simply about protecting everyone's freedom to communicate in the modern world."
This week, the FCC refused to release under FOIA a batch of more than 47,000 complaints pertaining to the agency's handling of net neutrality issue, arguing that doing so was a task too burdensome for the agency.
"They have continuously refused to provide meaningful answers to basic questions about these alleged DDoS attacks, and have utterly failed to address very serious issues that have plagued their comment process and interfered with the public's ability to participate," said Evan Greer, executive director of the pro-net neutrality group Fight for the Future.
"If the agency continues to move forward with their unpopular plan to dismantle net neutrality protections without addressing these concerns," she continued, "they're exposing themselves as a rogue bureaucracy that is working for the likes of Comcast and Verizon, not in the public interest."
The FCC's website crashed after a surge in traffic that occurred shortly after an HBO segment in which comedian John Oliver blasted FCC Chairman Ajit Pai. Oliver further directed his viewers to visit the agency's comment website and lodge complaints about the chairman's efforts to gut net neutrality — rules established under the Obama administration in 2015 which require all data travelling across the internet to be treated equally. Net neutrality proponents say that without it, ISPs would be able to legally throttle traffic on websites that don't pay for preferential treatment, establishing what many refer to as "internet fast lanes."
The agency has received more than nine million comments from the public on the topic of net neutrality, according to USA Today.
The FCC's plans to rollback net neutrality — which were endorsed by the Trump White House earlier this week — are opposed by America's largest internet companies, including Apple, Amazon, Microsoft, Twitter, Google, Facebook, Netflix, Pornhub, Reddit, Dropbox, Yelp and Spotify, among others.