Cybersecurity and Cyberwarfare

The Federal Communications Commission has told members of Congress that it won't reveal exactly how it plans to prevent future attacks on the public comment system. FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter in June that it was researching "additional solutions" to protect the comment system.

Democratic Leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return. "Given the ongoing nature of the threats to disrupt the Commission’s electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC’s IT staff has worked with commercial cloud providers to implement Internet‐based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs."

The Republican National Committee counsel's office asked employees to preserve all documents regarding the 2016 presidential election. The memo stresses that the RNC has not been contacted in any of the investigations into possible ties between President Trump's campaign or allies and Russia. The move is instead framed as a proactive step. “Given the important role that the RNC plays in national elections and the potentially expansive scope of the inquiries and investigations, it is possible that we will be contacted with requests for information,” says a July 28 memo to staff from the RNC counsel’s office. "Therefore, we must preserve all documents potentially relevant to these matters until they are resolved or until we are informed by all necessary parties that preservation is no longer necessary."

On June 26, 2017, Reps Frank Pallone (R-NJ), Elijah Cummings (D-MD), Diana DeGette (D-CO), Robin Kelly (D-IL), Mike Doyle (D-PA), and Gerald Connolly (D-VA) wrote to the Federal Communications Commission to express concerns about the FCC's cybersecurity preparedness and the multiple reported problems with the FCC's website in taking public comments in the net neutrality proceeding.

On July 21, FCC Chairman Ajit Pai responded by saying the Information Technology (IT) staff at the FCC immediately addressed the disruption to the FCC's Electronic Comment Filing System (ECFS). Chairman Pai wrote, "Although i cannot guarantee that we will not experience further attempts to disrupt our systems, our staff is constantly monitoring and reviewing the situation so that everyone seeking to comment on our proceedings will be afforded the opportunity to do so."

The purpose for this document is assist risk managers in making decisions with respect to privacy when sharing cybersecurity information. It builds upon the previously published basic principles by outlining actions to promote efficient and effective information sharing while minimizing the impact on privacy interests. Importantly, this document reflects the contributions of industry, civil society, and the government. This document supplements ISAO 300-1 Introduction to Information Sharing, Section 9 Information Privacy.

Facebook is sponsoring the efforts of former Hillary Clinton and Mitt Romney campaign managers to combat hacking and disinformation campaigns designed to interfere with elections. Facebook’s chief security officer Alex Stamos announced the company’s $500,000 investment in the effort, called Defending Digital Democracy, today during a keynote at the security conference Black Hat. The project was launched last month by a Harvard University group and Stamos is a member of the group’s advisory committee.

“Our goal is to build an information sharing organization that includes political parties, campaigns, state and local election officials, and tech companies,” Stamos said. The information sharing unit will be modeled on similar efforts within the tech industry to share threat intelligence. Facebook and other major tech companies like Microsoft and Twitter use these kinds of partnerships to share information on terrorist threats, revenge porn, and child exploitation. “If one company detects an attack they can immunize others very quickly,” Stamos said. But Defending Digital Democracy plans to incorporate data not just from participating tech companies—executives from Google and the cybersecurity firm CrowdStrike are also on the advisory board—but from election officials as well.

The Federal Trade Commission announced that a mobile app developed by a New Hampshire software developer was awarded the top prize in the agency’s competition seeking tools to help consumers protect the security of their Internet of Things (IoT) devices. The FTC launched the contest in January to challenge innovators to develop a tool that would help address security vulnerabilities of IoT devices.

With the assistance of an expert panel of five judges, the FTC awarded Steve Castle the $25,000 top prize for his proposal for a mobile app, “IoT Watchdog.” As a software developer, Castle said he was motivated to enter the contest to distill his network security knowledge and experience into a tool that can help users easily determine if their devices are out of date or if their networks are insecure. The mobile app he proposed seeks to help users manage the IoT devices in their home. It would enable users with limited technical expertise to scan their home Wi-Fi and Bluetooth networks to identify and inventory connected devices. It would flag devices with out-of-date software and other common vulnerabilities and provide instructions on how to update each device’s software and fix other vulnerabilities.

Sen Ron Wyden (D-OR) criticized the Federal Communications Commission for failing to turn over its internal analysis of the DDoS attacks that hit the FCC's public comment system.

The FCC declined to provide its analysis of the attacks to Gizmodo, which had filed a Freedom of Information Act (FoIA) request for a copy of all records related to the FCC analysis "that concluded a DDoS attack had taken place." The FCC declined the request, saying that its initial analysis on the day of the attack "did not result in written documentation." “If the FCC did suffer a DDoS attack and yet created no written materials about it, that would be deeply irresponsible and cast doubt on how the FCC could possibly prevent future attacks," said Sen Wyden. "On the other hand, if FCC is playing word games to avoid responding to FoIA requests, it would clearly violate Chairman Ajit Pai’s pledge to increase transparency at the FCC.” Sen Wyden also said that the FCC's response to the FoIA request raised "legitimate questions about whether the agency is being truthful when it claims a DDoS attack knocked its commenting system offline.”

FCC Chairman Pai’s response: “The FCC has provided a written response to Congress detailing the attack, and we have never said that we have no written materials about it. Rather, the documents that were not produced in response to the FOIA request cannot be provided, among other reasons, because of security and privacy concerns.”

A bill that would reauthorize the Homeland Security Department for the first time in its nearly 15-year history and beef up cyber protections at ports and airports passed the House of Representatives.

The reauthorization bill, which was long championed by House Homeland Security Chairman Michael McCaul (R-TX) would direct the Transportation Security Administration to conduct a broad assessment of cyber risks to aviation security and to be prepared to vet cyber protections of specific airports and airlines if requested. TSA must also develop one program to enhance cyber threat information sharing across the aviation sector and another to assess cyber vulnerabilities in data stored by TSA PreCheck and other trusted traveler programs, according to the bill, which passed the House 386-41. The bill also formally tasks the US Coast Guard with ensuring cyber protections at US ports and with helping port operators share cyber threat information.

The US Federal Communications Commission says it has no written analysis of DDoS attacks that hit the commission's net neutrality comment system in May. In its response to a Freedom of Information Act (FoIA) request filed by Gizmodo, the FCC said its analysis of DDoS attacks "stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation." Gizmodo had asked for a copy of any records related to the FCC analysis that concluded DDoS attacks had taken place.

Because there was no "written documentation," the FCC provided no documents in response to this portion of the Gizmodo FoIA request. The FCC also declined to release 209 pages of records, citing several exemptions to the FoIA law. For example, publication of documents related to "staffing decisions made by Commission supervisors, draft talking points, staff summaries of congressional letters, and policy suggestions from staff" could "harm the Commission’s deliberative processes," the FCC said. "Release of this information would chill deliberations within the Commission and impede the candid exchange of ideas."

On July 7, 2017, Sens Ron Wyden (D-OR) and Brian Schatz (D-HI) wrote to Federal Communications Commission Chairman Ajit Pai to express concern about the FCC facing a similar cyberattack on July 12 as it did during the May 7-8.

On July 11, Chairman Pai responded, writing, "Over the course of the last two months, the Commission has taken a series of steps to mitigate the chances of a disruption similar to the one that took place on May 7-8 from occurring again...In preparation for July 12, the Commission's IT professionals have taken additional measures to safeguard our comment filing system. Moreover, they will be on high alert over the next 48 hours and ready to respond as quick as possible to any attacks. Given the nature of this situation, however, I believe that publicly disclosing the specific steps that we are taking could undermine their efficacy."