This morning, the Senate will have its first opportunity to question Federal Communications Commission Chairman Ajit Pai about why officials at his agency falsely claimed to have experienced a cyberattack during the height of last year’s net neutrality debate.
Lawmakers on the Commerce, Science and Transportation Committee are expected to press Pai about an FCC inspector general report last week that found officials misled the public and Congress about the episode.
It's a high-stakes appearance for Pai, whose inconsistent responses to the fabricated attack have brought on fierce criticism and tainted his unpopular decision to repeal Obama-era net neutrality rules. There’s no doubt he’ll come prepared for a grilling, especially from Senate Democrats, but he risks further alienating himself and his agency if he sidesteps questions or continues to deflect responsibility onto his subordinates.
“Chairman Pai should take the FCC inspector general’s report as an opportunity to reflect on his leadership. It’s clear now that the only attack at the FCC was the one he led on Americans to rob them of an open and fair internet,” Sen. Catherine Cortez Masto (D-Nev.), a member of the committee, told me in an email. She said it’s important that Pai “is held accountable to the millions of Americans who tried to make their voices heard against the rollback of net neutrality.”
Here's what senators will want to know:
When did Pai learn the cyberattack story was bogus?
This, of course, is the million-dollar question. In May of last year, the FCC blamed an hours-long outage in its public comment system on a distributed denial-of-service attack that overwhelmed its network with fake traffic. The commission ran with the story for months, and at one point chided journalists for raising questions about its claims.
But the FCC’s inspector general found in its Aug. 6 report that no such attack took place. In reality, the outage probably was caused by a crush of legitimate traffic after comedian John Oliver, host of HBO’s “Last Week Tonight,” urged viewers to file comments opposing Pai’s net neutrality repeal. The FCC, relying on faulty information from its then-Chief Information Officer David Bray, made false statements to lawmakers during congressional inquiries into the matter, the inspector general concluded. The commission also fed phony stories about a similar attack from 2014 to media outlets.
Pai said last week that he was in the dark about the whole affair. He said the report “debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes.”
Senators may want to see if he gives the same answer under oath. Some of their colleagues in the House have already raised the issue, telling Pai in a letter this week that they were troubled that the fake story persisted for so long. As Motherboard notes, “Pai’s claim that he knew nothing at all doesn’t align with the fact that several Pai staffers not only fed false information to Congress, but Pai’s own press shop maligned reporters for digging into the false claims.”
Will Pai amend his statements to Congress?
The inspector general found that the FCC made false statements about the supposed denial-of-service attack in a letter responding to an inquiry from Sens. Ron Wyden (D-Ore.) and Brian Schatz (D-Hawaii). The letter was signed by Pai, but the commission’s CIO was responsible for the sections related to technical issues, according to the report, which states plainly that the information they provided the lawmakers about the incident was inaccurate. It’s hard to imagine Commerce Committee senators won’t call on Pai to set the record straight.
What about the FCC’s statements to the public?
Pai could also face pressure from senators to correct the public statements and news releases the commission issued about the fake cyberattack. One release falsely claimed that an “analysis” had shown that the denial-of-service attack was genuine. Another blasted “completely irresponsible” news reports challenging the FCC’s account. On top of that, a public records request by the blog Gizmodo revealed that the commission tried to plant untrue stories about the incident in media outlets such as the Wall Street Journal and Politico.
Will the FCC get a better public comment system?
An important, albeit technical, takeaway from the inspector general’s report is that the FCC’s online comment system is pretty shoddy. On the night of the outage, it simply couldn’t handle all the traffic from Oliver’s followers, in part because of design flaws in the system. This is one area where Pai seems eager to help. In a statement last week on the inspector general’s report, he said it was “abundantly clear” that the system needed a redesign.
PINGED: President Trump, seeking to loosen restrictions on launching cyberattacks, has revoked Obama-era rules that established a process for using cyberweapons against adversaries, the Wall Street Journal's Dustin Volz reported. “Mr. Trump signed an order on Wednesday reversing the classified rules, known as Presidential Policy Directive 20, that had mapped out an elaborate interagency process that must be followed before U.S. use of cyberattacks, particularly those geared at foreign adversaries,” Volz wrote. “The change was described as an ‘offensive step forward’ by an administration official briefed on the decision, one intended to help support military operations, deter foreign election influence and thwart intellectual property theft by meeting such threats with more forceful responses.”
But, as the Journal notes, it's unclear what policy Trump is enacting in place of the 2012 guidelines. “As designed, the Obama policy required U.S. agencies to gain approval for offensive operations from an array of stakeholders across the federal government, in part to avoid interfering with existing operations such as digital espionage,” Volz wrote. “Critics for years have seen Presidential Policy Directive 20 as a particular source of inertia, arguing that it handicaps or prevents important operations by involving too many federal agencies in potential attack plans. But some current and former U.S. officials have expressed concern that removing or replacing the order could sow further uncertainty about what offensive cyber operations are allowed.”
PATCHED: Hackers carried out repeated cyberattacks against a Democratic opponent of Rep. Dana Rohrabacher, the California Republican who is a vocal supporter of Russia, targeting his work email as well as his campaign's website, hosting service and Twitter account, Rolling Stone's Andy Kroll reported Wednesday. Hans Keirstead, who unsuccessfully ran in a California nonpartisan primary against Rohrabacher, gave away his password when hackers first attacked him with a spearphishing email in August 2017. But later hacking attempts, which included brute-force attacks on his campaign's website, did not succeed.
“Kyle Quinn-Quesada, who was Keirstead’s campaign manager, tells Rolling Stone that the campaign is now going public about the attacks for the sake of voter awareness,” Kroll wrote. “‘It is clear from speaking with campaign professionals around the country that the sustained attacks the Keirstead for Congress campaign faced were not unique but have become the new normal for political campaigns in 2018,’ Quinn-Quesada says. He added that the Keirstead campaign did not believe the cyberattacks had an effect on the primary election results.” The FBI investigated the hacking, but Quinn-Quesada said the bureau did not tell the campaign whether it had found who launched the attacks, Kroll reported.
PWNED: The FBI sought location data of Google users as part of an investigation into robberies in Portland, Maine, but the company never complied and the bureau was able to find the suspect via other means, Forbes's Thomas Fox-Brewster reported on Wednesday. “The feds wanted the tech giant to find all users of its services who’d been within the vicinity of at least two of nine of those robberies,” according to Forbes. “They limited the search to within 30-minute timeframes around when the crimes were committed. But the request covered a total space of 45 hectares and could’ve included anyone with an Android or iPhone using Google’s tools, not just the suspect.”
The bureau first issued a warrant to Google in March and unsuccessfully renewed its request several times until August. “It’s unclear whether Google didn’t want to give up the information, or if it simply couldn’t retrieve the data,” Fox-Brewster wrote. “There were no filings objecting to the warrant and Google declined to comment.” Marina Medvin, an attorney and founder of the Medvin Law firm, told Forbes that the warrant was overly broad. “This is a general search, which is prohibited under our Constitution. It is not particularized, a legal prerequisite to obtain a warrant under U.S. law,” Medvin said.
— The Department of Homeland Security hosted a three-day exercise involving 44 states, the District of Columbia and several federal agencies to improve the response to election security threats, according to a DHS statement released Wednesday. “The response we have received from this week’s participants has been overwhelmingly positive and we’ve identified areas we need to collectively focus on ahead of the midterm elections,” Homeland Security Secretary Kirstjen Nielsen said in a statement. “In this environment, if we prepare individually, then we fail collectively, and I am grateful for everyone’s participation and partnership this week.” The exercise relied on a scenario that featured threats such as online disinformation, spearphishing against campaigns and cyberattacks against election infrastructure, according to DHS.
It bears repeating— Sec. Kirstjen Nielsen (@SecNielsen) August 15, 2018
Any attempt to interfere in our elections is a direct attack on our democracy and will not be tolerated. Ensuring the security of our electoral process is a vital national interest and one of our highest priorities as citizens in a democratic society.
— The troubles in Louisiana's quest to modernize its voting equipment are not over. “Candidates vying to be Louisiana secretary of state want to pause the work being done to replace the state’s 10,000 voting machines until after the election, citing allegations of impropriety during the contractor selection,” the Associated Press's Melinda Deslatte wrote on Wednesday. “Republican former state Sen. A.G. Crowe, one contender seeking to oust GOP Secretary of State Kyle Ardoin, said he’s asking the attorney general and legislative auditor to review the bid process for the contract that could be worth as much as $95 million.”
— “The National Security Agency successfully broke the encryption on a number of ‘high potential’ virtual private networks, including those of media organization Al Jazeera, the Iraqi military and internet service organizations, and a number of airline reservation systems, according to a March 2006 NSA document,” the Intercept's Micah Lee reported Wednesday. The 2006 document is an article from SIDtoday, an internal publication of the NSA's Signals Intelligence Directorate. The Intercept published 328 documents in its seventh release of SIDtoday articles on Wednesday.
“According to the document, contained in the cache of materials provided by NSA whistleblower Edward Snowden, the NSA also compromised VPNs used by airline reservation systems Iran Air, ‘Paraguayan SABRE,’ Russian airline Aeroflot, and ‘Russian Galileo,’ ” Lee wrote. “Sabre and Galileo are both privately operated, centralized computer systems that facilitate travel transactions like booking airline tickets. Collectively, they are used by hundreds of airlines around the world.” However, the document doesn't specify how the NSA actually managed to break the encryption. “The technical details that describe how the NSA exploits VPNs are a closely-guarded secret, according to another SIDtoday article, from December 2006,” the Intercept reported. “‘Exploiting VPNs makes use of some of the newest state-of-the-art techniques,’ the article stated, ‘and because of this, the exploitation details are held closely and generally not available to field sites.’ ”
— “A Georgia woman who mailed a secret U.S. report to a news organization faces the ‘longest sentence’ ever behind bars for a federal crime involving leaks to the news media, prosecutors said in a court filing,” the AP's Russ Bynum reported on Wednesday. “Former National Security Agency contractor Reality Winner, 26, is scheduled to be sentenced Aug. 23 by U.S. District Court Judge J. Randal Hall in Augusta. She pleaded guilty in June to a single count of transmitting national security information when she worked in Augusta as a translator at an NSA facility.”
- Usenix Security Symposium in Baltimore through tomorrow.
- Senate Commerce Committee hearing to conduct oversight of the Federal Communications Commission.
- Senate Rules and Administration Committee business meeting about the Secure Elections Act on Aug. 22.