CommLawBlog

GAO Report: In Wake of Successful Hack of FCC Computer Systems, $10 Million Fix Ineffective

Gee, do we really want to entrust our social security numbers to the FCC?

Did you know that, in September 2011, the FCC was the victim of “a security breach on its agency network”?

Neither did we. 

The precise nature and extent of the breach hasn’t been made public (as far as we can tell), but it must have been impressive. Did you also know that, in reaction to that breach, within a couple of months the FCC had wangled out of the Office of Management and Budget a cool $10 million to undertake an immediate “Enhanced Secured Network” (ESN) Project to improve its computer security against such cyber attacks? 

Neither did we.

And did you also know that the General Accountability Office (GAO), called in to assess the manner in which the FCC implemented its ESN Project, concluded that the FCC messed up? In particular, according to the GAO, the Commission “did not effectively implement or securely configure key security tools and devices to protect these users and its information against cyber attacks.” And did you know that, as a result, again according to the GAO, the Commission continues to face “an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information”? 

Neither did we.

This is all spelled out – circumspectly, to be sure, presumably so as not to reveal too much about the FCC’s vulnerabilities – in a GAO report sent to Congress on January 25, 2013. The report was not publicly announced until last week.

The fact that the FCC’s computer systems have been compromised is bad enough. The fact that the FCC, apparently acting in haste, cut a few too many corners in its effort to lock up the barn door after the horse had taken a hike is even more troublesome.

But what is especially galling – to this blogger, at least – is the fact that, while all that has been going on, the Commission has proposed to force a large universe of individuals to trust the FCC with their social security numbers. And in so doing, the Commission hasn’t bothered to mention that the computer systems on which those numbers would presumably be maintained have already been shown to be vulnerable to hackers.

As we reported last month, the Commission is considering the elimination of the Special Use FRN in connection with broadcast Ownership Reports (FCC Forms 323 and 323-E). If adopted, that elimination would mean that all attributable interest holders of all full-service broadcast stations (as well as LPTV and Class A TV stations) would have to cough up their social security numbers to the Commission in order to obtain an FCC Registration Number (FRN), which would have to be included in all Ownership Reports. Comments on that proposal are currently due to be filed on February 14.

The FCC’s seeming reticence relative to the fact that it suffered an apparently successful cyber attack 18 months ago, and that its efforts to fix the problem in the meantime have apparently been less than successful, is understandable, if regrettable (and also curiously contrary to this Commission’s professions of “transparency”).

But it seems extraordinarily inappropriate for the Commission, knowing of those vulnerabilities, to then propose that a huge number of folks must provide to the FCC the crown jewels of their identity, their social security numbers. In so doing, shouldn’t the Commission, at a bare minimum, have alerted us all to the fact that not only are their computers possibly vulnerable (we all know that that’s an unfortunate fact of modern-day life), but that their computers had already been successfully attacked? Oh yeah, and mightn’t it have been a good idea to spread the word that GAO had been called in to see whether the problem had been fixed? And once GAO concluded that, um, the problem hadn’t been fixed, don’t you think the FCC might have at least had some second thoughts about persisting in its proposed insistence on the submission of social security number-based FRNs?

Before you answer those questions, consider this. In 2009, when the FCC first proposed to require the submission of SSN-based FRNs for all attributable interest holders, a number of parties objected, pointing out (among other things) that such submission would increase the risk of identity theft. The Commission’s response? We quote it verbatim:

While identity theft is a serious matter, none of the comments identify a single instance of a security breach with respect to the Commission’s CORES system. Indeed, their claims are purely speculative. The FCC has a robust security architecture in place for CORES that exceeds Federal guidelines and recommendations and has deployed strict operational controls in compliance with NIST guidance. The servers are located in secured locations with strict access control. Logically, the databases are located behind several firewalls that protect the data from the Internet and the general FCC user population. All servers and communications are monitored both by automated tools and systems as well as operational procedures. The CORES application uses separate roles for various user classes, and administrative access is only permitted from a limited set of known internal workstations. All transmission of non-public data is encrypted.

(You can find the entire FCC response on the OMB website. It’s the “Supplementary Document”, uploaded on 10/16/09 and titled “Response Letter to OMB on Comments Received”.)

So, according to the FCC, the notion that its oh-so-secure computer systems might be compromised was, at most, far-fetched speculation. 

Oops.

We now know that that speculation was not at all far-fetched. That being the case, the Commission may want to re-think its proposed abandonment of the Special Use FRN. And anyone who, in response to the proposal to deep-six the SUFRN, expresses concern about data security should be sure to cite the GAO report. That way, the Commission can’t claim that such concerns are merely speculative.

Peter - February 11, 2013 1:20 PM

What I really want to see is their NIST SP800-53A SCA in raw form (redact the IP's / hostnames if you wish).

NIST controls are almost always fluffed, by both the organization and its assessors.
