Revealing technical details would "undermine our system security," FCC says.

The Federal Communications Commission has told members of Congress that it won't reveal exactly how it plans to prevent future attacks on the public comment system.

FCC Chairman Ajit Pai and Democratic lawmakers have been exchanging letters about a May 8 incident in which the public comments website was disrupted while many people were trying to file comments on Pai's plan to dismantle net neutrality rules. The FCC says it was hit by DDoS attacks. The commission hasn't revealed much about what it's doing to prevent future attacks, but it said in a letter last month that it was researching "additional solutions" to protect the comment system.

Democratic leaders of the House Commerce and Oversight committees then asked Pai what those additional solutions are, but they didn't get much detail in return.

"Given the ongoing nature of the threats to disrupt the Commission’s electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred," the FCC chief information officer wrote. "However, we can state that the FCC’s IT staff has worked with commercial cloud providers to implement Internet‐based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs."

Talking about hardware also undermines security

The CIO's answers to lawmakers' questions were sent along with a letter from Pai to Reps. Frank Pallone, Jr. (D-N.J.), Elijah Cummings (D-Md.), Mike Doyle (D-Penn.), DeGette (D-Colo.), Robin Kelly (D-Ill.), and Gerald Connolly (D-Va.). The letter is dated July 21, and it was posted to the FCC's website on July 28.

When responding to another question about what hardware resources are being committed to improve the comment system's uptime, the CIO again said that revealing specific details would undermine the FCC's security.

"The Commission’s Electronic Comment Filing System is commercially cloud-based, so our 'hardware resources' are provided by our commercial partners. While it would undermine our system security to provide a specific roadmap of what we are doing, we can state that FCC IT staff has notified its cloud providers of the need to have sufficient 'hardware resources' available to accommodate high-profile proceedings," the FCC response said.

Public records requests denied

The FCC has also rebuffed multiple Freedom of Information Act (FoIA) requests about its response to the DDoS attacks. The commission denied one FoIA request sent by Ars, saying that it won't reveal e-mails and other communications about the attacks because of an ongoing internal investigation. Releasing the records we requested would impede and interfere with that investigation, the FCC told us.

In response to a FoIA request by Gizmodo, the FCC said that its initial analysis of the DDoS attacks "stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation."

Freelance journalist Kevin Collier filed a lawsuit against the FCC, alleging that the commission failed to comply with FoIA requests about the alleged DDoS attack and the agency's analysis of anti-net neutrality comments generated by astroturfers.

No law enforcement investigation

There are apparently no law enforcement agencies involved in the FCC's ongoing investigation because the attacks weren't significant enough. "The FCC consulted with the FBI following this incident, and it was agreed this was not a 'significant cyber incident' consistent with the definition contained in Presidential Policy Directive-41 (PPD-41)," the FCC said in its letter to House Democrats.

The FCC also did not notify Congress of the attacks under the process outlined in the Federal Information Security Management Act (FISMA). Although the FCC provided background information to Congressional committee offices, "we did not provide a FISMA-based notification," the letter explained. "We determined that this event was not a 'major incident' under the Office of Management and Budget’s (OMB) definition and hence it did not meet the criteria of a reportable incident to Congress under OMB’s FISMA guidance."

Pai told House Democrats to trust him that the situation is under control.

"The docket now contains more than 10 million comments overall, demonstrating that our processes are facilitating widespread public participation in this proceeding," Pai wrote. "Although I cannot guarantee that we will not experience further attempts to disrupt our systems, our staff is constantly monitoring and reviewing the situation so that everyone seeking to comment on our proceedings will be afforded the opportunity to do so."