Last week, if you recall, I wrote about DDoS attacks becoming longer. During my research for that article, I found several pieces that talked about the FCC and its response to a DDoS attack that appeared to be in retaliation for the agency’s stand on net neutrality. The FCC refuses to provide details of the attack or reveal its security system to protect from future attacks. It’s a measure that is raising concern in Congress. When the leadership of several Congressional committees wanted answers about the FCC’s cybersecurity preparedness, according to an Engadget article, FCC Chairman Ajit Pai responded:
it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred. . . . [W]e can state that FCC IT staff has notified its cloud providers of the need to have sufficient 'hardware resources' available to accommodate high-profile proceedings.
When I read this, I wondered why the secrecy, especially in light of Congress pushing legislation to encourage and require cybersecurity information sharing. As Allison Bender wrote on behalf of IAPP:
Cybersecurity information sharing and collaboration can help organizations and governments protect against cyber attack; such sharing and collaboration increasingly are expected elements of cyber risk management programs.
Yet the FCC refuses to cooperate or share information. It won't respond to Freedom of Information Act (FOIA) requests, citing an ongoing internal investigation of the DDoS attacks.
Frankly, I’m concerned by the FCC’s unwillingness to discuss its cybersecurity efforts, but I also wondered if this was a good or bad strategy overall. Should organizations keep their security efforts under wraps? I took my questions to Carl Herberger, vice president of security at Radware, who immediately pointed out that the FCC highlights the issue of whether or not we should create a national cybersecurity disclosure law for both businesses and government organizations. In certain states, security breach notification laws require private companies to detail potential breaches and other cyberattacks, holding them to a standard of transparency. However, this does not exist at a national level for businesses or the government. He believes there is an implicit need to establish clear and objective rules for what should be made public. He added:
This would ensure that we are holding the FCC and other government organizations to important requirements for cybersecurity, and it would help us to better understand attacks as they occur and prevent them in the future. Additionally, by making the nature of attacks and the vulnerabilities behind them more public, we could motivate open debate about the best way to protect ourselves, where the vulnerabilities are, and how to ensure that potential targets are more secure in the future.
I think Pai’s response to Congress was vague and that the FCC should be more clear about cybersecurity within the agency. What do you think? Should government agencies be more forthcoming about how they protect their networks and websites? Should they be more willing to share and collaborate?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba