FCC needs to fix its cybersecurity practices, GAO finds
A government watchdog found key security deficiencies in the Federal Communications Commission's IT systems, including the public comment system, according to a report out Friday.
Why it matters: The FCC relies on feedback from the public to help shape policy, but its system for collecting it has been marred by fake comments and outages during high-profile debates — most publicly in the fight over net neutrality.
Driving the news: The Government Accountability Office identified problems in core security functions related to identifying cyber risks; protecting the systems from threats; detecting and responding to cyberattacks; and recovering from them. The agency made 136 recommendations to help shore up the FCC's systems.
- The FCC, which received a non-public version of the report in September 2019, had implemented 63% of them as of November, with 41 outstanding and another 10 partially implemented.
- The FCC told GAO it has created plans to address the outstanding recommendations by April 2021.
- "Until FCC fully implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and loss," GAO said in the report.
Flashback: The FCC blamed distributed denial-of-service attacks for commenting system outages during the net neutrality debate in 2017, but an internal investigation by the agency's Inspector General later found that no such attacks occurred.
- House Energy & Commerce Committee Chairman Frank Pallone and Senate Commerce communications subcommittee Ranking Member Brian Schatz had called for a GAO investigation into the alleged cyberattacks when they were first reported, as well as into the FCC's overall cybersecurity practices.
- GAO credited the agency with bolstering the commenting system after the May 2017 disruptions, noting that the FCC had increased the system's capacity and performance.
What they're saying: Pallone said the GAO report found a "disturbing lack of security" that puts the FCC's systems at risk, and called on Chairman Ajit Pai to act swiftly to fix the vulnerabilities.
- "Until the FCC implements all of the remaining recommendations, its systems will remain vulnerable to failure and misuse," Pallone said in a statement.
- FCC spokesman Brian Hart said the agency has now addressed 94 of the recommendations. "We have been engaged in a major, multi-year strategic effort to modernize our IT capabilities and deliver secure, scalable, and reliable networks for both our internal operations and our public-facing systems," Hart said in a statement.
What's next: FCC Managing Director Mark Stephens told the GAO in March that the agency is in the process of upgrading its public commenting system and another system reviewed in the report.
- "The new versions of these applications will not have the security deficiencies that you have identified in their current versions," Stephens wrote.