Federal watchdog finds cybersecurity vulnerabilities in FCC systems

The Government Accountability Office (GAO) on Friday urged the Federal Communications Commission (FCC) to take steps to boost the security of its comment submission process following a review that revealed dozens of cyber vulnerabilities. 

In a report compiled by the GAO, which was originally finalized in September but made public Friday, the agency detailed 136 recommendations for how the FCC could improve its Electronic Comment Filing System (ECFS). 

This system is used by the public to propose changes to regulations, and was overwhelmed in May 2017 following a surge in comments being submitted, temporarily disrupting the electronic comment system.

The GAO undertook its review of the FCC’s security for the ECFS following this incident after requests from numerous Democratic lawmakers. 

“GAO identified program and control deficiencies in the core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations,” the government watchdog wrote in the report. 

The GAO gave credit to the FCC for addressing 63 percent of its recommendations since September, but warned that the agency was at risk until all the identified problems are dealt with.

“Until FCC fully implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and loss,” GAO warned. 

A response to the GAO’s findings from FCC Managing Director Mark Stevens was included in the report, with Stevens vowing the agency would address its cybersecurity shortcomings in full by April 2021. 

“We acknowledge the nine non-technical and 127 technical recommendations in this draft report,” Stevens wrote. “We have been working diligently to address them, prioritizing those recommendations that are most operationally practical to implement and those that will immediately improve our security.”

House Energy and Commerce Committee Chairman Frank Pallone Jr. (D-N.J.), one of the lawmakers to request the GAO review two years ago, said in a statement that the security shortcomings of the FCC were “disturbing.” Pallone called on FCC Chairman Ajit Pai to address his agency’s vulnerabilities.  

“Until the FCC implements all of the remaining recommendations, its systems will remain vulnerable to failure and misuse,” Pallone said. “Chairman Pai must act swiftly to fix these vulnerabilities and restore trust back into the ECFS and the FCC’s cybersecurity practices overall.”