Schatz, Pallone Call For An Independent Investigation Into Reported FCC Cyberattack
WASHINGTON – Today, U.S. Senator Brian Schatz (D-Hawai‘i), Ranking Member of the Senate Commerce Subcommittee on Communications, Technology, Innovation and the Internet, and U.S. Representative Frank Pallone, Jr. (D-N.J.), Ranking Member of the House Committee on Energy and Commerce, called on the Government Accountability Office (GAO) to conduct an independent review of the reported attack on the Federal Communications Commission’s (FCC) Electronic Comment Filing System and the general state of cybersecurity at the FCC.
“While the FCC and the FBI have responded to Congressional inquiries into these DDoS attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems,” the lawmakers wrote. “As a result, questions remain about the attack itself and more generally about the state of cybersecurity at the FCC – questions that warrant an independent review.”
Following increased media coverage of the FCC’s net neutrality proceeding, the Commission reported that it was the victim of distributed denial-of-service (DDoS) attacks, where bad actors flood a website with an overwhelming amount of online traffic in an effort to crash the site. These attacks may have prevented the public from accessing and commenting on current proceedings before the FCC. The net neutrality proceeding has also been inundated with fake comments, which undermines this and future rule-making processes.
The full text of the letter follows:
The Honorable Gene Dodaro
Comptroller General of the United States
441 G Street, NW
Washington, DC 20548
Dear Mr. Dodaro:
On May 8, 2017, the Federal Communications Commission (FCC) announced that it was the victim of “multiple distributed denial-of-service (DDoS) attacks.” According to FCC staff, these attacks targeted the FCC’s Electronic Comment Filing System (ECFS), the portal through which the public submits comments on ongoing proceedings. More specifically, it appeared that these attacks were designed to disrupt the ECFS system during a time period corresponding to the public comment period for the FCC’s Restoring Internet Freedom Notice of Proposed Rulemaking, an ongoing proceeding to undo current net neutrality protections.
As you are likely aware, this proceeding has garnered intense public interest. It appears that these attacks were meant to inhibit or limit public comment on this important proceeding, raising doubts about the efficacy of the FCC’s public comment process. Separately, the ECFS system has been flooded with fake comments related to the net neutrality proceeding, which undermines this critical component of the FCC’s rule-making process. The FCC’s lack of action in preventing or mitigating this issue is also cause for concern. In fact, taken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency.
While the FCC and the FBI have responded to Congressional inquiries into these DDoS attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems. As a result, questions remain about the attack itself and more generally about the state of cybersecurity at the FCC – questions that warrant an independent review.
In light of these concerns, we request that the GAO examine the following questions:
- How did the FCC determine that a cyberattack took place on May 8th? What evidence did the security team provide to FCC CIO David Bray before his statement to the press on May 9th? What additional evidence did the FCC gather to further support its conclusions after that statement? What documentation did the FCC develop during its investigation of this reported attack, and has it done any after-action reports or other evaluations that would help the FCC respond to future attacks of this nature?
- What processes and procedures does the FCC have in place to prevent or mitigate a cyberattack on the ECFS system like the one that reportedly occurred on May 8th? Are these processes in line with best practices/recommendations from the Department of Homeland Security and the National Institute of Standards and Technology? Were these processes followed during and after the May 8th attack?
- The reported May 8th attack raises questions about the general vulnerability of the ECFS. Is the ECFS designed in a manner that implements cybersecurity best practices? What are the risks associated with this attack vector? Can other FCC systems be accessed through ECFS vulnerabilities?
- The attack also raises questions about the security of other FCC systems. Are the FCC’s other public-facing data systems, like the spectrum auction systems, also at risk? Has the FCC evaluated the security of its other public-facing computer systems in light of the reported May 8th attack? Has it taken steps to mitigate any vulnerabilities in those systems?