Schatz, Wyden Question FCC On Reported 2017 Cyberattack


WASHINGTON – Today, U.S. Senators Brian Schatz (D-Hawai‘i) and Ron Wyden (D-Ore.) called on the Federal Communications Commission (FCC) to share more information about the reported distributed denial-of-service (DDoS) attack on the FCC’s website while it was open for comments on net neutrality last year.

The letter comes more than a year after reports of a DDoS attack on the FCC’s website, which prompted an initial letter from Senators Wyden and Schatz questioning the FCC’s ability to defend against such an attack and blunt any impact it could have on people’s participation in the debate around net neutrality.

“Beyond your initial internal analyses that you reference in your June 15, 2017, response, have any subsequent FCC or third-party (e.g., vendor, contractor, or government agency) analyses or investigations verified that a cyberattack on ECFS occurred in 2017 and, if so, that the attack is best classified as a DDoS attack?” the senators wrote. “If not, why was no investigation conducted?  Please provide any and all reports, findings, and other relevant details of any such investigations.”

The full text of the senators’ letter to Chairman Pai follows:

Dear Chairman Pai:

On May 9, 2017, we sent you a letter regarding alleged cyberattacks on the Federal Communications Commission’s Electronic Comment Filing System during that month.  There was also an ECFS issue involving the net neutrality proceeding in 2014.  In our letter we asked that you keep Congress fully briefed as to your investigation.

Beyond your initial internal analyses that you reference in your June 15, 2017, response, have any subsequent FCC or third-party (e.g., vendor, contractor, or government agency) analyses or investigations verified that a cyberattack on ECFS occurred in 2017 and, if so, that the attack is best classified as a DDoS attack?  If not, why was no investigation conducted?  Please provide any and all reports, findings, and other relevant details of any such investigations.

In response to our May 2017 letter you provided information to us about the 2017 event.  We request that you update, revise, and/or reaffirm in their entirety the responses that you previously provided.  In addition, clarify whether you continue to classify the May 7-8, 2017, event as a DDoS attack and the basis for your classification.

Does the FCC classify the 2014 event as a DDoS attack or attacks?  If so, please describe the nature of the attack and the basis for classifying it as a DDoS attack.

Have any FCC or third-party (e.g., vendor, contractor, or government agency) analyses or investigations concluded that a cyberattack occurred in 2014?  Please provide any and all reports, findings, and other relevant details of any such investigations.

Is the FCC fully cooperating with the Government Accountability Office review and evaluation of the FCC’s ECFS security and vulnerability to attack, including full access to the FCC’s accounts and data from any incidents as well as cooperation from relevant current and former FCC staff?

Please answer these questions in writing by June 27, 2018.  If you need to withhold any responsive information because it is confidential or classified please contact Andy Heiman and Eric Einhorn in our offices to schedule a briefing or make other appropriate arrangements regarding that information.

Sincerely, 