May 09, 2017

Wyden, Schatz Ask FCC For Details of Reported Cyberattack

Following a report of a DDoS attack on the FCC’s website, Senators Wyden and Schatz are asking Chairman Pai to answer questions on the ability of the FCC to mitigate such cyber-attacks

Chairman, Ajit Pai, to explain in more detail the nature of a reported cyberattack on May 8, including how it impacted the public’s ability to comment on a proposal to roll back net neutrality protections.

In their letter, the senators asked Chairman Pai if the FCC was prepared to defend against such distributed denial-of-service (DDoS) attacks, should they happen again. Distributed denial-of-service-attacks involve bad actors flooding a given website with more online traffic than it is prepared to handle in an effort to crash the site.  The senators also asked Chairman Pai to make alternative ways available for the public to comment; for example a dedicated email account in the net neutrality proceeding as was done in 2014.

“DDoS attacks against federal agencies are serious - and doubly so if the attack may have prevented Americans from being able to weigh in on your proposal to roll back net neutrality protections,” Wyden and Schatz wrote. “Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue.”

Read the letter here.

Specifically, Wyden and Schatz asked:

  1. Please provide details as to the nature of the DDoS attacks, including when the attacks began, when they ended, the amount of malicious traffic your network received, and an estimate of the number of devices that were sending malicious traffic to the FCC. To the extent that the FCC already has evidence suggesting which actor(s) may have been responsible for the attacks, please provide that in your response.
  2. Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks? Which agencies have you sought assistance from? Have you received all of the help you have requested?
  3. Several federal agencies utilize commercial services to protect their websites from DDoS attacks. Does the FCC use a commercial DDoS protection service? If not, why not? To the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not?
  4. How many concurrent visitors is the FCC’s website designed to be able to handle? Has the FCC performed stress testing of its own website to ensure that it can cope as intended? Has the FCC identified which elements of its website are performance bottlenecks that limit the number of maximum concurrent visitors? Has the FCC sought to mitigate these bottlenecks? If not, why not?
  5. Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected?
  6. Will commenters who successfully submitted a comment—but did not receive a response, as your press release indicates—receive a response once your staff have addressed the DDoS and related technical issues?
  7. Does the FCC have all of the resources and expertise it needs in order to combat attacks like those that occurred on May 8?