Senators ask the FCC if it was truly targeted by DDoS attacks

Brian Schatz and Ron Wyden have given the FCC a deadline for its explanation.

US Senators Brian Schatz and Ron Wyden want to know once and for all whether the FCC truly suffered DDoS attacks in the middle of soliciting net neutrality comments in 2014 and 2017 like it claimed. If you'll recall, a couple of recent Gizmodo reports and an interview with former Chairman Tom Wheeler cast doubt on the veracity of those claims. The Senators have sent a letter to the commission, asking if any third-party entity confirmed that the outages it suffered those times were truly caused by DDoS. If they were, Schatz and Wyden want to know why no investigation was conducted.

Back when reports came out that the FCC didn't have written documentation of the event, the commission said that was completely untrue and that it has "voluminous documentation of this attack in the form of logs collected by [its] commercial cloud partners." It said the agency didn't share details about the attack, because doing so would undermine its security. The commission would have to share those details with the Senators, though, even if they're confidential. Schatz and Wyden also want to know whether the FCC is collaborating with the Government Accountability Office to look into its website's vulnerability to attacks. After all, if it's been infiltrated twice, something has to be done to tighten its security.

Here's a short version of what compelled the Senators to pen the letter, if you haven't been keeping tabs on the FCC's activities: the agency's website crashed in 2017, which prevented people from posting comments on chairman Ajit Pai's proposal to eliminate net neutrality rules. (His plan ultimately succeeded, and Obama-era net neutrality protections ended yesterday -- but that's another story.) After the 2017 outage happened, former FCC IT Chief David Bray told the media that it was caused by DDoS, and that there was a similar "attack after the 2014 [John Oliver] clip" about net neutrality.

Bray also said that former Chairman Tom Wheeler chose to keep the earlier event a secret "out of concern of copycats," but the ex-FCC chief recently denied that was the case. He said there was no cover-up, because there was nothing to cover. "We didn't want to say it [was a DDoS in 2014] because Bray had no hard proof that it was a DDoS attack. Just like the second time [in 2017]," former Wheeler adviser Gigi Sohn told Ars Technica. Bray eventually admitted that the concern about copycats was his own.

When Wheeler was asked during his interview with C-Span why the FCC would claim that there was a DDoS attack in 2014 when there wasn't one, he said: "I am the last person in the world to interpret the decision making of the Trump FCC." We might finally hear more about the FCC's motivations once it replies to the Senators: Schatz and Wyden are asking for a written explanation by June 27th.

Check out the letter in full below:

"Dear Chairman Pai:

On May 9, 2017, we sent you a letter regarding alleged cyberattacks on the Federal Communication Commission's Electronic Comment Filing System during that month. There was also an ECFS issue involving the net neutrality proceeding in 2014. In our letter we asked that you keep Congress fully briefed as to your investigation.

Beyond your initial internal analyses that you reference in your June 15, 2017, response, have any subsequent FCC or third-party (e.g., vendor, contractor, or government agency) analyses or investigations verified that a cyberattack on ECFS occurred in 2017 and, if so, that the attack is best classified as a DDoS attack? If not, why was no investigation conducted? Please provide any and all reports, findings, and other relevant details of any such investigations.

In response to our May 2017 letter you provided information to us about the 2017 event. We request that you update, revise, and/or reaffirm in their entirety the responses that you previously provided. In addition, clarify whether you continue to classify the May 7-8, 2017, event as a DDoS attack and the basis for your classification.

Does the FCC classify the 2014 event as a DDoS attack or attacks? If so, please describe the nature of the attack and the basis for classifying it as a DDoS attack.

Have any FCC or third-party (e.g., vendor, contractor, or government agency) analyses or investigations concluded that a cyberattack occurred in 2014? Please provide any and all reports, findings, and other relevant details of any such investigations.

Is the FCC fully cooperating with the Government Accountability Office review and evaluation of the FCC's ECFS security and vulnerability to attack, including full access to the FCC's accounts and data from any incidents as well as cooperation from relevant current and former FCC staff?

Please answer these questions in writing by June 27, 2018. If you need to withhold any responsive information because it is confidential or classified please contact Andy Heiman and Eric Einhorn in our offices to schedule a briefing or make other appropriate arrangements regarding that information.


Brian Schatz
Ron Wyden