House and Senate Democrats want the Government Accountability Office to investigate the FCC cyberattack the agency says knocked part of its comment filing system offline in May.
Hawaii Sen. Brian Schatz and New Jersey Rep. Frank Pallone asked the GAO this week to vet the FCC’s account of the incident, while expressing skepticism and frustration with the agency’s lack of cooperation in providing more details to Congress.
The cyberattack followed a “Last Week Tonight with John Oliver” segment, when Oliver called on viewers to submit comments opposing the Trump administration’s plan to scale back net neutrality rules. The FCC’s chief information officer and chairman submitted a timeline of the incident to Congress and the FBI has declined to investigate it.
But Democrats, who universally oppose the net neutrality repeal plan, aren’t satisfied. They raised further questions after the FCC told a news outlet in July it didn’t document the attack as it was occurring.
“While the FCC and the FBI have responded to congressional inquiries into these DDoS [distributed denial of service] attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems,” lawmakers wrote to the GAO Thursday in a newly released letter.
The congressmen said they’re also concerned with the flood of fake public comments on the net neutrality proceeding, according to some reports as many as 7 million of the record 20 million.
“In fact, taken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency,” the letter reads.
They go on to ask the GAO to examine how the FCC determined it was subjected to a cyberattack and its evidence, what the FCC has done to prevent cyberattacks, if the FCC website’s Electronic Comment Filing System can be used to infiltrate other parts of the agency, and if its other systems, especially those that are public-facing, have security vulnerabilities.
Lawmakers didn’t provide a timeline for the GAO to respond. They’ve also asked the FBI and the Department of Homeland Security’s National Cybersecurity and Communications Integration Center to investigate the incident.
Officials from the agency described the FCC cyberattack as a “non-traditional DDoS” that targeted a specific ECFS interface “normally used by automated programs or bots for bulk filings.” Hits to the interface increased 3,000 percent beginning around 11 p.m. on May 7, at the start of Oliver’s show.
Malicious traffic originated from cloud-based bots and was “not associated with IP addresses usually linked to individual human filers” and “effectively blocked or denied additional web traffic–human or otherwise–to the comment filing system.” Eventually the bot swarms peaked early May 8 at 30,000 requests per minute, “or three times the total daily traffic for any day in the previous sixty days” and the maximum the FCC’s commercial, cloud-based servers could handle.
The agency says it has “voluminous documentation of this attack in the form of logs collected by our commercial cloud partners,” but can’t release more than 200 pages discussing the incident because they contain “privileged or confidential . . . trade secrets and commercial or financial information.”