Dems want more data on FCC DDoS attacks

Two lawmakers on key tech committees are asking for a probe into an alleged attempt to disrupt Federal Communications Commission systems while the comment period for the ongoing network neutrality proceeding was underway.

Rep. Peter Vallone (D-N.J.), ranking member on the House Energy and Commerce Committee, and Sen. Brian Schatz (D-Hawaii), who sits on the Senate Commerce Committee, are seeking an investigation from the Government Accountability Office.

"While the FCC and the FBI have responded to Congressional inquiries into these DDos attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems," Vallone and Schatz wrote in a letter to GAO chief Gene Dodaro. "As a result, questions remain about the attack itself and more generally about the state of cybersecurity at the FCC – questions that warrant an independent review."

The FCC's Electronic Comments Filing System (EFCS) experienced a 3,000 percent boost in traffic in a brief period that spanned from 11 p.m. on May 7 to 1 a.m. on May 8, according to a record prepared by FCC CIO David Bray and sent in reply to a request from Sen. Ron Wyden (D-Ore.).

The spike took place at the same time as HBO comedian John Oliver urged users to flood the FCC with comments supporting the continuation of the network neutrality policy, which is opposed by the Trump administration, the current FCC chairman Ajit Pai and Republican majorities in the House and Senate.

However, the FCC report notes that the traffic spike was experienced by the API system of the EFCS, while Oliver's show pointed viewers to the web link.

At the time, Bray described the event as a DDoS attack. "These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC."

Vallone and Schatz want to know how the FCC came to determine the nature of the event, and are seeking details on coordination between the FCC CIO and the FCC security team, any mitigation procedures that were are in place to guard against such events, and whether the EFCS vulnerability points to any other security issues with regulatory agency's public-facing systems.

The concern on the part of net neutrality advocates is that opponents might be taking steps to either block legitimate commentators or to flood the EFCS with fake comments.

Server logs of the incident were never publicly released, because FCC officials claimed they contained personally identifiable information on users not connected with the attack.

Evan Greer of Fight for the Future told ZDNet in June that "if the fake comments -- many of which are using real people's names and addresses without their permission -- were submitted using the FCC's API, that means they should absolutely have information about who is committing this act of fraud."

The FCC declined to comment for this story.