According to a May 8 press release, Commissioner Ajit Pai claimed the FCC had fallen victim to a massive DDOS attack during the commenting period for his proposed rollback of Net Neutrality rules. The release directly addressed an outage on the FCC’s website that prevented would-be commenters from posting their thoughts on the issue. If true, and a DDOS attack was indeed carried out on the FCC, this would constitute a major disruption in the agency’s rule making proceedings. Lawmakers, including Senator Ron Wyden (D-Ore.) and Senator Brian Schatz (D-Hawaii), are now probing for answers about the FCC DDOS attack.
In an open letter published on May 9, senators Brian Schatz (D-Hawaii), Al Franken (D-Minn.), Patrick Leahy (D-Vt.), Ed Markey (D-Mass.) and Ron Wyden (D-Ore.) expressed their concern about the alleged FCC DDOS attack. “Any cyberattack on a federal network is very serious,” the senators explained in their letter. “This particular attack may have denied the American people the opportunity to contribute to what is supposed to be a fair and transparent process, which in turn may call into question the integrity of the FCC’s rulemaking proceedings.”
As a means to acquire clarity about the FCC DDOS attack, the senators compiled a list of seven questions for the commissioner. The questions ranged from asking for a complete technical report on the attack to future preparedness for a repeat attack. Other questions seek to understand the volume of potential comments that may have been denied as a result of the attack. They expect a response no later than June 23. In the letter, the senators asked the FCC to make available alternate means to comment on the proposed rules change via email, as was done in 2014, until the full investigation into the FCC DDOS attack is completed.
The FCC has come under scrutiny in past weeks over their assertion that they were affected by a DDOS attack. Net Neutrality activists have claimed the FCC purposefully throttled comments during a spike in traffic to their site to prevent the public from participating in the normal procedures for rule making. This notion has been reinforced by the fact that the FCC website crashed briefly after John Oliver aired his dedicated show on the subject. In his show, he gave his viewers a unique domain name, gofccyourself.com, to direct would-be commenters directly to the comments section for net neutrality. This caused a massive spike in traffic and comments.
Despite scrutiny, some experts on DDOS attacks have publicly voiced their support for the FCC claim. As reported in the technology publication Ars Technica, Cloudflare Information Security Chief Marc Rogers thinks the FCC’s assertions are legitimate, and said, “I am a little surprised that people are challenging the FCC’s decision to call this a DDOS.” His conclusions were made based on FCC CIO David Bray’s more in-depth explanation of how the attack worked and what the FCC documented.
The FCC DDOS attack does warrant more investigation. In their letter to the FCC, the five signatories outlined several questions specific to the FCC’s preparedness for a future attack. One of the questions reads, “Does the FCC have all the resources and expertise it needs in order to combat attacks like those that occurred on May 8?” Another asks, “Several federal agencies utilize commercial services to protect their websites from DDOS attacks. Does the FCC use a commercial DDOS protection service? If not, why not? To the extent that the FCC utilizes commercial DDOS protection products, did these work as expected? If not, Why not?”
If the FCC DDOS attack occurred in the presence of adequate security measures, it could serve as a means to reevaluate the security measures in place for other government agencies. Such attacks, if not properly protected against, could further disrupt regular government operations. Within this context, it is of the utmost importance that the FCC conduct a thorough review of the attack and develop a means to repel such an attack in the future. What an investigation may also reveal is the possibility that the FCC was, in fact, ill equipped to handle such an attack, and may expose deficiencies in the agency’s processes that other government agencies do not have.
The response to the senate inquiry into the matter is due by June 23. In the meantime, the FCC plans to move forward on its regular schedule, with the next major milestone in the Net Neutrality rules rollback expected in mid-August.