A pair of Democratic senators has asked FCC chairman Ajit Pai for more information on what the FCC has said were multiple DDoS attacks on its website that affected comments being posted there.
FCC chief information officer Dr. David Bray said the attacks “made it difficult for legitimate commenters to access and file with the FCC.”
The key docket in terms of activity that could have been interrupted is net neutrality, where the FCC still managed to post more than half a million comments since last week, attack or no. Among the senators’ questions was whether any comments were prevented from being submitted and if so how many.
Sens. Ron Wyden of Oregon and Brian Schatz of Hawaii, the latter the ranking member of the Senate Communications Subcommittee, sent a letter to Pai about the May 8 attack (which came in the wee hours of the morning following the May 7 airing of John Oliver’s call for a flood of comments in support of net neutrality).
They asked about the FCC’s defenses against such an attack should it be repeated and that the chairman insure there were other ways to comment as a workaround, a dedicated email account for example.
“Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue.”
Specifically, they wanted information on the following by June 8:
- “Please provide details as to the nature of the DDoS attacks, including when the attacks began, when they ended, the amount of malicious traffic your network received, and an estimate of the number of devices that were sending malicious traffic to the FCC. To the extent that the FCC already has evidence suggesting which “actor(s) may have been responsible for the attacks, please provide that in your response.
- “Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks? Which agencies have you sought assistance from? Have you received all of the help you have requested?
- “Several federal agencies utilize commercial services to protect their websites from DDoS attacks. Does the FCC use a commercial DDoS protection service? If not, why not? To the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not?
- “How many concurrent visitors is the FCC’s website designed to be able to handle? Has the FCC performed stress testing of its own website to ensure that it can cope as intended? Has the FCC identified which elements of its website are performance bottlenecks that limit the number of maximum concurrent visitors? Has the FCC sought to mitigate these bottlenecks? If not, why not?
- “Did the DDoS attacks prevent the public from being able to submit comments through the FCC’s website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected?
- “Will commenters who successfully submitted a comment — but did not receive a response, as your press release indicates — receive a response once your staff have addressed the DDoS and related technical issues?”
While the letter did not question whether such an attack had happened, others have.
“We think it’s more than just coincidence that the FCC would cite a DDoS attack at the same time that John Oliver’s call to make public comment on the FCC website in favor of net neutrality went viral,” said Rashad Robinson, executive director of Color Of Change, a big Title II fan. “That said, we certainly hope to see a full investigation into what happened in order to ensure the integrity and full transparency of a key federal agency. But the unfortunate reality is that, after everything this administration has done to steal our rights as Americans, we wouldn't be surprised if this was merely an attempt to label the democratic exercise of free speech as a cyberattack.”
— Broadcasting & Cable