Back in May, John Oliver went on a net neutrality rant on his show “Last Week Tonight” and encouraged viewers to flood the FCC with comments. Since then, a series of events has unfolded, sparking confusion and skepticism.
The FCC claimed that a DDoS attack had taken down its net neutrality public comments site. But when asked for evidence of the attack, the FCC refused to provide it, drawing doubt and criticism from the media.
As a result, two Democratic congressmen have written a letter asking the Government Accountability Office (GAO) to investigate and posing the following questions:
1. How did the FCC determine that a cyberattack took place on May 8th? What evidence did the security team provide to FCC CIO David Bray before his statement to the press on May 9th? What additional evidence did the FCC gather to further support its conclusions after that statement? What documentation did the FCC develop during its investigation of this reported attack, and has it done any after-action reports or other evaluations that would help the FCC respond to future attacks of this nature?
2. What processes and procedures does the FCC have in place to prevent or mitigate a cyberattack on the ECFS [Electronic Comment Filing System] like the one that reportedly occurred on May 8th? Are these processes in line with best practices and recommendations from the Department of Homeland Security and the National Institute of Standards and Technology? Were these processes followed during and after the May 8th attack?
3. The reported May 8th attack raises questions about the general vulnerability of the ECFS. Is the ECFS designed in a manner that implements cybersecurity best practices? What are the risks associated with this attack vector? Can other FCC systems be accessed through ECFS vulnerabilities?
4. The attack also raises questions about the security of other FCC systems. Are the FCC’s other public-facing data systems, like the spectrum auction systems, also at risk? Has the FCC evaluated the security of its other public-facing computer systems in light of the reported May 8th attack? Has it taken steps to mitigate any vulnerabilities in those systems?