In early May, the Federal Communications Commission (FCC) was hit with Distributed Denial of Service (DDoS) bot attacks that took down its comment system for a couple of hours.
One oddity of the assault was that it seemingly coincided with HBO comedian John Oliver’s clarion call for viewers to submit comments in support of the current rules on net neutrality, which FCC chairman Ajit Pai has vowed to weaken and roll back.
In late June, Frank Pallone (D-NJ) asked Attorney General Jeff Sessions and Acting FBI Director Andrew McCabe to investigate the incident, specifically initiating an inquiry into whether the bots launched thousands of fake anti-net neutrality comments (via ZDNet).
Those behind the filings “may be attempting to influence federal policy by publicly misrepresenting the views of innocent victims,” Pallone said (via Deadline Hollywood). “As part of its online comment filing system, the FCC is also publicly listing these victims’ private information, including their addresses, making this situation more urgent.”
At the same time, nearly 30 people wrote Pai claiming that their names has been falsely attached to comments they didn’t make.
DDoS: What Are the Facts?
In the wake of the DDoS attacks, it seems Pai has some explaining to do. After all, the rising consensus among security pros is that DDoS blitzes present the most imposing security threat we’ll face going forward with the real potential to prompt major outages worldwide.
In letters sent 10 days ago to ranking Congressional members on the House Energy and Commerce and Government Reform committees, Pai offered no details about how the FCC had dealt with the “disruption of the FCC’s systems by outside parties.”
The chairman said he had directed the FCC CIO to “take appropriate measures to continue securing the comment filing system and to report back to my staff routinely on this work.”
Okay, still nothing there. Let’s try another.
“Although I cannot guarantee that we will not experience further attempts to disrupt our systems, our staff is constantly monitoring and reviewing the situation so that everyone seeking to comment on our proceedings will be afforded the opportunity to do so.”
An FAQ With Limited Answers
Not enough. Maybe there's some substance in a Q&A Pai attached to his letters. Here we get a few tidbits:
Q: What “additional solutions” is the FCC pursuing to “further protect the system?”
We can’t say: “Given the ongoing threats to disrupt the Commission’s electronic comment filing system it would undermine our system’s security to provide a specific roadmap of the additional solutions…”
CSPs: “We can state that the FCC’s IT staff has worked with commercial cloud providers to implement internet-based solutions to limit the amount of bot-related activity if another bot-driven event occurs.”
Analytics: “The FCC also instituted a more predictive model for assessing the number of incoming comments and bot driven activity to ensure we will have more cloud-based resources available within a shorter time period to respond to potential surges in activity.”
Controls: “In addition, the FCC implemented a control feature that recognizes when there is heavy bot traffic.”
Nothing much to see: “The FCC consulted with the FBI following this incident and it was agreed that this was not a 'significant cyber incident'...It is important to note the May 7-8 disruption was not a system 'hack' or intrusion and at no point was the Commission’s network cybersecurity breached.”
Lets be clear...all of those measures taken are well and good and appropriate. But the big question obviously left unanswered: Do the FCC’s actions rise to the level of the expected escalating DDoS threat? In other words, do they know what's really going to hit them?