FCC Declines to Provide 'Specific Roadmap' for Cyberattack Response Plans

D-N.J., House Oversight Committee ranking member Elijah Cummings, D-Md., and other House Democrats. Pallone and other lawmakers repeatedly pushed for further information on the circumstances behind a reported May 8 distributed denial-of-service attack against ECFS that occurred during the comment period on the NPRM on rolling back its 2015 net neutrality rules and reclassification of broadband as a Communications Act Title II service (see 1705170067, 1706280044 and 1707070039). “Given the ongoing nature of the threats to disrupt the Commission’s electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred,” Bray said in a memo to lawmakers accompanying letters from FCC Chairman Ajit Pai. “FCC’s IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs.” The cloud-based infrastructure supporting ECFS is “provided by our commercial partners,” the memo said. “FCC IT staff has notified its cloud providers of the need to have sufficient 'hardware resources' available to accommodate high-profile proceedings.” The May 8 DDoS attack doesn’t qualify as a “significant cyber incident” under current White House definitions and thus didn’t require a Federal Information Security Management Act-based notification to Congress, the memo said. The FCC consulted with the FBI in making the determination, Bray said. Pai told lawmakers he “cannot guarantee that we will not experience further attempts to disrupt our systems, [but] our staff is constantly monitoring and reviewing the situation so that that everyone seeking to comment on our proceedings will be afforded the opportunity to do so.”