FCC Declines to Provide 'Specific Roadmap' for Cyberattack Response Plans
FCC Chief Information Officer David Bray declined to provide specific details on the agency's plans to protect its Electronic Comment Filing System against future cyberattacks. The refusal was in response to queries from House Commerce Committee ranking member Frank Pallone,…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
D-N.J., House Oversight Committee ranking member Elijah Cummings, D-Md., and other House Democrats. Pallone and other lawmakers repeatedly pushed for further information on the circumstances behind a reported May 8 distributed denial-of-service attack against ECFS that occurred during the comment period on the NPRM on rolling back its 2015 net neutrality rules and reclassification of broadband as a Communications Act Title II service (see 1705170067, 1706280044 and 1707070039). “Given the ongoing nature of the threats to disrupt the Commission’s electronic comment filing system, it would undermine our system's security to provide a specific roadmap of the additional solutions to which we have referred,” Bray said in a memo to lawmakers accompanying letters from FCC Chairman Ajit Pai. “FCC’s IT staff has worked with commercial cloud providers to implement Internet-based solutions to limit the amount of disruptive bot-related activity if another bot-driven event occurs.” The cloud-based infrastructure supporting ECFS is “provided by our commercial partners,” the memo said. “FCC IT staff has notified its cloud providers of the need to have sufficient 'hardware resources' available to accommodate high-profile proceedings.” The May 8 DDoS attack doesn’t qualify as a “significant cyber incident” under current White House definitions and thus didn’t require a Federal Information Security Management Act-based notification to Congress, the memo said. The FCC consulted with the FBI in making the determination, Bray said. Pai told lawmakers he “cannot guarantee that we will not experience further attempts to disrupt our systems, [but] our staff is constantly monitoring and reviewing the situation so that that everyone seeking to comment on our proceedings will be afforded the opportunity to do so.”