Democrats on the House Commerce and Oversight committees jointly urged the GAO on Friday to examine the FCC's IT and cybersecurity practices, after the May distributed denial-of-service (DDoS) attack on the FCC website that is believed to have affected comments in the net neutrality proceeding (see 1705170067). The Democrats, including House Commerce ranking member Frank Pallone, D-N.J., and House Oversight ranking member Elijah Cummings, D-Md., also cited concerns about reports that some comments on the FCC's May net neutrality NPRM were filed under stolen identities. Fourteen people claimed last month that comments were submitted fraudulently under their names in support of a rollback of the 2015 net neutrality rules (see 1705250064). "Cybersecurity and other problems can have a direct functional impact on the mission of the FCC," the Democrats said in a letter to Comptroller General Gene Dodaro, citing "the agency's cybersecurity preparedness and problems with the FCC's ability to take public comments in its net neutrality proceeding." Communications Subcommittee ranking member Mike Doyle, D-Pa.; Oversight Government Operations Subcommittee ranking member Gerald Connolly, D-Va.; Commerce Oversight Subcommittee ranking member Diana DeGette, D-Colo.; and Oversight IT Subcommittee ranking member Robin Kelly, D-Ill., also signed the letter. They asked the GAO to determine whether the FCC website problems the agency identified as a DDoS attack were in fact caused by a cyberattack, and whether the agency has taken sufficient steps to deal with the attack.
The lawmakers asked GAO to assess whether the FCC is taking sufficient steps to protect the electronic comment filing system (ECFS) and other systems from DDoS attacks, and whether the agency is coordinating with the Department of Homeland Security and others to investigate and respond to the May cyberattack. They also asked GAO to determine how many users were unable to access the FCC's website during the incident and whether the FCC is able to accommodate comment filings in high-profile proceedings. FCC Chairman Ajit Pai told Democratic lawmakers last month that the FCC was the victim of a "non-traditional" DDoS attack in the May incident, and that the agency didn't have the technical option of blocking or removing the bots hitting ECFS' application program interface and instead increased API capacity (see 1706280044). The FCC and GAO didn't comment.
In response to the WannaCry ransomware that affected hundreds of thousands of computers worldwide last month (see 1705180032 and 1705160038), House and Senate lawmakers proposed bipartisan legislation that would establish baseline, voluntary cyber hygiene best practices that would be publicly accessible online. In a joint news release, Reps. Susan Brooks, R-Ind., and Anna Eshoo, D-Calif., and Sens. Orrin Hatch, R-Utah, and Ed Markey, D-Mass., said the Promoting Good Cyber Hygiene Act would direct the Department of Homeland Security, the FTC and the National Institute of Standards and Technology to create those standards and consider measures such as multifactor authentication and data loss prevention. Eshoo said experts suggested 90 percent of successful cyberattacks are due to system administrators "overlooking" cyber hygiene and security management. She said the attacks cost the U.S. economy "half a trillion dollars annually" in identity theft, exposed financial data and other things.
The FCC electronic comment filing system was the victim May 8 of a "non-traditional" distributed denial-of-service attack, Chairman Ajit Pai said in letters released Tuesday to Sens. Ron Wyden, D-Ore., and Brian Schatz, D-Hawaii, in response to questions the two asked after last month's ECFS cyberattack (see 1705090063). Pai said the DDoS attack targeted the ECFS application program interface that's normally used by automated programs or bots for bulk filings. The FCC didn't have the technical option of blocking or removing the bots hitting the API and instead increased API capacity. Pai said the agency "continue[s] to research additional solutions to strengthen ECFS' controls." Pai said the FCC has multiple commercial services and tools for protecting its systems from DDoS and other cyberattacks, but "the non-traditional DDoS that we experienced is quite different than typical attacks in that it used legitimate commercial providers to introduce bots and poorly structured queries to overload the system." Pai said the cloud-based ECFS typically receives close to 10,000 comments a day, but its record is more than 400,000 comments on May 11, "showing the system can scale to accommodate a large number of visitors when other external factors are not present." House Communications Subcommittee ranking member Frank Pallone, D-N.J., separately urged the DOJ and FBI to investigate whether comments filed under stolen identities broke federal law (see 1706280043).
House Commerce Committee ranking member Frank Pallone, D-N.J., urged the DOJ and FBI to investigate whether comments filed under stolen identities on the FCC's May NPRM, which proposes a rollback of the 2015 net neutrality order and of the reclassification of broadband as a Communications Act Title II service, violated federal law. Fourteen people claimed last month that comments were submitted fraudulently under their names in support of a rollback of the rules (see 1705250064). Additional claims since then allege comment astroturfing and filings using false names (see 1705310019 and 1706070017). Pallone said in a Wednesday letter to Attorney General Jeff Sessions and acting FBI Director Andrew McCabe that he's concerned by reports that about 450,000 identical comments submitted to docket 17-108 used information obtained from data breaches. "I am deeply concerned that the sheer number of these potentially false comments suggest a coordinated attempt to materially mislead the FCC, and therefore a coordinated attempt to break federal law," Pallone told Sessions and McCabe. "I urge you to take swift action to investigate who may be behind these comments and, if appropriate under applicable federal law and regulations, prosecute the people behind these fraudulent comments." Pallone and other House Democrats wrote commissioners and Department of Homeland Security National Cybersecurity and Communications Integration Center Director John Felker seeking information about the May distributed denial-of-service attacks on the FCC website believed to have affected comments in the net neutrality proceeding (see 1705170067 and 1706260059). Separately this week, the commission released its response to other members of Congress on the attack (see 1706280044).
Ranking Democrats on a number of House committees and subcommittees wrote FCC commissioners and John Felker, director-National Cybersecurity and Communications Integration Center (NCCIC), Department of Homeland Security, asking for information about the May distributed denial-of-service attacks on the FCC website believed to have affected comments in the net neutrality proceeding (see 1705170067). Noting allegations that numerous comments in the net neutrality docket were forged (see 1705250064), the FCC letter's signers asked the agency "to examine these serious problems and irregularities that raise doubts about the fairness, and perhaps even the legitimacy, of the FCC's process in its net neutrality proceeding." Both letters were released Monday. The FCC letter sought answers to a variety of questions by July 17, including what steps the agency is pursuing to protect its electronic comment filing system, how the commission and FBI jointly determined the attack didn't rise to the level of an incident that would necessitate FBI involvement, and whether the agency contacted DHS's NCCIC Hunt and Incident Response Team about the cyberattacks -- and if it didn't, why not. The Felker letter also set a July 17 deadline as it asked NCCIC to provide copies of all communications between it and the FCC on the May cyberattacks, plus any forensic analyses by and recommendations from NCCIC. The letter also requested a July 19 briefing. Signers were House Commerce Committee ranking member Frank Pallone, D-N.J.; Communications and Technology Subcommittee ranking member Mike Doyle, D-Pa.; Oversight and Government Reform ranking member Elijah Cummings, D-Md.; Oversight and Investigations Subcommittee ranking member Diana DeGette, D-Colo.; Information Technology Subcommittee ranking member Robin Kelly, D-Ill.; and Government Operations Subcommittee ranking member Gerald Connolly, D-Va. The FCC didn't comment.
Intel joined Team8, the Israeli cybersecurity “syndicate” with members including AT&T, Cisco, Microsoft, Nokia and Qualcomm, Team8 said in a Wednesday announcement. Intel will work with Team8 to secure future computing, IoT, mobile, automotive and cloud technologies, it said: “Intel and Team8 will collaborate to identify security gaps in future networks, technologies and infrastructures with a view to developing new cyber paradigms to address these challenges.”
Fifty-two percent of more than 1,000 consumer-facing websites analyzed for their privacy and security practices qualified for the Online Trust Alliance's honor roll, a 5 percent improvement from last year, said an OTA news release Tuesday outlining its ninth annual audit. OTA, which began operating May 1 as an initiative of the Internet Society, said most websites in the consumer services category qualified for the honor roll (76 percent), followed by internet retailers (48 percent), news and media (48 percent), ISPs and email providers (46 percent), government (39 percent) and banks (27 percent). Among the top 50 sites praised are Airbnb, Fitbit, the FCC, several Alphabet/Google sites including Gmail and YouTube, Instagram, Microsoft Outlook, Snapchat and Twitter. OTA analyzed the websites between mid-April and the end of May. Internet Society Chief Internet Technology Officer Olaf Kolkman said there has been an increase in sites using end-to-end encryption, showing it's becoming the "norm for site traffic."
NTIA seeks comment by July 13 on actions that could help address automated and distributed threats to the digital ecosystem (see 1706090008) as part of Executive Order 13800 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure), said the agency in Tuesday's Federal Register.
Three recommendations from a recent Department of Health and Human Services task force report on enhancing cybersecurity in the healthcare sector "stand out," blogged Internet Security Alliance CEO Larry Clinton and Senior Director Stacey Barrack. They are: identifying scalable governance best practices and developing executive education programs; requiring current and future federal cybersecurity regulations be harmonized; and incentivizing the sector to implement leading practices. Increased regulation "may actually be hurting" efforts to improve security since few experts have time to address compliance, they wrote Monday. Plus, a "dynamic system" -- possibly with grant and tax incentives and "good actor credits" -- is "desperately" needed to motivate the sector to implement improvements, they said. The report, promoted in HHS officials' testimony during a House hearing last week (see 1706070040), shows government "is slowly, but surely" starting to understand the problem and its need to work with industry, wrote Clinton and Barrack.
NTIA is seeking comment on how to improve industry's ability to lessen threats from automated and distributed attacks such as botnets, and on what role government should take. The agency posted the request Thursday on its website, and comments will be due 30 days after it's published in the Federal Register. "Left unchecked, without meaningful progress, these new classes of automated and distributed attacks could be a serious risk to the entire ecosystem," the notice said. "Since poorly considered action would likely create significant unnecessary costs and unintended consequences, substantial, carefully considered action must be considered." NTIA also said the Department of Commerce will host a public workshop on improving communications systems and outcomes to help guide implementation of Executive Order 13800 (Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure). The workshop will be at the National Institute of Standards and Technology's National Cybersecurity Center of Excellence July 11-12.