Two Democratic members of Congress today called for an independent investigation into the Federal Communications Commission's claim that it suffered DDoS attacks on May 8, when the net neutrality public comments system went offline.

"While the FCC and the FBI have responded to Congressional inquiries into these DDoS attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems," the lawmakers wrote in a letter to the US Government Accountability Office (GAO) today. "As a result, questions remain about the attack itself and more generally about the state of cybersecurity at the FCC—questions that warrant an independent review."

The letter requesting a GAO investigation was written by Senator Brian Schatz (D-Hawaii) and Rep. Frank Pallone (D-N.J.).

The letter was first reported today by Gizmodo, which recently published an extensive article titled, "Senior US Official Claimed the FCC Got 'Hacked' After Security Professionals Found No Proof." That article covers a similar incident that happened in 2014 during a previous net neutrality proceeding.

In the 2017 case, the FCC has repeatedly thwarted efforts to obtain more details on the attacks and the commission's response to them. The FCC said it was hit by DDoS attacks just after a John Oliver show on HBO triggered a sudden rush of comments on Chairman Ajit Pai's plan to overturn net neutrality rules. Pro-net neutrality activists have expressed skepticism about the FCC's claims.

Schatz and Pallone also said the FCC has not acted to prevent or mitigate the problem of fake comments flooding the net neutrality docket. "[T]aken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency," Schatz and Pallone wrote to the GAO.

Schatz and other Senate Democrats previously asked the FBI to find out who was behind attacks on the FCC's public commenting system.

Many questions

In today's letter, the lawmakers asked GAO head Gene Dodaro to investigate these questions:

1. How did the FCC determine that a cyberattack took place on May 8th? What evidence did the security team provide to FCC CIO David Bray before his statement to the press on May 9th? What additional evidence did the FCC gather to further support its conclusions after that statement? What documentation did the FCC develop during its investigation of this reported attack, and has it done any after-action reports or other evaluations that would help the FCC respond to future attacks of this nature?

2. What processes and procedures does the FCC have in place to prevent or mitigate a cyberattack on the ECFS [Electronic Comment Filing System] like the one that reportedly occurred on May 8th? Are these processes in line with best practices and recommendations from the Department of Homeland Security and the National Institute of Standards and Technology? Were these processes followed during and after the May 8th attack?

3. The reported May 8th attack raises questions about the general vulnerability of the ECFS. Is the ECFS designed in a manner that implements cybersecurity best practices? What are the risks associated with this attack vector? Can other FCC systems be accessed through ECFS vulnerabilities?

4. The attack also raises questions about the security of other FCC systems. Are the FCC’s other public-facing data systems, like the spectrum auction systems, also at risk? Has the FCC evaluated the security of its other public-facing computer systems in light of the reported May 8th attack? Has it taken steps to mitigate any vulnerabilities in those systems?

We asked the FCC for comment on the Democrats' letter this morning, but a commission spokesperson declined to comment.

The FCC has said that its internal systems were not hacked. Instead, the public comments website was flooded with traffic from "external actors," the commission said, just after the May 8 incident.

There are now more than 20 million comments on Pai's plan. Pai has said that the "raw number" of comments is less important than the "substantive comments." He also suggested that only evidence regarding broadband infrastructure investment would cause him to change his mind about repealing net neutrality rules.