387 RONWYDEN OREGON COMMITTEES: RANKING MEMBER OF COMMriTEE ON RNANCE tinitrd ~tatrs ~rnatr WASHINGTON, DC 20510-3703 COMMriTEE ON FlNANCE COMMriTEE ON BUDGET COMMriTEE ON ENERGY & NATURAL RESOURCES SELECT COMM!lTEE ON Ll'ITEWGENCE JOINT COMMnTEE ON TAXATION 221 DIRKSEN SENATE OFFICE BUILDING WASHINGTON, DC 20510 (202) 224- 5244 The Honorable Ajit Pai Chairman Federal Communications Commission 445 l21h Street, SW Washington, DC 20554 Dear Chairman Pai: May 9, 2017 According to your May 8 press release, you claim the Federal Communications Commission (FCC) has recently been the victim of"multiple distributed denial-of-service attacks (DDos)". DDoS attacks against federal agencies are serious-and doubly so if the attack may have prevented Americans from being able to weigh in on your proposal to roll back net neutrality protections. As you know, it is critical to the rulemaking and regulatory process that the public be able to take part without unnecessary technical or administrative burdens. A denial-of-service attack against the FCC's website can prevent the public from being able to contribute to this process and have their voices heard. Any potentially hostile cyber activities that prevent Americans from being able to participate in a fair and transparent process must be treated as a serious issue. As such, we ask you to keep Congress fully briefed as to your investigation. Please, by June 8, 2017 answer the following questions. In the meantime, please make available alternative ways for the public to comment; for example, a dedicated email account on the net neutrality proceeding as was done in 2014. 1. Please provide details as to the nature of the DDoS attacks, including when the attacks began, when they ended, the amount of malicious traffic your network received, and an estimate of the number of devices that were sending malicious traffic to the FCC. To the extent that the FCC already has evidence suggesting which actor(s) may have been responsible for the attacks, please provide that in your response. 2. Has the FCC sought assistance from other federal agencies in investigating and responding to these attacks? Which agencies have you sought assistance from? Have you received all of the help you have requested? 3. Several federal agencies utilize commercial services to protect their websites from DDoS attacks. Does the FCC use a commercial DDoS protection service? If not, why not? To 911 NE 11TH AVENUE SUITE 630 PORTLAND. OR 97232 (503) 326- 7 525 405 EAST 8TH AVE SUITE 2020 EUGENE, OR 97401 (541) 431-0229 SAC ANNEX BUILDING 105 FIRST SUITE 201 LA GRANDE, OR 97850 (541) 962-7691 U.S COURTHOUSE 310 WEST 6TH ST ROOM 118 MEDFORD, OR 97501 (541) 858-5122 HTTP:/ !WYDEN .SENATE. GOV PRINTED ON RECYCLED PAPER THE JAMISON BUILDING 131 NW HAWTHORNE AVE SUITE 107 BEND, OR 97701 (541) 330- 9142 707 13TH ST. SE SUITE 285 SAUEM, OR 97301 (503) 589-4555 the extent that the FCC utilizes commercial DDoS protection products, did these work as expected? If not, why not? 4. How many concurrent visitors is the FCC's website designed to be able to handle? Has the FCC performed stress testing of its own website to ensure that it can cope as intended? Has the FCC identified which elements of its website are performance bottlenecks that limit the number of maximum concurrent visitors? Has the FCC sought to mitigate these bottlenecks? If not, why not? 5. Did the DDoS attacks prevent the public from being able to submit comments through the FCC's website? If so, do you have an estimate of how many individuals were unable to access the FCC website or submit comments during the attacks? Were any comments lost or otherwise affected? 6. Will commenters who successfully submitted a comment-but did not receive a response, as your press release indicates-receive a response once your staff have addressed the DDoS and related technical issues? 7. Does the FCC have all of the resources and expertise it needs in order to combat attacks like those that occurred on May 8? Sincerely. United States Senator k~ _f..k~ BRIAN SCHATZ United States Senator