An FCC working group will recommend by year-end the appropriate r...

letter. After several agencies suffered a distributed denial-of-service attack, Rockefeller wrote Genachowski in July for information about the FCC’s plans for responding to and mitigating cybersecurity incidents, how it tests its emergency recovery plans, how often it probes its systems for vulnerabilities and whether contractors provide assurances that their systems can’t be used for backdoor attacks. The commission released the exchange last week. In his response last month, Genachowski said most of the information comes from a September report by the FCC. He said the commission follows guidance from US-CERT and federal continuity of operations directives about responding to cybersecurity incidents and keeping operations going. It uses continuous scanning for vulnerabilities and uses NIST criteria to rank its vulnerabilities, Genachowski said. The FCC has made agreements to ensure that cybersecurity is dealt with in contracts and its interconnections with other agencies, he said. “With respect to cyber security issues that occur in the public communications networks, the FCC is much more limited in its ability to detect, monitor and analyze cyber attacks outside the FCC,” Genachowski said. It uses information reported publicly or by other government agencies to get information about the workings of IP-based networks, he said. The commission can grant temporary authorizations or exemptions to industry members to minimize attacks, but it doesn’t have procedures dealing with “purely cyber-based” attacks such as a denial-of-service, Genachowski said. The FCC is hiring a chief information security officer, he added.