There’s no evidence that the Federal Communications Commission’s website was deliberately attacked when millions of people sought to post comments about the agency’s then-proposed rollback of net neutrality rules, according to an Inspector General report that alleges the agency misled members of Congress about what happened.
“The May 7-8, 2016 degradation of the FCC’s [Electronic Comment Filing System] was not, as reported to the public and to Congress, the result of a DDoS attack,” according to the report, which appears to incorrectly identify the year of the incident (it occurred last year).
“At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability. Rather than engaging in a concerted effort to understand better the systematic reasons for the incident, certain managers and staff at the Commission mischaracterized the event to the Office of the Chairman as resulting from a criminal act, rather than apparent shortcomings in the system.”
The FCC’s comments website became overwhelmed after comedian and HBO host John Oliver asked his viewers to submit comments in favor of net neutrality. The FCC initially blamed the downtime on a distributed denial of service attack, where devices deliberately overwhelm a site with spurious traffic so legitimate users can’t get through. FCC Chairman Ajit Pai has since blamed the issue on former FCC CIO David Bray, who reportedly first raised the alarm about the issue. Bray left the FCC the following month, and Pai has since pointed out that he was hired during the Obama presidency.
“With respect to the report’s findings, I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people,” Pai said in a statement. “This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.”
When contacted by Fast Company, a representative for People-Centered Internet, a San Francisco-based group where Bray now serves as executive director, said Bray had not been contacted by the OIG.
“Dr. Bray has not been contacted by the FCC IG and has not seen their reported findings,” the representative said. “There has not been any outreach to ask what he had seen, observed, or concluded during the events more than a year ago in May 2017.”
The OIG report found that there’s no evidence a DDoS attack caused the problem and found the FCC never internally handled the event as a cybersecurity issue. Internal emails made reference to the Oliver report, and a URL the show had set up to redirect viewers to the FCC comment page, as well as programming issues that made the load more intense.
“Our investigation did not substantiate the allegations of multiple DDoS attacks alleged by Bray,” according to the OIG report. “While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the miniscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic.”
The FCC also subsequently misled members of Congress about what happened, according to the report.
“As a result of our reviews and the findings articulated above, we determined the FCC, relying on Bray’s explanation of the events, misrepresented facts and provided misleading responses to Congressional inquiries related to this incident,” according to the report.
The OIG referred the alleged false statements to Washington federal prosecutors as a possible criminal matter, but on June 7 they declined to prosecute, according to the report.