As it wrestled with accusations about a fake cyberattack last spring, the Federal Communications Commission (FCC) purposely misled several news organizations, choosing to feed journalists false information, while at the same time discouraging them from challenging the agency’s official story.
Internal emails reviewed by Gizmodo lay bare the agency’s efforts to counter rife speculation that senior officials manufactured a cyberattack, allegedly to explain away technical problems plaguing the FCC’s comment system amid its high-profile collection of public comments on a controversial and since-passed proposal to overturn federal net neutrality rules.
The FCC has been unwilling or unable to produce any evidence an attack occurred—not to the reporters who’ve requested and even sued over it, and not to U.S. lawmakers who’ve demanded to see it. Instead, the agency conducted a quiet campaign to bolster its cyberattack story with the aid of friendly and easily duped reporters, chiefly by spreading word of an earlier cyberattack that its own security staff say never happened.
The FCC’s system was overwhelmed on the night of May 7, 2017, after comedian John Oliver, host of HBO’s Last Week Tonight, directed his audience to flood the agency with comments supporting net neutrality. In the immediate aftermath, the agency claimed the comment system had been deliberately impaired due to a series of distributed denial-of-service attacks (DDoS). Net neutrality supporters, however, accused the agency of fabricating the attack to absolve itself from failing to keep the system online.
The system similarly crashed after Oliver ordered his viewers to the FCC website in 2014. The FCC, at the time led by Democrat Tom Wheeler, determined that the comment system had been affected by a surge of internet traffic. The issue was compounded, sources told Gizmodo, by a weakness in the system’s out-of-date software.
Importantly, the agency never blamed a malicious attack for the system’s downtime in 2014—not in any official statement.
But in May 2017, under the Trump-appointed chairman, Ajit Pai, at least two FCC officials quietly pushed a fallacious account of the 2014 incident, attempting to persuade reporters that the comment system had long been the target of DDoS attacks. “There *was* a DDoS event right after the [John Oliver] video in 2014,” one official told reporters at FedScoop, according to emails reviewed by Gizmodo.
David Bray, who served as the FCC’s chief information officer from 2013 until June 2017, assured reporters in a series of off-the-record exchanges that a DDoS attack had occurred three years earlier. More shocking, however, is that Bray claimed Wheeler, the former FCC chairman, had covered it up.
According to emails from Bray to reporters, Wheeler was concerned that if the FCC publicly admitted there was an attack, it would likely incite “copycats.”
“That’s just flat out false,” said Gigi Sohn, former counselor to Chairman Wheeler. “We didn’t want to say it because Bray had no hard proof that it was a DDoS attack. Just like the second time.”
Bray’s exchanges with reporters, which took place via email, were obtained by American Oversight, a watchdog group, under the Freedom of Information Act (FOIA). Gizmodo reviewed the more than 1,300 pages of records last week.
The FCC has not responded to requests for comment.
In August, Gizmodo revealed that Bray had been the anonymous source behind reports that the FCC had been “hacked” in 2014. Multiple FCC sources—including a security contractor who worked on the comment system at the time—confirmed that no evidence was ever found showing a malicious attack caused the system’s downtime during Oliver’s show.
Multiple sources said that Bray, the senior official responsible for maintaining the comment system, had alone pushed the cyberattack narrative internally. When he was unable to produce proof, they said, he reached out to a reporter. After requesting anonymity, Bray contradicted the agency’s official story, claiming an attack was responsible. The conflicting accounts led to confusion in the press over whether Oliver’s call to action was actually responsible for the FCC’s technical failures.
“The security team was in agreement that this event was not an attack,” a former FCC security contractor told Gizmodo of the 2014 outage. “The security team produced no report suggesting it was an attack. The security team could not identify any records or evidence to indicate this type of attack occurred as described by Bray.” The contractor’s statements were supported by Sohn and confirmed by two other sources with knowledge of the matter who asked not to be named or quoted.
“I have seen no evidence of a DDoS attack on the FCC comment system,” FCC Commissioner Jessica Rosenworcel told Gizmodo. “But I did see millions of Americans write in to the FCC to stop its misguided effort to roll back net neutrality. It’s time for the agency to own up to what really happened.”
Bray is not the only FCC official last year to push dubious accounts to reporters. Mark Wigfield, the FCC’s deputy director of media relations, told Politico: “there were similar DDoS attacks back in 2014 right after the Jon Oliver [sic] episode.” According to emails between Bray and FedScoop, the FCC’s Office of Media Relations likewise fed cooked-up details about an unverified cyberattack to the Wall Street Journal.
The Journal apparently swallowed the FCC’s revised history of the incident, reporting that the agency “also revealed that the 2014 show had been followed by DDoS attacks too,” as if it were a fact that had been concealed for several years. After it was published, the Journal’s article, authored by tech reporter John McKinnon, was forwarded by Bray to reporters at other outlets and portrayed as a factual telling of events. Bray also emailed the story to several private citizens who had contacted the FCC with questions and concerns about the comment system’s issues.
In doing so, the FCC was apparently using the Journal as a way to bolster its own unsubstantiated claims, which the agency’s security staff, and its former leadership, had internally dismissed.
In several emails, the FCC encouraged journalists to compare the 2017 incident to a DDoS attack on the Pokémon Go mobile game a year before. Michael Krigsman, a columnist for ZDNet, took the bait, despite the FCC continuing to withholding any proof an attack occurred. Krigsman wrote, unqualifiedly: “It’s similar to the distributed denial of service attack on Pokemon Go in July 2016.”
(In later exchanges with Bray, Krigsman turned on one of his own colleagues, who had published a story about the FCC’s refusal to release proof there was an attack. In one email, Krigsman encouraged the FCC to demand a correction for the story, while instructing Bray to complain to his colleague’s boss. Amazingly, Krigsman then encouraged the FCC to publicly admonish his own publication.)
Krigsman’s own flattering piece about Bray was, like the Journal’s report, circulated to security reporters and described as a “good article that does get the technical facts correct on what happened.”
Bray’s claim that Wheeler knew that DDoS attacks had occurred, but withheld it from the public “out of concern of copycats,” is an allegation that has never been made publicly. It is also refuted by numerous former and current FCC officials with whom Gizmodo spoke recently and over the past year.
Wheeler declined our request to comment.
Bray’s claim about Wheeler also appears in a draft copy of a blog post written by Bray on Chairman Pai’s behalf. It appears to have never been published online. One line from the draft reads: “This happened in 2014, though at the time we chose not to talk about the automated programs denying service to the commenting system since we didn’t want to invite copycats.”
As with Bray’s claim about a 2014 attack, the FCC has repeatedly failed to present any evidence that its servers—which, unlike in 2014, now reside on a cloud infrastructure—were bombarded by malicious traffic following Oliver’s net neutrality segment last year. However, in response to inquiries from Senators Ron Wyden and Brian Schatz last year, the FCC stated that the disruption was caused by what it called “a non-traditional DDoS attack.” (Bray was also the first official to claim a DDoS attack occurred in May 2017.)
The agency said it detected “patterns of disruptions that show abnormal behavior outside the scope of a lobbying surge,” which it said included an “extremely high level of atypical cloud-based traffic” directed toward the comment system’s API interface. “From our analysis of the logs, we believe these automated bot programs appeared to be cloud-based and not associated with IP addresses usually linked to individual human filers,” the agency said.
The FCC has refused to release any documentation showing an investigation into the comment system’s downtime occurred. According to the FCC, the FBI declined to investigate the matter, saying it “did not appear to rise to the level of a major incident that would trigger further FBI involvement.” The FBI declined to confirm or deny any contact with the FCC about the issue.
The fact that an investigation at the FCC would have been carried out by an official who had earlier refused to accept the formal findings of the FCC’s own security professionals, and then anonymously leaked claims contradicting them, only further casts suspicion on the FCC’s story.
Last July, the agency refused to release more than 200 pages of documents related to the incident in response to a FOIA request filed by Gizmodo. In a formal letter, the agency claimed that while its IT staff had observed a cyberattack taking place, those observations “did not result in written documentation.” A federal watchdog investigation, which is ongoing, followed in October.
In the more than 1,300 emails released to American Oversight last month, the FCC redacted every internal conversation about the 2017 incident between FCC employees, citing either attorney-client communications or deliberative process privilege. (The FOIA exemption appears to be very liberally applied, as it is typically reserved for discussions in which “governmental decisions and policies are formulated.”)
The agency also redacted every discussion between staff last year regarding how to respond to inquiries about the incident from U.S. senators; all internal discussions about how to respond to members of the press; as well as an internal newsletter from the day after the agency claims it was attacked.
Demonstrating how overeager the agency is to redact emails from public records, its attorneys also redacted a year-old Politico newsletter in full:
In addition to being acquired by American Oversight, the records were produced in a lawsuit brought by BuzzFeed reporter Kevin Collier, who told Gizmodo that he intends to challenge the redactions in court. (Collier is represented pro bono by New York attorney Dan Novack, who also represents Gizmodo in an ongoing case against the FBI.)
“Some of these messages are probably correctly redacted, but avoiding potential embarrassment is not a legitimate reason for the government to conceal an email,” Austin Evers, American Oversight’s executive director, said. “We were skeptical of the FCC’s explanations about its online comment system issues last May, and it’s clear that we still don’t have the full story about what happened.”
Read the full collection of FCC emails below.
Got a tip about the FCC? Contact the reporter: firstname.lastname@example.org
Update, 11:30am: Added a comment from FCC Commissioner Jessica Rosenworcel to the story.
Update, 4:10pm: Bray has responded to this report in a Medium post here.
Update, 8/7/2017: The FCC Office of the Inspector General (OIG) concluded through investigation that there was no cyberattack against the FCC’s comment system in May 2017.
“The May 7-8, 2016 degradation of the FCC’s ECFS was not, as reported to the public and to Congress, the result of a DDoS attack,” the OIG report states. “At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability.”