An investigation by the Federal Communication Commission’s own inspector general officially refutes controversial claims that a cyberattack was responsible for disrupting the FCC’s comment system in May 2017, at the height of the agency’s efforts to kill off net neutrality.
The investigation also uncovered that the FCC provided false information to members of Congress regarding advice provided (or not provided) by FBI to the FCC after the incident.
A report from the inspector general’s office (OIG) released Tuesday finds that the comment system issues were not caused by a cyberattack, as the FCC has alleged for over a year, but more likely by a combination of “system design issues” and a massive surge in legitimate traffic, which came after Last Week Tonight host John Oliver told millions of TV viewers to flood the FCC’s website with pro-net neutrality comments.
Investigators were unable to “substantiate the allegations of multiple DDoS attacks” alleged by then-FCC Chief Information Officer David Bray, the report says. “At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability.”
“While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the minuscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic.”
“Today’s IG report exposes FCC Chairman Ajit Pai’s general willingness to ignore logic and contradictory evidence when doing so supports his preconceived notions and political agenda,” Jessica J. González, Free Press deputy director and senior counsel, told Gizmodo. “In this case, the former chief information officer’s story was obviously flawed, but Pai and his office didn’t hesitate to pass along that story and dismiss its critics.”
The focus of the OIG investigation was initially centered on the allegations that the FCC was targeted by DDoS attacks, the report states. But it eventually shifted after OIG became concerned that three FCC officials may have broken the law by lying to members of Congress.
The matter was officially referred to the U.S. Justice Department in December, but after reviewing information and interviews related to the case, the U.S. Attorney’s Office in Washington declined to prosecute.
Among those interviewed by OIG is a security contractor who worked for the FCC and whose name is redacted. Described as someone who was “in a position to evaluate the traffic that caused the disruption,” the contractor provided detailed descriptions to investigators of the procedures for mitigating unanticipated traffic spikes, both real and malicious.
Asked if they believed the May 7 incident was caused by a burst of “flash traffic”—a traffic spike driven by “sudden popularity, extremely effective marketing or viral social media interest”—or multiple DDoS attacks as the FCC had alleged, the contractor said they believe that “the majority of the traffic observed during the incident” was the result of “flash traffic” and other volume issues resulting from system design flaws.
Asked how the FCC responded to the incident, the contractor said: “The FCC did not respond to the event internally in a manner consistent with the severity of the event as stated in the press release.”
FCC Management was aware The Last Week Tonight with John Oliver program was considering an episode on the Net Neutrality proceeding but did not share that information with the CIO or IT group.
The OIG report further describes an interview with two FBI employees, one a special agent and another who worked with the FBI cyber task force in Washington. Both appear to implicate the FCC in providing false information to members of Congress, specifically when describing what the FBI agents and FCC officials discussed after the incident.
In a letter to Senators Ron Wyden and Brian Schatz (signed by Pai and containing numerous responses to questions allegedly authored by Bray), the FCC said that the FBI had “agreed this was not a ‘significant cyber incident’ consistent with the definition contained in Presidential Policy Directive-41,” which codifies how federal agencies respond to cyber events. FCC mentioned PPD-41 to lawmakers as a way to explain why Homeland Security wasn’t contacted, as required, in the wake of a cyberattack.
The FBI employees, who said they had spoken to Leo Wong, FCC’s chief information security officer, said they could not confirm the accuracy of the FCC’s description of that conversation. The FBI does not categorize cyberattacks as “significant” or insignificant, the agents said, adding the bureau only cares whether a crime has been committed. What’s more, Presidential Policy Directive-41 was never brought up, they said.
The FBI did not “discuss criteria” regarding whether Homeland Security should be informed of the purported attack, the report states, and “certainly did not agreed” that any criteria had been met. OIG concludes the FBI interview by stating that, before FCC could in good faith declare a cyberattack occurred, “much work would have had to have been completed first, including a thorough analysis of the logs.”
After Gizmodo reported last summer that the FCC had no written analysis confirming a DDoS attack occurred, FCC spokesman Brian Hart issued a statement saying reports that the FCC lacked written documentation of the attack were “categorically false.” Hart further blasted as “inaccurate” and “misleading” articles that questioned whether the now-debunked cyberattack happened.
Tony Summerlin, an FCC strategic advisor, told the investigators that, at the time of the incident, he had argued extensively with Bray over the language used in the FCC’s press release disclosing the purported attack. In particular, Summerlin took issue with Bray announcing that “deliberate attempts by external actors” were responsible for bringing the comment system down.
FCC Chairman Ajit Pai sought to distance himself from any of the institutional failings described by the inspector general’s report ahead of its release on Monday, placing full blame at the feet of his former chief information officer and his subordinates. In a statement on Monday, Pai accused Bray of providing him with “inaccurate information” about the May 2017 incident, which Pai then personally relayed to members of Congress.
In a June 2017 letter, for example, Pai informed Wyden and Schatz that the FCC’s comment system had been disrupted by a “cyber-based attack.”
Accompanying the letter were responses to questions Wyden had sent the FCC about the incident. The answers, which Pai said at the time had prepared by Bray, described a “non-traditional DDoS attack” carried out by “automated bots” targeting the comment system’s API.
“From our analysis of the logs, we believe these automated bot programs appeared to be cloud based and not associated with IP addresses usually linked to individual human filers,” the FCC told Wyden. “We found that the bots initiated API requests with the system and then via their high-speed, resource intensive requests, effectively blocked or denied additional web traffic-human or otherwise-to the comment filing system.”
As they investigated the incident, however, the FCC inspector general’s office said it discovered the FCC “had not defined the event internally as a cyber security incident,” that the matter had not been referred to the Department of Homeland Security, and that “none of the documents required under the FCC’s Standard Operating Procedures (SOP) for Incident Response had been prepared.”
The OIG report concludes:
The May 7-8, 2016 degradation of the FCC’s ECFS was not, as reported to the public and to Congress, the result of a DDoS attack. At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability. Rather than engaging in a concerted effort to understand better the systematic reasons for the incident, certain managers and staff at the Commission mischaracterized the event to the Office of the Chairman as resulting from a criminal act, rather than apparent shortcomings in the system. While several in the Commission were on notice that “Last Week Tonight with John Oliver” was planning to air a segment that could generate a significant public response, that information did not reach the FCC IT group. Had such notice been provided, the IT group may have been able to take steps to ameliorate or prevent ECFS system degradation.
A statement issued to Gizmodo on Bray’s behalf by a friend said that Bray had not been contacted by the OIG. “There has not been any outreach to ask what he had seen, observed, or concluded during the events more than a year ago in May 2017,” the friend said.
Asked why Bray was not questioned by investigators, the FCC did not respond.
As Gizmodo first reported last year, Bray had previously leaked baseless claims that the FCC was struck by another cyberattack in 2014. He was also the first official at the agency to publicly claim the comment system had been attacked last May.
“This report shows that the American people were deceived by the FCC and Chairman Pai as they went about doing the bidding of Big Cable,” Sen. Wyden said in a statement late Tuesday. “It appears that maintaining a bogus story about a cyberattack was convenient cover to ignore the voices of millions of people who were fighting to protect a free and open internet.”
Wyden continued: “Americans face higher prices for streaming services and other content as a result of Chairman Pai’s repeal of net neutrality protections, and it’s going to sting even worse knowing they were lied to about it by their government. The fact that Chairman Pai and the FCC came clean only after their story was debunked by the inspector general is disappointing, but it’s sadly unsurprising in this administration.”
Read the complete Office of Inspector General report below:
Correction: A previous version of this article incorrectly identified Tony Summerlin as having previously served as the federal CIO. That was Tony Scott. We regret the error.