
An investigation by the Federal Communications Commission’s own inspector general officially refutes controversial claims that a cyberattack was responsible for disrupting the FCC’s comment system in May 2017, at the height of the agency’s efforts to kill off net neutrality.
The investigation also uncovered that the FCC provided false information to members of Congress regarding advice provided (or not provided) by the FBI to the FCC after the incident.
A report from the inspector general’s office (OIG) released Tuesday finds that the comment system issues were not caused by a cyberattack, as the FCC has alleged for over a year, but more likely by a combination of “system design issues” and a massive surge in legitimate traffic, which came after Last Week Tonight host John Oliver told millions of TV viewers to flood the FCC’s website with pro-net neutrality comments.
Investigators were unable to “substantiate the allegations of multiple DDoS attacks” alleged by then-FCC Chief Information Officer David Bray, the report says. “At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability.”
It continues:
“While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the minuscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic.”
“Today’s IG report exposes FCC Chairman Ajit Pai’s general willingness to ignore logic and contradictory evidence when doing so supports his preconceived notions and political agenda,” Jessica J. González, Free Press deputy director and senior counsel, told Gizmodo. “In this case, the former chief information officer’s story was obviously flawed, but Pai and his office didn’t hesitate to pass along that story and dismiss its critics.”
The focus of the OIG investigation was initially centered on the allegations that the FCC was targeted by DDoS attacks, the report states. But it eventually shifted after OIG became concerned that three FCC officials may have broken the law by lying to members of Congress.
The matter was officially referred to the U.S. Justice Department in December, but after reviewing information and interviews related to the case, the U.S. Attorney’s Office in Washington declined to prosecute.
Among those interviewed by OIG is a security contractor who worked for the FCC and whose name is redacted. Described as someone who was “in a position to evaluate the traffic that caused the disruption,” the contractor provided detailed descriptions to investigators of the procedures for mitigating unanticipated traffic spikes, both real and malicious.
Asked if they believed the May 7 incident was caused by a burst of “flash traffic” (a traffic spike driven by “sudden popularity, extremely effective marketing or viral social media interest”) or multiple DDoS attacks as the FCC had alleged, the contractor said they believe that “the majority of the traffic observed during the incident” was the result of “flash traffic” and other volume issues resulting from system design flaws.
Asked how the FCC responded to the incident, the contractor said: “The FCC did not respond to the event internally in a manner consistent with the severity of the event as stated in the press release.”
They added:
FCC Management was aware The Last Week Tonight with John Oliver program was considering an episode on the Net Neutrality proceeding but did not share that information with the CIO or IT group.
The OIG report further describes an interview with two FBI employees, one a special agent and another who worked with the FBI cyber task force in Washington. Both appear to implicate the FCC in providing false information to members of Congress, specifically when describing what the FBI agents and FCC officials discussed after the incident.
In a letter to Senators Ron Wyden and Brian Schatz (signed by Pai and containing numerous responses to questions allegedly authored by Bray), the FCC said that the FBI had “agreed this was not a ‘significant cyber incident’ consistent with the definition contained in Presidential Policy Directive-41,” which codifies how federal agencies respond to cyber events. FCC mentioned PPD-41 to lawmakers as a way to explain why Homeland Security wasn’t contacted, as required, in the wake of a cyberattack.
The FBI employees, who said they had spoken to Leo Wong, FCC’s chief information security officer, said they could not confirm the accuracy of the FCC’s description of that conversation. The FBI does not categorize cyberattacks as “significant” or insignificant, the agents said, adding the bureau only cares whether a crime has been committed. What’s more, Presidential Policy Directive-41 was never brought up, they said.
The FBI did not “discuss criteria” regarding whether Homeland Security should be informed of the purported attack, the report states, and “certainly did not agree” that any criteria had been met. OIG concludes the FBI interview by stating that, before FCC could in good faith declare a cyberattack occurred, “much work would have had to have been completed first, including a thorough analysis of the logs.”
After Gizmodo reported last summer that the FCC had no written analysis confirming a DDoS attack occurred, FCC spokesman Brian Hart issued a statement saying reports that the FCC lacked written documentation of the attack were “categorically false.” Hart further blasted as “inaccurate” and “misleading” articles that questioned whether the now-debunked cyberattack happened.
Tony Summerlin, an FCC strategic advisor, told the investigators that, at the time of the incident, he had argued extensively with Bray over the language used in the FCC’s press release disclosing the purported attack. In particular, Summerlin took issue with Bray announcing that “deliberate attempts by external actors” were responsible for bringing the comment system down.
FCC Chairman Ajit Pai sought to distance himself from any of the institutional failings described by the inspector general’s report ahead of its release on Monday, placing full blame at the feet of his former chief information officer and his subordinates. In a statement on Monday, Pai accused Bray of providing him with “inaccurate information” about the May 2017 incident, which Pai then personally relayed to members of Congress.
In a June 2017 letter, for example, Pai informed Wyden and Schatz that the FCC’s comment system had been disrupted by a “cyber-based attack.”
Accompanying the letter were responses to questions Wyden had sent the FCC about the incident. The answers, which Pai said at the time had been prepared by Bray, described a “non-traditional DDoS attack” carried out by “automated bots” targeting the comment system’s API.
“From our analysis of the logs, we believe these automated bot programs appeared to be cloud based and not associated with IP addresses usually linked to individual human filers,” the FCC told Wyden. “We found that the bots initiated API requests with the system and then via their high-speed, resource intensive requests, effectively blocked or denied additional web traffic-human or otherwise-to the comment filing system.”
As they investigated the incident, however, the FCC inspector general’s office said it discovered the FCC “had not defined the event internally as a cyber security incident,” that the matter had not been referred to the Department of Homeland Security, and that “none of the documents required under the FCC’s Standard Operating Procedures (SOP) for Incident Response had been prepared.”
The OIG report concludes:
The May 7-8, 2016 degradation of the FCC’s ECFS was not, as reported to the public and to Congress, the result of a DDoS attack. At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability. Rather than engaging in a concerted effort to understand better the systematic reasons for the incident, certain managers and staff at the Commission mischaracterized the event to the Office of the Chairman as resulting from a criminal act, rather than apparent shortcomings in the system. While several in the Commission were on notice that “Last Week Tonight with John Oliver” was planning to air a segment that could generate a significant public response, that information did not reach the FCC IT group. Had such notice been provided, the IT group may have been able to take steps to ameliorate or prevent ECFS system degradation.
A statement issued to Gizmodo on Bray’s behalf by a friend said that Bray had not been contacted by the OIG. “There has not been any outreach to ask what he had seen, observed, or concluded during the events more than a year ago in May 2017,” the friend said.
Asked why Bray was not questioned by investigators, the FCC did not respond.
As Gizmodo first reported last year, Bray had previously leaked baseless claims that the FCC was struck by another cyberattack in 2014. He was also the first official at the agency to publicly claim the comment system had been attacked last May.
“This report shows that the American people were deceived by the FCC and Chairman Pai as they went about doing the bidding of Big Cable,” Sen. Wyden said in a statement late Tuesday. “It appears that maintaining a bogus story about a cyberattack was convenient cover to ignore the voices of millions of people who were fighting to protect a free and open internet.”
Wyden continued: “Americans face higher prices for streaming services and other content as a result of Chairman Pai’s repeal of net neutrality protections, and it’s going to sting even worse knowing they were lied to about it by their government. The fact that Chairman Pai and the FCC came clean only after their story was debunked by the inspector general is disappointing, but it’s sadly unsurprising in this administration.”
Correction: A previous version of this article incorrectly identified Tony Summerlin as having previously served as the federal CIO. That was Tony Scott. We regret the error.