On Thursday, the Federal Communications Commission fired back against negative coverage of its response to a public records request filed by Gizmodo in May.
“Media reports claiming that the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system are categorically false,” FCC spokesman Brian Hart said in a press release.
Hart’s statements were circulated to reporters shortly after Gizmodo reached out to the agency regarding unpublished comments by Senator Ron Wyden, who, in an email, had expressed disapproval over the agency’s handling of the alleged cyberattacks that overwhelmed its public comment website this spring. The FCC website faced a barrage of traffic on May 8 after comedian John Oliver, host of HBO’s Last Week Tonight, asked his viewers to submit comments to the agency in support of Obama-era rules enforcing net neutrality. The regulations make it illegal for ISPs to block or slow traffic to certain websites and services.
In his statement, Hart blasted what he called “inaccurate” and “misleading reports” about the alleged cyberattack.
On Wednesday, Gizmodo reported the agency’s refusal to release more than 200 pages of documents related to said attack in response to a Freedom of Information Act (FOIA) request. Further, the FCC stated that it had no records related to an analysis being performed on its systems during the attack, seemingly contradicting previous remarks from one of its staff the following day.
Despite Hart’s statement Thursday, Gizmodo’s report did not claim that the FCC “lacks written documentation” of the attack—only that the FCC had stated, in writing, that it held no records of any kind related to the so-called “analysis” cited by its official in the immediate aftermath of the incident.
According to a letter later written by FCC Chairman Ajit Pai, the “peak activity triggering the comment system’s unavailability” began on May 7, at around 11pm ET. On May 8, at about 2pm, the agency published a statement in which Chief Information Officer Dr. David Bray said, “Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDoS).” (Emphasis ours)
On May 22nd, Gizmodo filed its FOIA request, a section of which sought out copies of “any records related to the FCC ‘analysis’ (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place.” In a letter on Wednesday, the agency responded: “IT staff have confirmed there are no records responsive to this portion of the request. The analysis referred to stemmed from real time observation and feedback by Commission IT staff and did not result in written documentation.”
Taken at its word, the FCC’s statement means that for a period of about 15 hours, no one in the agency’s IT department wrote a single email or memo, nor did they take down any notes of any kind about the cyberattack that, according to Chairman Pai, caused a malicious 3000-percent increase in network traffic. “The result,” he said, “was that new human users were blocked from visiting the comment filing system.”
Gizmodo did not simply request a copy of the “analysis” referenced by Dr. Bray, however; citing the federal law, it had asked the agency to turn over any records even “related to” the analysis of which Bray spoke. In its statement on Thursday, FCC spokesman Brian Hart said, “Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing.”
Presumably, this “subsequent analysis” is in someway “related to” information that the agency’s employees would have gleaned while being otherwise too engrossed in cyberwarfare to jot anything down.
Prior to the statement by FCC’s Hart on Thursday afternoon, Senator Ron Wyden had stated in an email that the agency’s response to Gizmodo’s FOIA request raised “legitimate questions about whether the agency is being truthful when it claims a DDoS attack knocked its commenting system offline.” The Oregon senator said it was critical that the agency produce evidence of the attack, if only so independent experts could verify and learn something from it.
He continued: “If the FCC did suffer a DDoS attack and yet created no written materials about it, that would be deeply irresponsible and cast doubt on how the FCC could possibly prevent future attacks. On the other hand, if FCC is playing word games to avoid responding to FOIA requests, it would clearly violate Chairman Ajit Pai’s pledge to increase transparency at the FCC.”
So as not to mislead or confuse the FCC, Gizmodo elaborated at some length about what it meant when it said it was requesting “records” related to the attack:
“Gizmodo seeks all responsive records regardless of format, medium, or physical characteristics. In conducting your search, please understand the terms ‘records,’ ‘communications,’ and ‘documents’ in their broadest sense, to include any written, typed, recorded, graphic, printed, or audio material of any kind. We seek records of any kind, including electronic records, audiotapes, videotapes, and photographs, as well as letters, emails, facsimiles, telephone messages, voice mail messages and transcripts, notes, or minutes of any meetings, telephone conversations or discussions. Our request includes any attachments to these records. No category of material should be omitted from search, collection, and production.”
What’s more, the records related to Bray’s so-called “analysis” were only one of six categories of material sought. The request further included any agency emails referencing “DDoS,” “astroturfing,” “spam,” and “net neutrality,” in addition to any related calendar entries, visitor logs, meeting minutes, orders, memoranda, or written views concerning the FCC’s comment system. Also requested were all records related to a May 9th letter authored by Senators Wyden and Brian Schatz regarding the attack.
Yet, somehow the FCC could not produce a single document from the day the cyberattack is said to have occurred. It released one email from a reporter asking for a comment about Schatz and Wyden’s letter. Another short one concerning the same letter between two FCC staffers was entirely redacted, because its disclosure would, the agency said, expose its “decision making process in such a way as to discourage candid discussion within the agency and thereby undermine the agency’s ability to perform its functions.”
(The FCC believes that the public would react poorly if details emerged about how it planned to respond to the senator’s questions.)
The FCC’s refusal to produce records of any true relevance reflects pressure from the agency’s upper echelon to limit the disclosure of information about the incident to a handful of public statements. Its justifications for concealing more than 200 pages of responsive FOIA records run the gamut of the federal statute’s permitted exemptions: many of the documents are said to contain either “trade secrets” or “privileged and confidential” information. Others were withheld because doing otherwise, the FCC asserted, might reveal “discussion of the Commission’s IT infrastructure and countermeasures.” Although the law requires the agency’s attorneys to review each document individually, and only redact the portions of the text that truly deserve to be withheld, more than 92 percent of the documents it identified as relevant to the attack were withheld from the public in full.
It would be hard for a government agency to do more to give off the impression that it was engaged in a cover up. That’s troubling given the rise of questions over the FCC’s integrity.
In fact, reports emerging in the wake of the cyberattack suggest that the FCC public comment system is already wholly compromised. Spambots are said to have inundated the website with fake letters, according to multiple sources. Hundreds of thousands of identical messages can be viewed there—some containing the names and addresses of Americans who, when contacted by reporters, have claimed that their identities must’ve been stolen. Even opponents of net neutrality, who enjoy the support of Chairman Pai, admit that the system is “unmanageable and meaningless.”
Earlier this month, one conservative group claimed that hundreds of thousands of recent comments were all submitted using the same address in Russia.
When approached by reporters and asked if the FCC intends to filter out the slew of blatantly counterfeit comments—many reportedly penned by the likes of “Wonder Woman” and “Joseph Stalin”—both Chairman Pai and his spokesperson tellingly refused to provide an answer straight up. “Generally speaking, this agency has erred on the side of openness,” said Pai, expressing an eager acceptance of the charade that has become the agency’s rulemaking process. Americans hoping to have an impact on the net neutrality debate might be better off tossing their comments down the nearest wishing well.
“Today, we begin the process of making the FCC more open and transparent,” Pai told reporters earlier this year. Yet, this week the FCC rejected a separate public records request filed by the National Hispanic Media Coalition (NHMC), which sought the text of more than 47,000 complaints filed by Americans against internet service providers for potentially violating net neutrality rules. NHMC has argued that the complaints may be crucial to understanding what effect rolling back net neutrality may have on consumers. The FCC, which has argued that the request is “unreasonably burdensome” on its staff, agreed to release 1,000 complaints; however, the documents only showed the provider’s response and how the issue was resolved.
“It should give the public pause,” the group said, “that the agency with exclusive control over regulating internet service providers refuses to share such information with the public.”
On Tuesday, the Trump White House formally endorsed Pai’s plans to rollback net neutrality, which critics say will result in internet providers like Verizon and Comcast curtailing their customers’ access to certain websites and services—concerns which Pai has openly criticized as “hysterical prophecies of doom.”
Regardless, those are the genuine fears of some of the internet’s biggest companies, all steadfast supporters of net neutrality—Apple, Google, Amazon, Microsoft, Facebook, Twitter, Netflix, and many others among them.
Update, 8/7/2018: The FCC Office of the Inspector General (OIG) concluded through investigation that there was no cyberattack against the FCC’s comment system in May 2017.
“The May 7-8, 2016 degradation of the FCC’s ECFS was not, as reported to the public and to Congress, the result of a DDoS attack,” the OIG report states. “At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability.”