It’s been over a year since Ajit Pai and the Federal Communications Commission claimed that the agency’s comment filing system was subjected to a cyberattack during the height of last year’s net neutrality debate. But after waves of speculation from both the public and Congress, the commission has finally come clean. According to a report published by the agency’s inspector general yesterday, there was no distributed denial of service (DDoS) attack, and this relaying of false information to Congress prompted a deeper investigation into whether senior officials at the FCC had broken the law.
On May 7th of last year, comedian John Oliver ran a segment on his show, Last Week Tonight, prompting viewers to leave pro-net neutrality comments on the commission’s “Restoring Internet Freedom” proceeding. The proceeding, which was eventually approved in December, rolled back the former administration’s rules codifying core net neutrality principles like banning service providers from throttling user internet speeds and blocking lawful online content. Oliver directed people both watching his show and following him on Twitter to flood the FCC’s website with the use of memorable links like gofccyourself.com and justtellmeifimrelatedtoanazi.com. That night, the FCC’s filing system crashed.
By the following morning, senior officials at the commission concluded that “some external folks attempted to send high traffic in an attempt to tie-up the server,” according to emails uncovered by the inspector general. The suggestion was that rather than being shut down by a surge of valid complaints, the site was flooded by fabricated traffic. The assertion came from former chief information officer David Bray. And despite several people disputing his unsubstantiated conclusion in email chains, the DDoS theory was passed on to commissioners, like Pai, who told members of Congress that what happened that evening was “classified as a non-traditional DDoS attack.”
Even if the suggestion that the shutdown was tied to a DDoS attack was made in good faith, the commission should have known better. The FCC knew Oliver planned to run a net neutrality segment on his show. The report recounts a producer of Last Week Tonight reaching out to give the agency a “heads up” days prior to running the episode. This email had been forwarded to the FCC’s chief of staff Matthew Berry, and after discussions with other employees, the agency decided not to respond.
The report does mention that neither Bray nor IT had been notified of the episode prior to it airing, but in email correspondence with other FCC officials, Bray is asked to consider whether the shutdown was the result of Oliver’s program. The commission also knew that Oliver’s show had the power to move enough viewers to crash its system. Just three years prior, Oliver ran a similar segment that media reports said may have shut down the site as well.
In the days following the 2017 FCC event, members of Congress began to question whether there had been a DDoS attack. In a letter to Pai, Sens. Ron Wyden (D-OR) and Brian Schatz (D-HI) asked a variety of detailed questions in an attempt to get both the agency’s timeline and story straight. On June 15th, Congress received answers, but the inspector general determined that much of what Pai said was untrue. The report states that “in its response to the Wyden-Schatz letter, the FCC made several specific statements that we believe misrepresent facts about the event or provide misleading information.” It was determined that the commission misled Congress when it came to the nature of the alleged attack, the time it occurred, and, most prominently, the agency’s conversations with the FBI following the event.
In his response, Pai told the congressmen that Bray had been directed to consult with the FBI. And after discussing the alleged DDoS attack, it was determined that it didn’t “rise to the level of a major incident that would trigger further FBI involvement.” But after conversations with the agent who spoke with Bray, the inspector general determined that the bureau never classifies cyberattacks as “major” or not and that the only purpose of those conversations is to determine whether a crime was committed. The IG report also notes that at the time of Bray’s conversation with the FBI, the commission hadn’t completed enough analysis for the event to even be considered a DDoS under bureau standards.
And that evidence never came. “We learned very quickly there was no analysis supporting the conclusion” that it was a DDoS attack, the report said. That’s when the focus of the OIG investigation pivoted from the alleged cyberattack to the FCC officials and how they may have broken the law by providing false information to Congress. It wasn’t until December that the Justice Department was asked to handle the case. After reviewing the information provided by the OIG, the law enforcement body decided not to prosecute. The DOJ declined to comment on the matter.
Pai responded to the report on Monday, a day before it was released to the public, by passing the buck onto chief information officer Bray and the former administration:
I’m pleased that this report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes. . . It has become clear that in addition to a flawed comment system, we inherited from the prior Administration a culture in which many members of the Commission’s career IT staff were hesitant to express disagreement with the Commission’s former CIO in front of FCC management.
After the Office of the Inspector General report was first released, members of Congress and advocacy organizations condemned the commission and Ajit Pai for not correcting the false information sooner. Rep. Mike Doyle (D-PA), who signed a letter probing the agency for answers early on in the investigation, penned a tweet stating, “This is unacceptable behavior from a federal agency, and unbecoming behavior from its leadership.”
In Pai’s defense, he does note that he was asked by the Office of the Inspector General to refrain from talking about the investigation while it was still underway. At the House Energy and Commerce oversight hearing of the agency last month, Pai deflected inquiries from lawmakers regarding the event, citing the ongoing investigation.
The toughest condemnation of Pai’s actions came from Fight for the Future, a net neutrality advocacy organization, which called for Pai to step down. “Ajit Pai should resign. These new revelations from the FCC’s internal investigation are a smoking gun,” the group said in a statement. “They clearly show that the FCC chairman knew months ago that there had never been a cyber attack on the FCC’s comment system, but did nothing, allowing the false narrative to spread in a cynical attempt to downplay the overwhelming opposition to his attack on net neutrality.”
The release of the IG report also provides significant ammo for senators on the Commerce, Science, and Transportation Committee to press commissioners at its FCC oversight hearing next week. Sen. Schatz, who sent out the initial letter to the agency alongside Wyden, sits on the committee and is an outspoken critic of the commission and its move to reverse net neutrality last winter.
Update August 8th, 6:25PM ET: The Justice Department declined to comment on the FCC providing false information to Congress.