On Tuesday, the Federal Communication Commission’s inspector general released the results of an investigation concluding that its electronic commenting system most likely did not shut down due to a cyberattack, contrary to the agency’s previous claims. For the past year, the FCC has been asserting that multiple distributed-denial-of-service (DDoS) attacks were responsible for the system’s two-day outage in the run-up to the commission’s repeal of net neutrality, an explanation that many open internet activists found unconvincing. The inspector general’s report substantiates those suspicions:
While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the miniscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic.
Instead, investigators concluded that the comment system was probably unable to withstand the influx of comments that stemmed from John Oliver’s Last Week Tonight segment on net neutrality, in which the comedian urged viewers to take to the FCC’s website to express their opposition to the repeal. The inspector general’s analysis found that the “spikes in web traffic coinciding exactly with the timing of: (1) the release of information during the Oliver’s episode; (2) the release of the episode on The Last Week Tonight with John Oliver YouTube channel; and (3) tweets about that release.”
The report also suggests that lack of communication may have contributed to the outage. One of its findings reads, “FCC Management was aware The Last Week Tonight with John Oliver program was considering an episode on the Net Neutrality proceeding but did not share that information with the CIO or IT group.” Investigators uncovered emails from a Last Week Tonight producer notifying the FCC management of the segment, along with emails containing a Politico article about the upcoming segment. Yet they found no conclusive evidence that management had alerted IT to prepare. This would be Oliver’s second segment on net neutrality; he had previously done one in 2014, which also resulted in an overload of the FCC’s comment system. A witness told investigators that the FCC’s former chief information officer, David Bray, was “furious” that he had not been notified about the segment.
FCC chairman Ajit Pai had preempted the release of Wednesday’s report by issuing statement on Tuesday in which he blamed Bray. Pai said, “I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people.” Pai continued to deflect blame in the comments he submitted for the report, blaming not only Bray, but also FCC strategic advisor Tony Summerlin and deputy CIO Christine Calvosa for not mentioning that they disagreed with the DDoS theory during a meeting in 2017.
As TechCrunch points out, it is true that Bray was the first to suggest that a cyberattack felled the system, yet Pai’s FCC has continued to assert this erroneous claim even after Bray left and in the face of skepticism from former FCC officials and Congress. Pai’s FCC additionally refused to provide evidence that an attack occurred when Gizmodo filed a Freedom of Information Act request. The inspector general’s report further suggests that Pai incorrectly informed Sens. Ron Wyden and Brian Schatz in a letter that the FBI had concluded that the outage was not a “significant cyber incident.” The investigators write that FBI agents did not corroborate Pai’s claim.
FCC commissioner Jessica Rosenworcel, currently its sole Democrat, also tweeted out her reaction to the investigation: