An investigation by the FCC’s Office of Inspector General found that the FCC made a number of false statements in a May 2017 press release and in responses to congressional requests for additional information about delays experienced by users of the FCC’s electronic comment filing system (ECFS) on May 7 and 8, 2017.
The investigation “did not substantiate the allegations” made in May 2017 by then FCC Chief Information Officer David Bray that the ECFS had suffered delays as a result of multiple DDoS (distributed denial of service) attacks, according to the report on the OIG investigation released today.
Instead, report concluded that “[t]he degradation of ECFS system availability was likely the result of a combination of: (1) ‘flash crowd’ activity resulting from the Last Week Tonight with John Oliver episode that aired on May 7, 2017 through the links provided by that program for filing comments in the proceeding; and (2) high volume traffic resulting from system design issues.”
The ECFS usage delay occurred in the wake of a May 7, 2017, broadcast in which Mr. Oliver encouraged viewers to file comments in the FCC’s restoring Internet freedom (RIF) proceeding. Within a half hour of the broadcast, ECFS “experienced a significant increase in the level of traffic attempting to access the system, resulting in the disruption of system availability,” the public version of the OIG report said, with traffic to the system increasing more than 3,000% between May 7 and May 8.
The FCC issued a press release on May 8 with a statement by Mr. Bray saying that analysis revealed that the FCC had been the subject of multiple DDoS attacks.
“While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the miniscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic. In order to assess incoming traffic as a DDoS, we need to identify coordination and intent. Coordination is a key requirement in a DDoS; coordination can occur via a single command and control computer (in the case of a botnet) or preplanned actions from a group online. Evidence of coordination in a DDoS may include identical requests, identical user-agents, or large waves of simultaneous activity. We found no evidence of such coordination. During our discussion with FBI SA [name redacted] on May 15, 2017, we specifically asked if the FBI was aware of any intelligence suggesting there was a coordinated attack, and we were advised the FBI had no such intelligence,” the OIG report said.
In response to a letter from Sens. Ron Wyden (D., Ore.) and Brian Schatz (D., Hawaii) last year, the FCC had said that it had “determined that this disruption is best classified as a non-traditional DDoS attack. Specifically, the disrupters targeted the comment filing system application programming interface (API), which is distinct from the website, and is normally used by automated programs or bots for bulk filings.”
However, the OIG report said, “This statement is not accurate. This statement makes a distinction between the web-based ECFS interface and the API interface and claims the API interface was targeted during the event. As explained above, we found no evidence that the API interface was targeted during the event. While we recognize it was the level of API activity that ultimately resulted in the disruption to ECFS during the event, we determined this API activity was generated through the web-based ECFS interface.”
The FCC letter to Sens. Wyden and Schatz also misstated the time at which the “peak activity” began, and offered a misleading explanation of the nature of the “DDoS attacks” that implied the traffic increase “must not have been related to the John Oliver episode,” the OIG report said. It also said that statements in the FCC letter about analyzing server logs to draw conclusions about automated bots “are not accurate and raise questions about the accuracy of additional statements the FCC made about the event. We were not able to identify any evidence that FCC staff or contractors analyzed server logs or conducted any substantive analysis.” Other statements in the letter identified as inaccurate by the OIG related to discussions FCC staff had with an FBI official.
The heavily redacted 46-page report, plus attachments, includes redacted emails from FCC officials including Mr. Bray, Mr. Summerlin, and FCC Chief of Staff Matthew Berry, including one in which Mr. Bray told Mr. Berry, “we’re 99.9% confident this was external folks deliberately trying to tie-up the server to prevent others from commenting and/or create a spectacle,” and adding that Mr. Oliver’s video “triggered the trolls. Normal folks cannot manually file a comment in less than a millisecond over and over and over again, so this was definitely high traffic targeting ECFS to make it appear unresponsive to others.”
FCC Chairman Ajit Pai revealed yesterday that the report had been completed, saying in a statement that he was “deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people” (TR Daily, Aug. 6).
In a written response included with the report, FCC Chairman Ajit Pai said that “on the afternoon of July 24, 2017, I held a meeting in my office with Tony Summerlin and Christine Calvosa to discuss the status of ECFS. FCC Chief of Staff Matthew Berry also attended this meeting. Among other topics, we discussed the incident that occurred on May 7-8, 2017. During this meeting, consistent with what my office had been repeatedly told by then-Chief Information Officer David Bray, Mr. Summerlin reaffirmed to me that this incident had been caused by bots rather than individuals attempting to file comments with the Commission, and he explained why that was the case. Moreover, during this meeting, neither Mr. Summerlin nor Ms. Calvosa said anything that suggested that they disagreed with the explanation Mr. Bray had provided to my office and to Congress about what happened on May 7-8, 2017. For these reasons, I was surprised and disappointed when I learned of the findings of the Office of Inspector General's investigation.”
Sen. Wyden responded to the release of the report with criticism for the Commission and Chairman Pai, suggesting that last year’s suggestion that the ECFS delays were due to a DDoS attack was an effort to distract attention from filings by commenters who opposed the RIF proposal.
“This report shows that the American people were deceived by the FCC and Chairman Pai as they went about doing the bidding of Big Cable. It appears that maintaining a bogus story about a cyberattack was convenient cover to ignore the voices of millions of people who were fighting to protect a free and open internet. Americans face higher prices for streaming services and other content as a result of Chairman Pai’s repeal of net neutrality protections, and it’s going to sting even worse knowing they were lied to about it by their government. The fact that Chairman Pai and the FCC came clean only after their story was debunked by the inspector general is disappointing, but it's sadly unsurprising in this administration,” Sen. Wyden said.
In a statement, Free Press Deputy Director and Senior Counsel Jessica González said, “Today’s IG report exposes the Pai FCC’s general willingness to ignore logic and contradictory evidence when doing so supports his preconceived notions and political agenda. In this case, the former chief information officer’s story was obviously flawed, but Pai and his office didn’t hesitate to pass along that story and dismiss its critics.”
Ms. González added, “In his response to the inspector general’s report, Pai throws former CIO David Bray under the bus and tries to blame the prior administration for hiring him. But Bray worked for Pai at the time of these incidents, and later statements describing the supposedly ‘voluminous documentation’ for this attack came from Pai’s hand-picked spokesman.”
She added, “Pai and his staff seem to think that this bombshell report somehow vindicates them, by suggesting they had no knowledge that the claims he and his spokespeople repeated were false. If that were the case, then Pai is such an incompetent chairman that he has no control over his agency, and no inclination to tell the truth, even when evidence shows that he’s flat out wrong.” —Lynn Stanton, [email protected]
Interested in submitting an article?
Submit your information to us today!Learn More