After a year of investigation, a truth that many news outlets and net neutrality advocates have been shouting about since 2017 has been proven. During its open comment period on the repeal of Obama-era net neutrality rules, the FCC’s commenting system didn’t go down due to a distributed denial of service attack, as the FCC repeatedly claimed, but instead simply due to too much traffic.
Last week, the Inspector General published a long-awaited investigation into the supposed cyber-attack and the FCC’s actions. The report confirmed that the FCC’s former Chief Information Officer was the one who first came up with the attack, despite a clear lack of evidence. FCC Commission Ajit Pai tried to pin the blame on the CIO in a statement, saying that he is “deeply disappointed” that the CIO “provided inaccurate information about this incident to me, my office, Congress, and the American people.”
But in testimony before Congress today, Pai failed to explain why the FCC continued to push the line about a DDoS attack for months after the incident, despite a continued lack of evidence, and refusals from the FCC’s CIO to accept help from the FBI or other branches of government.
“The tech community said that doesn’t make any sense…Sen. Wyden and I said it didn’t make sense…You told Congress a federal crime was committed,” Sen. Brian Schatz asked Pai. “Why didn’t you entertain any of those quite reasonable doubts that were out there?”
“It just seems odd that the moment your CIO says something, that you run with it and you ran with it quite aggressively all the way up until… last week when you said, “Well, I was duped.” That’s very hard to digest,” Schatz said. “I’m trying to figure out, did you ever have any doubt between the point at which your CIO told you something and the point at which the IG told you it was wrong?”
Ajit Pai stuck to his line that the Inspector General had requested confidentiality during the investigation, preventing him from telling anyone or even setting the record straight to Congress in a confidential way.
“Once we knew what the conclusions were, it was very hard to stay quiet,” Pai said. “We wanted the story to get out not only because it vindicated what we’d been saying, that we had relied on the chief information officer’s representations, but also because otherwise we knew that members of this committee, including potentially you, would think, ‘well, he knew something was wrong but he didn’t tell us about it.'”
Pai is framing the issue as being solely limited to the former CIO, but the entire FCC ardently defended its line about a cyberattack, going so far as to seemingly lie to the press about the existence of evidence (which has never been seen). In July 2017, a spokesperson for the FCC said in a statment that “Media reports claiming that the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system are categorically false.”
“Moreover, the FCC has never stated that it lacks any documentation of this DDoS attack itself. And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners.”