FCC net neutrality cyberattack wasn't real, says internal report

The FCC's Office of Inspector General says the crash wasn't "the result of a DDoS attack," as reported to Congress and the public.

CNET staff
3 min read
FCC Chairman Ajit Pai

FCC Chairman Ajit Pai

Alex Wong/Getty Images

An internal Federal Communications Commission report released Tuesday contradicted the agency's earlier claim that a cyberattack was to blame for the failure of its online commenting system at the height of the net neutrality debate, suggesting instead that the agency hadn't adequately prepared for a flood of visitors.

The report, by the FCC's Office of Inspector General, said the early May outage wasn't "the result of a DDoS attack," as the commission said shortly after the comment section was overwhelmed for two days. The outages to the FCC site's electronic comment filing system followed a segment on John Oliver's Last Week Tonight that directed viewers to the agency's comment pages.

The FCC knew about the segment before it aired, the OIG's report said, adding that the information wasn't shared with the commission's tech staff.

"While several in the commission were on notice that Last Week Tonight with John Oliver was planning to air a segment that could generate a significant public response, that information did not reach the FCC IT group," the report said.

The OIG's conclusion comes a day after FCC Chairman Ajit Pai issued a statement blaming the cyberattack assertion on a former FCC official hired by the Obama administration. Pai was appointed head of the agency by President Donald Trump shortly after Trump took office. 

Pai didn't offer an alternative explanation for the crash but said the agency's former CIO had asserted that distributed denial-of-service (DDoS) attacks were the cause. 

In an emailed statement, David Bray, the former CIO, said the OIG hadn't contacted him and that he hadn't had the opportunity to share what he observed or concluded during the incident.

Bray added that "swift response ensured the commenting system was up more than 99.4 percent of the time for the total commenting period." 

In its report, the OIG said it couldn't verify the claim of a cyberattack. 

Our investigation did not substantiate the allegations of multiple DDoS attacks alleged by Bray. While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the miniscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic.

...We learned very quickly that there was no analysis supporting the conclusion in the [FCC] press release, there were no subsequent analyses performed, and logs and other material were not readily available.

The OIG report said "the FCC did not respond to the event internally" in a manner consistent with the severity of the incident.

Following the initial crash, the FCC explicitly blamed DDoS attacks. Here's the agency's original statement:

Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDoS). These were deliberate attempts by external actors to bombard the FCC's comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC. While the comment system remained up and running the entire time, these DDoS events tied up the servers and prevented them from responding to people attempting to submit comments. We have worked with our commercial partners to address this situation and will continue to monitor developments going forward.

You can read the OIG's Tuesday report in full below.