FCC's net neutrality DDoS attack didn't happen. Here's what you need to know

We finally have answers about what really happened following the FCC's allegations of a cyberattack on its commenting system.

Marguerite Reardon Former senior reporter
Marguerite Reardon started as a CNET News reporter in 2004, covering cellphone services, broadband, citywide Wi-Fi, the Net neutrality debate and the consolidation of the phone companies.

Net neutrality may be dead, but questions remain about how seriously the Federal Communications Commission considered comments from the public.

The FCC's system for submitting those comments was a hot mess.

Two million of the 22 million comments submitted used stolen identities, some for people who were dead, including actress Patty Duke, who died in 2016. Nearly 8 million comments used email domains associated with FakeMailGenerator.com. About half a million were sent from Russian email addresses. And of the emails that came from legitimate email addresses, the vast majority were form letters originating from the same pro- and anti-net neutrality groups.

Then there was the controversy over a supposed cyberattack on the comment system that temporarily shut down the platform on exactly the same day thousands of net neutrality supporters responded to comedian John Oliver's call to flood the agency with comments.

That supposed cyberattack has been confirmed to be false, after more than a year of speculation, following the release of a report by the agency's internal watchdog, the Office of Inspector General. 

The "degradation" of the FCC's comment system "was not, as reported to the public and to Congress, the result of a DDoS attack," the report states.

FCC Chairman Ajit Pai, on the day before the report's release, blamed the misreporting on the previous administration's leadership, saying the former FCC chief information officer was responsible for providing inaccurate information to the public.


"I'm pleased that this report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate," Pai said. 

Fight for the Future, a pro-net neutrality organization that earlier this year helped spearhead the "Red Alert" protests across the internet, condemned Pai's remarks.

"Pai attempts to blame his staff, but this happened on his watch, and he repeatedly obstructed attempts by lawmakers and the press to get answers. The repeal of net neutrality was not only unpopular, it was illegitimate," deputy director Evan Greer said in a statement.


Ajit Pai (right), at the time an FCC commissioner, and then-FCC Chairman Tom Wheeler testify before Congress in 2015.


The whole debacle has highlighted some shortcomings in developing public policy in the digital age where hundreds of thousands, if not millions, of comments can be filed with the click of a button and flood a docket, and any name can be used to submit a comment. Clearly, this is not what Congress envisioned when it enacted the Administrative Procedure Act in 1946 to ensure the public had a say in crafting public policy.

The federal Government Accountability Office and the New York State Attorney General's office have launched investigations. Congressional Democrats have asked the FCC for answers. But so far, the FCC has been mum. Democrats, like FCC Commissioner Jessica Rosenworcel, have accused the agency of stonewalling the investigations.

"To put it simply, there is evidence in the FCC's files that fraud has occurred and the FCC is telling law enforcement and victims of identity theft that it is not going to help," she said in a statement in December. "Failure to investigate this corrupted record undermines our process for seeking public input in the digital age."

FCC officials declined to comment for this story.

So what does it mean for the controversial repeal of net neutrality? Could the tainted public record on net neutrality help in efforts to restore the rules? To help you understand what really happened and what it all means, CNET has put together this FAQ.

What's net neutrality again and how did we get here?

Net neutrality is the principle that all traffic on the internet should be treated equally, regardless of whether you're checking Facebook, posting pictures to Instagram, or streaming movies from Netflix or Amazon. It also means companies like AT&T, which just bought Time Warner, or Comcast, which owns NBC Universal, can't favor their own content over a competitor's.

Under the Obama administration, the FCC adopted rules in 2015 to protect these principles. The regulation prohibited broadband providers from blocking or slowing traffic and banned them from offering so-called fast lanes to companies willing to pay extra to reach consumers more quickly than competitors. To make sure the rules stood up to court challenges, the agency also put broadband in the same legal classification as the old-style telephone network, which gave the agency more power to regulate it.

Internet providers said the rules stifled investment, especially the new classification of broadband, which they feared would allow the government to set rates.

When Republican Ajit Pai took over as FCC chairman after Donald Trump became president, he drafted a proposal to roll back the 2015 rules.

What exactly was the public commenting on?  

The proposal that Pai put forward in spring 2017, called "Restoring Internet Freedom," rolled back the 2015 rules and restored the previous legal classification of broadband, to ensure the FCC couldn't regulate the internet.

The FCC voted on the proposal on Dec. 14, and the rules officially came off the books on June 11.

But before the vote, the agency was required under the Administrative Review Act to allow the public to comment on it. So from April until August last year, the public was able to submit comments to the public record via the FCC's website.

So what was the problem with the comments?

More than 22 million comments, a record, poured into the agency. But analysis of the comments showed that an overwhelming number of them were duplicates or submitted by automated bots. The Pew Research Center released a study in November stating that only 6 percent of those comments submitted were unique. The other 94 percent were submitted multiple times – in some cases, hundreds of thousands of times. In fact, the seven most-submitted comments (six of which argued against net neutrality regulations) comprise 38 percent of all the submissions during the comment period.

Duplicate submissions on their face are not a problem, if these duplicate submissions were really from concerned citizens. Letter-writing campaigns in advocacy have been around for ages. The net neutrality advocacy group Fight for the Future allowed its supporters to click a button to submit a prewritten message, as did other groups who supported Pai's proposal. But it's suspected that some of these duplicate emails, and some that used the same paragraph and sentence structure but slightly different wording, were submitted by automated bots.

Then there were the 2 million comments submitted to the agency that used false identities. Sens. Patrick J. Toomey, a Republican from Pennsylvania, and Jeff Merkley, a Democrat from Oregon, say they were among millions of Americans who were impersonated in public comments. And there were at least 400,000 comments that originated in Russia, according to the New York Attorney General's Office.


What about the alleged cyberattack? What's that all about?

On May 7, 2017, the FCC's comment system crashed after comedian John Oliver, host of HBO's Last Week Tonight, urged his audience to flood the agency with comments supporting net neutrality. Initially, FCC officials claimed the site went down due to a series of distributed denial-of-service attacks. But net neutrality supporters accused the agency of making up the attack and blamed the agency for failing to keep the system online.

A similar crash happened three years earlier when the Obama administration's FCC was first considering the rules. Just like in 2017, Oliver had told viewers to flood the FCC's website. At the time the FCC said the comment system failed due to a surge in internet traffic.

But some news outlets accused David Bray, the FCC's former chief information officer, of knowingly misleading journalists about the attack and even suggesting that the 2014 attack was also caused by a DDoS but that then-Chairman Tom Wheeler didn't want people to know for fear of copycat attacks. Earlier this month, Gizmodo said it had reviewed internal emails showing the FCC had made up the cyberattack. And Wheeler denies keeping quiet about a suspected DDoS attack in 2014.

The FCC had declined to comment on any of this until the release of a report from the Office of Inspector General.

In a blog post responding to the Gizmodo story, Bray, who is no longer at the FCC, walked back his earlier claim, saying "whether the correct phrase is denial of service or 'bot swarm' or 'something hammering the Application Programming Interface' [API] of the commenting system -- the fact is something odd was happening in May 2017."

What did the OIG's investigation find regarding the supposed cyberattack?

The Office of Inspector General said its "investigation did not substantiate the allegations of multiple DDoS attacks alleged by Bray." The report acknowledges there was some "small amount of anomalous activity," but it concluded that activity didn't cause "any measurable degradation of system availability."

The report went on to say that there had been "no analysis supporting the conclusion in the press release, there were no subsequent analyses performed, and logs and other material were not readily available."

The OIG report goes on to say that it "determined the FCC did not respond to the event internally in a manner consistent with the severity of the event suggested in the press release."

What is the FCC saying about the incident?

Pai has squarely put the blame on Bray, the agency's former CIO. In a statement Monday, Pai lambasted the former FCC official, who also served in the same position at the agency under President Barack Obama.

"I am deeply disappointed that the FCC's former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people," Pai wrote in a statement. "This report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes."

The former CIO notified his office on May 8 that "some external folks attempted to send high traffic in an attempt to tie-up the server from responding to others," Pai wrote. The chairman didn't name the former CIO, but Bray served in the position at that time.

Pai also said in his statement that FCC chief of staff Matthew Berry had asked the CIO if the incident was in fact caused by a DDoS attack, rather than a flood of people trying to reach the site at the same time. But Bray told Pai's office he was "99.9% confident this was external folks deliberately trying to tie-up the server to prevent others from commenting and/or create a spectacle."

What does the former FCC CIO have to say about all this?

On Monday, Bray said the FCC Inspector General hadn't contacted him and he hadn't yet seen the reported findings. He also said no one's reached out to him to ask what he observed or concluded during the incident.

Bray added that "swift response ensured the commenting system was up more than 99.4 percent of the time for the total commenting period."

What are others saying about the incident?

FCC Commissioner Jessica Rosenworcel, the only Democrat currently serving on the FCC, called the claim of a DDoS attack "bogus," in a tweet on Tuesday. She said the OIG's report proves the claim was never credible.

Net neutrality advocacy group Fight for the Future, which was among the first to sound alarms around the claim there had been a DDoS attack, was skeptical about Pai's statement on Monday, saying the FCC failed in its responsibility to maintain a space for public opinion.


"Under Ajit Pai's leadership, the FCC sabotaged its own public comment process," Evan Greer, deputy director of Fight for the Future, said in a statement. "Pai attempts to blame his staff, but this happened on his watch, and he repeatedly obstructed attempts by lawmakers and the press to get answers."

Does any of this really matter in the fight to reinstate net neutrality?

Not really. While no one thinks a government agency should be lying to the public or that having a public record filled with fake comments from people using stolen identities is a good thing, it doesn't really affect the FCC's obligation in establishing policy. 

The Administrative Procedure Act doesn't require the FCC to consider, respond to or even read every single comment. It's only obligated to respond to substantive points made. So if 20 million of 22 million comments make the same argument, the agency only needs to respond once.

While there's nothing wrong with the public providing input on these issues, making the same argument over and over may not carry the same weight with policy makers at a federal agency, like the FCC, as a similar action would in Congress. By contrast, the job of Congress is to listen to constituents and represent their interests. So flooding members of Congress with letters, emails and phone calls can sway votes and create change.

"The FCC doesn't make rules by survey or through a popularity contest," said Matthew Schettenhelm, a legal analyst with Bloomberg Intelligence. "That one side may have had much more support matters little. FCC commissioners are appointed to make their own policy calls based on their own views of the facts and law."

The law simply requires the agency to consider "the relevant matter presented" and to take a "hard look" at issues raised, he added.

"The FCC will say it did that," he said. "It grappled with the substantive issues raised, and dedicated staff to screen the rest. And that will probably be enough."

So that's it? Millions of bogus comments and it doesn't really matter?

Net neutrality supporters argue that the FCC still has an obligation to ensure integrity in the public comment system. And they're disturbed that the agency has not helped in investigating these problems. Harold Feld, a lawyer at the consumer advocacy group Public Knowledge, says the FCC's refusal to cooperate with investigations from congressional Democrats and the New York Attorney General's Office may come back to bite the FCC as it heads to court to defend its repeal of net neutrality.

"We're in uncharted waters as far as the APA is concerned," he said. "I think the agency's refusal to respond when problems surfaced is going to hurt the FCC in court."

But Schettenhelm said net neutrality supporters will likely have to go further by showing that the agency missed something in its analysis due to the fraud present in the record.

"If they can show the comment system was so tainted that it caused the FCC to miss or misunderstand something important, they might get somewhere," he said. "Otherwise, challengers will effectively be asking for 'new law' on the point -- and that's never likely or easy."

What about FCC cyberattack-gate?

Schettenhelm says that's merely a distraction.

"I see the fight over the FCC's explanation of what caused the outage as more of a political critique than a legal one," he said. "Again, unless challengers can point to some distortion in how the FCC evaluated the facts and law, I doubt the issue gains much traction."

First published June 29, 5 a.m. PT.
Update, Aug. 7, 1:48 p.m. PT: Adds links to the OIG report and more information about the report's findings.
