A controversial claim by senior FCC officials that a cyberattack hobbled the agency’s comment system in May 2017 has been formally refuted by an investigation led by the FCC’s Office of Inspector General (IG).
The comment system’s downtime was likely due to a massive surge in online activity, caused when Last Week Tonight host John Oliver directed his millions of viewers to flood the FCC’s website with pro-net neutrality comments, combined with “system design issues,” according to the IG report.
Investigators were unable to “substantiate the allegations of multiple DDoS attacks” made by then-FCC Chief Information Officer David Bray, the report says.
“While we identified a small amount of anomalous activity and could not entirely rule out the possibility of individual DoS attempts during the period from May 7 through May 9, 2017, we do not believe this activity resulted in any measurable degradation of system availability given the minuscule scale of the anomalous activity relative to the contemporaneous voluminous viral traffic.”
FCC Chairman Ajit Pai sought to distance himself from any of the institutional failings described by the inspector general’s report ahead of its release, placing full blame at the feet of his former chief information officer, Dr. David Bray, and his subordinates. In a statement on Monday, Pai accused Bray of providing him with “inaccurate information” about the May 2017 incident, which Pai personally relayed to members of Congress.
In a June 2017 letter, for example, Pai informed Senator Ron Wyden of Oregon that the FCC’s comment system had been disrupted by a “cyber-based attack.”
Accompanying the letter were responses to questions Wyden had sent the FCC about the incident. The answers, which Pai said were prepared by Bray, described a “non-traditional DDoS attack” carried out by “automated bots” targeting the comment system’s API.
“From our analysis of the logs, we believe these automated bot programs appeared to be cloud based and not associated with IP addresses usually linked to individual human filers,” the FCC told Wyden. “We found that the bots initiated API requests with the system and then via their high-speed, resource intensive requests, effectively blocked or denied additional web traffic - human or otherwise - to the comment filing system.”
As they investigated the incident, however, the FCC inspector general’s office said it discovered the FCC “had not defined the event internally as a cyber security incident,” that the matter had not been referred to the Department of Homeland Security, and that “none of the documents required under the FCC’s Standard Operating Procedures (SOP) for Incident Response had been prepared.”
This is a developing story. Updates are coming.
Below is the complete Office of Inspector General Report.