Federal Communications Commission (FCC) Chairman Ajit Pai released a statement Monday backtracking on the agency’s previous position that its public comment system crashed due to a cyber attack on May 7-8, 2017. The crash came after John Oliver of the Last Week Tonight show encouraged Americans to submit comments supporting net neutrality, days before the FCC voted to repeal net neutrality rules.
On Tuesday, the Office of the Inspector General (OIG) released a report detailing its investigation into the incident, finding that there was insufficient evidence for the crash to be termed a Distributed Denial-of-Service (DDoS) attack.
Last year, the FCC issued a press release and told the press, the Federal Bureau of Investigation (FBI), and concerned lawmakers that the comment system crash was due to a DDoS attack. The FBI then asked the OIG to investigate.
But based on the report’s findings and email correspondence between FCC officials trying to figure out what happened at the time of the crash, it is still unclear whether the crash was due to an inundation of public comments (which had happened before under Chairman Tom Wheeler’s tenure) or whether the crash could have been due to a cyber attack.
At the time of the incident, according to the OIG report, “FCC traffic (bytes) delivered increased by 3,116% over normally observed levels. Prior to May 7, 2017, average daily traffic was approximately 172 GB/day. Between May 7 and 8, 2017, the FCC site served approximately 4.5 TB (4,505 GB) of traffic. The traffic observed appeared to be a mix of ‘human’ and automated traffic.”
The report calls this “flash crowd” activity and says it may have crashed the site due to “site design issues.”
“We learned very quickly that there was no analysis supporting the conclusion [that it was a cyber attack] in the press release, there were no subsequent analyses performed, and logs and other material were not readily available,” the report reads. “We determined the FCC did not respond to the event internally in a manner consistent with the severity of the event suggested in the press release.”
According to the email correspondence between former FCC Chief Information Officer David Bray and FCC contractor Tony Summerlin included in the OIG report, Summerlin emailed Bray on the morning of May 8 asking, “Where are these requests [to comment] coming from? This is ridiculous.”
Bray replied, “Closing the loop on this – as of 0845 the system was stabilized to address the increased high traffic. If asked, the system was never down – it was always up and running. However some external folks attempted to send high traffic in an attempt to tie-up the server from responding to others, which unfortunately makes it appear unavailable to everyone attempting to get through the queue. We should be prepared for more attempts like this. There is also the Box.com instance for bulk filers too as a backup should the system appear unavailable.”
He said later in the email correspondence that “We’re 99.9% confident this was external folks deliberately trying to tie-up the server to prevent others from commenting and/or create a spectacle. John Oliver invited the ‘trolls’ – to include 4Chan (which is a group affiliated with Anonymous and the hacking community). His video triggered the trolls. Normal folks cannot manually file a comment in less than a millisecond over and over and over again, so this was definitely high traffic targeting ECFS to make it appear unresponsive to others.”
The OIG report found there was “anomalous activity” at the time of the incident, but could not determine whether it was “malicious” or not.
Even though the report provides convincing evidence that Bray and the FCC did not conduct a thorough investigation of the incident, Bray clearly thought there was some malicious activity going on to prevent legitimate public comments from being posted, and decided to run with that theory rather than conduct the analysis necessary to confirm it.
Pai’s Monday statement blames former FCC Chief Information Officer David Bray for providing “inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.”
Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that it is often quite difficult for organizations to know whether they’re being hacked or not, and software malfunctions can be easily misconstrued as cyber attacks.
“It’s very hard on organizations to actually tell what’s going on and to differentiate between natural problems and how to differentiate that from an actual cyber attack, so that issue is not a surprise,” he said. “You need really strong compelling evidence to distinguish between software malfunctioning [and a cyber attack].”
What’s odd about the FCC incident, he said, is that the FCC rushed to call it a cyber attack even though it had nothing to gain from doing so. Not only is it bad publicity, it looks especially bad because the FCC is supposed to be regulating the internet and telecom industry but can’t seem to run its own website properly.
“When something like this happens, often executives are flustered and don’t know what to say,” Madnick said. “So in one sense they may have thought it was a cyber attack and just blurted it out. The other possibility is they knew it was on their part and they blamed it on a cyber attack [to deflect blame].”
According to Madnick, the second scenario is very likely simply because government agencies — apart from the military — are really bad about updating their IT systems and keeping pace with evolving technology. At the same time, this makes them even more susceptible to cyber attacks.
“Some big banks are spending billions of dollars a year on cybersecurity. I highly doubt the FCC has,” Madnick said.
The OIG report, in conjunction with Pai’s statement, does not suggest malicious intent on the part of the FCC to stop the general public from commenting on the net neutrality rules. On the contrary, it shows the FCC attempted to fix the problem to allow the public to comment, but did not properly handle the incident and then wasn’t honest about it to senators or the press.
This could raise additional concerns among lawmakers regarding the agency’s transparency, and could prompt more probes into the agency’s ability to adequately regulate sectors of the tech industry if it can’t manage and properly analyze its own tech processes.
“[It] is a concern because so much of our livelihood is governed by these organizations,” Madnick said.
The FCC declined to comment for this story.