FCC Lied To Congress About Made-Up DDoS Attack, Investigation Found

Above Photo: Getty Images | Bloomberg. FCC Chairman Ajit Pai with his oversized coffee mug in November 2017.

Despite lies to Congress, US attorney declined to prosecute any FCC employees.

The Federal Communications Commission lied to members of Congress multiple times in a letter that answered questions about a “DDoS attack” that never happened, an internal investigation found.

The FCC made false statements in response to a May 2017 letter sent to FCC Chairman Ajit Pai by Sens. Ron Wyden (D-Ore.) and Brian Schatz (D-Hawaii). Pai sent a response to Wyden and Schatz the next month but apparently didn’t make the false statements himself.

Pai’s letter to Wyden and Schatz included an attachment in which then-FCC CIO David Bray responded directly to the senators’ questions. This part of the letter contained multiple false and misleading statements, according to the FCC Inspector General’s report released yesterday. The second half of this article will detail each of these false and misleading statements.

“[W]e determined the FCC, relying on Bray’s explanation of the events, misrepresented facts and provided misleading responses to Congressional inquiries related to this incident,” the IG’s report said.

Making false statements to Congress can be punished with fines or imprisonment, but the US Attorney’s office declined to prosecute any FCC employees, according to the IG report.

Pai yesterday said the investigation “debunks the conspiracy theory” that Pai himself was to blame for the FCC spreading false information. But even as lawmakers, reporters, and pro-net neutrality groups questioned the FCC’s false claims last year, Pai’s office scolded journalists who asked the FCC to publicly provide evidence.

After news reports in July 2017 about the FCC lacking documentation of the DDoS attack, Pai’s office told journalists that such reports were “completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners.”

But in reality, the FCC had “no evidence” of any “coordination and intent” behind the traffic hitting the comment system, the IG’s office found. “In order to assess incoming traffic as a DDoS, we need to identify coordination and intent,” the IG’s report said. “We found no evidence of such coordination.”

System’s poor design—not DDoS—led to outage

Contrary to the FCC’s repeated assertions, the agency’s public comments system went down on May 7 and 8 in 2017 because it wasn’t designed well enough to handle traffic from commenters opposing Pai’s plan to eliminate net neutrality rules. People were submitting comments en masse after comedian John Oliver asked viewers of his program Last Week Tonight to oppose Pai’s net neutrality repeal.

Bray seemingly didn’t want to admit Oliver’s role in the outage. “Bray regularly complained about the John Oliver episode for the remainder of his time as the FCC CIO,” the IG report said, attributing that detail to Tony Summerlin, an IT contractor who served as a senior advisor to Bray.

The IT team was unprepared for the rush of traffic caused by the John Oliver show. A producer from Oliver’s staff contacted Pai’s office about the show days before it ran, but Pai’s staff didn’t respond and apparently didn’t inform the IT department about the upcoming show.

“Bray was furious that he had not been informed about the John Oliver episode,” Summerlin told the IG’s office. Summerlin “also confirmed that Bray did, in fact, believe the John Oliver episode was to blame for the May 7 event,” the IG’s report said.

Despite that, Bray issued a statement on May 8 saying, “Our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host.”

Pai’s Chief of Staff Matthew Berry told investigators that he “assumed the Oliver segment was the cause of the increased traffic on ECFS [Electronic Comment Filing System], but Bray told him that wasn’t so.”

Investigation changed focus

The IG’s investigation initially focused on who was behind the alleged attacks, but “shifted into an investigation of false statements made by Bray, Tony Summerlin, and [FCC Chief Information Security Officer] Leo Wong in responses to congressional inquiries,” the IG report said.

In Pai’s letter to Wyden and Schatz, the attachment with Bray’s answers included “several specific statements that we believe misrepresent facts about the event or provide misleading information,” the IG found.

“Because of the possible criminal ramifications associated with false statements to Congress,” the IG’s office said it “formally referred this matter to the Fraud and Public Corruption Section of the United States Attorney’s Office for the District of Columbia (USAO-DC) on January 4, 2018, and provided a briefing to the Chief of the Fraud and Public Corruption Section USAO-DC on January 18, 2018.”

However, “[o]n June 7, 2018, after reviewing additional information and interviews, USAO-DC declined prosecution,” the IG report said.

False statements to Congress

Bray’s responses contained in the attachment to Pai’s letter to the senators included six statements that the IG classified as “not accurate” and another classified as “misleading.”

We’ll go through the false and misleading statements one by one in this section.

False statement #1:

We have determined that this disruption is best classified as a non-traditional DDoS attack. Specifically, the disrupters targeted the comment filing system application programming interface (API), which is distinct from the website, and is normally used by automated programs or bots for bulk filings.

“This statement is not accurate,” the IG concluded. “[W]e found no evidence that the API interface was targeted during the event.”

False statement #2:

The peak activity triggering the comment system’s unavailability to most human filers appears to have started at approximately 11:00pm Eastern Standard Time (EST) on Sunday, May 7, 2017.

“This statement is not accurate,” the IG report said. In reality, the increased activity that disrupted the comment system began at 11:30pm, and Oliver’s show begins at 11pm each Sunday. Bray apparently provided the wrong time, making it appear that the “peak activity” began before Oliver urged viewers to submit comments.

False statement #3:

From our analysis of the logs, we believe these automated bot programs appeared to be cloud-based and not associated with IP addresses usually linked to individual human filers.

False statement #4:

In addition to the basic findings above, our IT staff found other markers of potential malicious intent.

“These statements are not accurate and raise questions about the accuracy of additional statements the FCC made about the event,” the IG wrote. “We were not able to identify any evidence that FCC staff or contractors analyzed server logs or conducted any substantive analysis.”

The IG’s office said it asked the FCC contractor who maintained the logs “about Bray’s claim of analysis supporting the malicious usage of bots.” That person “stated that while bots were one possible explanation, there was no analysis of which [the contractor] was aware to support those conclusions.” (The contractor’s name was redacted.)

False statement #5:

Following this attack, the FCC CIO directed the Chief Information Security Officer (CISO) to consult with the FBI. In speaking with the FBI, the conclusion was reached that, given the facts currently known, the attack did not appear to rise to the level of a major incident that would trigger further FBI involvement. The FCC and FBI agreed to have further discussions if additional events or the discovery of additional evidence warrant consultation.

“This statement is not accurate,” the IG wrote. While CISO Leo Wong spoke to the FBI, an FBI special agent “denies that a ‘conclusion was reached that… the attack does not appear to rise to the level of a major incident that would trigger FBI involvement.’” Whether an attack was “major” or not had no bearing on whether it was a crime, the IG report said.

The FCC made a similarly false statement on the same topic in another letter that Pai sent to House lawmakers in July 2017, the IG report said. In an attachment to that letter containing Bray’s answers to lawmakers’ questions, the FCC falsely claimed that the FCC and FBI “agreed that this was not a ‘significant cyber incident’ consistent with the definition contained in Presidential Policy Directive-41 (PPD-41).” In reality, the FBI special agent told the IG that “all that matters is ‘was a crime committed or not’” and that there was not “enough information to reach any conclusion, especially since” there was no “information regarding what was in the logs.”

The IG report also pointed out a “misleading” statement in the letter to senators. That statement read:

[W]e would note that when John Oliver provided a link to encourage viewers to file comments on the evening of Sunday, May 7, 2017, that link directed traffic to the regular comment filing system and not to the API.

“This statement is misleading” because it implies “that the event must not have been related to the John Oliver episode,” the IG report said.

“Through our investigation, we have determined that the redirect URLs provided by the Last Week Tonight with John Oliver program did, in fact, generate a significant amount of internal API activity and it was this internal API activity (not Data.gov API activity), combined with the system design issues… that was likely the reason for the degradation of ECFS availability,” the IG report said.

Americans were “deceived by FCC and Chairman Pai”

Bray did not respond to a request for comment after the report came out yesterday.

Wyden issued a statement condemning the FCC and Pai for pushing a “bogus story” while repealing net neutrality rules:

This report shows that the American people were deceived by the FCC and Chairman Pai as they went about doing the bidding of Big Cable. It appears that maintaining a bogus story about a cyberattack was convenient cover to ignore the voices of millions of people who were fighting to protect a free and open Internet. Americans face higher prices for streaming services and other content as a result of Chairman Pai’s repeal of net neutrality protections, and it’s going to sting even worse knowing they were lied to about it by their government. The fact that Chairman Pai and the FCC came clean only after their story was debunked by the inspector general is disappointing, but it’s sadly unsurprising in this administration.

IG surprised by lack of documentation

The IG investigation’s original objective “was to identify the individuals and/or organizations responsible for the multiple DDoS attacks alleged by Bray,” the report said. The IG’s office thus “expected to rely on work performed by Commission staff or contractors in response to the event.”

Bray’s press release after the outage referred to an analysis, but “we learned very quickly that there was no analysis supporting the conclusion in the press release, there were no subsequent analyses performed, and logs and other material were not readily available,” the IG wrote.

The IG’s office ended up reviewing emails, “corresponding with IT staff and contractors, and finally conducting interviews” and found that “the FCC did not respond to the event internally in a manner consistent with the severity of the event suggested in the press release.”

For example, the FCC didn’t react internally as if it had faced a cyber attack. The agency did not follow its internal processes for responding to attacks, the report found:

Because the FCC determined that the severity of this event warranted a press release, and given the level of congressional and media attention to the event, we assumed the FCC would have classified the event internally as a cyber security incident and that [it] would have followed federal guidelines as well as FCC policies and procedures as part of the incident response process. As we attempted to collect available information related to the event, we discovered the FCC had not defined the event internally as a cyber security incident, that the matter had not been referred to US-CERT, and that none of the documents required under the FCC’s Standard Operating Procedures (SOP) for Incident Response had been prepared.