Internal Emails Reveal FCC Lied About DDoS Attack During Net Neutrality Comment Process – Report
The debate on net neutrality was going in full force last year around this time. John Oliver, the host of HBO's "Last Week Tonight" had directed his audience in May 2017 to flood the Federal Communications Commission (FCC)'s website expressing their support for the net neutrality protections.
With millions of comments pouring in, the agency announced a few weeks later that its Electronic Comment Filing System (ECFS) had been a target of a massive distributed denial of service (DDoS) attack. This attack was later on used to ignore the entire public comment process. Since then the public, reporters, and the lawmakers have demanded the FCC and its chairman, Ajit Pai, to release evidence if the attack did indeed occur.
"FCC conducted a quiet campaign to bolster its cyberattack story"
It now appears that the agency may have not only lied about the incident but also misled news organizations with false information, with at least two reporters taking the bait. A report by Gizmodo (based on redacted emails received through the Freedom of Information Act (FOIA) by American Oversight, a watchdog group) reveals how David Bray, FCC’s chief information officer between 2013 and June 2017 who was responsible for maintaining the comment system, pushed the cyberattack narrative.
The report and internal emails suggest that Bray tried to strengthen his cyberattack story with claims that the comment system had already been a victim of a similar attack back in 2014 when the agency was going through a similar public comment process before approving net neutrality rules. He even went on to blame the then-chairman of not revealing this attack publicly "out of concerns of copycats."
However, FCC security contractors and employees continue to suggest that there wasn't a cyberattack - neither in 2014 nor in 2017.
“I have seen no evidence of a DDoS attack on the FCC comment system,” FCC Commissioner Jessica Rosenworcel said.
The report further reveals that the 2014 cyberattack narrative to justify 2017 (non)cyberattack also appeared in a draft copy of blog post written on behalf of Ajit Pai. However, that draft was never published online. Since there was no evidence to support FCC's claims of a malicious attack, the agency simply sent these fabricated details to journalists, some of whom took the bait considering the agency's statement to be valid and truthful.
FCC has also redacted every discussion between its staff last year regarding how to respond to inquiries made by US senators and reporters citing attorney-client communications and deliberative process privilege.
"Some of these messages are probably correctly redacted, but avoiding potential embarrassment is not a legitimate reason for the government to conceal an email,” Austin Evers, executive director at American Oversight, said. "We were skeptical of the FCC’s explanations about its online comment system issues last May, and it’s clear that we still don’t have the full story about what happened."
In these times where every report gets called "fake news" and every tech failure is blamed on a "cyberattack" and then a "malicious attack by North Korea or Russia," it should be incumbent on government agencies to share all the evidence before making these claims. When an important subject is under debate like the net neutrality repeal, it becomes even more critical to provide the evidence - if not to the public, then at least to the lawmakers.
- More details and email screenshots over at Gizmodo