Editor’s Note: This story has been updated to reflect the release of the FCC IG’s report.
The saga has come to this: About 15 months after former Federal Communications Commission CIO David Bray first claimed that the agency had been a victim of a distributed denial of service (DDoS) attack, the agency’s inspector general has officially refuted this narrative.
In a report released on Tuesday, the IG found that “multiple Distributed Denial-of Service (DDoS) attacks did not occur.”
“As a result of our reviews… we determined the FCC, relying on Bray’s explanation of the events, misrepresented facts and provided misleading responses to Congressional inquiries related to this incident,” the report states.
FCC Chairman Ajit Pai put out a statement Monday to preempt the release of the IG report.
“I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people,” Pai said. “This is completely unacceptable.”
Pai said he’s also dismayed by what this drama reveals about FCC culture. “I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office.”
Bray, the “former CIO” not mentioned by name in the statement, served at the FCC from 2013 until October 2017. He now serves as executive director at People-Centered Internet, an organization that helps communities with tech projects.
Pai’s statement goes on to note with relief that the report did not find any evidence to support the “conspiracy theory” that Pai’s office knew about the alleged lies.
Commissioner Jessica Rosenworcel put out a similarly strident statement. “The FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is completely bogus,” she said. “It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.”
The incident took place after a segment on the HBO show “Last Week Tonight,” during which comedian John Oliver encouraged viewers to submit comments in support of Obama-era net neutrality rules to the agency’s Electronic Comment Filing System. The agency experienced a rush of traffic shortly thereafter. In a statement after the event, Bray said these weren’t ordinary site visitors but “deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host.”
“These actors were not attempting to file comments themselves,” Bray added. “Rather they made it difficult for legitimate commenters to access and file with the FCC.”
According to Pai’s statement, Bray said he was “99.9% confident” of this assessment.
But others quickly cast doubt. In the days following the incident, multiple cybersecurity experts told FedScoop’s sister publication, CyberScoop, that the claim seemed unfounded. “It appears the issue with the FCC is less of a DDoS attack, traditionally defined, and more of an issue of crowdsourcing comments generated by John Oliver and Reddit,” John Bambenek told CyberScoop.
Fight for the Future, a group that stands against the FCC’s rollbacks of Obama-era net neutrality rules, also called on the commission to release its logs for analysis by an independent security expert. Since then, various members of Congress have become involved, even asking the FBI and Government Accountability Office to look into the issue.
In June, Gizmodo reported that, in his email conversations with reporters, including some from FedScoop, Bray continued to insist that the event was a DDoS attack even though he never furnished any evidence. Emails that Gizmodo obtained through a Freedom of Information Act request and published show that Bray went as far as to tell reporters from FedScoop that an incident in 2014, when web traffic from another John Oliver segment caused the comments system to crash, was also a DDoS attack. Previously, Bray had said this incident was merely a weakness in the agency’s legacy systems, systems that he, as CIO, was intent on overhauling.
Pai concludes that the whole story makes it “abundantly clear” that the FCC’s comments system needs an overhaul. “I’m therefore pleased that Congress last week approved a reprogramming request that provides us with the funding necessary to redesign ECFS,” he said. “We’re looking forward to getting that important project started.”
The IG’s report notes that while its investigation began as one looking at the alleged DDoS attacks, it eventually shifted to “an investigation of false statements” made in response to congressional questioning. In January 2018, the IG referred the issue to the Fraud and Public Corruption Section of the United States Attorney’s Office for the District of Columbia, the report states. In June the USAO declined to prosecute.
FedScoop could not reach Bray for comment prior to publication; attempts to reach him by email received an automated reply saying he had limited ability to respond.
This story is developing. FedScoop will update with new information as it becomes available.