Analysis The debacle surrounding a false cyberattack on US federal regulator the FCC is heading to Congress, with politicians accusing its chairman of a "dereliction of duty."
Four Democrats on the House Energy and Commerce Committee sent a letter [PDF] to Ajit Pai in advance of a hearing this Thursday demanding to know what he knew about the claimed attack and when he knew it.
A report by the FCC's Inspector General this month confirmed what most already suspected: that the collapse of the FCC's public comment system over the controversial net neutrality reversal wasn't a distributed denial of service (DDoS) attack – as the regulator claimed - but the result of a wave of people directed to the website by a TV program that was critical of the proposal.
Despite the official report [PDF] placing the blame for the false claims at the door of the FCC's former CIO and CISO, in the hyper-partisan world of Washington DC, lawmakers have decided to try to turn it into an attack on the Republican chair, Ajit Pai.
"We are deeply disturbed by the Federal Communications Commission's (FCC) Inspector General's Report of Investigation into the alleged distributed denial-of-service attacks," the letter to Pai reads.
"Given the significant media, public, and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IO's Report was the first time that you and your staff realized that no cyberattack occurred."
It then goes on to attack Pai personally, stating: "Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence."
Others have gone further, with net neutrality advocacy group Fight for the Future calling Pai "an embarrassment", accusing him of lying, demanding his resignation and arguing that the false accounts should cause Congress to "act immediately to overrule Ajit Pai's corrupt gutting of net neutrality."
While such aggressive tactics are not entirely surprising given Pai's own aggressive rhetoric against Democrats, and Fight for the Future in particular, they are nevertheless misguided.
While Pai has pushed through numerous questionable changes at the FCC, most controversially a series of changes seemingly designed to help media giant Sinclair Broadcasting, and although his actions on net neutrality have fallen far below what you would expect from the head of a federal regulator, in this case, Pai acted pretty much how you would hope and expect him to.
The FCC Inspector General report was unsparing in its criticism of the regulator, noting that despite repeated claims to the contrary there was no evidence that the FCC's IT team had properly analyzed the flood of requests to the comment filing system before concluding that it had been subject to a cyberattack.
The obvious cause of the system falling over was the result of a cable show – Last Week Tonight with John Oliver – actively encouraging viewers to visit the FCC site and lodge their views.
Logs of the FCC's systems showed a clear spike in traffic the moment that the show urged viewers to contact the FCC through a redirected domain name (gofccyourself.com), and other related spikes when the show reiterated its call over social media.
Regardless, Chief Information Officer (CIO) David Bray told FCC management that it had fallen over because "some external folks attempted to send high traffic in an attempt to tie-up the server from responding to others."
In fact Bray misread the situation entirely and decided that 4Chan - "which is a group affiliated with Anonymous and the hacking community" - was behind a denial of service attack based on the logic that "normal folks cannot manually file a comment in less than a millisecond over and over and over again, so this was definitely high traffic targeting." He had in fact misunderstood his own systems and was misreading the logs.
Ajit Pai's chief of staff David Berry was not convinced of this explanation, and asked for an assurance that it was an actual attack. "Are you confident it wasn't a bunch of John Oliver viewers?" he asked Bray directly in an email. Bray told him in response: "Yes, we’re 99.9 per cent confident this was external folks deliberately trying to tie-up the server."
As a result, faced with demands to explain why its system had fallen over, the FCC put out a statement the next day based on its CIO's conclusions. Despite Bray's assurances, the FCC release noted explicitly that its statement came from him and not the organization or the chair.
"Federal Communications Commission Chief Information Officer Dr. David Bray issued the following statement today regarding the cause of delays experienced by consumers recently trying to file comments on the FCC’s Electronic Comment Filing System (ECFS)," it started, before quoting him: "Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos)…"
Bray was of course wrong. But the report notes that one factor in the confusion may have been the fact that the FCC did not inform him that the TV show had actually warned the FCC ahead of time that it would be running a segment and that they might experience significant traffic that same day.
"During our interview with Tony Summerlin, Summerlin said: 'Bray was furious that he had not been informed about the John Oliver episode'," the report notes.
There was confusion over the exact time that the "attack" started – Bray became convinced it started earlier than the TV show when it fact it directly coincided. And then there was the fact that Bray continued to insist his team had carried out an "analysis" of the traffic but the inspector general's report noted there wasn't one.
"We expected to obtain and review the analysis referenced by Bray in the press release and to obtain and review logs and supporting documents for that and subsequent analyses," the report notes. "However, we learned very quickly that there was no analysis supporting the conclusion in the press release, there were no subsequent analyses performed, and logs and other material were not readily available."
This problem – where the organization's IT team was assuring management it had carried out an analysis and reached the correct conclusion – was continued in subsequent discussions and meetings. Even during the inspector general's investigations, FCC chief information security officer Leo Wong continued to insist that the conclusions were right, particularly when it came to the timing of the "attack."
The report also criticized Wong for misrepresenting a meeting between the FCC's IT staff and the FBI – which had been called into to discuss whether the attack warranted their attention.
There is a lot more detail in the report but the upshot is that, as big a debacle as it was, neither FCC chair Ajit Pai nor his immediate team, were responsible for the mess. They were in fact doing a professional job in difficult circumstances. They had:
- Sought an immediate explanation for the system falling over from the person in charge of the system.
- Double-checked that explanation before putting out a statement as soon as possible.
- Put out a statement specifically from the CIO rather than the organization itself of the chair – indicating a level of continued uncertainty
- Asked the FBI to talk to the FCC's IT team to see if they should get involved.
- Responded to lawmaker's requests for information by directing communications staff to talk directly to IT staff – and then allowed that information to go out without interfering with it.
- Held back from noting their own skepticism despite a critical roasting in the press and Congress, relying on the word of their own staff.
Although chair Pai was almost certainly informed about what was happening in general terms, the inspector general report appears to show that he did not micro-manage or over-involve himself in the process but instead trusted his IT and communications staff to handle what was a pretty embarrassing incident for the organization.
It appears as though Pai and his team were also open and compliant with the subsequent investigation by its inspector general (IG) – there doesn't appear to be any coded wording in the report that suggests otherwise – and it looks as though the IG was given all the assistance he needed to get to the bottom of things.
And then, when it emerged that Bray had clearly misled FCC management about the cause but more importantly about the fact that he had carried out a detailed analysis when he had not, he was replaced as CIO with no fuss and at the same time as there was a series of other changes at the organization. In other words, Pai didn’t hang him out to dry over a mistake.
All of which points to the sort of executive behavior that you would expect from an official in a powerful position. In fact, it may be the most professional that Pai has actually been since taking over the role. As obnoxious and puerile as he frequently is at public meetings and talks, Pai may be a good crisis leader, calm when others are losing their minds.
Denial of denial-of-service served: There was NO DDoS on FCC net neutrality commentsREAD MORE
The same crisis leadership was demonstrated when the question over approval of the Sinclair-Tribune merger reached his desk. Rather than push ahead and tie the regulator up in an unnecessary controversy, Pai took the decision to refer it to an independent administrative court – a decision that cost him political points, particular with the White House.
Of course once the crisis was over and the inspector general report on the "DDoS attack" was imminent, Pai reverted back to type, slamming Bray in a statement put out before the actual report was released.
"I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people," ranted.
"This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office."
He went on: "On the other hand, I’m pleased that this report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes."
Now the Democrats and net neutrality advocates are trying to make hay out of this situation – where a federal regulator was completely wrong about the cause of an embarrassing failure of its own systems.
And the FCC should be embarrassed. Particularly over the fact that FCC leadership consciously ignored a clear majority of comments that were opposed to its plan because it wasn't in their interests to do so.
That is a shameful failure of an organization that is supposed to be doing serious policy work in support of the American people rather than push through ideological positions or support the interest of large corporations.
But when it comes to the DDoS fake attack, it would be far better for critics to recognize that in this case the FCC chair and his team did what was right, even though it proved to be a disaster. ®