Gizmodo reports that the Federal Communications Commission (FCC) intentionally misled the press about an alleged cyberattack. Internal emails have revealed that senior officials at the FCC are looking for ways to cover up the speculation that such a cyberattack was carried out by the FCC itself.
When John Oliver, host of HBO’s Last Week Tonight, urged his viewers to flood the commission’s website with comments in support of net neutrality, the FCC’s system overloaded. The FCC originally blamed the crash on a series of distributed denial-of-service (DDoS) attacks, but net neutrality believed from the beginning that this was a falsehood concocted to vindicate them from their inability or disinclination to keep the system online during a surge of public comments.
A similar crash occurred in 2014 when Oliver told his viewers to flood the Obama-era FCC then led by Democrat Tom Wheeler. Wheeler claimed that the crash was a result of internet traffic surge that their out-of-data infrastructure could not handle, never blaming the incompetence on a malicious attack.
In May 2017, however, Trump-appointed FCC chairman Ajit Pai claimed that the 2014 crash was a result of a cyberattack carried out by DDoS. David Bray, who served as the FCC’s chief information officer from 2013 until June 2017, claimed that their was a DDoS attack involved in the 2014 crash as well, and that Wheeler, concerned that other agencies would begin to blame incompetencies on cyber attacks, actively tried to cover it up.
“That’s just flat out false,” said Gigi Sohn, former counselor to Chairman Wheeler. “We didn’t want to say it because Bray had no hard proof that it was a DDoS attack. Just like the second time.”
Bray, who was in charge of the comments section at the time, was later revealed as the anonymous source that clued reporters in on the fact that the 2014 crash was the result of a malicious attack. Multiple FCC sources—including a security contractor who worked on the comment system at the time—have confirmed that there is no evidence of such an attack.
“The security team was in agreement that this event was not an attack,” a former FCC security contractor told Gizmodo of the 2014 outage. “The security team produced no report suggesting it was an attack. The security team could not identify any records or evidence to indicate this type of attack occurred as described by Bray.” The FCC has been unable to produce any concrete evidence in support of Bray’s claims.
Gizmodo filed a Freedom of Information Act request last July, but the commission refused to release more than 200 pages regarding the incident. They claimed in a formal letter that while its IT staff had observed a cyberattack taking place, those observations “did not result in written documentation.” Regarding the 2017 incident, the FCC redacted every internal conversation in the more than 1,300 emails released to American Oversight, every discussion between staff last year regarding how to respond to inquiries about the incident from U.S. senators and members of the press, as well as an internal newsletter from the day after the agency claims it was attacked.
BuzzFeed reporter Kevin Collier has brought a lawsuit forward against the agency and plans to challenge these redactions in court. The commission justifies redactions through either attorney-client communications or deliberative process privilege.
“Some of these messages are probably correctly redacted, but avoiding potential embarrassment is not a legitimate reason for the government to conceal an email,” Austin Evers, American Oversight’s executive director, said. “We were skeptical of the FCC’s explanations about its online comment system issues last May, and it’s clear that we still don’t have the full story about what happened.”
“I have seen no evidence of a DDoS attack on the FCC comment system,” said FCC Commissioner Jessica Rosenworcel. “But I did see millions of Americans write in to the FCC to stop its misguided effort to roll back net neutrality. It’s time for the agency to own up to what really happened.”