The US Federal Communications Commission (FCC) has admitted that a cyberattack which allegedly took place during the height of the net neutrality debate did not exist.
The distributed denial-of-service (DDoS) attack was said to have taken place between May 7 – 8, 2017, at the same time that comedian John Oliver urged US citizens to flood the FCC’s Electronic Comment Filing System (ECFS) with their thoughts on the net neutrality debate.
The US agency said at the time that multiple DDoS attacks caused delays, disruptions, and prevented citizens from submitting their comments.
Former FCC Chief Information Officer (CIO) David Bray said at the time that the cyberattacks were “deliberate attempts by external actors” to make it “difficult for legitimate commenters to access and file with the FCC.”
No evidence or additional information on the attacks has ever been revealed to the public.
It now seems that the external threat actors, together with the DDoS attacks, were, instead, a complete fabrication.
An internal report, published by TechCrunch and released publicly on Tuesday, directly contradicted the US agency’s previous claims.
The document says that despite Congress and the public being told otherwise, the system crash was not the result of a DDoS attack.
Instead, “system design issues” meant the commenting system could not cope with the sheer volume of visitors urged by Oliver.
The report states: “At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability.”
“Rather than engaging in a concerted effort to understand better the systematic reasons for the incident, certain managers and staff at the Commission mischaracterized the event to the Office of the Chairman as resulting from a criminal act, rather than apparent shortcomings in the system.”
Spikes in Traffic
An investigation into the matter was conducted by the Office of the Inspector General (OIG) and found that spikes in traffic correlated to Oliver’s Last Week Tonight show.
Federal Communications Commission Chairman Ajit Pai said in a statement on Monday (.PDF) that the findings were “completely unacceptable” — laying the blame directly at Bray’s feet, alongside the Obama Administration.
“I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people,” Pai said.
The executive added that while he was disappointed that some working under the former CIO did not feel comfortable enough to raise queries over the situation and alleged DDoS, he was pleased that:
“This report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes.”
According to Pai, Bray had told the office that he, and those working beneath him, were “99.9% confident” that the system’s failure was caused by “some external folks deliberately trying to tie-up the server.”
The chairman has promised changes, starting with the revamp of the ECFS system, which has now been approved with funding from Congress.
In addition, Pai took the opportunity to comment on the operation of the office itself, alleging that he has “inherited from the prior Administration a culture in which many members of the Commission’s career IT staff were hesitant to express disagreement.”
Pai says that while this situation has improved over the course of the year, he hopes to encourage more staff to speak up and prevent a recurrence.
Despite promises to do better in the future, the moment of net neutrality repeal has passed. This has been highlighted by FCC Commissioner Jessica Rosenworcel, who said in a statement (.PDF) that the report simply says “what we knew all along,” that the cyberattack claims were “bogus.”
“Millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights,” Rosenworcel added.
Bray is now the director of People-Centered Internet (PCI). According to Ars Technica, the organisation said that he has not seen the report, nor been asked for any input.