FCC Avoids Prosecution Denies DDoS for Lying to Congress

Despite the punishment for providing false information to Congress carrying a penalty of fines or imprisonment, the US Attorney’s office has declined to prosecute the US Federal Communications Commission’s (FCC) employees for their dishonesty.

The FCC has admitted to there being no existence of a previously claimed distributed denial-of-service (DDoS) cyber attack against their commercial cloud hosts during 7-8 May 2017. According to the Inspector General’s report, the FCC provided a factually incorrect and misleading report to members of Congress that deliberate and coordinated attacks on their online commenting system caused delays, crashes and prevented legitimate users from voicing their views.

The office of the CIO previously lashed out the “complete irresponsibility” of the media in claiming the FCC had no evidence of a distributed denial-of-service (DDoS) attack against the agency’s public comments system. They asserted they had well-documented logs from their commercial cloud partners.

FCC Chairman, Ajit Pai, blamed the Obama administration and then FCC CIO David Bray for the lies contained in a letter to Congress. Pai absolved himself of the blame for the FCC’s dishonesty and accused the former CIO of proving inaccurate information to the FCC, Congress and the American people.

The IG, however, found no evidence of coordination or intent behind the increased traffic hitting the FCC’s comment system. The cause of the crash was attributed to poor system design resulting in an inability in handling the influx of comments opposing Pai’s net neutrality plan. The massive increase in comments followed an appeal from comedian John Oliver on his Last Week Tonight show that requested viewers to voice their discontent over Pai’s net neutrality repeal.

Regardless of being advised that the increase in comments was a result of the request made by Oliver and occurring after the show was aired, David Bray insisted that the “attacks” were a malicious attempt to prevent access and engagement between commenters and the FCC.

Statement A:

The FCC stated that they suffered a non-traditional DDoS attack that specifically targeted the comment filing system application programming interface (API). This interface is separate from the website and is normally utilized by bulk entries by bots.

The IG concluded that this statement is incorrect and no evidence of the API being targeted exists.

Statement B:

The FCC stated that the peak activity of the attacks began at 23h00 (EST) on May 7, 2017.

The IG reported that this statement is false as the increased activity commenced at 23h30, after the start of the Last Week Tonight Show. The IG concluded that the falsification of the time of the attacks was an attempt to show they were not related to the request made by John Oliver on his show.

Statement C:

The FCC stated that they analyzed logs and verified that the attacks were from automated bots and not individual IP addresses. They further stated that other indicators of harmful intent were found.

The IG refuted these claims by stating that no evidence that the FCC had conducted any investigation or analysis was found.

Statement D:

The FCC stated that reporting and discussions with the FBI revealed that further action would be taken by the FBI if new evidence increased the severity of the crime.

The IG refutes this statement with a comment from the FBI that the severity of an incident has no bearing on whether a crime was committed or not.

The internal report further found that some managers and staff at the FCC chose to attribute blame to external criminal activity rather than acknowledging and addressing the cause of the systemic failure brought about by the volume of comments posted.

Pai highlighted that the FCC has suffered a culture in which subordinates were afraid to express disagreement with their superiors. He has committed to changes in the organizational culture and to technical upgrades to the comment filing system to prevent similar incapacity.