You might recall that when HBO comedian John Oliver originally addressed net neutrality on his show in 2014, the FCC website crashed under the load of concerned consumers eager to support the creation of real net neutrality rules. When Oliver revisited the topic last May to discuss FCC boss Ajit Pai's myopic plan to kill those same rules, the FCC website crashed under the load a second time. Both instances did a fantastic job highlighting how satire often tops traditional journalism in driving interest toward what can often be rather wonky tech policy issues.
But then something weird happened. In the midst of all the attention Oliver was receiving for his segment, the FCC issued a statement (pdf) by FCC Chief Information Officer David Bray, claiming that comprehensive FCC "analysis" indicated that it was a malicious DDoS attack, not angry net neutrality supporters, that brought the agency's website to its knees:
"Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC’s comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC."
But this claim that a DDoS disabled the FCC website at coincidentally the exact same time Oliver's segment was airing raised a few eyebrows among security experts, who noted they saw none of the usual online indicators pointing to a DDoS attack, nor any evidence of an attack via publicly-available logs. Security analysts noted the FCC provided no evidence to support their claim of an attack, and the agency has consistently and repeatedly refused to offer any additional hard detail, despite being prodded by several Senators on the subject.
Hoping to glean a little more information, Gizmodo recently filed a FOIA request asking for server logs or documents offering more insight into this supposed attack. What they found is that the FCC never conducted said "analysis" of the attack in the first place:
"The FCC now tells Gizmodo, however, that it holds no records of such an analysis ever being performed on its public comment system; the agency claims that while its IT staff observed a cyberattack taking place, those observations “did not result in written documentation."
Gizmodo's FOIA request asked for "all communications between employees in the offices of Chairman Ajit Pai and Commissioner Michael O’Rielly" concerning the alleged cyberattack, as well as copies of "any records related to the FCC 'analysis' (cited in Dr. Bray’s statement) that concluded a DDoS attack had taken place." What they got instead was 17 pages of heavy redactions and nonsense (including several user complaints about what Pai's been up to) and a rotating crop of excuses for why the FCC couldn't be more transparent about the alleged attack:
"The agency cited a variety of reasons for why it was refusing to release 209 documents related to the purported DDoS attack. Some of the records, it says, contain “trade secrets and commercial or financial information” which it deems “privileged or confidential,” citing the Trade Secrets Act. Other documents were withheld in an effort to “prevent injury to the quality of agency decisions,” citing a FOIA exemption that typically protects attorney-client communications but also extends to documents that reflect “advisory opinions, recommendations and deliberations” as part of the government’s decision-making processes."
It didn't take long for news outlets to highlight the FCC's refusal to be clear about what happened, prompting the agency to e-mail this press release to reporters, deriding said reports as "completely irresponsible":
"Media reports claiming that the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system are categorically false. In its FOIA request, Gizmodo requested records related to the FCC analysis cited in Dr. David Bray’s May 8 public statement about this attack. Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing. Indeed, analysis was made public in response to a request from Capitol Hill.
“Moreover, the FCC has never stated that it lacks any documentation of this DDoS attack itself. And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners."
But while the FCC's statement proclaims the agency has oodles of documentation detailing the supposed DDoS (it just doesn't want to reveal it), that's the precise opposite of what the agency is telling reporters that have filed FOIA requests to get a hold of it:
The FCC in response to FoIA request: No "written documentation."
FCC PR: "voluminous documentation" that we refused to provide to Gizmodo pic.twitter.com/iMKPMnTJKC
— The real Jon Brodkin (@jbrodkin) July 20, 2017
So it seems like there's two options here. One is that there really was some kind of non-traditional DDoS attack, but the agency failed to conduct a detailed written analysis of what caused it, and despite boss Ajit Pai's breathless dedication to transparency, has zero interest in being up front about it.
The other possibility is the entire attack narrative was poorly-constructed bullshit, feebly designed to try and deflate the "John Oliver effect" in the media and downplay the volume of consumers pissed off about what Ajit Pai is up to. And now that Senators and reporters are pushing harder for actual evidence, the FCC is having to engage in some comical tap dancing to obfuscate the fact it made up a DDOS attack as a lame (and ineffective) PR ploy.
The former's certainly possible, but the latter's also in character. Either way, expect this and the agency's willful disregard of comment proceeding fraud to pop up in the inevitable lawsuits awaiting Ajit Pai when he rams through the final net neutrality killing vote later this year.