FCC’s Ajit Pai to testify about debunked DDoS attack at Senate hearing

Federal
Communications Commission Chairman Ajit Pai is likely to face
some tough questions at a congressional hearing this
week.
Ethan Miller/Getty
Images

• Federal Communications Commission Chairman Ajit Pai
  should expect some tough questions at a Senate hearing last
  week.
• Last week, the agency’s inspector general released a
  report into an incident last year in which the FCC’s servers
  became unavailable during the comment period over Pai’s repeal
  of the agency’s net-neutrality rules.
• At the time of the outage, Pai and the FCC told
  Congress and the public that it had been caused by a
  cyberattack.
• The report
  found no evidence to back
  that assertion. 
  In fact, investigators
  believed agency officials made false statements to Congress,
  and referred the case to federal prosecutors.
• The incident could play into a court case filed by
  activists seeking to overturn Pai’s repeal.

---

Ajit Pai is going to be in the hot seat this week — as well he
should be.

The chairman of the Federal Communications Commission is
set to testify Thursday in front of a Senate oversight
committee. He’s certain to have to respond to questions while
there about false statements he and some of his subordinates made
to lawmakers about an incident last year in which the agency’s
computer systems got overwhelmed during the comment period for
its then-ongoing net-neutrality proceeding.

Pai has tried to distance himself from those false statements,
blaming
them on the agency’s former chief information officer, David
Bray. But lawmakers are sure to want to know when Pai knew the
statements were false and why he didn’t retract them earlier.

Perhaps more importantly, lawmakers may well try to delve into
the role the incident played in Pai’s effort to overturn the
FCC’s net-neutrality rules. And the incident and Pai’s answers
about it could factor into ongoing court battle over his repeal
of those rules.

Pai’s expected grilling comes as a result of his and his agency’s
response to the FCC’s server outage last year. At the time, the
FCC was soliciting public comments for Pai’s proposal to repeal
the agency’s net-neutrality rules.

Net neutrality is at the heart of the current controversy

As you probably know by now, net neutrality is the principle that
all data on the internet should be treated the same. The FCC’s
rules barred internet service providers from blocking, slowing,
or speeding access to particular sites and services.

The FCC’s servers were overwhelmed after comedian John
Oliver focused on the net-neutrality debate in an episode of
“Last Week Tonight.”
HBO

While widely popular with the public, the rules were vehemently
opposed by the big telecommunications companies and by some
anti-regulatory Republicans — most notably Pai, who vowed to
repeal them even before becoming the chairman of the FCC. He
launched that effort soon after taking over as head of the agency
under President Donald Trump.

After proposing his repeal last year, Pai followed agency
protocol and opened up his proposal to public comment. In May of
last year, comedian John Oliver made the repeal effort the focus
of one of the episodes of his show, “Last Week Tonight.” Oliver
supports net neutrality and explained in the episode why viewers
should too. At the end of the episode, he encouraged viewers to
tell the FCC to abandon its effort to repeal its rules and
provided a custom web site address that would redirect them to
the agency’s comment page.

Immediately after the episode aired, the FCC’s comment system saw
a spike in traffic, with the site unavailable to many users in
the wake. To outside observers, it seemed clear that the site’s
unavailability was likely a result of “Last Week Tonight”
directing its viewers to the FCC’s site for the purpose of
registering their objections to the net-neutrality repeal effort.

The FCC blamed the outage on a cyberattack

But that’s not how the FCC portrayed things. The day after the
episode aired, the agency issued a statement attributed to David
Bray, its CIO, that blamed the system problems on “deliberate
attempts by external actors to bombard the FCC’s comment system.”
Bray said the effort came in the form of “multiple distributed
denial-of-service attacks,” better known as DDoS attacks. 

The charge was a loaded one. DDoS attacks have become a fairly
routine way for hackers to make a website appear offline and
unavailable to its users. But launching one against a US
government server is a federal crime. So by alleging that a DDoS
attack had brought down the FCC’s server, Bray triggered an
investigation by the agency’s inspector general, working in
coordination with the FBI.

The DDoS charge also helped to distract attention from the
popular outrage against the repeal effort. Instead of everyone
talking about all the comments flooding into the FCC site
opposing the repeal, the headlines focused on how the FCC site
was the victim of an alleged cyberattack.

“This certainly was a potential distraction, and it certainly
cast a shadow over what was a really enormous response from the
public in support of net neutrality,” said Harold Feld, a senior
vice president at Public Knowledge, an advocacy group that
opposed the repeal effort.

Despite the FCC’s assertion, consumer groups and reporters who
cover the agency quickly challenged its story, and Democratic
senators pressed it for more details. Even though critics argued
that the incident had none of the telltale signs of a DDoS
attack, the agency under Pai stuck to its guns — and attempted to
undermine the naysayers.

In public, it lambasted critics who reported that it didn’t have
any documentation of the attack. Meanwhile,
Gizmodo reports that behind the scenes, the agency worked
with friendly reporters to get out the notion that the FCC had
seen a similar attack in 2014 when it was considering the net
neutrality rules Pai was now trying to overturn.

The investigation showed otherwise

It turns out, though, that the FCC wasn’t hit with a DDoS attack
last year and likely wasn’t affected by one in 2014. Released
last week,
the inspector general’s report makes clear its investigation
found no evidence of a such an attack last year, and the agency
has released no evidence for one in 2014.

Sen. Ron Wyden, D-Oregon,
is among the lawmakers who have scrutinized the FCC’s claim that
the outage was caused by a cyberattack.
Aaron P. Bernstein/Getty Images

But the situation is worse than that for Pai and his agency. The
investigation found that FCC officials had little basis for
making their statements that there had been such an attack.
Contrary to the officials’ assertions to members of Congress that
their analysis had led them to that conclusion, the investigation
found they had done no “substantive” analysis at all.

In fact, the paucity of evidence for the attack was so clear so
early on, that the investigation quickly swiveled from being an
inquiry into a cyberattack into an examination of whether and why
FCC officials misled Congress. In January, the inspector
general’s was concerned enough that a crime had occurred that it
referred the matter to the Department of Justice. The DOJ later
declined to prosecute.

But all of this raises questions about Pai’s role in promulgating
and promoting — and waiting more than a year to recant — the now
discredited DDoS story.

The incident makes Pai look incompetent — or worse

At best, Pai comes across as being incompetent. The inspector
general’s office was able to knock down the DDoS story by just
pressing the FCC’s technology administrators for more details
about the outage and finding that they had no evidence to support
their claim.

When Bray made a similar claim about an outage in 2014, the FCC
at the time didn’t broadcast his conclusion. Why? Because agency
officials at the time actually examined his assertion and
concluded he didn’t have any evidence for it, as Gigi Sohn, a
counselor to then-FCC Chairman Tom Wheeler,
recounted to Gizmodo.

But lawmakers this week are likely to wonder much more than why
Pai didn’t push Bray and his staff for more details about the
outage. They’re also likely to press him for more information
about when he himself realized that his previous statements to
Congress about the incident were false and why he didn’t alert
legislators earlier. If the inspector general’s office had reason
to believe back in January that false statements were made,
there’s a good chance Pai knew back then too. He didn’t say
anything to correct the record until last week — a day before the
report was released.

In his statement, Pai blamed Bray and, in turn, the Obama
administration, which hired Bray. He also gave an excuse for not
speaking earlier about the misstatements — the inspector general
had asked that he not say anything about the investigation while
it was ongoing.

“It’s almost like has a placard on his desk that says, ‘the buck
doesn’t stop here unless I want it to,'” said Matt Wood, a policy
director at Free Press, an advocacy group that also opposed the
net-neutrality repeal effort.

It remains to be seen whether Pai’s excuses will wash with
Congress. For his part, Feld doesn’t buy them, particularly when
it comes to renouncing the assertion about the DDoS attack. There
were plenty of ways and an ample amount of time for Pai to do
that without jeopardizing the investigation, he said.

“He had a responsibility to inform the Congress as soon as he had
doubts,” said Feld. “He had a responsibility to inform Congress
and to inform the public.”

“Instead,” Feld continued, “he kept quiet.”

The incident could play a role not just in Congress, but the
courts

The false statements about the DDoS attack and Pai’s delay in
retracting them could linger long past Thursday’s hearing. For
one thing, should the Democrats recapture one or more houses of
Congress this fall, they’re likely to subject Pai to much more
critical scrutiny going forward than have their Republican
colleagues. It also might make them more likely to press forward
with legislation that would effectively overturn his repeal.

[Pai] had a responsibility to inform the Congress as soon as he
had doubts

But the whole incident over the server outage could also play a
role in the legal battle over the repeal. Free Press, Public
Knowledge, and other groups have sued the FCC to try to overturn
the new rules, which the agency passed in December and which
basically remove all net-neutrality protections.

When considering new rules, the FCC is required by law to take
public comments into account. As part of the case the groups are
making against the rules, they plan to argue that the agency
didn’t, in fact, make a good-faith effort to do that. Instead,
they plan to argue that it failed in its duty to seriously gather
and consider the public’s comments.

The groups will point at numerous examples of this, but one of
the examples will be the agency’s inability to handle the
comments coming in from “Last Week Tonight” viewers and falsely
ascribing that inability to a DDoS attack.

“If that were only thing, it wouldn’t be fatal on its own,” said
Feld. “But it’s part of a general pattern of the FCC failing to
conduct the process in an above-board way that adequately gave
the public a genuine opportunity to be heard.”

That’s why this is unlikely to be the last you hear about this
incident. Although, after Thursday, Aji Pai may wish he’d never
heard about it in the first place.