
A Straightforward Timeline of the FCC's Twisty DDoS Debacle

For anyone watching the net neutrality debate unfold, it feels like a never-ending, ever-evolving complicated saga of a complicated topic. So, here’s one more tick to track in the timeline: earlier this month, the Federal Communications Commission’s Office of the Inspector General released a report saying the agency misled Congress and the public last year when it claimed its site was the victim of a cyberattack in 2017.

This particular drama started last year, when comedian John Oliver urged viewers of his show, Last Week Tonight, to file comments through the FCC's website asking the FCC to preserve its net neutrality rules. The next day, the FCC's site went unresponsive. Rather than blaming the traffic generated by Oliver's show, the FCC claimed it was the victim of a "distributed denial of service," or DDoS, attack, meaning that someone had deliberately tried to overload its servers and cause them to crash.

Security experts, journalists, and Congress immediately questioned the claim, but FCC chair Ajit Pai assured both houses of Congress that the agency had evidence of an attack. Now, the FCC's Office of the Inspector General is saying those claims, which were written in part by former FCC chief information officer David Bray, were misleading. "At best, the published reports were the result of a rush to judgment and the failure to conduct analyses needed to identify the true cause of the disruption to system availability,” the report concludes. “Rather than engaging in a concerted effort to understand better the systematic reasons for the incident, certain managers and staff at the Commission mischaracterized the event to the Office of the Chairman as resulting from a criminal act, rather than apparent shortcomings in the system."

In a statement ahead of the public release of the OIG report, Pai placed the blame for misleading Congress on Bray. "I am deeply disappointed that the FCC’s former Chief Information Officer (CIO), who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people," Pai wrote. "This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office."

Then, this week FCC chair Ajit Pai told the Senate that he knew the inspector general's office considered the explanation given to Congress misleading as far back as January, but was asked not to discuss the issue with anyone because of a potential criminal investigation into the matter.

Although the OIG report doesn't suggest that Pai deliberately misled Congress, it doesn't let FCC management off the hook entirely. According to the report, management knew in advance that Oliver was planning a net neutrality segment, but says there is no evidence that they shared this information with the IT staff, despite the fact that an episode of the show may have taken down the agency's comment system before.

Understanding the ins and outs of what went on, and who knew what and when, is confusing, so we've arranged a timeline of events to help explain, starting back in 2014, when, in a sort of deja vu moment, the FCC comment site crashed following a clip by John Oliver and Bray told the press that it was the result of a DDoS attack.

June 1, 2014: On his show Last Week Tonight, comedian John Oliver calls on viewers to file comments in support of net neutrality through the FCC's website. The FCC's comment system experienced an outage shortly after, and a spokesperson blamed "high volumes of traffic." In the following weeks, then FCC CIO David Bray frequently highlights the agency's aging software: the commenting system was nearly two decades old at the time.

June 10, 2014: Citing an anonymous source, Vice Motherboard reports that the outage was caused by a DDoS attack. The FCC quickly denied that the outage was caused by a malicious attack. Four years later, Gizmodo reports that Motherboard's source was David Bray.

July 15, 2014: The FCC comment system goes down again ahead of the deadline to file a comment on the net neutrality proposal the FCC was considering at the time. The agency once again blames "heavy load" for the outage.

October 14, 2015: Bray tells Radio News that the agency had migrated more than 200 servers to a commercial cloud provider as part of an effort to modernize its infrastructure.

January 23, 2017: Ajit Pai is appointed FCC chair.

Spring, 2017: A producer for Last Week Tonight contacts the FCC regarding a follow-up segment on net neutrality. According to a recently released report from the FCC’s Office of the Inspector General (OIG), FCC management declined to speak with the producer, and there's no record that anyone alerted Bray or the agency's IT staff that another television segment was in the works.

May 7, 2017: John Oliver once again encourages viewers to file comments through the FCC, this time presenting two different URLs that forward users directly to the relevant page on the FCC's website.

May 8, 2017: The FCC comments site crashes. That same day, Bray, then still the FCC CIO, issues a press release claiming that the agency's analysis concluded that morning’s outage was caused by a DDoS attack, despite, according to the OIG report, being warned by an expert that the outage was probably caused by traffic generated by the television segment and not a DDoS attack. The OIG would later conclude that the outage was actually likely due to a 3,116 percent increase in traffic to the FCC comment system between May 7 and May 8, 2017.

May 9, 2017: Senators Ron Wyden (D-Oregon) and Brian Schatz (D-Hawaii) send Pai a letter requesting more information about the alleged attack.

June 5, 2017: Nextgov reports that Bray will leave the FCC in late July, 2017. Bray eventually takes a job as executive director of the non-profit People-Centered Internet initiative.

June 15, 2017: Pai sends a letter partially authored by Bray to the Senators calling the outage a "non-traditional DDoS attack." According to the OIG report, this letter contained a number of misleading technical claims, and misstated the timing of the comment system outage.

June 21, 2017: The OIG opens an investigation, initially into whether computer crimes had been committed and, if so, who committed them. But the investigation soon expands to determine what had caused the outage, what steps the FCC took in response, and the agency's explanation of the event.

July 19, 2017: Gizmodo reports that in response to a Freedom of Information request for more information about how the FCC concluded that the outage was caused by a malicious attack, the agency claimed not to have any records of its analysis of the incident.

July 24, 2017: Pai takes a meeting with acting FCC CIO Christine Calvosa and FCC IT contractor Tony Summerlin, who reaffirmed Bray's account and did not indicate any disagreement with Bray's assessment, according to Pai's response to the Inspector General's report.

January 4, 2018: Concerned about laws against lying to Congress, the OIG refers its investigation into the response to the outage to the United States Attorney’s Office for the District of Columbia. Pai later claims that he was asked at this time not to discuss the investigation with anyone.

June 5, 2018: In a blog post published in response to a Gizmodo story about emails Bray sent to reporters in 2017, Bray claims that "whether the correct phrase is denial of service or “bot swarm” or “something hammering the Application Programming Interface” (API) of the commenting system — the fact is something odd was happening in May 2017."

June 7, 2018: The US Attorney's Office declines prosecution, according to the Inspector General report.

August 6, 2018: Pai releases a statement blaming Bray for providing inaccurate information.

August 7, 2018: The OIG publishes its report concluding that, at best, the FCC rushed to judgement and failed to conduct appropriate analysis.

August 16, 2018: At a Senate oversight hearing, Pai confirms that he knew about the OIG's conclusion in January, but didn't update Congress because he was asked not to discuss the issue with anyone.
