Following the release of the Office of the Inspector General’s report detailing how the alleged cyber attack crashing the Federal Communications Commission’s public comment system likely didn’t happen, Chairman Ajit Pai testified before the Senate Commerce Committee Thursday morning and deflected questions about the site’s crash by talking about Russian infiltration and fake accounts.
“Our claim that the agency suffered a DDoS attack following John Oliver’s report on net neutrality is not credible,” he told the committee. “And in the meantime this agency has ignored the fact that this public docket is flooded with fraud, including half a million comments from Russia and two million visit with stolen identities. I believe these things need to be fixed.”
The OIG report found that “FCC traffic (bytes) delivered increased by 3,116% over normally observed levels” after John Oliver of the Last Week Tonight show encouraged viewers to support net neutrality though the FCC’s public comment filing system.
Email correspondence between the FCC’s CIO at the time, David Bray, and FCC contractors showed that Bray immediately suspected foul play, but did not conduct the investigation necessary to confirm the suspicion.
In June 2014, the FCC — then under the jurisdiction of the Obama administration — said a similar crash happened when John Oliver encouraged viewers to comment regarding net neutrality. In a conference call to reporters in April 2017, Pai said the comment system has suffered from malicious activity in the past.
Sen. Brian Schatz (D-Hawaii) pressed Pai on how he handled the incident and asked why he didn’t tell the committee earlier that the cyber attack wasn’t a cyber attack, but Pai referred to the OIG’s ongoing investigation as the reason for remaining silent, saying he didn’t want to “stifle” the investigation.
“You declare to the world it was a DDoS attack, including communicating with Congress that a federal crime has been committed, and the thing I wonder about is given your expertise in the law and expertise in tech, why didn’t you entertain any of these quite reasonable doubts that were out in the community, out there among your former colleagues in the IT community?” Schatz asked. “It just seems odd that the moment your CIO says something you run with it, and you ran with it quite aggressively up to … the last week or the week before. That’s very hard to digest. Did you ever have any doubt between the point your CIO told you something was wrong and and the point at which the IG told you it was wrong?”
To which Pai replied, “I did what I thought was the right thing to do, which was stick by the OIG recommendation.”
Schatz also called Pai out for not answering the letter from him and Sen. Ron Wyden (D-Ore.) requesting more information following the FCC’s announcement of the cyber attack in May 2017.
“Did it ever occur to you to amend your statements and say, ‘I’ve got these doubts now, I’d like to modify my statements, in fact, I’d like to answer the letter that you sent me’?” Schatz asked.
“Because they had referred this matter for potential criminal prosecution, [the OIG said] do not say anything to anyone,” Pai replied.
While an inundation of malicious comments from Russia and fake accounts may have caused the comment system to crash, the OIG report was inconclusive about what exactly happened at the time of the incident, May 7-8, 2017.
Sen. Maria Cantwell (D-Wash.) then said she hopes the FCC is focusing on cybersecurity to better protect consumers and helping to lead cybersecurity initiatives, but “more importantly that this outlet is not just a front door portal for more attacks.”
But Pai said the FCC does not have the authority to address cybersecurity issues.
“Under current law, we are to operate under a consultative role with the Department of Homeland Security and other intelligence,” he said.
Commissioner Jessica Rosenworcel disagreed, telling Cantwell that the FCC does not need “additional authority” to tackle cybersecurity issues in the private sector.
“I think it’s part of our duty as public servants,” she said. “The first duty of the public servant is the public safety. Cybersecurity should be part of everything we do.”