FCC Chief: I Was Between a Rock and a Hard Place on Debunked DDoS Claim

Federal Communications Commission Chairman Ajit Pai wanted desperately to come clean to Congress after his agency wrongly blamed a deliberate cyberattack for overwhelming its public commenting system rather than a surge in public interest, he told lawmakers Thursday.

However, leveling with Congress would have meant undermining an internal watchdog investigation that concluded last week and that was considering criminal charges, Pai told members of the Senate Commerce Committee.

Given the conflict, Pai said, he decided to stay mum.

The May 2017 commenting system outage came after comedian John Oliver urged viewers to submit comments opposing new internet rules favored by the Trump administration that rolled back net neutrality. Those rules took effect in June.

The commenting system also failed during an earlier net neutrality debate in 2014 after a similar piece by Oliver – a failure that the commission publicly attributed to a dramatic public response.

After the 2017 outage, however, then-FCC Chief Information Officer David Bray claimed the system was brought down by multiple deliberate denial of service, or DDoS, attacks, a claim Pai repeated before Congress and elsewhere.

That claim was unfounded, according to the inspector general’s report, which faulted Bray but also faulted the agency more broadly for not sufficiently vetting the former CIO’s claims or responding appropriately to the alleged DDoS attack.

Pai responded to the report last week with a statement that laid most of the blame on Bray. Pai also faulted a culture “inherited from the prior administration” in which “many members of the Commission’s career IT staff were hesitant to express disagreement with the Commission’s former CIO in front of FCC management.”

Under questioning Thursday from Sen. Brian Schatz, D-Hawaii, Pai said he had early doubts about the DDoS explanation but was initially convinced by Bray’s confidence and the silence of other IT staff. After Pai learned the inspector general was questioning the DDoS claims, he said, there was no way to correct the record to Congress without undermining the investigation.

“The position I was in was: Do we breach the office of the inspector general’s request for confidentiality, in which case the accusation could be made we were jeopardizing an independent OIG investigation, including a potential criminal prosecution? Or do I adhere to the inspector general’s request?” Pai said. “That’s a difficult position to be in. I made the judgment that we had to adhere to the OIG request.”

Schatz, who has long questioned the DDoS explanation for the outage, was skeptical that Pai faced such a clear binary choice.

“I guess what I’m looking for is some measure of accountability as the chairman,” Schatz said. “I understand you were in a difficult position, but I can’t imagine there was not another way to thread this needle and deal with us in our oversight capacity.”

Pai replied that, if he had come forward and said the FCC no longer believed that a digital attack occurred, he could have “been accused of snipering an OIG investigation and potentially frustrating a criminal prosecution.”

According to the inspector general’s report, investigators referred the DDoS claim to the U.S. Attorney’s Office for the District of Columbia on Jan. 18 this year and the chief of the office’s fraud and public corruption section declined to prosecute anyone on June 7.

A spokesman for the People Centered Internet-Coalition coalition, where Bray now works, declined to comment on the report or the Senate hearing Thursday. An auto-response to Bray’s email address said that he is currently unable to respond to email in a timely way.