FCC admits it was never actually hacked

The FCC has come clean on the fact that a purported hack of its comment system last year never actually took place, after a report from its inspector general found a lack of evidence supporting the idea. Chairman Ajit Pai blamed the former chief information officer and the Obama administration for providing “inaccurate information about this incident to me, my office, Congress, and the American people.”

The semi-apology and finger-pointing are a disappointing conclusion to the year-long web of obfuscation that the FCC has woven. Since the first moment it was reported that there was a hack of the system, there have been questions about the nature, scale and response to it that the FCC has studiously avoided even under direct Congressional questioning.

It was so galling to everyone looking for answers that the GAO was officially asked to look into it. The letter requesting the office’s help at the time complained that the FCC had “not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems.” That investigation is still going on, but one conducted by the FCC’s own OIG resulted in the report Pai cites.

The former CIO, David Bray, was the origin of the theory, but emails obtained by American Oversight in June show that evidence for it and a similar claim from 2014 were worryingly thin. Nevertheless, the FCC has continuously upheld the idea that it was under attack and has never publicly walked it back.

Pai’s statement was issued before the OIG publicized its report, as one does when a report is imminent that essentially says your agency has been clueless at best or deliberately untruthful at worst, and for more than a year. To be clear, the report is still unpublished, though its broader conclusions are clear from Pai’s statement. In it he slathers Bray with the partisan brush and asserts that the report exonerates his office:

I am deeply disappointed that the FCC’s former [CIO], who was hired by the prior Administration and is no longer with the Commission, provided inaccurate information about this incident to me, my office, Congress, and the American people. This is completely unacceptable. I’m also disappointed that some working under the former CIO apparently either disagreed with the information that he was presenting or had questions about it, yet didn’t feel comfortable communicating their concerns to me or my office. On the other hand, I’m pleased that this report debunks the conspiracy theory that my office or I had any knowledge that the information provided by the former CIO was inaccurate and was allowing that inaccurate information to be disseminated for political purposes.

Although an evaluation of Pai’s “conspiracy theory” idea must wait until the report is public, it’s hard to square this pleasure of the chairman’s with the record. At any time in the last year, especially after Bray had departed, it would have been, if not simple, then at least more simple than maintaining its complex act of knowledgelessness, to say that the CIO had made an error and there was no attack. Nothing like that has escaped the mouth of Chairman Pai.

One must assume the agency had reviewed the data. Bray left a long time ago; why did these subordinates of his fail to speak out afterwards? If the FCC had its doubts, why did it not say so instead of risking withering criticism by avoiding the question for months on end?

Some of the FCC’s reticence to speak out may have even been explained as part of the request by the inspector general not to discuss the investigation. That’s an easy out, at least for some of the time! But we haven’t heard that, that I know of at least, and it doesn’t explain the rest of the agency’s silence or misleading statements.

FCC Commissioner Jessica Rosenworcel urged everyone to move on with a quickness:

The Inspector General Report tells us what we knew all along: the FCC’s claim that it was the victim of a DDoS attack during the net neutrality proceeding is bogus. What happened instead is obvious—millions of Americans overwhelmed our online system because they wanted to tell us how important internet openness is to them and how distressed they were to see the FCC roll back their rights. It’s unfortunate that this agency’s energy and resources needed to be spent debunking this implausible claim.

Although moving forward is a good idea, accountability and an explanation for the last year of mystery would also be welcome.

Because it wasn’t a hack, it seems that the comment-filing system, though recently revamped, needs yet another fresh coat of paint to handle the kind of volume it saw during the net neutrality repeal. Plans for that are underway, Pai wrote. A separate investigation by the Government Accountability Office regarding fraud in the comment system will no doubt affect those plans.

I’ve contacted the FCC and its Office of the Inspector General for more information, including the report itself. I will update this post when I hear back.