The Federal Communications Commission chairman has known that his agency's claims about being hit by DDoS attacks were false for more than six months, but he says he could not correct the record publicly because of an internal investigation that didn't wrap up until this month.

The FCC Office of Inspector General (OIG) issued its report on the matter last week, finding that the FCC lied to Congress when it claimed that DDoS attacks caused a May 2017 outage that temporarily prevented net neutrality supporters from filing comments opposing Pai's plan to kill net neutrality rules. The false claims were made primarily by former Chief Information Officer David Bray, and Bray's false statements were sent to Congress in attachments to letters that Pai wrote to lawmakers.

At an FCC oversight hearing held today by the Senate Commerce Committee, Sen. Brian Schatz (D-Hawaii) pressed FCC Chairman Ajit Pai on his failure to correct those false statements until this month.

Schatz said to Pai:

The CIO tells you it's a DDoS attack, and you basically declared to the world that it's a DDoS attack, including communicating with Congress that a federal crime has been committed. And the thing that I wonder about, given your expertise in the law and your expertise in tech, why didn't you entertain any of those quite reasonable doubts that were out there in the community and out there among your former colleagues in the tech community? It just seems odd that the moment your CIO says something, that you run with it and you ran with it quite aggressively all the way up until... last week when you said, "Well, I was duped." That's very hard to digest. I'm trying to figure out, did you ever have any doubt between the point at which your CIO told you something and the point at which the IG told you it was wrong?

Pai: “It was very hard to stay quiet”

Pai told Schatz that he wanted to correct his agency's false statements to Congress months ago but could not because of a request made by the OIG.

Pai told Schatz:

On January 23 of 2018, I was informed by my chief of staff, who had been informed by the Office of Inspector General, that they had suspicions that the former chief information officer's statements to us and to Congress were inaccurate. The OIG then requested, because they had referred this matter for potential criminal prosecution to the Department of Justice, "do not say anything to anyone."

Making false statements to Congress can be punished with fines or imprisonment, but the US Attorney's Office declined to prosecute any FCC employees, according to the IG report.

Pai argued that the OIG's report cleared him of any wrongdoing, because it found that the FCC's false statements were made by the CIO rather than the chairman's office. Pai told Schatz that he wanted to tell Congress earlier but was hamstrung by the OIG's request for secrecy.

"Once we knew what the conclusions were, it was very hard to stay quiet," Pai said. "We wanted the story to get out not only because it vindicated what we'd been saying, that we had relied on the chief information officer's representations, but also because otherwise we knew that members of this committee, including potentially you, would think, 'well, he knew something was wrong but he didn't tell us about it.'"

Pai said that going public earlier would have opened him up to accusations that he jeopardized an ongoing investigation. Pai said:

The position I was in was, "Do we breach the Office of Inspector General's request for confidentiality," in which case the accusation perhaps from members of this committee would be, "He's jeopardizing an independent OIG investigation including potential criminal prosecution," or do I adhere to the independent inspector general's request? It's a difficult position to be in; I made the judgment that we had to adhere to the OIG's request even though I knew we would be falsely attacked for having done something inappropriate.

Pai has also faced criticism from House Democrats who want him to respond, in writing, to a series of questions by August 28. Last week, Pai blamed the spreading of false information on Bray and other employees hired by the Obama administration and said that he isn't to blame because he "inherited... a culture" from "the prior Administration" that led to the spreading of false information.

Bray left the FCC in October 2017 and is now executive director of People-Centered Internet. He did not answer questions from Ars after the OIG report was released.

Video of today's hearing is available online. The exchange between Schatz and Pai begins at around 1:13:08.

Schatz: “I’m looking for... accountability”

Despite the OIG's instructions, Schatz was not convinced that Pai had no other options. Schatz said he wanted Pai to come clean earlier given "the context of a quite partisan, quite hot battle around net neutrality, and the legitimacy of the participation of the public in this net neutrality process."

"I guess what I'm looking for is some measure of accountability as the chairman," Schatz told Pai. "I understand you were in a difficult position, but I can't imagine that there was not another way to thread this needle and deal with us in our oversight capacity."

Schatz faulted Pai for not publicly giving credence to doubts raised by observers long before the OIG report came out. In May 2017, most observers assumed that the outage was caused by an influx of comments triggered by comedian John Oliver asking viewers of his program Last Week Tonight to oppose Pai's net neutrality repeal, Schatz noted:

What strikes me as difficult to digest is there was an unprecedented number of comments that came in after the first John Oliver show that overwhelmed the system [in 2014], and then there was another batch of unprecedented communications to the FCC website [after a John Oliver show in May 2017], and everybody figured that it was the same as last time, just intuitively. And then your CIO said that it was a DDoS attack, and yet [Sen.] Ron Wyden and I and others in the legislative ranks said that doesn't make any sense; the tech community said that doesn't make any sense. I think a lot of people's first instinct was that it didn't make any sense. I understand your reliance on your CIO; I don't blame you for that. My question is, did you have any doubt at any time before the [OIG] report came out a couple of weeks ago?

Pai answered that he initially assumed the outage was caused by the John Oliver-related surge in comments. "My assumption [in May 2017] was that it was John Oliver's viewers," Pai said.

Pai continued:

Senator, I did have doubts, which is why I asked our chief of staff, who then asked our CIO explicitly, "Is this the result of John Oliver's viewers?" He said and I quote, "We are 99 percent confident this was external folks deliberately trying to tie up the server." And he continued, "this was definitely high traffic targeted at ECFS [electronic comment filing system] to make it appear unresponsive to others." Later on, on July 24, I had a meeting in my office with certain IT staff. We asked them again, "Are you confident that this is what happened?" They said "yes," essentially replicating what the former CIO said in his statement.

Republicans go easy on Pai

Pai did not face any criticism from Republicans on the Senate Commerce Committee today about the FCC's DDoS lies. Committee Chairman John Thune (R-S.D.) mentioned the inspector general's conclusions in his opening statement and said he "look[s] forward to hearing how the commission will prevent this in the future." But Thune made that comment only after praising Pai for his "leadership to improve the openness and transparency of commission processes," and he did not ask Pai any direct questions about the false statements to Congress during the hearing.

Pai did receive criticism from FCC Commissioner Jessica Rosenworcel, the commission's only Democrat.

"Too often our procedures fall short of what good governance requires," Rosenworcel told the Commerce Committee. "Our claim that the agency suffered a distributed denial-of-service attack following John Oliver's report on our net neutrality plans was not credible, as demonstrated by last week's report from the FCC Inspector General. And in the meantime, the agency has ignored the fact that this public docket is flooded with fraud—including half a million comments from Russia and two million individuals with stolen identities."