The Federal Communications Commission lied to members of Congress multiple times in a letter that answered questions about a "DDoS attack" that never happened, an internal investigation found.

The FCC made false statements in response to a May 2017 letter sent to FCC Chairman Ajit Pai by Sens. Ron Wyden (D-Ore.) and Brian Schatz (D-Hawaii). Pai sent a response to Wyden and Schatz the next month but apparently didn't make the false statements himself.

Pai's letter to Wyden and Schatz included an attachment in which then-FCC CIO David Bray responded directly to the senators' questions. This part of the letter contained multiple false and misleading statements, according to the FCC Inspector General's report released yesterday. The second half of this article will detail each of these false and misleading statements.

"[W]e determined the FCC, relying on Bray's explanation of the events, misrepresented facts and provided misleading responses to Congressional inquiries related to this incident," the IG's report said.

Making false statements to Congress can be punished with fines or imprisonment, but the US Attorney's office declined to prosecute any FCC employees, according to the IG report.

Pai yesterday said the investigation "debunks the conspiracy theory" that Pai himself was to blame for the FCC spreading false information. But even as lawmakers, reporters, and pro-net neutrality groups questioned the FCC's false claims last year, Pai's office scolded journalists who asked the FCC to publicly provide evidence.

After news reports in July 2017 about the FCC lacking documentation of the DDoS attack, Pai's office told journalists that such reports were "completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners."

But in reality, the FCC had "no evidence" of any "coordination and intent" behind the traffic hitting the comment system, the IG's office found. "In order to assess incoming traffic as a DDoS, we need to identify coordination and intent," the IG's report said. "We found no evidence of such coordination."

System’s poor design—not DDoS—led to outage

Contrary to the FCC's repeated assertions, the agency's public comments system went down on May 7 and 8 in 2017 because it wasn't designed well enough to handle traffic from commenters opposing Pai's plan to eliminate net neutrality rules. People were submitting comments en masse after comedian John Oliver asked viewers of his program Last Week Tonight to oppose Pai's net neutrality repeal.

Bray seemingly didn't want to admit Oliver's role in the outage. "Bray regularly complained about the John Oliver episode for the remainder of his time as the FCC CIO," the IG report said, attributing that detail to Tony Summerlin, an IT contractor who served as a senior advisor to Bray.

The IT team was unprepared for the rush of traffic caused by the John Oliver show. A producer from Oliver's staff contacted Pai's office about the show days before it ran, but Pai's staff didn't respond and apparently didn't inform the IT department about the upcoming show.

"Bray was furious that he had not been informed about the John Oliver episode," Summerlin told the IG's office. Summerlin "also confirmed that Bray did, in fact, believe the John Oliver episode was to blame for the May 7 event," the IG's report said.

Despite that, Bray issued a statement on May 8 saying, "Our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC's comment system with a high amount of traffic to our commercial cloud host."

Pai's Chief of Staff Matthew Berry told investigators that he "assumed the Oliver segment was the cause of the increased traffic on ECFS [Electronic Comment Filing System], but Bray told him that wasn't so."

Investigation changed focus

The IG's investigation initially focused on who was behind the alleged attacks, but "shifted into an investigation of false statements made by Bray, Tony Summerlin, and [FCC Chief Information Security Officer] Leo Wong in responses to congressional inquiries," the IG report said.

In Pai's letter to Wyden and Schatz, the attachment with Bray's answers included "several specific statements that we believe misrepresent facts about the event or provide misleading information," the IG found.

"Because of the possible criminal ramifications associated with false statements to Congress," the IG's office said it "formally referred this matter to the Fraud and Public Corruption Section of the United States Attorney's Office for the District of Columbia (USAO-DC) on January 4, 2018, and provided a briefing to the Chief of the Fraud and Public Corruption Section USAO-DC on January 18, 2018."

However, "[o]n June 7, 2018, after reviewing additional information and interviews, USAO-DC declined prosecution," the IG report said.