In a blistering report, the Federal Communications Commission's Office of Inspector General not only faulted agency staff for providing inaccurate statements about disruptions to the FCC's online comments system in 2017, it also revealed that the OIG referred its findings to the Department of Justice.
The report said the agency's claim that it was the victim of a cyberattack in the incident was unfounded and that FCC staff did not respond internally as if such an attack had occurred at the time.
The DOJ ultimately declined to prosecute what the FCC inspector general's office had flagged as potential criminal ramifications related to misinformation given to federal lawmakers about the systems disruption.
The investigation stems from a May 2017 incident in which the FCC's online comment system began experiencing disruptions in advance of a commission vote on net neutrality rules. At the time, David Bray, who served as chief information officer at the agency, claimed the delays were the result of "deliberate attempts by external actors to bombard the FCC's comment system."
The OIG's newly released report found that the issues were actually caused by a combination of "system design issues" and high traffic that resulted from comedian and TV personality John Oliver encouraging viewers to visit the site and share their views on the issue during an episode of HBO (US)'s "Last Week Tonight with John Oliver."
The OIG's report said that the agency made "several specific statements that we believe misrepresent facts about the event or provide misleading information," in response to numerous inquiries about the incident from Congress. The inaccurate responses pertained to questions about the nature of the alleged attack, the time the alleged disruptions began happening and the analysis performed by the agency about the source of the attacks.
The inspector general's office referred the matter to the U.S. Attorney's Office for the District of Columbia, a division of the DOJ, for possible criminal violations. The DOJ performed interviews related to the FCC inspector general's findings but declined prosecution in June.
"The FCC did not define the event as a cybersecurity incident, did not refer the matter to US-CERT [United States Computer Emergency Readiness Team] in accordance with federal policy, and did not implement internal processes for responding to cybersecurity incidents," according to the inspector general's report. The report also faults the agency for jumping to conclusions about the cause of the disruptions without collaborating with appropriate experts and senior officials.
"The conclusion that the event involved multiple DDoS [distributed denial-of-service] attacks was not based on substantive analysis and ran counter to other opinions including those of the ECFS [Electronic Comment Filing System] subject matter expert and the Chief of Staff," the report said.
FCC Chairman Ajit Pai also faulted Bray in an Aug. 6 statement in advance of the report's release, saying he was "deeply disappointed" in Bray for providing inaccurate information.