Ajit Pai Knew FCC Cyberattack Was Fake For Seven Months But Kept Quiet

Ajit Pai Knew FCC Cyberattack Was Fake For Seven Months But Kept Quiet

Asked only once at a Senate hearing today about the fake security incident that’s needled his agency for more than a year, the chairman of the Federal Communications Commission, Ajit Pai, acknowledged for the first time knowing secretly for several months that his office likely fed US lawmakers false information.

At an oversight hearing largely dominated by discussions about the state of America’s broadband and mobile infrastructure, Pai explained that he was urged by the commission’s inspector general (IG) to keep under wraps details of an ongoing investigation.

“Do not say anything to anyone,” Pai told the committee, referring to the request he says he received from the IG’s office. Pai then asked lawmakers to put themselves in his shoes.

“It’s a difficult position to be in,” he said.

Released on August 8, the IG report found that senior FCC officials had misled Congress and the American public by first announcing, and later defending in letters to lawmakers, a claim that a distributed denial-of-service (DDoS) attack had crippled the commission’s comment system last May, amid efforts by its Republican members to roll back Obama-era net neutrality protections.

Investigators concluded after seven months that the DDoS claims were, at best, “a rush to judgement” and, moreover, the result of a failure to conduct any actual analysis required to conclude a cyberattack occurred.

In a statement released prior to the report, Pai sought to control the fallout, including accounts of his staffers misquoting FBI agents in written remarks to US senators, pinning the blame almost entirely on his former chief information officer, Dr David Bray, whom he said provided him with “inaccurate information”.

“Once we knew what the conclusions were it was very hard to stay quiet,” Pai said during a hearing with the Senate Committee on Commerce, Science and Transportation. The hearing was attended by the full commission — one Democrat and three Republicans.

“We wanted the story to get out,” he said, claiming, perplexingly, that it “vindicated” his office by blaming Bray. (The report also concluded that FCC leaders knew and failed to inform the commission’s contracted IT and security staff about an expected spike in web traffic that would be directed toward the FCC system by comedian John Oliver, host of HBO’s Last Week Tonight.)

Senator Brian Schatz, a Democrat and the only lawmaker to mention the IG report at today’s hearing, said it was difficult to digest that Pai had not been more critical of his CIO’s assessment, given the unprecedented number of comments received by the FCC after Oliver’s first net neutrality segment in 2014.

“I think a lot of people’s first instinct was it didn’t make any sense,” Schatz said of the DDoS diagnosis.

“My assumption was it was John Oliver’s viewers,” said Pai, adding that he was informed otherwise by the CIO, whom he said told him he was “99 per cent” confident the comment system’s downtime was intentionally caused by malicious actors.

The FCC inspector general, David Hunt, did not immediately respond to a request for comment.

The FCC investigation, which began by looking into the source of the purported attack, shifted in December after investigators became concerned that three FCC officials, including Bray and the agency’s chief information security officer, Leo Wong, may have committed a federal crime by proving false information to Congress.

The US Justice Department, to whom the case was referred in January, declined to prosecute the officials; it has declined to say why.

In a letter earlier this week, four Democratic lawmakers demanded to know, among other questions, when exactly Pai first learned that he misinformed federal lawmakers, including a few with oversight authority, such as Rep Debbie Dingell. While mentions of scandal were few at today’s hearing, that puzzle has at least been solved:

Telling no one, the chairman had known all year.