GAO Will Investigate The FCC's Dubious DDoS Attack Claims

You might recall that when HBO comedian John Oliver originally tackled net neutrality on his show in 2014, the FCC website crashed under the load of concerned consumers eager to support the creation of net neutrality rules. When Oliver revisited the topic last May to discuss FCC boss Ajit Pai's myopic plan to kill those same rules, the FCC website crashed under the load a second time. That's not particularly surprising; the FCC's website has long been seen as an outdated relic from the wayback times of Netscape hit counters and awful MIDI music.

But then something weird happened. In the midst of all the media attention Oliver was receiving for his segment, the FCC issued a statement (pdf) by former FCC Chief Information Officer David Bray, claiming that comprehensive FCC "analysis" indicated that it was a malicious DDoS attack, not angry net neutrality supporters, that brought the agency's website to its knees:

"Beginning on Sunday night at midnight, our analysis reveals that the FCC was subject to multiple distributed denial-of-service attacks (DDos). These were deliberate attempts by external actors to bombard the FCC's comment system with a high amount of traffic to our commercial cloud host. These actors were not attempting to file comments themselves; rather they made it difficult for legitimate commenters to access and file with the FCC."

But security researchers who studied that claim found none of the usual indicators that would normally precede such an attack. And subsequent news outlet FOIA requests wound up showing that not only does there appear to have never been any such attack, there was no "analysis" conducted or documented. When media outlets began noticing that something fishy was going on, the FCC issued a punchy statement accusing the media of being "completely irresponsible," while claiming it had plenty of data proving its attack claims (its FOIA responses to journalists state the complete opposite) -- it just didn't want to show its hand.

Most FCC watchers think there's two options here. One, the FCC was incompetent and misread John Oliver viewers as a DDoS attack, then tried to cover up said incompetence. Or the FCC knew it wasn't a DDoS attack, but constructed the narrative to try and downplay media coverage of the plan's unpopularity, then tried to cover that up. The former is certainly in character, but the latter would go hand in hand with the agency's apathy toward whoever has been spamming the FCC's website with fraudulent "support" for what is fairly uniformly seen as shitty policy and a mindless hand out to big telecom.

Heeding calls for something vaguely resembling an answer, the General Accounting Office (GAO) has agreed to launch an investigation into what actually happened at the FCC:

"A spokesman for the Government Accountability Office (GAO) confirmed it has accepted a request from two Democratic lawmakers to probe the distributed denial of service (DDoS) attack that the FCC said disrupted its electronic comment filing system in May. The spokesman said that the probe, which was first reported by Politico, is "now in the queue, but the work won't get underway for several months."

While this story will likely get buried by more pressing news, this inquiry could be notably important in regards to the FCC's attempts to scuttle net neutrality. If the GAO inquiry finds that the FCC was inept or engaged in a cover up, that could raise all manner of procedural questions over whether the FCC was serving the public interest and following established agency protocol. Combined with the agency's obvious apathy to the fact that some group is engaged in fraud to generate bogus support for killing net neutrality, whatever the GAO finds could provide some very interesting fodder for the lawsuits to come.