FCC chairman: truth about site failure should have come out sooner

The head of the Federal Communications Commission told Congress he couldn't alert the public to that website problems had been incorrectly designated as a cyberattack without jeopardizing a federal investigation.

Ajit Pai, the chairman of the FCC, told lawmakers at an Aug. 16 Senate Commerce Committee hearing that he knew a cyberattack likely did not take down the FCC comment filing website in 2017 during a poiltically charged debate over net neutrality. Pai said he didn't want to complicate the Inspector General's investigation and any subsequent criminal prosecution.

Sen. Brian Schatz (D-Hawaii) questioned Pai on whether he knew the cyberattack designation was false, saying that it was "hard to digest" the chairman was "duped" into believing that caused the website malfunction.

"I think a lot of people's first instinct was that it didn't make any sense," Schatz said. "So I understand your reliance on your CIO -- I don't blame you for that -- my question was, did you have any doubt at any time before the report came out?"

Pai said that when he learned the system was down the morning of May 8, 2017, he immediately assumed the site was overwhelmed by a sudden influx of traffic following a segment on an HBO show hosted by John Oliver that directed viewers to file comments with the FCC.

Despite those doubts, Pai chose to go public with findings from then-CIO David Bray characterizing the outage as resulting from a distributed denial of service attack. Pai said the IG notified him in January that those findings were potentially incorrect, but requested that information remain confidential as the investigation was referred to the Justice Department for criminal prosecution.

"Once we knew what the conclusions were, it was very hard to stay quiet," Pai said. "We wanted the story to get out not only because it vindicated what we had been saying -- that we relied on the chief information officer's representations -- but also because otherwise we knew that members of this committee, including potentially you [Sen. Schatz], would think, 'Welp, he knew something was wrong but he didn't tell us about it.'"

Bray defended his position in a June 2018 Medium post, writing "whether the correct phrase is denial of service or "bot swarm" or "something hammering the Application Programming Interface" (API) of the commenting system — the fact is something odd was happening in May 2017." His biggest concern at the time, Bray said, was that "we were also being spammed by something automated" and could keep people from commenting on the proposal.

The hearing came just two days after the House Energy and Commerce Committee inquiry called Pai's unwillingness to correct "a public myth" for more than a year "troubling" and requested more details on his decision making.

As the hearing continued, Schatz seemed unsatisfied with Pai's responses: "It just seems odd that the moment your CIO says something that you run with it and ran with it quite aggressively," he said.

Pai stuck to his position, however, saying that keeping the OIG's confidence was the right action to prevent interfering with the federal investigation and possible DOJ prosecution.

"It's a difficult position to be in," he said. "I made the judgement that we had to adhere to the OIG's request even though I knew we would be falsely attacked for having done something inappropriately."

Schatz replied, "I guess what I'm looking for is some measure of accountability as the chairman...I can't imagine that there was not another way to thread this needle and deal with us in our oversight capacity."