Report on Alleged Multiple Distributed Denial-Of-Service Attacks involving the FCC’s Electronic Comment Filing System

On May 7, 2017, the Home Box Office (HBO) program “Last Week Tonight with John Oliver” aired a segment in which the host John Oliver discussed the Federal Communications Commission’s “Restoring Internet Freedom” (RIF) proceeding and encouraged viewers to visit the Commission’s Electronic Comment Filing System (ECFS) and file comments. Withing 30 minutes, the ECFS experienced a significant increase in the level of traffic attempting to access the system, resulting in the disruption of system availability. On May 8, 2017, the FCC issued a press release in which the FCC’s former Chief Information Officer Dr. David Bray claimed the FCC was subject to multiple distributed denial-of-service attacks (DDoS). 

After an investigation of the incident, the FCC Inspector General finds: 

  • DDoS attacks did not occur: The degradation of ECFS system availability was likely the result of a combination of: (1) “flash crowd” activity resulting from the Last Week Tonight with John Oliver episode that aired on May 7, 2017 through the links provided by that program for filing comments in the proceeding; and (2) high volume traffic resulting from system design issues.
  • The FCC did not respond to the event internally in a manner consistent with the severity of the event.
  • FCC Management was aware The Last Week Tonight with John Oliver program was considering an episode on the Net Neutrality proceeding but did not share that information with the CIO or IT group.
  • The conclusion that the event involved multiple DDoS attacks was not based on substantive analysis and ran counter to other opinions including those of the ECFS subject matter expert and the Chief of Staff.
  • The FCC did not define the event as a cyber security incident, did not refer the matter to the United States Computer Emergency Readiness Team in accordance with federal policy, and did not implement internal processes for responding to cyber security incidents.
  • The FCC made inaccurate comments to Congress

The FCC Inspector General is referring the matter to the Office of FCC Chairman Ajit Pai for review and appropriate action.


Report on Alleged Multiple Distributed Denial-Of-Service Attacks involving the FCC’s Electronic Comment Filing System The FCC claimed it got hacked last year over net neutrality. But an internal watchdog says that isn’t true. (Washington Post) Investigation proves there was no cyberattack on the FCC prior to net neutrality ruling (Vox) The FCC misled Congress on net neutrality comment issues, says agency watchdog (Fast Company) FCC IG Says the Alleged Net Neutrality DDoS Attack Never Happened (nextgov)