This is a story about government incompetence on the grossest, most unforgivable scale. Here’s how the US Economic Development Administration unnecessarily spent $US2.75 million to fight a common case of malware. Warning: much innocent hardware was lost.
In December 2011 the Economic Development Administration (an agency under the US Department of Commerce) was notified by the Department of Homeland Security that it had a malware infection spreading around its network. These things happen, but what came next was truly exceptional. The EDA’s IT people — including its CIO — had a meltdown.
The EDA’s IT crowd determined that its network had been infected with a persistent, nation-state attack on its systems. So they isolated their department’s hardware from other government networks, cut off employee email, hired an outside security contractor, and started systematically destroying $US170,000 worth of computers, cameras, mice, etc. It gets crazier. From the report, prepared for the US Department of Commerce:
EDA’s CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components. 20 EDA’s management agreed with this risk assessment and EDA initially destroyed more than $US170,000 worth of its IT components,21 including desktops, printers, TVs, cameras, computer mice, and keyboards. By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $US3 million. EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems.
Destroying cameras? And mice? Over malware? Are you serious?
Worse, the EDA continued destroying components until it could no longer afford to destroy them. In fact, the agency intended to continue destroying gear just as soon as it got more funds approved to do so. Uhh… OK!
And no, it does not end there. It turns out the malware infection was absolutely routine. All the EDA had to do was isolate the affected components, remove the malware, reconnect the hardware and move on. NOAA, which received a notice at the same time as EDA, completed this operation in one month.
The overall cost of EDA incompetence? $US2.75 million — approximately half of the agency’s IT budget. Here it is, neatly enumerated into smaller idiotic segments:
Malware is scary, so we’re sympathetic to the government agency that got infected and had a bit of a panic attack. But our sympathy disappears when we learn that its response to the malware betrayed a basic misunderstanding of malware and how it works. [US Department of Commerce via Federal News Radio via The Verge]