Today the wall of weird expands with a news story about how the US Department of Commerce's Economic Development Administration (EDA) wasted millions to combat a possible malware infection. The tale begins in December 2011, when the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) of a possible malware infection within the two agencies' computer systems.
NOAA isolated the malware and cleaned up the problem within a few weeks, but the EDA grossly overreacted and went on to spend $2.7 million, more than half of its 2012 annual IT budget, to combat the problem. The EDA's CIO feared the agency was under attack by foreign cyber intelligence, so all systems were cut off from the Internet and an outside contractor was hired to investigate. The actual issue was some relatively innocuous malware on a handful of computers. The agency paid $823,000 to a security contractor for investigation and advice, $688,000 to contractors to assist in developing a long-term malware response, and $1,061,000 to buy temporary infrastructure from the Census Bureau.
The most comical part is that, out of fear and a misunderstanding of how computers work, the EDA adopted a scorched-earth policy: it spent $4,300 to destroy over $170,500 worth of IT equipment, including uninfected desktop computers, printers, cameras, TVs, keyboards and even mice. The destruction stopped by August 1, 2012, only because the EDA had exhausted its funds; the agency intended to resume destroying its remaining IT infrastructure, valued at over $3 million, once funds were available. Further details can be read at Ars Technica.
The EDA's overreaction is, well, a little alarming. The agency is not entirely to blame, since the Department of Commerce's initial communication with the EDA grossly overstated the severity of the problem (an error corrected the following day), but from that point on the EDA reacted in the worst possible way at every step. It demonstrated serious technical misunderstandings and a general sense of alarmism: it shut down its e-mail servers because some of the messages stored on them carried malware, even though a malicious attachment sitting in a mailbox is inert until a user opens it on a client and poses no risk to the mail server itself.
The malware that was found was common stuff. There were no signs of persistent or novel infections, nor any indication that the activity was the work of a nation-state rather than common, untargeted criminal attacks. The audit does, however, note that the EDA's IT infrastructure was so badly managed and insecure that an attacker would not have needed anything sophisticated to compromise the agency's systems.