US government employees destroyed computers to get rid of tiny virus attack

Posted on Thursday, July 11 2013 @ 15:23 CEST by Thomas De Maesschalck
Today the wall of weird expands with a news story about how the US Department of Commerce's Economic Development Administration (EDA) agency wasted millions to combat a possible malware infection. The tale begins in December 2011 when the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a possible malware infection within the two agencies' computer systems.

The NOAA isolated the malware and cleaned up the problem within a few weeks, but the EDA grossly overreacted and went on to spend $2.7 million, more than half its 2012 annual IT budget, to combat the problem. EDA's CIO feared the agency was under attack from foreign cyber intelligence; all systems were cut off from the Internet and an outside contractor was hired to investigate the issue, which was really only some relatively innocent malware on a handful of computers. The agency paid $823,000 to a security contractor for investigation and advice, $688,000 to contractors to assist in developing a long-term malware response, and $1,061,000 to buy temporary infrastructure from the Census Bureau.

The most comical part is that out of fear and misunderstanding of computers, the EDA adopted a scorched earth policy that involved spending $4,300 to destroy over $170,500 worth of IT equipment, including uninfected desktop computers, printers, cameras, TVs, keyboards and even mice. The destruction stopped by August 1, 2012 as the EDA had exhausted its funds, but the agency intended to resume the destruction of its remaining IT infrastructure, valued at over $3 million, once funds were available. Further details can be read at Ars Technica.
The EDA's overreaction is, well, a little alarming. Although not entirely to blame—the Department of Commerce's initial communication with EDA grossly overstated the severity of the problem (though corrected its error the following day)—the EDA systematically reacted in the worst possible way. The agency demonstrated serious technical misunderstandings—it shut down its e-mail servers because some of the e-mails on the servers contained malware, even though this posed no risk to the servers themselves—and a general sense of alarmism.

The malware that was found was common stuff. There were no signs of persistent, novel infections, nor any indications that the perpetrators were nation-states rather than common, untargeted criminal attacks. The audit does, however, note that the EDA's IT infrastructure was so badly managed and insecure that no attacker would need sophisticated attacks to compromise the agency's systems.


About the Author

Thomas De Maesschalck

Thomas has been messing with computers since early childhood and firmly believes the Internet is the best thing since sliced bread. Enjoys playing with new tech, is fascinated by science, and passionate about financial markets. When not behind a computer, he can be found with running shoes on or lifting heavy weights in the weight room.


