A federal agency, fearing that its computer systems were widely affected by a computer virus in 2011, spent $2.7 million cutting off its email from the outside world and physically destroying computers, keyboards and computer mice to remedy the problem.
Spurred to action by inaccurate information about a malware issue from the Commerce Department’s Computer Incident Response Team (DOC CIRT), the Economic Development Administration (EDA), a grantmaking agency within the Commerce Department, worried that it was under attack from a nation state.
Although DOC CIRT corrected its mistake after its initial report, that did not stop the EDA from destroying $170,500 in IT equipment when an outside cybersecurity contractor was unable to guarantee EDA’s systems were safe from malware.
The destruction only stopped after EDA ran out of money and the Commerce Department’s Office of the Chief Information Officer denied the agency’s request for more funds for its recovery efforts.
The Commerce Department’s inspector general report — released in late June and reported by Federal News Radio and Ars Technica — found the malware warning to be grossly “overstated.”
The inspector general determined that the DOC CIRT agent handling the EDA case did not have the proper training necessary to diagnose the problem, which was neither widespread nor persistent, nor did it originate from a nation state.
“We found (1) EDA based its critical incident response decisions on inaccurate information, (2) deficiencies in the Department’s incident response program impeded EDA’s incident response, and (3) misdirected planning efforts hindered EDA’s IT system recovery,” wrote Allen Crawley, assistant inspector general for systems acquisition and IT security.
The EDA saga, which began in December 2011, did not end until March, when the Commerce Department’s Office of the Chief Information Officer restored EDA’s IT operations.
The entire operation cost $2.7 million: $823,000 to the unnamed cybersecurity contractor, $1,061,000 in borrowed IT equipment from the Census Bureau, “$4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development a long-term response,” reports Ars Technica.
But just in case the EDA was not yet finished destroying its computers, the inspector general recommended to the EDA’s deputy assistant secretary that the agency “does not destroy additional IT inventory that was taken out of service as a result of this cyber incident.”