Malware: Your Tax Dollars At Work!

The Economic Development Administration (EDA), an agency within the Department of Commerce, was established to formulate a foundation for sustainable job growth and the building of durable regional economies throughout the United States. With that kind of mission, you’d think they would have some serious brain power working there!

In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a possible malware infection within the two agencies’ systems. NOAA isolated and cleaned up the problem within a matter of weeks.

Thanks to a U.S. Department of Commerce audit, we discovered that the EDA responded by cutting its systems off from the rest of the world, disabling its enterprise e-mail system and leaving its regional offices no way of accessing centrally held databases. Kind of helps explain the lack of economic development, doesn’t it?

EDA then recruited an outside security contractor to look for malware and provide assurances that not only were their systems clean, but impregnable against malware. The contractor, after some initial false positives, declared the systems largely clean but was unable to provide this guarantee. Malware was found on six systems, but it was easily repaired by reimaging the affected machines.

EDA’s fearless leaders, Matt S. Erskine and Thomas Guevara, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. They ordered the destruction of uninfected desktop computers, printers, cameras, keyboards, and even mice. The wasteful destruction of equipment only stopped – sparing another $3 million worth of equipment – because the agency ran out of money to pay for destroying the equipment.

The total cost to the taxpayer was a cool $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development of a long-term response. Full recovery took close to a year.

The malware that the EDA was infected with was common. There were no signs of persistent, novel infections, nor any indications that the perpetrators were anything other than common criminals carrying out untargeted attacks.

The U.S. Department of Commerce audit also notes that the EDA’s IT infrastructure was so badly managed and insecure that an attacker would not need sophisticated attacks to compromise the agency’s systems.

Source: ars technica
