Commerce Dept. Spent $2.7 Million to Fix Nonexistent Computer Virus
The Economic Development Administration (EDA), which promotes innovation and competitiveness within the Commerce Department, feared its IT network was infected with a widespread virus, and ultimately spent more than $2.7 million to fix a problem that was nothing more than “common malware.”
According to an inspector general report released on June 26, the EDA based its decision to destroy its computers on “inaccurate information.”
In December 2011, the Department of Homeland Security (DHS) first notified the EDA that it had a “potential” malware infection within one of its IT systems.
Believing the problem was widespread, the EDA “decided to isolate its IT systems from the [Herbert C. Hoover Building] HCHB network and destroy IT components to ensure that a potential infection could not persist,” the report states.
“However, OIG found neither evidence of a widespread malware infection nor support for EDA’s decision to isolate its IT systems from the HCHB network.”
Worried it was being hacked by foreign governments, the EDA had hired a cybersecurity contractor to look into the initial threat in January 2012. Within two weeks, the contractor found no evidence of a malware infection, but continued an investigation until May.
There was never any indication the network was being hacked, and only six components were found to have malware infections that “could have been remediated using typical containment measures.”
The EDA’s Chief Information Officer, however, “concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components,” the IG said.
“EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards,” the report said.
Not only did the agency have $170,500 worth of working equipment destroyed, it also paid $4,300 for the destruction.
The ordeal ended up costing $2,747,000—which is over half of EDA’s budget for the year—including more than $1 million for “temporary infrastructure.”
In fact, the EDA wanted to destroy all of its computers and IT equipment, valued at over $3 million, but ran out of funds to do so.
“By August 1, 2012,” the report states, “EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components.”
“EDA intended to resume this activity once funds were available,” it said. “However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems.”