Federal Agency Smashes Up $175K Worth of Usable Electronics… By Mistake
(CNSNews.com) -- Federal employees in the Economic Development Administration smashed up $175,000 worth of usable computers, printers, televisions, and digital cameras after being warned by the Department of Homeland Security (DHS) that their IT system was infected with malware.
But the destruction was based on “inaccurate information” and a series of blunders and miscommunications that wound up costing taxpayers a total of $2.7 million in unnecessary expenditures, or more than half of EDA’s 2012 IT budget, according to a 33-page report by the Commerce Department’s inspector general.
On Dec. 6, 2011, DHS’ Computer Incidence Response Team (US-CIRT) notified the Commerce Department’s cyber security office (DOC-CIRT) that potential malware had been detected in EDA’s computer system.
Believing that the malware was “extremely persistent,” had infected over half of its entire system, was spreading via email, and could infect other bureaus, EDA completely isolated itself from the department network in January 2012.
But none of those assumptions were true, according to the OIG.
“DOC-CIRT’s first incident report was misleading,” the report noted, and “inaccurately described the extent of the potential malware infection.” Instead of affecting 146 components of EDA’s system, over half of the total, the bug was only found in two of them.
But when DOC-CIRT sent EDA a second notification, it “did not clearly explain that the first incident notification was inaccurate. As a result, EDA continued to believe a widespread malware infection was affecting its systems.”
Besides spending $1 million to set up a temporary system, and another $688,000 for a “long term recovery solution,” EDA paid a cybersecurity contractor $823,000 to ferret out the malware.
Within two weeks, the cybersecurity experts concluded that the initial malware warnings were “false positives.” However, they “were unable to provide the assurance EDA’s Chief Information Officer sought, because doing so involved proving that an infection could not exist rather than that one did not exist,” the IG said.
“EDA’s CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components. EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards,” according to the report.
In fact, the only thing that stopped EDA from destroying all of its remaining electronic equipment, worth $3 million, was the fact that the federal agency “exhausted funds for this effort,” the IG noted.
“However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems,” the IG concluded. “Once it started recovery efforts in February 2013, the [Commerce] Department needed only a little longer than five weeks to restore EDA’s former operational capabilities.”