After receiving word that his agency’s systems might have been infected by malware, the CIO of the Department of Commerce Economic Development Administration (EDA) overreacted and decided to destroy thousands of dollars’ worth of hardware to eliminate the problem. The entire incident cost more than $2.7 million dollars.
Computerworld’s Jaikumar Vijayan reported, “The U.S. Department of Commerce’s Economic Development Administration destroyed about $170,000 worth of IT equipment including computers, printers, keyboards and computer mice last year on the mistaken belief that the systems were irreparably compromised by malware. The bureau was poised to destroy an additional $3 million worth of IT equipment but was prevented from doing so by a lack of funding for the effort, a report released by the Commerce Department’s Inspector General says.”
Ars Technica’s Peter Bright explained, “In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a possible malware infection within the two agencies’ systems. The NOAA isolated and cleaned up the problem within a few weeks…. EDA’s CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice.”
The Register’s John Leyden added, “The agency hired an outside security contractor, at an eventual cost of $823,000, in late January 2012. After some initial false positives, the contractor decided EDA’s systems were mostly clean. Common-or-garden malware was found on six systems, a problem that could have been repaired by reimaging the affected machines. The unnamed ‘common malware [was] contained in archived e-mail attachments and temporary Internet browser files,’ according to OIG’s report.”
ZDNet’s Michael Lee observed, “By August 1, 2012, EDA had destroyed over US$170,000 worth of its infrastructure. It had only been prevented from destroying the remaining US$3 million worth as it had run out of funding for the operation, and the Commerce IT Review Board refused to approve the US$26 million it would need to continue its recovery operations. By that stage, however, EDA had spent US$823,000 on its external security contractor, US$1.061 million on temporary infrastructure, US$175,000 to destroy its equipment, and US$688,000 on external assistance for its recovery operations. In all, EDA spent US$2.7 million to combat an infection that had never existed.”