The U.S. Economic Development Administration (EDA) spent nearly $3 million in 2012 to rectify a cyber-attack that did not actually happen, leading them to destroy hundreds of computers, printers, monitors and even mice for no good reason at all.
The EDA, part of the Department of Commerce, is designed to invest in needed economic developments around the country like infrastructure projects. But last year, the agency spent about half of its annual IT budget destroying its own systems and building them up from scratch after several computers were infected with common malware.
All it took was a miscommunication, according to the Office of the Inspector General for the Commerce Department. An internal investigation (PDF) concluded last month that the EDA’s chief technology officer was caught in something of a Catch-22 between an erroneous message and a confusing correction, leading to the conclusion that all the systems would simply have to be destroyed.
It started when the Department of Commerce’s cyber incident response team mistakenly claimed that 146 out of 250 systems on the department’s network had malware. They later corrected that claim when a lower-level network tech noticed that 146 actually referred to the number of computers the EDA had on the department’s network. The real number of systems infected with malware was just two.
That correction was not quite clear enough, the OIG report explains. “As a result, EDA continued to believe a widespread malware infection was affecting its systems,” investigators wrote. Federal News Radio reporter Jason Miller described what happened next, writing on Monday that the EDA’s reaction “ended up costing the agency more than $2.7 million to clean up and reconfigure its network and computers.”
Over $170,000 of perfectly functional computer equipment was destroyed, the OIG report notes, and not just desktop computers. Targeted equipment included keyboards, monitors, mice, cameras and even televisions — none of which are prone to malware infection.
“By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million,” the OIG report concludes. “EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems.”
In other words, all they really needed was a single geek armed with an inexpensive copy of Spybot Search & Destroy (which is free to home users), or just copies of the hard drive images from when the systems were first set up, and all of this could have been avoided.
[“Stock photo: A person buries their face in their hands,” via Shutterstock.]
(H/T: Ars Technica)