Call it the cyber-attack that never happened. A false alarm that sent the Economic Development Agency scrambling. When the dust settled, the EDA had spent half of its information technology budget – or nearly $3 million – destroying hundreds of thousands of dollars worth of perfectly functioning computer equipment.
Only in the federal government.
The incident occurred back in December 2011, according to a recently released report by the Commerce Department’s Inspector General. The auditor found that the EDA responded “excessively” to a nonexistent cyber threat “based on inaccurate information” from the department’s cyber-security team, adding that EDA failed to follow Commerce’s incident response procedures.
“EDA’s persistent mistaken beliefs [of a non-existent cyber threat] resulted in an excessive response and ultimately unnecessary expenditure of valuable resources,” the auditor said.
Here’s what happened: In late 2011, the Department of Homeland Security, which monitors federal networks for cyber threats, notified the Commerce Department of potential threats to its IT system. The Commerce Department’s cyber security team traced the bugs to the EDA’s network and erroneously claimed that 146 of the network’s 250 systems were infected with malware.
They later walked back that claim when a lower-level employee noticed that the 146 number actually referred to the number of computers EDA had on the department’s network. It turns out only two systems were actually infected with malware.
But, according to the auditor, EDA officials said the correction wasn’t clear enough. They continued to believe that a widespread virus was affecting its system and concluded that the “risk, or potential risk, of extremely persistent malware (which did not exist) was great enough to necessitate the physical destruction of all EDA’s IT components,” the report said.
So, that’s what they did.
In January 2012, EDA workers began destroying $170,000 worth of “perfectly functional” computers, printers, keyboards, cameras and televisions that, the report noted, “were not prone to malware infection.” EDA also hired several contractors to assist in the recovery efforts, so the total cost of the response was $2.7 million.
The auditor said that the main employee in charge of handling the incident “had minimal incident response experience and no incident response training,” and added that “the destruction of the IT components was clearly unnecessary.”
Still, the demolition continued until August, when EDA reportedly ran out of money to destroy the rest of the equipment, which was valued at over $3 million.
Commerce officials responded to a draft audit in June, defending the safety measures taken to protect the agency from the fake virus.
“EDA acted out of an abundance of caution in an effort to protect the IT security and privacy of our staff, the Department of Commerce, grantees, and other federal partners and clients with whom we interact electronically,” wrote Matt Erskine, deputy assistant secretary for economic development.