EDA Overreacts to Malware Scare

July 15, 2013

Posted in: Network Security Trends

The Economic Development Administration (EDA) in Washington, D.C. physically destroyed computers and other IT equipment worth $170,000 in a comedy of errors sparked by a relatively harmless malware incident, according to an audit report.

The report by the inspector general’s office in the Department of Commerce, released late last month, said that at one stage the EDA feared it was under cyber-attack by a foreign state – whereas in reality its system had suffered only a limited infection by unsophisticated malware.

The report into the incident, which began in December 2011, described a litany of miscommunication, misunderstanding and incompetence that cost the EDA a total of $2.75 million in IT remediation measures, including the cost of the destroyed hardware. “EDA’s persistent mistaken beliefs resulted in an excessive response and ultimately unnecessary expenditure of valuable resources,” the report said.

It singled out the unnamed incident handler at the Department of Commerce’s computer incident response team (DOC CIRT) as lacking in experience and qualifications. It also criticized DOC CIRT for failing to follow procedures or coordinate incident response activities. “The inadequate coordination resulted in haphazard communications, in which external incident responders received minimal direction,” the report said.

The malware scare began on December 6, 2011, when the US Computer Emergency Readiness Team (US-CERT) told DOC CIRT that components in the EDA system were communicating with fake anti-virus sites. A series of misleading e-mails followed between DOC CIRT and the EDA.

“EDA believed that a cyber-attack had resulted in an extensive malware infection affecting over half of its components,” the report said.

“This belief originated on the first day of incident response activities when DOC CIRT sent EDA inaccurate information concerning the extent of the malware infection, which overstated the number of components involved. Additionally, EDA misunderstood DOC CIRT’s follow-up communications, which accurately described the limited extent of the infection. Even though additional communications occurred between DOC CIRT and EDA, each organization continued to have a different understanding of the extent of the malware infection.”
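The scoping mistake the report describes, an overstated count of affected components, is the kind of error that a simple host-level tally of the indicator data would have caught. The following script is an added example and is not code from the report or from either agency: it parses constructed proxy log lines against a constructed list of fake anti-virus domains (standing in for the indicators US-CERT passed to DOC CIRT) and counts distinct internal hosts rather than connection events, separating hosts whose connections were blocked at the proxy from those whose connections got through. All IP addresses, domains and log lines are invented for the example.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample proxy log: "<timestamp> <src_ip> <method> <url> <status>".
# Not from the EDA incident; every address and domain here is invented.
SAMPLE_PROXY_LOG = """\
2011-12-06T09:12:01Z 10.1.2.17 GET http://av-scanner-update.example/check.php 200
2011-12-06T09:12:04Z 10.1.2.17 GET http://av-scanner-update.example/report.php 200
2011-12-06T09:13:22Z 10.1.2.44 GET http://www.commerce.gov/ 200
2011-12-06T09:15:09Z 10.1.2.17 GET http://av-scanner-update.example/check.php 200
2011-12-06T09:18:40Z 10.1.2.63 GET http://securityscan-alert.example/install.exe 200
2011-12-06T09:18:41Z 10.1.2.63 GET http://securityscan-alert.example/install.exe 200
2011-12-06T09:20:15Z 10.1.2.91 GET http://www.example.org/news 200
2011-12-06T09:22:30Z 10.1.2.63 GET http://cdn.av-scanner-update.example/check.php 200
2011-12-06T09:25:02Z 10.1.2.105 GET http://securityscan-alert.example/install.exe 403
2011-12-06T09:31:55Z 10.1.2.17 GET http://av-scanner-update.example/check.php 200
"""

# Constructed indicator list standing in for the fake anti-virus domains in the report.
FAKE_AV_DOMAINS = {"av-scanner-update.example", "securityscan-alert.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def parse_proxy_log(text):
    """Yield (src_ip, dest_host, status) for each well-formed line; skip malformed ones."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        host = urlsplit(m.group("url")).hostname
        if host is None:
            continue
        yield m.group("src"), host.lower(), int(m.group("status"))


def matches_indicator(host, indicators):
    """True if host is an indicator domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in indicators)


def scope_infection(text, indicators, blocked_statuses=frozenset({403})):
    """Count affected hosts (not events) and split blocked attempts from successful contacts."""
    indicators = {d.lower() for d in indicators}
    events_per_host = Counter()   # indicator hits per source host
    allowed_hosts = set()         # hosts whose contact was not blocked: likely infected
    all_sources = set()           # every internal host seen in the log
    for src, host, status in parse_proxy_log(text):
        all_sources.add(src)
        if not matches_indicator(host, indicators):
            continue
        events_per_host[src] += 1
        if status not in blocked_statuses:
            allowed_hosts.add(src)
    contacted = set(events_per_host)
    by_ip = ipaddress.ip_address
    return {
        "events": sum(events_per_host.values()),
        "hosts_observed": len(all_sources),
        "hosts_contacted": sorted(contacted, key=by_ip),
        "hosts_likely_infected": sorted(allowed_hosts, key=by_ip),
        "hosts_blocked_only": sorted(contacted - allowed_hosts, key=by_ip),
        "events_per_host": dict(events_per_host),
    }


if __name__ == "__main__":
    scope = scope_infection(SAMPLE_PROXY_LOG, FAKE_AV_DOMAINS)
    print(f"{scope['events']} indicator hits across {scope['hosts_observed']} hosts seen")
    print("likely infected:", scope["hosts_likely_infected"])
    print("blocked only:   ", scope["hosts_blocked_only"])
```

On the constructed log the raw hit count is 8, which is the number an incident handler forwarding "alerts" would report, but only two of the five hosts seen actually completed a connection to an indicator domain; a third tried and was blocked by the proxy. Reporting hosts by state (infected, blocked, clean) rather than a single event total is what keeps the scope of an infection from being overstated in the first message to the affected organization.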

It said that EDA’s chief information officer concluded that the risk of extremely persistent malware and nation-state activity (which did not exist) “was great enough to necessitate the physical destruction of all of EDA’s IT components. EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards.”

The report said the agency would have destroyed more IT components, but it ran out of money to replace them. “The destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems,” it said.

On its website, the EDA describes its mission as: “To lead the federal economic development agenda by promoting innovation and competitiveness, preparing American regions for growth and success in the worldwide economy.”
