US government agency spent $3 million on phantom malware

The US Economic Development Administration, a Commerce Department agency, spent nearly $3 million and more than a year in a phantom fight that included discarding $170,000 worth of computers, at the hands of a staff that "lacked appropriate IT security skills," according to an audit report.

The Commerce Department's inspector general said that the saga began in December 2011, when the US Computer Emergency Response Team (US-CERT) sent a warning to two agencies about an infection it detected within their building-wide network, which affected just two machines.

The National Oceanic and Atmospheric Administration’s (NOAA) Computer Incident Response Team analyzed the information provided by DOC CIRT and identified the infected component. NOAA cleaned the malware infection and placed the remediated machine back into operation by January 12, 2012 – just weeks after the warning.

In contrast, the EDA "misunderstood" the warning message, thinking instead that it described a widespread attack. It proceeded to the nuclear stage, isolating its IT systems from the larger building network, shutting down enterprise email and web access, and restricting regional office access to database applications.

And despite initially warning of the infection and determining that it was minor at best, US-CERT sent in additional troops to the EDA. Three other agencies – the Department of Energy (DOE) Computer Incident Response Team, the National Institute of Standards and Technology (NIST) Security Implementation and Incident Response Team, and the National Security Agency (NSA) – all rallied to the cause. And if that wasn’t enough, EDA also retained the services of a cybersecurity contractor for $823,000.

Ironically, amidst all the firepower, only the contractor raised a hand to say that the agency faced no significant threat and required only minor repairs. But the EDA opted to ignore that (expensive) assessment, and set out to dismantle and discard the entirety of its electronics footprint and IT infrastructure, including not only hard drives but also TVs, cameras, computer mice and keyboards.

The US Census Bureau meanwhile loaned it interim equipment and contracted with the agency to provide internet access and email.

Eventually, the agency ran out of money for the effort, and asked for an additional $26 million to continue its scorched-earth efforts. The budget committee declined, and initiated an audit. Bottom-line assessment? "EDA's persistent mistaken beliefs resulted in an excessive response and ultimately unnecessary expenditure of valuable resources," the report said.
