Henry Brown

Additional information and Commentary from TheSecurity Bistro blog

EDA Overreacts to Malware Scare

The Economic Development Administration (EDA) in Washington, D.C. physically destroyed computers and other IT equipment worth $170,000 in a comedy of errors sparked by a relatively harmless malware incident, according to an audit report.

The report by the inspector general’s office in the Department of Commerce, released late last month, said that at one stage the EDA feared it was under cyber-attack by a foreign state – whereas in reality its system had suffered only a limited infection by unsophisticated malware.

The report into the incident which began in December 2011 described a litany of miscommunication, misunderstanding and incompetence that cost the EDA a total of $2.75-million in IT remediation measures – including the cost of the destroyed hardware. “EDA’s persistent mistaken beliefs resulted in an excessive response and ultimately unnecessary expenditure of valuable resources,” the report said.

It said that EDA’s chief information officer concluded that the risk of extremely persistent malware and nation-state activity — which did not exist – “was great enough to necessitate the physical destruction of all of EDA’s IT components. EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards.”

The report said the agency would have destroyed more IT components, but it ran out of money to replace them. “The destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems,” it said.