The Economic Development Administration (EDA) is an agency
in the Department of Commerce that promotes economic development in regions of
the US suffering low growth, low employment, and other economic problems. In
December 2011, the Department of Homeland Security notified both the EDA and
the National Oceanic and Atmospheric Administration (NOAA) that there was a
potential malware infection within the two agencies' systems.
The NOAA isolated and cleaned up the problem within a few weeks.
The EDA, however, responded by cutting its systems off from
the rest of the world—disabling its enterprise e-mail system and leaving its
regional offices no way of accessing centrally-held databases.
It then brought in an outside security contractor to look
for malware and provide assurances that not only were EDA's systems clean, but
also that they were impregnable against malware. The contractor, after some
initial false positives, declared the systems largely clean but was unable to
provide this guarantee. Malware was found on six systems, but it was easily
repaired by reimaging the affected machines.
EDA's CIO, fearing that the agency was under attack from a
nation-state, insisted instead on a policy of physical destruction. The EDA
destroyed not only (uninfected) desktop computers but also printers, cameras,
keyboards, and even mice. The destruction only stopped—sparing $3 million of
equipment—because the agency had run out of money to pay for destroying the
hardware.
The total cost to the taxpayer of this incident was $2.7
million: $823,000 went to the security contractor for its investigation and
advice, $1,061,000 for the acquisition of temporary infrastructure
(requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT
equipment, and $688,000 paid to contractors to assist in developing a
long-term response. Full recovery took close to a year.
The full grim story was detailed in a Department of Commerce
audit released last month, subsequently reported by Federal News Radio.
The EDA's overreaction is, well, a little alarming. Although
not entirely to blame—the Department of Commerce's initial communication with
EDA grossly overstated the severity of the problem (though corrected its error
the following day)—the EDA systematically reacted in the worst possible way.
The agency demonstrated serious technical misunderstandings—it shut down its
e-mail servers because some of the e-mails on the servers contained malware,
even though this posed no risk to the servers themselves—and a general sense of
alarmism.
The malware that was found was common stuff. There were no
signs of persistent, novel infections, nor any indications that the
perpetrators were nation-states rather than common-or-garden untargeted
criminal attacks. The audit does, however, note that the EDA's IT
infrastructure was so badly managed and insecure that no attacker would need
sophisticated attacks to compromise the agency's systems.