Federal Manager's Daily Report

Believing that a common malware infection was an indication of a much larger and more damaging threat, the Commerce Department’s Economic Development Administration spent close to $3 million attempting to expunge it in a vast overreaction, the department’s inspector general has found.

Initial confusion arose when the EDA received a list of all of its 146 systems from a log file, making it think that all its systems were compromised when actually only two were. An attempt to clarify that not all systems were compromised was overly vague and ultimately lost on key players, the IG found.

Thinking it had a much bigger problem on its hands, EDA eventually paid a contractor over a million dollars for assistance. The contractor found nothing.

The IG concluded that EDA based its critical cyber-incident response decisions on inaccurate information and succumbed to the belief that an infection could spread to other bureaus.

As a result, the EDA isolated its IT systems from the Herbert C. Hoover network and destroyed over $170,000 worth of IT components – including peripherals such as keyboards, mice and printers.

The National Oceanic and Atmospheric Administration, also on the network, mitigated the threat on its own systems.