Government failure

Federal Agency Wastes $2.7 Million Fighting Practically Nonexistent Cyber Attack

|

credit: Don Fulano / Foter / CC BY-SA

Here's what happened when a tech-inept federal agency panicked over a potential cyber threat: The Economic Development Administration last year blew half its information technology budget fighting phantom attacks, cutting off staff from basic communications systems like email, and unnecessarily destroyed hundreds of thousands of dollars worth of computer equipment that not only wasn't infected but almost certainly couldn't have been infected — stopping only when the agency ran out of funding to destroy equipment. 

Federal News Radio has the whole sad, sorry story, based on a new report from the Department of Commerce's Office of Inspector General:

The Commerce Department's Economic Development Administration spent almost half of its IT budget last year to remediate a cyber attack that barely happened.

Commerce's inspector general found in a report released last week a string of errors and miscommunications led to EDA's overreaction of removing employee email and website access from the main agency network.

EDA's drastic steps to limit the damage by shutting down much of the access to the main Herbert Hoover Building network ended up costing the agency more than $2.7 million to clean up and reconfigure its network and computers. The IG said the bureau destroyed more than $170,000 in IT equipment, including desktop computers, printers, keyboards and mice.

But the IG found no evidence of a large scale malware attack, and in fact, a series of blunders between EDA and the Commerce Department's incident response team led to what turned out to be poor decisions by senior leaders, a waste of money and resources and potentially a disruption to EDA's mission.

More here

You can see a number of problems here: One is just the general technological incompetence of the EDA. Based on an initial report from the incident response team, the agency's IT administrators apparently thought that 146 components were infected throughout their network. But when the incident response team corrected their report to say that in fact only two components appeared to be infected, the EDA IT team did not understand the update, according to the FNR report. Indeed, it appears as if the EDA IT team didn't understand basic details about their own network setup. Basically, the whole thing was one giant, cascading ID-10-T error.

According to Ars Technica, malware was eventually found on about half a dozen EDA computer systems, but they could have been cleaned up simply by doing a clean system wipe and starting over. 

Another is that fear of massive cyber attacks led to a huge overreaction. FNR notes that the agency's chief tech official thought a serious, sophisticated cyber-attack was "highly probable and possible." But the malware they found wasn't part of some big international attack. It was common Internet garbage, the sort of crapware that barely counts as a cyber threat at all, much less an actual "attack."

The ensuing panic didn't just end up wasting money. It ended up wasting time and effort that might have gone to actually securing the agency's systems, which were completely open to exploits. As Ars explains, the IG report indicates that "the EDA's IT infrastructure was so badly managed and insecure that no attacker would need sophisticated attacks to compromise the agency's systems."

Read Jerry Brito and Tate Watkins on the great cyber security panic, and the dubious but incredibly expensive cybersecurity-industrial complex that has grown up around it, in Reason's August 2011 issue. 

NEXT: Shikha Dalmia on Immigration and the Impossibility of an Impregnable Border

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. SUXNET!

  2. But the IG found no evidence of a large scale malware attack, and in fact, a series of blunders between EDA and the Commerce Department’s incident response team led to what turned out to be poor decisions by senior leaders, a waste of money and resources and potentially a disruption to EDA’s mission.

    So this story has a happy ending after all.

    1. I hear happy endings are legal in China, even if prostitution isn’t.

  3. “PC Load Letter”, which was an actual error on that model of printer, is what he says. TPS are the reports Peter put the wrong cover sheet on. Maybe you didn’t actually live through Office Space like I did.

    1. Oh man, pre-coffee brain botched that one. Can’t believe I misremembered that. Updated!

      1. yeah…like Jedi Mind Meld…you are worse than Obama (the new godwining)

    2. I came here to say this, thanks Brett. And for the record Dilbert (obviously similar to Office Space and Melvin) is written by a former PacBell employee. I have been in this damn industry for 17 years and can attest to every single thing in both office space and Dilbert. I have even seen a cube farm that is over 1/4 mile long…no interior walls and no windows.

      1. Luckily my company has offices for pretty much everyone; the worst it ever got was a cluster of about 10 cubes while construction on our new building was finishing, but I have heard from some people who used to work at Intel and it was apparently just a warehouse with hundreds of cubes in it.

        1. There are 5,000 people in a building in south Denver, All cubes, no offices. When I worked there years ago the VP of the NOC sat in a double wide cube in the corner. The building is an old McDonnel Douglas Launch Vehicle Missile Assembly plant. It is huge.

  4. A+ alt-text, but as for the (less important) article content…

    Did you even consider how bad things would have been if they did not act? Think how much more existent the attack could have been if they hadn’t spent that money?! They spent that money, and the result was that the attack was not a threat; therefore the money prevented the attack from succeeding.

    1. Very sarcasmic. Nice!

    2. Tiger repellant webpage?

      1. I would like to purchase your webpage…

  5. The most shocking thing I learned in this article is the existence of something called Federal News Radio.

  6. Everywhere I look the Obama administration appears to be hiding things. Think about this ridiculous manueuver; in my past experience you can’t get political appointees to take security seriously enough. They will normally try their best to save things like their precious email.

    1. Remember the cheery optimism, the vibrancy of hope’n’change, when His Oneness was elected? His promise of transparency was so refreshing, and so sincere. His Administration launched the Open Government Initiative and even designed a logo that illustrated how His Oneness was going uncover government secrets. To facilitate this new openness, His Oneness appointed Aneesh Chopra as his Chief Technology Officer. Aneesh was no more of an IT expert than Deepak, but it seems that he was politically savvy. He understood that all of this aspirational talk about transparency was just talk.

  7. a series of blunders between EDA and the Commerce Department’s incident response team led to what turned out to be poor decisions by senior leaders, a waste of money and resources and potentially a disruption to EDA’s mission.

    In other words, business as usual.

  8. The IG said the bureau destroyed more than $170,000 in IT equipment, including desktop computers, printers, keyboards and mice.

    Wait, what the fuck?

    1. All your keyboards are belong to us.

      Seriously, how freaking stupid do you have to be to think a keyboard is infected by a computer virus?

      1. It’s possible for a keyboard to have a built in keylogger, but it would have to be in the hardware. Did they think that somebody was sneaking in and replacing keyboards and mice?

        1. We’re logging your mouse activity. Please report to HR to discuss your overuse of the scroll wheel.

  9. The IG said the bureau destroyed more than $170,000 in IT equipment, including desktop computers, printers, keyboards and mice.

    My God, the virus is in the mice! Quickly, destroy them! Destroy them all!

    1. Actually, though, the wireless ones with USB dongles can be a vector for malware.

      1. I find my best wireless mice in the parking lot along with my USB thumbdrives.

        1. “Look! Someone left this perfectly good USB mouse right outside the Starbucks parking lot closest to Langley!”

      2. The last wireless mouse I owned had an unacceptable quarter-second delay. Do the newer ones work better? If not, why would anyone want a wireless mouse?

  10. I will say it once again: you really cannot imagine the incompetence, waste, corruption, fraud, and outright stupidity in our government, and if we were to truly be able to grasp how unbelievably endemic and horrible it is, even the most pessimistic of us would be shocked. This is just an example of it.

    1. You underestimate us. Thru repeated exposure to his fervid and sordid writings, Nutrasweet has broadened our capacity to conceive of just about anything.

      1. NutraSweet is part of the problem, not the solution.

  11. CYBER CYBER CYBER CYBER CYBER CYBER CYBER CYBER CYBER

    Someone please kill that abomination of a word.

    1. BADGER BADGER BADGER BADGER BADGER BADGER BADGER BADGER

      /Mushroom

      1. Cyber…badger?

        1. He’s the greatest threat the internet has ever known

          1. Maybe he’s the king of the server squirrels? Take him down and they shall surely fall too.

        2. You really don’t want to know.

          You’ll have that damn song stuck in your head for days.

      2. SNAKE…. SNAKE…. IT’S A SNAKE!

  12. RELEASE THE CYBERMICE!

  13. I’m sure the IT Team there all got their jobs because some non-IT manager type said ‘Hire my nephew, he’s good with computers. He’s always on that facebook thing.’

    1. This would be a step up.

    2. Obama’s selection for Chief Technology Officer had a BA in public policy from Johns Hopkins, a MPP from Harvard, and zero experience in tech.

      One can only imagine how low the bar was set for the lower level IT types.

      For this we can should be thankful. Imagine how dreadful the government would be if it were efficient.

    3. Guarantee most of these people were contractors. And they probably got their contract renewed for “satisfactory performance”.

  14. IT departments often get headed up by technologically illiterate bureaucrats, and network administrators are stuck. I can’t imagine, however, someone on staff not trying to put a stop to this madness as it was happening.

    1. I’m sure some of them did try to stop it. But they were overruled during that series of “miscommunications” and “blunders”. Also, they had no incentive to push very hard because they had nothing to lose. In fact, destroying a bunch of old equipment just meant they got to play with a bunch of new replacement equipment.

  15. I assume the “attack” occurred because our faithful public servants at the EDA were surfing porn all day.

  16. Except for the pricetag, this is hilarious. And it’s not like the money would have been remitted to taxpayers, so this is hilarious.

  17. We were just talking about this in the office the other day. Here, completely despite Moore’s Law, our Outlook mailboxes have been reduced to a mind numbing 100MB and our network has slowed to a near dial-up crawl. I remember 5+ years ago, home internet speeds couldn’t touch the speeds we’d get at work; now it’s completely reversed. And in the middle of sequestration when official travel is next to impossible, the alternative, video teleconferences are a joke since we have insufficient bandwidth. And all supposedly to make us safer.

  18. I work in IT at a large corporation and I can say that this doesn’t surprise me at all. IT decisions are almost all made by bureaucrats with absolutely no knowledge of computer systems now. This is true in government and industry, the days of actual IT people making informed logical decisions are gone. Replaced by a top down command structure that cares more about closing tickets and covering asses than it does about actually fixing IT issues.

  19. Another appropriate movie reference alt-text would have been Zoolander…

    “The files are IN the computer?”

  20. I’m sorry the ID-10(t) is a form, not an error, one that users must file in triplicate with their service requests, as it most frequently identifies the cause of the problem.

  21. Am I the only one that thought the IT guys probably saw this as a great opportunity to score an equipment upgrade?

    1. I had that thought too. If management wants to replace everything, we aren’t going to complain.

Please to post comments

Comments are closed.