Federal Cyber Panic

What happens when a tech-inept federal agency panics over a potential cyber threat? A yearlong saga of waste and overreaction at the Economic Development Administration provides a sad illustration.

The agency, a subdivision of the Commerce Department tasked with promoting innovation and economic competitiveness, blew half its information technology budget last year fighting phantom attacks, cut off staff from basic communications systems such as email, and unnecessarily destroyed hundreds of thousands of dollars' worth of computer equipment that not only wasn't infected but almost certainly couldn't have been infected-stopping only when the agency ran out of funding to destroy equipment, according to a Commerce Department inspector general's report released in June.

After an internal report indicated that malware had infected hundreds of computer systems, the agency began a massive campaign of technological destruction, tossing out an estimated $170,000 worth of computers and related equipment, including mice, on the fear that a major foreign cyber attack might be underway.

But the initial report had been a mistake. Only two components were infected. And the malware was garden-variety Internet junk-not the stuff of a foreign cyber-plot. An incident response team tried to correct the mistake, but higher-ups at the agency didn't understand the follow-up message.

Overall, the agency ended up spending $2.7 million attempting to clean out its systems despite the fact that there was never a serious infection. There was, however, one problem that the cleanup crew missed entirely: According to the inspector general's report, the agency's network was so poorly protected that no outsider would have needed sophisticated infiltration techniques to attack it in the first place.