Federal Cyber Panic
Fake scare, blown budget
What happens when a tech-inept federal agency panics over a potential cyber threat? A yearlong saga of waste and overreaction at the Economic Development Administration provides a sad illustration.
The agency, a subdivision of the Commerce Department tasked with promoting innovation and economic competitiveness, blew half its information technology budget last year fighting phantom attacks, cut off staff from basic communications systems such as email, and unnecessarily destroyed hundreds of thousands of dollars' worth of computer equipment that not only wasn't infected but almost certainly couldn't have been infected, stopping only when the agency ran out of funding to destroy equipment, according to a Commerce Department inspector general's report released in June.
After an internal report indicated that malware had infected hundreds of computer systems, the agency began a massive campaign of technological destruction, tossing out an estimated $170,000 worth of computers and related equipment, including mice, on the fear that a major foreign cyber attack might be underway.
But the initial report had been a mistake. Only two components were infected. And the malware was garden-variety Internet junk, not the stuff of a foreign cyber-plot. An incident response team tried to correct the mistake, but higher-ups at the agency didn't understand the follow-up message.
Overall, the agency ended up spending $2.7 million attempting to clean out its systems despite the fact that there was never a serious infection. There was, however, one problem that the cleanup crew missed entirely: According to the inspector general's report, the agency's network was so poorly protected that no outsider would have needed sophisticated infiltration techniques to attack it in the first place.