US Government Needlessly Trashes $170k Of Kit After Routine Malware Infection

computer rage - Shutterstock - © Stokkete

US body goes beserk over a relatively minor malware outbreak

A US government department lost the plot when it discovered a fairly run-of-the-mill malware outbreak, needlessly deciding to kill off the threat by destroying more than $170,000 (£114,100) worth of hardware, even mice and keyboards.

That was the finding of a report into the actions of the Economic Development Administration (EDA) in 2011 and 2012, when it found one of its networks contained various infections.

It panicked, thinking the infection was part of a “sophisticated cyber attack” that could hit other departments. So it decided to destroy IT components on the affected network, including desktops, printers, TVs, cameras, computer mice and keyboards.

The EDA wanted to destroy more, but ran out of funds by August 2012. It was thinking of obliterating the rest of its IT kit, worth more than $3 million.

Malware scare causes carnage

Computer rage 2 - Shutterstock - © Stephane Bidouze

But an Office of Inspector General investigation found no evidence of a widespread malware infection nor any reason for it to separate its IT systems from other networks, let alone destroy a tonne of equipment. And the EDA didn’t follow the right incident response procedures, basing its actions on inaccurate data, the report claimed.

It uncovered a serious disconnect between the Department of Commerce Computer Incident Response Team and the EDA, which resulted in further propagation of inaccurate information.

And neither the Department of Homeland Security, nor the National Security Agency validated claims that 50 percent of the EDA’s network was infected, or that 143 systems contained common fake anti-virus. Instead the two major government bodies compounded the problem by pushing the erroneous data.

Indeed, it appeared antivirus had picked up on threats and there was no malware either across that many systems, nor on an email server, as the EDA CIO believed.

“Not only was EDA’s CIO unable to substantiate his assertion with credible evidence, EDA’s IT staff did not support the assertion of an infection in the email server,” the report read.

When the organisation brought in a specialist for $823,000, they discovered only six components had malware infections, which could have easily been cleaned.

Overall, the government body spent $2,747,000 on the “recovery” operation.

Insane reaction

IT security pros were stunned at the rash response of the US government.

“Is it the most absurd reaction to a malware outbreak I have ever seen? On the face of it, certainly yes,” Rik Ferguson, director of security research and communication for Trend Micro, told TechWeekEurope.

“What strikes me as really curious about the whole affair is that one of two things had to happen. Either the EDA spent over $800,000 on an outside expert to help in the investigation and as a result of the investigation, came to the conclusion that all their kit had to be destroyed, or they were carrying out the destruction while the investigation was ongoing.

“Neither of these outcomes seems appropriate or proportionate, to put it mildly.”

Are you a security expert? Try our quiz!