WASHINGTON – In an almost cartoonish response to a relatively minor problem, employees at the obscure Economic Development Administration took a hammer to their computers, keyboards and mice in an effort to destroy all of the agency’s tech-related hardware after incorrectly believing their network had been hacked.
Not only was the reaction unorthodox and unnecessary, it cost $2.7 million in damages -- more than half the agency’s annual technology budget, according to a recently released inspector general report.
The scathing audit also reveals that employees and contractors hired by the agency, which operates under the Commerce Department, repeatedly broke protocol and embarked on a series of bizarre blunders based on faulty information. Among them was the apparent assumption that a computer mouse can carry a virus.
An EDA spokesperson told FoxNews.com that the IT disruptions did not affect the agency’s work.
Here’s how it went down:
On Dec. 6, 2011, the U.S. Computer Emergency Response Team, which operates under the Department of Homeland Security, notified the Commerce Department that it detected a potential malware infection within the department’s computer system. Malware is software intended to damage or disable computer systems.
The EDA hired a cybersecurity contractor to look for malware on the agency’s computer systems. The contractor initially found evidence of corrupt software but concluded two weeks later that the findings were in fact false positives. But the EDA wanted a guarantee that its computer system was infection-free and that no malware could persist – something nearly impossible to promise.
“External incident responders were unable to provide the assurance EDA’s CIO sought, because doing so involved proving that an infection could not exist rather than that one did not exist,” the report said.
Four months later, in April, the contractor told the agency he was unable to find “any extremely persistent malware or indications of a targeted attack on EDA’s systems.”
By mid-May, EDA decided further forensic investigation would probably not lead to any new evidence. In the end, only six infected components were identified and according to the report, all easily fixable. But instead of taking that route, the EDA decided to physically destroy its hardware system.
According to the report, the agency spent $1.06 million on “building a temporary infrastructure, pending long-term IT solution;” $823,000 on hiring the cybersecurity contractor; $688,000 on “contractor assistance for a long-term recovery solution;" and $4,300 to destroy $170,000 worth of tech equipment.
The destroyed equipment included:
- Desktop computers
By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million.
The Commerce Department agreed with the inspector general’s findings and said it had already implemented some of the recommendations, which included making sure staff receive appropriate training, updating incident response procedures and hiring “experienced incident handlers.”
“EDA accepts the Inspector General’s recommendations regarding its information technology incident,” an agency spokesperson said. “We take the privacy and IT security of all our employees, grantees and other partners seriously, which is why the agency acted out of an abundance of caution based on the information provided to us.”
Today, EDA’s IT operations, including its email and many of its business applications, have been integrated into Commerce’s IT operating systems which gives the agency access to a greater level of cybersecurity.