Now comes news that the attack was no attack at all.
The Commerce Department’s inspector general has determined that the supposed attack that crippled the Economic Development Administration for almost a year in 2012 was nothing of the sort. The disruption turned out to be a common malware infection on six computers that could have been erased with anti-virus tools and other security steps.
“EDA’s persistent, mistaken beliefs resulted in an excessive response and ultimately unnecessary expenditure of valuable resources,” Inspector General Todd J. Zinser wrote in a recent report.
“There was no evidence to suggest that EDA’s primary business application had been targeted by a cyber attack or maliciously altered,” he wrote.
Zinser described a series of errors and miscommunications that led the EDA to take drastic steps immediately after a Department of Homeland Security team flagged a possible virus in December 2011.
Inexperienced, unqualified IT employees overreacted to information that turned out to be wrong, investigators found in their June 26 report. They spoke past one another and did not validate how many computers had been targeted. They failed to heed early conclusions that this was not a large-scale attack by a foreign entity.
EDA officials destroyed desktops, laptops, servers and printers worth $175,000. The destruction stopped only because they ran out of money — and Commerce officials denied their request for millions of dollars to demolish more equipment.
EDA officials hired an outside cybersecurity contractor for $823,000 to investigate the attack and spent $688,000 to come up with a long-term fix for a problem that didn’t exist.
They wasted $1.1 million on new computers and other temporary equipment they are now replacing with permanent networks.
The expenses came to half the department’s technology budget. In an environment of heightened vulnerability to cyberattacks, “once you’re infected you often overact,” said Alan Paller, research director of the SANS Institute, a cybersecurity training school in Bethesda.
“You feel violated,” Paller said. “All you feel is somebody’s in my house and I’ve got to get them out. And you get overly conservative.”
Rebecca Blank, appointed as acting commerce secretary in June 2012, asked Zinser to investigate the response.
“The EDA did not know what it was facing,” said Blank, who left the Obama administration this spring. “Under those circumstances, given the cyber risks [to the government], one has to be cautious.”