An almost farcical series of miscommunications led to the destruction of $170,000 worth of IT gear by the U.S. Department of Commerce’s Economic Development Administration over a routine malware warning, and it was only a lack of budget that stopped the agency from throwing out another $3 million in hardware.
The comedy of errors not only points up a lack of communication between agencies, but also a fundamental misunderstanding of technology.
The timeline of the fiasco runs something like this:
* In December 2011, the Department of Homeland Security (those guys who told the entire North American population to disable Java on its computers) warns the Commerce Department of a potential compromise of its systems.
* The Commerce Department identifies the potentially compromised computers as belonging to the Economic Development Administration. Its warning to the EDA accidentally names 146 systems as being compromised, when in fact, the number is only two.
* A follow-up warning tells the EDA that only two systems are compromised, but in classic CYA fashion, does not clearly point out that the first warning was erroneous.
* The EDA treats the follow-up as a confirmation of the first warning and proceeds on the understanding that 146 systems are compromised. The EDA commissions a forensic analysis of the two systems identified by Commerce and confirms that they are infected with malware.
* Commerce tells the EDA to reimage the systems. The EDA replies that the problem is too widespread. Commerce assumes that the forensic analysis uncovered more compromised systems.
* Fearing rampant malware and possible nation-state attack, EDA’s chief information officer disconnects the systems from the network.
* Paranoid about persistent threats in the system, the EDA begins destroying hardware. About $170,000 worth of computers, printers, keyboards and computer mice are taken out of commission (keyboards? mice?) even though an independent analysis identifies only minor and easily fixed problems.
* The EDA runs out of funding before it can destroy its $3 million in remaining technology assets.
* At the end of the day, the EDA has spent half of its 2012 budget — or about $2.7 million — recovering from a minor malware infection.