July 10, 2013
A Department of Commerce division physically destroyed $2.7 million worth of computer hardware, including monitors and keyboards, in an attempt to protect itself from a virus that did not exist.
WHAT WE FOUND
Reviewing EDA's IT security program and the events surrounding its December 2011 cyber incident and recovery efforts, we found that:

EDA Based Its Critical Cyber-Incident Response Decisions on Inaccurate Information. Believing (a) the incident resulted in a widespread malware infection possibly propagating within its systems and (b) its widespread malware infection could spread to other bureaus if its IT systems remained connected to the network, EDA decided to isolate its IT systems from the HCHB network and destroy IT components to ensure that a potential infection could not persist. However, OIG found neither evidence of a widespread malware infection nor support for EDA's decision to isolate its IT systems from the HCHB network.

Deficiencies in the Department's Incident Response Program Impeded EDA's Incident Response. These deficiencies significantly contributed to EDA's inaccurate belief that it experienced a widespread malware infection. Consequently, the Department of Commerce Computer Incident Response Team (DOC CIRT) and EDA propagated inaccurate information that went unidentified for months after EDA's incident. We found that DOC CIRT's incident handlers did not follow the Department's incident response procedures, that its handler for EDA's incident did not have the requisite experience or qualifications, and that DOC CIRT did not adequately coordinate incident response activities.

Misdirected Efforts Hindered EDA's IT System Recovery. With its incorrect interpretation of recovery recommendations, EDA focused its recovery efforts on replacing its IT infrastructure and redesigning its business applications. EDA should have concentrated its resources on quickly and fully recovering its IT systems (e.g., critical business applications) to ensure its operational capabilities. Our review of EDA's recovery activities found that (a) EDA decided to replace its entire IT infrastructure based on its incorrect interpretation of recovery recommendations and (b) EDA's recovery efforts were unnecessary.

The Department, using already existing shared IT services, returned EDA's systems to their former operational capabilities (except for access to another Departmental agency's financial system) within just over 5 weeks of starting its effort.