US computer security "experts" destroy mice

Security experts working for a US government department believed that the best way to stop a virus infecting their system was to destroy printers, cameras, keyboards, and mice.

The Economic Development Administration (EDA) is an agency in the Department of Commerce that promotes economic development in regions of the US suffering slow growth, low employment, and other economic problems.  Clearly it is the sort of place which does not consider education an option.

In December 2011, the Department of Homeland Security warned the department that there was a possible malware infection in its systems.  All perfectly normal, and most outfits would have done a virus sweep.

The EDA instead adopted the sort of response not seen since the days of the bubonic plague. It cut its systems off from the rest of the world, disabling its enterprise e-mail system and leaving its regional offices no way of accessing centrally held databases.

Then it paid for outside security contractors to look for malware and provide assurances that not only were EDA’s systems clean, but also that they were impregnable against malware.

The contractor found viruses on six systems which were removed with a virus checker, but of course it could not be guaranteed that the system would never have a virus again.

According to Ars Technicathe EDA’s CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction of computer equipment.

He ordered the destruction of uninfected PCs printers, cameras, keyboards, and even mice. The destruction only stopped because the agency ran out of money to pay for destroying the hardware.

The CIO’s final approach to a fairly basic virus was a slap in the face to the taxpayer. The cost of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure, $4,300 to destroy, $170,500 in IT equipment, and $688,000 paid to contractors to assist in the development of a long-term response. It took a year for full recovery.

Ironically an audit of the fiasco revealed that the EDA’s systems were so badly managed that a virus was the least of its worries. Things were so bad that if a Chinese hacker really had wanted to find out the agencies’ doings for poor regions, they would not have needed malware to do it.