The Economic Development Administration (EDA) is an agency in the Department of Commerce that promotes economic development in regions of the US suffering slow growth, low employment, and other economic problems. In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a possible malware infection within the two agencies’ systems.
The NOAA isolated and cleaned up the problem within a few weeks.
Of course they did. The NOAA has scientists in it to whom computers are not a magic talisman. So they probably cleaned it up with standard software.
If I gave you ten years, you could not imagine what EDA did.
The EDA, however, responded by cutting its systems off from the rest of the world—disabling its enterprise e-mail system and leaving its regional offices no way of accessing centrally held databases.
It then recruited an outside security contractor to look for malware and provide assurances that not only were EDA’s systems clean, but also that they were impregnable against malware. The contractor, after some initial false positives, declared the systems largely clean but was unable to provide this guarantee. Malware was found on six systems, but it was easily repaired by reimaging the affected machines.
EDA’s CIO, fearing that the agency was under attack from a nation-state,
A nation-state? Did he really think that Libya was planning to hit us where it really hurts — at the EDA? Not nuclear weapons or air-traffic control, but an agency so obscure and useless, most Americans couldn’t identify it on a bet? What’s the worst they’d do? Stop another absurd expensive useless boondoggle being inflicted on some poor community?
EDA’s CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice. The destruction only stopped—sparing $3 million of equipment—because the agency had run out of money to pay for destroying the hardware.
The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development of a long-term response. Full recovery took close to a year.
$823,000 for an investigation into malware? $688,000 for long term … ? I … you … but … this … you gotta …
These are the people who we are supposed to trust to look over our electronic communications, to check our cell phones, to keep our information …
Another day, another slipup by the Internal Revenue Service.
The incident involves the unwitting exposure of “tens of thousands” of Social Security numbers, according to a recent audit by the independent transparency and public-domain group Public.Resource.org. The identifying numbers were on the Internet for less than 24 hours after being discovered, but the damage was done. And unfortunately, the data breach concerns some of the most sensitive types of transactions: Those made by nonprofit political groups known as 527s.
Information about 527s is supposed to be public. However, those forms are supposed to have the Social Security numbers blacked out. A significant number didn’t. No word yet on whether there was any political bias in which numbers were revealed, or whether all of them were.
This is it, folks. This is the government that is supposed to run our healthcare, move our economy, give us jobs, educate us, feed us, house us, make sure we don’t get fat, force us to breast-feed our children and defend us from terrorists. And they’re responding to malware with a literal sledgehammer and posting documents with our private information on them.