At Least DOC Did Not Use White Out

July 10, 2103

A Department of Commerce division physically destroyed $2.7 million worth of computer hardware, including monitors and keyboards, in an attempt to protect itself from a virus that did not exist.

http://www.oig.doc.gov/OIGPublications/OIG-13-027-A.pdf

WHAT WE FOUND

Reviewing EDA’s IT security program and the events surrounding its December 2011 cyber incident and recovery efforts, we found that:

EDA Based Its Critical Cyber-Incident Response Decisions on Inaccurate Information. Believing (a) the incident resulted in a widespread malware infection possibly propagating within its systems and (b) its widespread malware infection could spread to other bureaus if its IT systems remained connected to the network, EDA decided to isolate its IT systems from the HCHB network and destroy IT components to ensure that a potential infection could not persist. However, OIG found neither evidence of a widespread malware infection nor support for EDA’s decision to isolate its IT systems from the HCHB network.

Deficiencies in the Department’s Incident Response Program Impeded EDA’s Incident Response. These deficiencies significantly contributed to EDA’s inaccurate belief that it experienced a widespread malware infection. Consequently, the Department of Commerce Computer Incident Response Team (DOC CIRT) and EDA propagated inaccurate information that went unidentified for months after EDA’s incident. We found that DOC CIRT’s incident handlers did not follow the Department’s incident response procedures, that its handler for EDA’s incident did not have the requisite experience or qualifications, and that DOC CIRT did not adequately coordinate incident response activities.

Misdirected Efforts Hindered EDA’s IT System Recovery. With its incorrect interpretation of recovery recommendations, EDA focused its recovery efforts on replacing its IT infrastructure and redesigning its business applications. EDA should have concentrated its resources on quickly and fully recovering its IT systems (e.g., critical business applications) to ensure its operational capabilities. Our review of EDA’s recovery activities found that (a) EDA decided to replace its entire IT infrastructure based on its incorrect interpretation of recovery recommendations and (b) EDA’s recovery efforts were unnecessary.

The Department, using already existing shared IT services, returned EDA’s systems to their former operational capabilities (except for access to another Departmental agency’s financial system) in just over 5 weeks of starting its effort.