WASHINGTON – In an almost cartoonish response to a relatively minor problem, employees at the obscure Economic Development Administration took a hammer to their computers, keyboards and mice to physically destroy every piece of technology they had after incorrectly believing their network had been hacked.
Not only was the reaction unorthodox and unnecessary, it cost $2.7 million in damages -- more than half the agency’s annual technology budget, according to a recently released inspector general report.
The scathing audit also reveals that employees and contractors hired by the agency, which operates under the Commerce Department, repeatedly broke protocol and embarked on a series of bizarre blunders based on faulty information. Among them was the apparent assumption that a computer mouse can carry a virus.
An EDA spokesperson told FoxNews.com that the IT disruptions did not affect the agency’s work.
On Dec. 6, 2011, the U.S. Computer Emergency Response Team, which operates under the Department of Homeland Security, notified the Commerce Department that it detected a potential malware infection within the department’s computer system. Malware is software intended to damage or disable computer systems.
The EDA hired a cybersecurity contractor to look for malware on the agency’s computer systems. The contractor initially found evidence of corrupt software but concluded two weeks later that the findings were in fact false positives. But the EDA wanted a guarantee that its computer system was infection-free and that no malware could persist – something nearly impossible to promise.
“External incident responders were unable to provide the assurance EDA’s CIO sought, because doing so involved proving that an infection could not exist rather than that one did not exist,” the report said.
Four months later, in April, the contractor told the agency he was unable to find “any extremely persistent malware or indications of a targeted attack on EDA’s systems.”
By mid-May, EDA decided further forensic investigation would probably not lead to any new evidence. In the end, only six infected components were identified and according to the report, all easily fixable. But instead of taking that route, the EDA decided to physically destroy its hardware system.