Wednesday, July 10, 2013

Department of Commerce division spent half its 2012 IT budget to combat routine malware

In mid-June, NSA chief General Keith Alexander said that the U.S. is ill-prepared to handle a major cyber attack, and a new report unveiled on Monday points to the government being ill-prepared for even the most basic of malware attacks.

The report, from the Office of the Inspector General for the Commerce Department, points out the foibles of the Economic Development Administration, a division of the Commerce Department. The EDA apparently spent $2.7 million, or over half of its 2012 IT budget, on the eradication of malware in its systems.

As part of the process, the EDA destroyed more than $170,000 worth of equipment, including televisions, printers, and even those well-known computer rodents, mice.

Reportedly, the EDA only halted its destructive tendencies when its eradication budget ran out.

While it's possible for malware to exist on printers (large-scale ones essentially contain a print server, which can be infected like any other host), televisions and mice seem a little on the extreme side. It's true, though, that as far back as 2011 the Department of Homeland Security theorized that the future of cyberwarfare may be in pre-infected electronics.

One need only look at the supply chain of most tech companies and where their hardware is built to see why that would be a valid concern.

Still, the IG was quite clear in its assessment, saying:
EDA’s CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components. EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards.

By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million. EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems.

In addition, the EDA reported that 146 pieces of equipment were infected, but it turns out that only two were in fact affected. In terms of IT equipment, EDA’s system consisted of approximately 250 "IT components," meaning desktops, laptops, and servers.

Finally, it turns out the malware was a routine variant, not a nation-state level of malware such as Stuxnet. The EDA could have eradicated the malware by isolating the affected components from its network, scrubbing the malware away, and reconnecting the hardware.

The National Oceanic and Atmospheric Administration (NOAA), which received a notice about a potential infection at the same time as the EDA, completed its cleanup in one month.

The IG concluded their report with the following recommendations:
We recommend that the Deputy Assistant Secretary for EDA:

1. Identify EDA’s areas of IT responsibility and ensure the implementation of required security measures.
2. Determine whether EDA can reduce its IT budget and staff expenditures, through the increased efficiencies of EDA’s involvement in the Department’s shared services.
3. Ensure that EDA does not destroy additional IT inventory that was taken out of service as a result of this cyber incident.

We recommend that the Department’s Chief Information Officer:

1. Ensure DOC CIRT can appropriately and effectively respond to future cyber incidents.
2. Ensure incident response procedures clearly define DOC CIRT as the incident response coordinator for the bureaus relying on DOC CIRT’s incident response services.
3. Ensure that DOC CIRT management has proper oversight and involvement in cyber incidents to ensure that required incident response activities take place.

It's true that organizations often feel that it is cheaper to trash hardware than to disinfect it. In another example, in April it was learned that the German Ministry of Education trashed 170 computers because they were infected with Conficker, claiming just that.

We've even seen cases of private citizens doing the same, rather than a relatively simple wipe and reinstallation of the OS.
