Malware: A Convenient Excuse to Upgrade Hardware

Many of you have probably heard about the Economic Development Administration’s (EDA) act of outright destroying perfectly functional hardware because of malware infections:

The Economic Development Administration (EDA) is an agency in the Department of Commerce that promotes economic development in regions of the US suffering slow growth, low employment, and other economic problems. In December 2011, the Department of Homeland Security notified both the EDA and the National Oceanic and Atmospheric Administration (NOAA) that there was a possible malware infection within the two agencies’ systems.

[…]

EDA’s CIO, fearing that the agency was under attack from a nation-state, insisted instead on a policy of physical destruction. The EDA destroyed not only (uninfected) desktop computers but also printers, cameras, keyboards, and even mice. The destruction only stopped—sparing $3 million of equipment—because the agency had run out of money to pay for destroying the hardware.

The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development of a long-term response. Full recovery took close to a year.

The full grim story was detailed in the Department of Commerce audit released last month, subsequently reported by Federal News Radio.

Most of the people I’ve talked to about this story have written it off as ineptitude on behalf of the EDA’s leadership, specifically laughing about how poorly they understood technology. Even though I tend to attribute buffoonery to stupidity instead of malice in this case I think the leadership of the EDA knew exactly what they were doing. They were looking for a way to justify upgrading their equipment.

Computer technology advances quickly and hardware that his a mere two years old is already out of date. If you’re the leadership of a massive government bureaucracy looking to have the latest and greatest technology at hand what can you do? You can exploit the first tragedy that arises! The agency had enough foresight to hire a security contractor who likely informed it that there was no reason to replace any hardware. Yes the agency replaced a great deal of hardware. In all likelihood the EDA’s leadership knew there was no reason to do so but went forward with the plan anyways because they knew they could write off their act of destruction and simple ignorance. Everybody knows accountability is dead within the state after all.