The total cost to the taxpayer of this incident was $2.7 million: $823,000 went to the security contractor for its investigation and advice, $1,061,000 for the acquisition of temporary infrastructure (requisitioned from the Census Bureau), $4,300 to destroy $170,500 in IT equipment, and $688,000 paid to contractors to assist in development of a long-term response. Full recovery took close to a year.
The full grim story was detailed in the Department of Commerce audit released last month, subsequently reported by Federal News Radio.
The EDA’s overreaction is, well, a little alarming. Although not entirely to blame—the Department of Commerce’s initial communication with EDA grossly overstated the severity of the problem (though corrected its error the following day)—the EDA systematically reacted in the worst possible way. The agency demonstrated serious technical misunderstandings—it shut down its e-mail servers because some of the e-mails on the servers contained malware, even though this posed no risk to the servers themselves—and a general sense of alarmism.
The malware that was found was common stuff. There were no signs of persistent, novel infections, nor any indications that the perpetrators were nation-states rather than common, untargeted criminal attacks. The audit does, however, note that the EDA’s IT infrastructure was so badly managed and insecure that no attacker would need sophisticated attacks to compromise the agency’s systems.