Given EDA’s history of common malware infections (the NSA identified common malware on EDA’s IT systems in its 2009 review), there was a high probability that external incident responders would find some malware infections when investigating EDA’s incident. In fact, EDA’s lack of implemented IT security and the significant number of easily exploitable vulnerabilities negated an attacker’s need to use costly attack techniques (sophisticated cyber attacks) to compromise EDA’s systems. EDA’s deficient IT security posture made it likely that external incident responders would find common malware. In the end, nothing identified on EDA’s components posed a significant risk to EDA’s operations.
However, EDA’s CIO concluded that the risk, or potential risk, of extremely persistent malware and nation-state activity (which did not exist) was great enough to necessitate the physical destruction of all of EDA’s IT components. EDA’s management agreed with this risk assessment and EDA initially destroyed more than $170,000 worth of its IT components, including desktops, printers, TVs, cameras, computer mice, and keyboards. By August 1, 2012, EDA had exhausted funds for this effort and therefore halted the destruction of its remaining IT components, valued at over $3 million. EDA intended to resume this activity once funds were available. However, the destruction of IT components was clearly unnecessary because only common malware was present on EDA’s IT systems.
Now that I think about it, maybe the more dangerous malware infection was of the government official’s mind, not of the computer hardware. Thanks to InstaPundit for the pointer.