Report In Brief
June 26, 2013

ECONOMIC DEVELOPMENT ADMINISTRATION
Malware Infections on EDA’s Systems Were Overstated and the Disruption of IT Operations Was Unwarranted
OIG-13-027-A

Background

The Economic Development Administration’s (EDA’s) mission is to lead the federal economic development agenda by promoting innovation and competitiveness, thus preparing American regions for growth and success in the worldwide economy. To fulfill its mission, EDA uses six regional offices to provide services specific to each region’s needs.

In accordance with the Federal Information Security Management Act of 2002 (FISMA), we evaluated EDA’s incident response and recovery activities in relation to EDA’s fiscal year 2012 cyber incident.

Why We Did This Review

On December 6, 2011, the Department of Homeland Security (DHS) notified the Department of Commerce that it detected a potential malware infection within the Department’s systems. The Department determined the infected components resided within IT systems operating on the Herbert C. Hoover Building (HCHB) network and informed EDA and another agency of a potential infection in their IT systems.

On January 24, 2012—believing it had a widespread malware infection—EDA requested the Department isolate its IT systems from the HCHB network. This action resulted in the termination of EDA’s operational capabilities for enterprise e-mail and Web site access, as well as regional office access to database applications and information residing on servers connected to the HCHB network.

Given the Department’s limited incident response capabilities and the perceived extent of the malware infection, the Department and EDA decided to augment the Department’s incident response team. Additional incident response support was provided by DHS, the Department of Energy, the National Institute of Standards and Technology, and the National Security Agency, as well as a cybersecurity contractor.

In early February 2012, EDA entered into an agreement with the Census Bureau to provide an interim e-mail capability, Internet access to EDA staff, and Census Bureau surplus laptops for EDA staff.

WHAT WE FOUND

Reviewing EDA’s IT security program and the events surrounding its December 2011 cyber incident and recovery efforts, we found that:

EDA Based Its Critical Cyber-Incident Response Decisions on Inaccurate Information. […] (a) the incident resulted in a widespread malware infection possibly propagating within […] systems and (b) its widespread malware infection could spread to other bureaus if its systems remained connected to the network, EDA decided to isolate its IT systems from the HCHB network and destroy IT components to ensure that a potential infection could not persist. However, OIG found neither evidence of a widespread malware infection nor support for EDA’s decision to isolate its IT systems from the HCHB network.

Deficiencies in the Department’s Incident Response Program Impeded EDA’s Incident […]. These deficiencies significantly contributed to EDA’s inaccurate belief that it experienced a widespread malware infection. Consequently, the Department of Commerce Computer Incident Response Team (DOC CIRT) and EDA propagated inaccurate information that went unidentified for months after EDA’s incident. We found that DOC CIRT’s incident handlers did not follow the Department’s incident response procedures, that its han[…] EDA’s incident did not have the requisite experience or qualifications, and that DOC CIRT did not adequately coordinate incident response activities.

Misdirected Efforts Hindered EDA’s IT System Recovery. With its incorrect interpretation of recovery recommendations, EDA focused its recovery efforts on replacing its IT infrastructure and redesigning its business applications. EDA should have concentrated […] resources on quickly and fully recovering its IT systems (e.g., critical business applications) […] ensure its operational capabilities. Our review of EDA’s recovery activities found that (a) EDA decided to replace its entire IT infrastructure based on its incorrect interpretation of recovery recommendations and (b) EDA’s recovery efforts were unnecessary. The Department, using already existing shared IT services, returned EDA’s systems to […] former operational capabilities (except for access to another Departmental agency’s fi[…] system) in just over 5 weeks of starting its effort.

WHAT WE RECOMMEND

We recommend that the Deputy Assistant Secretary for EDA:

1. Identify EDA’s areas of IT responsibility and ensure the implementation of required security measures.
2. Determine whether EDA can reduce its IT budget and staff expenditures through increased efficiencies of EDA’s involvement in the Department’s shared services.
3. Ensure that EDA does not destroy additional IT inventory that was taken out of s[…] as a result of this cyber incident.

We recommend that the Department’s Chief Information Officer:

1. Ensure DOC CIRT can appropriately and effectively respond to future cyber incidents.
2. Ensure incident response procedures clearly define DOC CIRT as the incident response coordinator for the bureaus relying on DOC CIRT’s incident response services.
3. Ensure that DOC CIRT management has proper oversight and involvement in cyber incidents to ensure that required incident response activities take place.