The virus struck in an e-mail 81 days ago, flagged by a federal team that monitors cyberthreats. The target was a small job-development bureau in the Commerce Department. The infiltration was so vicious it put Commerce’s entire computer network at risk.
To avert a crisis, the Economic Development Administration (EDA) unplugged its operating system — and plunged its staff into the bureaucratic Dark Ages
E-mail? Gone. Attachments, scans, Google searches? Until further notice, no such thing.
Employees became reacquainted with their neighborhood post office and the beep-squeak-hiss of the fax spitting out paper. The must-have office supply became toner for the machine.
Twelve weeks offline and the longest intrusion into a federal network in recent history is still wreaking havoc.
“We don’t yet have any deeper understanding of what happened,” Commerce Secretary John Bryson said in an interview. “But we have the best resources in the federal government looking into this.”
The hackers so far have outrun those investigators; the malware’s origin remains unknown.
The EDA gives grants to distressed communities out of six regional offices, with a small Washington presence. It has 215 employees, a tiny corner of the federal landscape.
But its crippled system is evidence that every government network is vulnerable to cyberattacks that could disrupt business and spread. The number of intrusions into federal systems reported to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team exploded to 44,000 in fiscal year 2011 from 5,500 in fiscal 2007. They ranged in severity from malicious software to unauthorized computer use.
Most of the attacks did not knock out entire networks. They were erased or swatted away with anti-virus tools, password changes and other security steps.
Other attacks were serious. In recent years, hackers have penetrated e-mail and other systems at the Defense and State departments and NASA and disabled another Commerce bureau that handles sensitive information.
Cyber-experts have repeatedly pointed to a lack of system security at the Commerce Department. The agency’s IT systems “are constantly exposed to an increasing number of cyber attacks, which are becoming more sophisticated and more difficult to detect,” Inspector General Todd J. Zinser wrote last year.
As an outside security team tries to isolate the current culprit, the EDA has spent weeks building from scratch a new operating network that requires servers and equipment and a complex security firewall to prevent another virus from working its way into the new system.
Business has limped along as employees slowly are brought back online on the new network. The hackers’ motives, whether economic espionage or something else, are unknown.
The bottom line for now: Make do.
The already long vetting process for grants slowed. How fast, after all, could it move when paperwork had to be sent by snail mail?
In the field, the first sign of trouble in January was bouncing e-mails.
In Rochelle, Ill., economic development director Jason Anderson was waiting for word on funding for a railroad spur between a freight line and a new rail car plant under construction in his city. Finally, he dialed the EDA’s Chicago office.