The spread of digitalization and computerization across the world has also significantly increased the exposure of systems to cybercrime, such as the spread of spyware and malware and deliberate hacking attempts. Whether done for fun, to deliver a political message, to extract criminal profit, or as an act of information warfare, cybercrime has led to increased demand for cybersecurity.
Books, journals, and newspaper articles have been dedicated to promoting investment in cybersecurity for business organizations, government agencies, nonprofits, and even individual users who fear they may be targeted by cybercriminals.
However, some individuals resist the push for increased security, as it increases the influence of the state. Others have raised concerns that cybersecurity always plays catch-up and that cybercriminals are always three steps ahead. The inadequacy of existing security measures was demonstrated between 2015 and 2017, a period with over 3,000 serious data breaches and over 400 million records exposed (Statista, 2018).
However, cybersecurity cannot be improved by mindlessly throwing money at the problem in the hope that it goes away. The purpose of this paper is to analyze the incident that occurred at EDA (Economic Development Administration) during 2012-2013 and to decide whether it was prudent or incompetent to destroy hardware in the aftermath of a malware infection.
What Happened: A Summary
The crisis at EDA started in late December 2011 or early January 2012, when the agency received a warning from the Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) that malware was infecting its network (Gibbs, 2013). The malware was a relatively benign virus that had entered the network when one of the employees opened an email carrying it. In order to contain the infection and prevent the loss of critical data, EDA disconnected itself from the internet and asked cybersecurity agencies for assistance. The virus was located on six computers and promptly removed.
However, it was uncertain whether it existed on any other machines within the network. Instead of methodically checking every computer on the same network, EDA's CEO, Chuck Benjamin, decided that the agency was dealing with a nation-state-grade cybersecurity incident and ordered the destruction of all hardware, including cameras, mice, printers, keyboards, and other equipment (Gibbs, 2013). Total damages are estimated at 3 million dollars (Gibbs, 2013).
EDA stopped only because the funding for the destruction of hardware ran out. In addition, the agency requested over 26 million dollars for the next three years to restore and upgrade its IT department (Gibbs, 2013). Many perceive such activities as wasteful spending of taxpayer dollars.
My Initial Opinion
To me, this is an obvious case of corruption and money laundering being committed under the guise of upgrading equipment and improving the department’s cybersecurity. As it stands, the US operates a very large government, with many trillions of dollars being spent on various issues, such as economic development, welfare, social security, medical security, and others. These large government-sanctioned programs require a large bureaucracy. With the system being so unnecessarily complex, it is bound to have plenty of loopholes.
From how I see it, the decision to destroy the equipment was made out of self-serving financial concerns. Securing funding for renewing the existing IT infrastructure and expanding the yearly budget by 2.5 times (to 8.81 million dollars per year versus 3 million dollars per year) for the next three years provides an excellent opportunity to install cheaper computers and hardware that would work just as well as, if not better than, the previous system. Any extra finances saved as a result could have been spent on personal effects, improving the CEO's office, and other proclivities not associated with improving cybersecurity.
The fate of the devices destroyed in the effort to protect EDA from the virus also leaves many questions. From my understanding, the procedure involved the destruction of used but perfectly working equipment. It is possible that the equipment was not destroyed but instead sold or distributed among the workers involved in its destruction. Either would constitute theft of government property and a waste of taxpayer dollars.
Lastly, the motivations for ordering such a course of action are suspect. Viruses infect hard drives and memory slots. They do not survive a memory formatting procedure, which erases all data from the disks. Had this operation been done, the system could have been restored much cheaper and faster, without the need for unnecessary destruction. Virtually any semi-competent computer user is aware of this. EDA’s CEO, as well as everyone involved, should have been aware of how viruses and cyberthreats work, at least on a rudimentary level, to inform their decision. To summarize, the destruction of hardware was a criminal waste of money and property, which would not bring about any improvements, but only slowed down EDA’s performance and caused additional damage in delays and obstacles for the department.
Opinions of IT Professionals
In order to obtain a more informed opinion about the subject, I decided to conduct my own research by examining academic sources as well as making inquiries among individuals more knowledgeable in the field than I am. They managed to provide interesting and refreshing perspectives on the matter. Their responses have been summarized in the table below:
Interview Analysis
Each interview was conducted separately, without the interviewees knowing the responses given by previous interviewees. As can be seen, while the majority of the respondents agree that the destruction of peripheral devices was meaningless, there are discrepancies regarding the issues surrounding the cybersecurity of EDA. It is important to highlight each of the crucial points from the interviews and investigate them further to see whether they are as relevant as they seem to be. These points are as follows:
- No virus can survive a disk being formatted.
- Employee training is as critical to the success or failure of the cybersecurity architecture as the presence of safeguards, firewalls, antiviruses, and backup servers.
- There are viruses that can infect other parts of the computer, including the BIOS/UEFI, SMM, GPU, or NIC.
- Cybersecurity will always lag behind and is not worth the investment.
- Some malware can be carried by peripheral devices that connect over USB.
Some of these points contradict one another. For example, the common belief is that no virus can survive the disk being formatted. However, the existing body of academic literature dedicated to the subject indicates that this belief is false. Wu, Li, Yang, Yang, and Tang (2017) confirm the existence of viruses that can survive a disk purge by embedding themselves in other components of the computer, such as the BIOS, UEFI, SMM, GPU, or NIC. Since two other respondents also mentioned these threats, it is possible to conclude that the common idea of viruses being easily removed from hardware is false: a disk wipe alone does not establish that a machine is clean, because the firmware of the machine is untouched by it and has to be verified or reflashed separately.
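The practical consequence of this point is that a disk wipe proves nothing about firmware. The following Python script, an added example rather than anything from the sources cited here, shows the check a responder would run instead: comparing a dump of a machine's SPI flash against a known-good (vendor or golden) image block by block, so that a modification is not only detected but located. The flash images and the region offsets are constructed for illustration; on a real machine the dump would come from a tool such as flashrom or chipsec, and the region layout from the flash descriptor.

```python
"""Added example: verifying that a machine's firmware, not just its disk,
matches a known-good image. The flash images and the region map below are
constructed for illustration; a real check would compare a dump taken with
a flash reader (e.g. flashrom or chipsec) against the vendor's image."""
import hashlib

BLOCK_SIZE = 4096  # typical SPI flash erase-block size

# Constructed region map: (start, end) byte offsets into the flash image.
# A real layout is read from the flash descriptor, not hard-coded.
REGIONS = {
    "descriptor": (0x0000, 0x1000),
    "ME/SMM":     (0x1000, 0x4000),
    "BIOS/UEFI":  (0x4000, 0x10000),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def region_of(offset: int) -> str:
    """Map a flash offset to the named region containing it."""
    for name, (start, end) in REGIONS.items():
        if start <= offset < end:
            return name
    return "unmapped"


def diff_firmware(golden: bytes, suspect: bytes, block_size: int = BLOCK_SIZE):
    """Return (offset, region) for every block of `suspect` whose hash differs
    from the same block of `golden`. Images of different length are compared
    up to the longer one, so a truncated dump shows up as differing blocks
    instead of silently passing."""
    findings = []
    n = max(len(golden), len(suspect))
    for off in range(0, n, block_size):
        g = golden[off:off + block_size]
        s = suspect[off:off + block_size]
        if sha256_hex(g) != sha256_hex(s):
            findings.append((off, region_of(off)))
    return findings


def verdict(golden: bytes, suspect: bytes) -> str:
    diffs = diff_firmware(golden, suspect)
    if not diffs:
        return "firmware matches golden image"
    regions = sorted({r for _, r in diffs})
    return f"firmware modified in {len(diffs)} block(s): regions {regions}"


def build_samples():
    """Constructed 64 KiB images: a golden image and a copy with one block
    in the BIOS region altered, the way a firmware implant would alter it."""
    golden = bytes([0x5A]) * 0x10000
    suspect = bytearray(golden)
    suspect[0x8000:0x8010] = b"\x90" * 16
    return golden, bytes(suspect)


if __name__ == "__main__":
    golden, suspect = build_samples()
    print(verdict(golden, suspect))
```

A whole-image hash mismatch alone is not actionable, since legitimate vendor updates also change the hash; the block-level diff tells the responder whether the change sits in the BIOS region (reflash from the vendor image and re-verify) or in a region such as the management engine that the host cannot normally read or write, which is where physically reflashing or replacing the board, rather than destroying mice and keyboards, becomes the defensible choice.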
The next idea to investigate is that employee training, rather than the renewal or destruction of equipment, should be the main focus of the intervention. As mentioned at the beginning, the main reason why the EDA network became infected with malware was that one of the employees opened an unsolicited email that carried the virus. According to Conteh and Schmick (2016), employees are extremely vulnerable to social engineering attempts.
Social engineering is an attack technique that uses various methods of conscious and subconscious persuasion to get employees to hand their credentials to the attackers or to download malicious files onto their computers. Conteh and Schmick (2016) support the idea of teaching employees to recognize and reject such attempts in order to improve cybersecurity.
One respondent voiced the idea that funding cybersecurity efforts is a waste of time because the heterogeneity of existing systems leaves too many holes for determined attackers to exploit. There is some truth to that statement. Olleros and Zhegu (2016) state that the effectiveness of cybersecurity interventions varies across different fields. While existing levels of system protection and employee training are enough to deal with phishing attempts, Trojans, and social engineering, they are not enough to prevent professional attackers from infiltrating and shutting down systems. Jing, Vasilakos, Wan, Lu, and Qiu (2014) support these conclusions, stating that the vulnerability of organizations continues to grow with the popularity of IoT (Internet of Things) technologies.
The last point to be researched is the existence of malware that can live in peripheral devices connected to the computer, such as keyboards, mice, web cameras, scanners, and printers. Choi (2015) confirms that such attacks exist: malicious code can be delivered not only by USB flash drives but by any device that communicates over USB, because the firmware of such a device can be reprogrammed to present itself to the host as a different kind of device (the BadUSB vulnerability). In addition, the researcher confirms the existence of other types of malware targeting firmware. Thus, the possibility of peripheral devices being infected is confirmed.
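As an added example (not from Choi or any other source cited here), the Python below shows what a host-side detector for the BadUSB pattern looks like: a device that re-enumerates on the same port as a different device class shortly after being plugged in, or a single device that exposes both a mass-storage and a HID (keyboard) interface, which is how a "flash drive" that types commands presents itself. The hotplug events, ports, serial numbers, and VID:PID values are constructed; on a Linux host they would be taken from udev or the kernel log.

```python
"""Added example: flagging USB devices that behave like BadUSB implants.
The enumeration events are constructed; on a real host they would come from
the kernel's USB hotplug log (udev / dmesg on Linux)."""

# USB interface class codes from the USB specification.
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08
CLASS_NAMES = {CLASS_HID: "HID", CLASS_MASS_STORAGE: "mass-storage"}

# Constructed hotplug events: (timestamp_s, port, vid:pid, serial, interface classes)
EVENTS = [
    (1.0,   "1-1", "0781:5583", "A1B2C3", [CLASS_MASS_STORAGE]),             # flash drive
    (2.0,   "1-2", "046d:c31c", "",       [CLASS_HID]),                      # ordinary keyboard
    (8.5,   "1-1", "046d:c31c", "A1B2C3", [CLASS_HID]),                      # same port and serial, now a keyboard
    (9.0,   "1-3", "0781:5583", "D4E5F6", [CLASS_MASS_STORAGE, CLASS_HID]),  # storage that also types
    (100.0, "1-2", "0781:5583", "",       [CLASS_MASS_STORAGE]),             # keyboard replaced by a drive much later
]


def class_set_name(classes) -> str:
    return "+".join(CLASS_NAMES.get(c, hex(c)) for c in sorted(classes))


def detect_badusb(events, window_s: float = 30.0):
    """Return (port, vid:pid, serial, reason) for each suspicious event.

    Pattern 1: one device exposing mass-storage and HID interfaces at once.
    Pattern 2: a device on a port changing its interface class set either
    while keeping the same serial number, or within `window_s` seconds of the
    previous enumeration on that port. A device unplugged and replaced by a
    different one long afterwards (no serial, outside the window) is not flagged."""
    findings = []
    last_on_port = {}  # port -> (timestamp, serial, frozenset of classes)
    for ts, port, vidpid, serial, classes in sorted(events, key=lambda e: e[0]):
        cls = frozenset(classes)
        if CLASS_MASS_STORAGE in cls and CLASS_HID in cls:
            findings.append((port, vidpid, serial,
                             "single device exposes mass-storage and HID interfaces"))
        prev = last_on_port.get(port)
        if prev is not None:
            prev_ts, prev_serial, prev_cls = prev
            same_device = bool(serial) and serial == prev_serial
            if prev_cls != cls and (same_device or ts - prev_ts <= window_s):
                findings.append((port, vidpid, serial,
                                 f"re-enumerated as {class_set_name(cls)} "
                                 f"after presenting as {class_set_name(prev_cls)}"))
        last_on_port[port] = (ts, serial, cls)
    return findings


if __name__ == "__main__":
    for port, vidpid, serial, reason in detect_badusb(EVENTS):
        print(f"port {port} {vidpid} serial={serial or '-'}: {reason}")
```

The detector deliberately keys on behaviour rather than on a list of bad VID:PID values, since a reprogrammed device can report any identifiers it likes; the policy response on a managed fleet is usually to require that new HID devices be approved before the host accepts input from them, which is what the interviewees' concern about peripherals amounts to in practice.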
Informed Opinion and Conclusions
After conducting research, my opinion of the situation surrounding the destruction of hardware by EDA changed to a considerable degree. As various academic sources show, cybersecurity is a very young and somewhat contradictory discipline, as it is necessary to balance effectiveness, costs, and employee training while at the same time being prepared to defend against cyberthreats of different levels of complexity.
Let us start with the matters in which I was wrong in my initial perception of the situation. The main flaw of my argument was the assumption that a simple wipe of the hard drives would be enough to remove all kinds of viruses and restore the functionality of the system. This has proven to be a false solution, as there are indeed viruses that can embed themselves in the BIOS, UEFI, SMM, GPU, or NIC and survive the purge. Therefore, following the standard wipe-and-reinstall procedure would have exposed EDA to potential risks.
My assumption that peripheral devices could not carry any malicious code was also flawed. As several academic sources show, there is malware that targets device firmware, and there is malware that uses one of the most common ports, USB, to move from one machine to another. This is very disconcerting, as it shows that virtually anything can be compromised. Considering the popularity of IoT technologies in virtually every sphere of our lives, firmware-level and USB-borne threats are more dangerous than anticipated.
Therefore, it appears that, in theory, EDA had reasons to fear nation-state attacks from other countries. Such attacks could have been conducted, as there is evidence that potential attackers have the expertise, the knowledge, the finances, and the technology to do so. However, these facts do not excuse EDA from the accusations made in my initial statement of opinion.
There is no reason to believe that outside forces deliberately targeted the agency. It is a known fact that the malware that infected its computers was part of a large email spam campaign that did not aim at the agency specifically. The virus spread into EDA's systems only because its employees allowed it to.
While this may serve as a justification for requesting money for additional cybersecurity training of EDA's employees, there is no evidence that the full destruction of the agency's IT hardware, including mice, keyboards, cameras, and other peripherals, was warranted. According to the US-CERT report, the virus was successfully removed from six computers, and there was no evidence that it existed anywhere else in the system. The decision to take preemptive action in such a wasteful manner was made by EDA's CEO, Chuck Benjamin. Therefore, this situation revolves around incompetence and corruption, with cybersecurity concerns being used to cover up these activities.
Supporters of a small government would find little use in this argument, however. EDA is one of the agencies that cannot be eliminated, only reduced in scale, and it would still be vulnerable to cyberattacks. The issue is not about the government being large or small; it is about the head of EDA and its employees being incompetent to handle cybersecurity issues.
References
Choi, J. (2015). Countermeasures for BadUSB vulnerability. Journal of the Korea Institute of Information Security and Cryptology, 25(3), 559-565.
Conteh, N. Y., & Schmick, P. J. (2016). Cybersecurity: Risks, vulnerabilities and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6(23), 31-38.
Gibbs, M. (2013). US Economic Development Administration fixes malware infection, destroys everything (mice included). Forbes. Web.
Jing, Q., Vasilakos, A. V., Wan, J., Lu, J., & Qiu, D. (2014). Security of the Internet of Things: perspectives and challenges. Wireless Networks, 20(8), 2481-2501.
Olleros, F. X., & Zhegu, M. (2016). Research handbook on digital transformations. Northampton, MA: Edward Elgar Publishing.
Statista. (2018). Annual number of data breaches and exposed records in the United States from 2005 to 2018 (in millions). Web.
Wu, Y., Li, P., Yang, L.-X., Yang, X., & Tang, Y. Y. (2017). A theoretical method for assessing disruptive computer viruses. Physica A: Statistical Mechanics and Its Applications, 482, 325-336.