Economic Development Administration: Equipment Destruction Research Paper

Exclusively available on IvyPanda Available only on IvyPanda

The rise of digitalization and computerization across the world has also significantly increased the system’s vulnerability towards cybercrimes, such as spreading spyware, malware, and conducting deliberate hacking attempts. Whether done for fun, to deliver a political message, to extract criminal profit, or as an act of information warfare, cybercrime has led to increased demand in cybersecurity.

We will write a custom essay on your topic a custom Research Paper on Economic Development Administration: Equipment Destruction
808 writers online

Books, journals, and scientific pamphlets in newspapers have been dedicated to propagating investments into cybersecurity for business organizations, government agencies, nonprofits, and even individual users who fear they may become targeted by cybercriminals.

However, some individuals resist the desire for increased security, as it increases the influence of the state. Others have raised concerns about how cybersecurity always plays catch-up and how cybercriminals are always three steps ahead. The inefficiency of the existing security protocols has been demonstrated between 2015-2017, during which there were over 3000 serious database breaches, with over 400 million records exposed (Statista, 2018).

However, cybersecurity cannot be improved by mindlessly throwing money at the problem in hopes of it going away. The purpose of this paper is to analyze the incident that occurred in EDA (Economic Development Administration) during 2012-2013, and decide whether it was prudent or incompetent to destroy hardware in the aftermath of a viral attack.

What Happened: A Summary

The crisis at EDA started in late December 2011 – early January 2012, when the agency received a warning from the Department of Homeland Security’s United States Computer Emergency Readiness Team (US-CERT), that there was a malware infecting their network (Gibbs, 2013). The malware was a relatively benign virus that had gotten entrance into the system when one of the employees opened an email containing it. In order to contain the infection and prevent the loss of critical data, EDA had disconnected itself from the world wide web and called for cybersecurity agencies to assist them. The virus was located on six computers and promptly removed.

However, it was uncertain if it existed on any other machines within the system. Instead of methodically checking every computer found in the same network, EDA’s CEO, Chuck Benjamin, decided that they were dealing with a nation-state grade cybersecurity issue, and ordered the destruction of all hardware, including cameras, mice, printers, keyboards, and other equipment (Gibbs, 2013). Total damages are estimated at 3 million dollars (Gibbs, 2013).

EDA had stopped only because the funding for the destruction of hardware ran out. In addition, the agency requested over 26 million dollars for the next three years to aid in restoring and upgrading its IT department (Gibbs, 2013). Such activities are perceived by many as wasteful spending of taxpayer dollars.

1 hour!
The minimum time our certified writers need to deliver a 100% original paper

My Initial Opinion

To me, this is an obvious case of corruption and money laundering being committed under the guise of upgrading equipment and improving the department’s cybersecurity. As it stands, the US operates a very large government, with many trillions of dollars being spent on various issues, such as economic development, welfare, social security, medical security, and others. These large government-sanctioned programs require a large bureaucracy. With the system being so unnecessarily complex, it is bound to have plenty of loopholes.

From how I see it, the decision to destroy the equipment was made out of self-serving financial concerns. Securing funding for renewing the existent IT structure and expanding the yearly budget by 2.5 times (to 8.81 million dollars per year versus 3 million dollars per year) for the next three years provides an excellent opportunity to install cheaper computers and hardware that would work just as well, if not better than the previous system. Any extra finances saved as a result could have been spent on personal effects, improving the CEO’s office, and other proclivities not associated with improving cybersecurity.

The fate of the devices destroyed in the effort to protect EDA from the virus also leaves many questions. From my understanding, the procedure involved the destruction of used, but perfectly working equipment. It is possible for that equipment not to have been destroyed, but instead sold or distributed among the workers involved in its destruction. Either constitutes theft of government property and a waste of taxpayer dollars.

Lastly, the motivations for ordering such a course of action are suspect. Viruses infect hard drives and memory slots. They do not survive a memory formatting procedure, which erases all data from the disks. Had this operation been done, the system could have been restored much cheaper and faster, without the need for unnecessary destruction. Virtually any semi-competent computer user is aware of this. EDA’s CEO, as well as everyone involved, should have been aware of how viruses and cyberthreats work, at least on a rudimentary level, to inform their decision. To summarize, the destruction of hardware was a criminal waste of money and property, which would not bring about any improvements, but only slowed down EDA’s performance and caused additional damage in delays and obstacles for the department.

Opinions of IT Professionals

In order to obtain a more informed opinion about the subject, I decided to conduct my own research by examining academic sources as well as making inquiries among individuals more knowledgeable in the field than I am. They managed to provide interesting and refreshing perspectives on the matter. Their responses have been summarized in the table below:

NameOccupationAgeDateNotes
Faizan HussainTo be filled out by the customerTo be filled out by the customerTo be filled out by the customerThe destruction of hardware makes no sense to me. While some devices may have the capacity to store infected code, they can be easily checked for their presence and formatted as well. No virus survives a hard-drive wipe. It seems that EDA was trying to force the money out of the government for an IT upgrade for a while now, without much success, and used the latest viral attack as an excuse to obtain said funding. I cannot say whether such a desperate measure was warranted, as I do not know what was the state of their IT architecture at the time. In either case, purchasing more sophisticated equipment does not necessarily result in a more secure system, as it is just as likely to be paralyzed by an employee opening up a wrong letter.
Abdul Majeed=/==/==/=It is clear to me that the money spent on destroying old equipment and buying new one would have been better spent on training employees. Cybersecurity is built on several key founding areas: automatic responses to threats, backup facilities in case of data corruption, targeted interventions against specific threats, output and input controls, and personnel training. Many companies put an emphasis on upgrading their systems to the highest possible standard, but often neglect training their employees. The fact that the virus managed to infiltrate a government agency system via an email shows that employees lack training in cybersecurity. The fact that nobody protested against the destruction of equipment worth 3 million dollars shows a lack of basic understanding of how viruses work. The focus of the intervention, thus, is completely flawed.
Syed Tarooq Ahmed=/==/==/=While I think that the destruction of all hardware and peripheral devices, such as mice, printers, cameras, and other equipment is needless, EDA is not completely wrong in assuming such a course of action in regards to motherboards, processors, and memory storage devices. Viruses have advanced significantly in the past decade. A total memory wipe is sometimes not enough to remove them. For example, a virus could hide itself in BIOS/UEFI, in system management mode, in the Intel Management Engine (IME), in GPUs, Network Cards, SMM, and microcodes. However, it is unlikely to encounter such deep-seated viruses, as they have very specific demands towards the target hardware. In other words, a rootkit that may work on a specific configuration would be useless against another.
Abrar Parvez=/==/==/=In my opinion, cybersecurity remains a significant money sink due to a lack of uniform standards in coding as well as software security development. It could be seen in many different applications and hardware that do not receive timely upgrades to their systems, and leave outdated security protocols to be exploited by hackers. It is the reason why, despite the efforts in improving cybersecurity growing from year to year, the number of successful attacks by the likes of Petya, NotPetya, and others, are growing. Buying new equipment may lessen the chances of getting caught off-guard by regular viruses, but will not stop advanced hacking attempts. In my opinion, the best investment is in backup facilities and virus-detection software. That way, the slate could be wiped clean every time there’s a major incident, and the facility could be back to work in no time.
Najeed Uddin=/==/==/=I do not know the full story behind the incident, as it happened a while ago. I would like to play the Devil’s advocate and say that, if the event was indeed engineered by a foreign nation, then the possibility of the rootkit being engineered to survive a system purge is very likely. Constructing a BIOS/UEFI/SMM/GPU/NIC-resident rootkit is very costly and usually does not warrant the money invested into it. However, nation-state threats, such as Russia and China, usually do not seek to gain a profit from cyberattacks. They seek to deal physical or economic damage, and the amount of money already wasted in this scenario probably paid off for the development of the virus. If EDA was indeed facing a hacking attempt by a foreign nation-state threat, then destroying the equipment was warranted. Viruses can be devised to remain in cameras, mice, printers, and other hardware. They are usually very specific and made to infiltrate particular firmware architectures, which make them very specific in utilization. An example of a virus that infects devices with USB ports is BadUSB.

Interview Analysis

Each interview was conducted separately one from another, without the individuals knowing about responses given by previous interviewees. As it is possible to see, while the majority of the respondents agree that the destruction of peripheral devices was meaningless, there are discrepancies in regards to the issues surrounding cybersecurity of EDA. It is important to highlight each of the crucial points in the interview and investigate them further to see if they are as relevant as they seem to be. These points are as follow:

  • No virus can survive a memory formatting.
  • Employee training is as critical to the success or failure of the cybersecurity architecture as the presence of safeguards, firewalls, antiviruses, and backup servers.
  • There are viruses that can infect other parts of the computer, including BIOS/UEFI/SMM/GPU/NIC.
  • Cybersecurity will always lag behind and is not worth the investment.
  • Some viruses can be carried out by periphery devices with USB outlets.

Some of these points are contradicting one another. For example, the common belief is that no viruses can survive being formatted. However, the existing body of academic literature dedicated to the subject indicates that such a belief is false. Wu, Li, Yang, Yang, and Tang (2017) confirm the existence of viruses that can survive a disk purge by embedding themselves into various other systems on the computer, such as BIOS, UEFI, SMM, GPU, or NIC. Since two other respondents have also mirrored the information about these threats, it is possible to conclude that the common idea of viruses being easily removed from hardware is false.

Remember! This is just a sample
You can get your custom paper by one of our expert writers

The next idea to investigate is the idea that employee training should be the main focus for the intervention and not the renewal/destruction of the equipment. As it was mentioned at the beginning, the main reason why EDA network became infected with a malware program was that one of the employees opened an unsanctioned email, which contained the virus. According to Conteh and Schmick (2016), employees are extremely vulnerable to social engineering attempts.

Social engineering is a type of hacking that utilizes various methods of conscious and subconscious persuasion to let employees deliver their credentials to the culprits or download suspicious files onto their computers. Conteh and Schmick (2016) support the idea of teaching employees to recognize and eliminate such threats, in order to improve cybersecurity.

One respondent voiced the idea that funding cybersecurity efforts are a waste of time because the existing heterogeneity in the system leaves too many holes to be exploited by deliberate hackers. There is some truth to that statement. Olleros and Zhegu (2016) state that the effectiveness of cybersecurity interventions varies across different fields. While the existing levels of systems protection and employee training are enough to deal with phishing attempts, Trojan viruses, and social engineering methods, they are not enough to thwart professional hackers from infiltrating and shutting down systems. Jing, Vasilakos, Wan, Lu, and Qiu (2014) support these conclusions, stating that the vulnerability of organizations continues to expand with the popularity growth of IoT (Internet of Things) technologies.

The last point to be researched is the existence of viruses that can infect peripheral devices connected to the computer, such as keyboards, mice, web cameras, scanners, and printers. Choi (2015) confirms the existence of such viruses, stating that it is possible for them to transmit from USB sticks of various technologies that use the USB cable to transfer information input. In addition, the researcher confirmed the existence of other types of viruses targeting firmware. Thus, the possibilities of peripheral devices being infected are confirmed.

Informed Opinion and Conclusions

After conducting research, my opinion of the situation surrounding the destruction of hardware by EDA changed to a considerable degree. As it was shown by various academic sources, cybersecurity is a very young and somewhat contradictory discipline, as it is necessary to balance effectiveness, costs, employee training, while at the same time being prepared to defend against cyberthreats of different levels of complexity.

Let us start with the matters in which I have been wrong in my initial perception of the situation. The main flaw of my argument was that a simple hardware memory wipe would be enough to remove all kinds of viruses and help restore the functionality of the system. It has proven to be a false solution, as there are indeed viruses that can embed themselves in BIOS, UEFI, SMM, GPU, or NIC and survive the purge. Therefore, following with the standard procedure would have exposed EDA to potential risks.

My assumption that peripheral devices could not carry any malignant codes was also flawed. As it was proven in several academic sources, there are viruses that affect company firmware as well as use one of the most popular port sticks to transfer viruses from one machine to another. This is very disconcerting, as it shows the possibility of virtually anything being hacked. Considering the popularity of IoT technologies in virtually any sphere of our lives, firmware and USB-ware are more dangerous than anticipated.

Therefore, it appears to be that, in theory, EDA had reasons to fear a nation-state hacking attacks from other countries. Such attacks could have been conducted, as there is evidence of potential attackers having the expertise, the knowledge, the finances, and the technology to do so. However, these facts do not give EDA an alibi against the accusations made in my initial statement of opinion.

We will write
a custom essay
specifically for you
Get your first paper with
15% OFF

There is no reason to believe that outside forces facilitated the security breach. It is a known fact that the malware that infected their computers was part of a large email spam campaign that did not aim at the company specifically. The virus only spread into EDA’s systems because its employees allowed it to.

While this may serve as an excuse to request money for additional cybersecurity training of EDA’s employees, there is no evidence that full destruction of the company’s IT hardware, including mice, keyboards, cameras, and others, was warranted. According to the US-CERT report, the virus was successfully removed from six computers, and there was no evidence that it existed anywhere else in the system. The decision to take preemptive action in such a wasteful manner was made by EDA’s CEO, Chuck Benjamin. Therefore, this situation revolves around incompetence and corruption, with cybersecurity concerns being used to cover up these activities.

The supporters of a small government would find little use of this argument, however. EDA is one of the agencies that cannot be eliminated, only reduced in scale. Nevertheless, it would still be vulnerable to cyberattacks. The issue is not about the government being large or small; it is about the head of EDA and its employees being incompetent to handle cybersecurity issues.

References

Choi, J. (2015). Countermeasures for BadUSB vulnerability. Journal of the Korea Institute of Information Security and Cryptology, 25(3), 559-565.

Conteh, N. Y., & Schmick, P. J. (2016). Cybersecurity: Risks, vulnerabilities and countermeasures to prevent social engineering attacks. International Journal of Advanced Computer Research, 6(23), 31-38.

Gibbs, M. (2013). . Forbes. Web.

Jing, Q., Vasilakos, A. V., Wan, J., Lu, J., & Qiu, D. (2014). Security of the Internet of Things: perspectives and challenges. Wireless Networks, 20(8), 2481-2501.

Olleros, F. X., & Zhengu, M. (2016). Research handbook on digital transformations. Northampton, MA: Edward Elgar Publishing.

Statista. (2018). . Web.

Wu, Y., Li, P., Yang, L.-X., Yang, X., & Tang, Y. Y. (2017). A theoretical method for assessing disruptive computer viruses. Physica A: Statistical Mechanics and Its Applications, 482, 325-336.

Print
Need an custom research paper on Economic Development Administration: Equipment Destruction written from scratch by a professional specifically for you?
808 writers online
Cite This paper
Select a referencing style:

Reference

IvyPanda. (2020, December 19). Economic Development Administration: Equipment Destruction. https://ivypanda.com/essays/economic-development-administration-equipment-destruction/

Work Cited

"Economic Development Administration: Equipment Destruction." IvyPanda, 19 Dec. 2020, ivypanda.com/essays/economic-development-administration-equipment-destruction/.

References

IvyPanda. (2020) 'Economic Development Administration: Equipment Destruction'. 19 December.

References

IvyPanda. 2020. "Economic Development Administration: Equipment Destruction." December 19, 2020. https://ivypanda.com/essays/economic-development-administration-equipment-destruction/.

1. IvyPanda. "Economic Development Administration: Equipment Destruction." December 19, 2020. https://ivypanda.com/essays/economic-development-administration-equipment-destruction/.


Bibliography


IvyPanda. "Economic Development Administration: Equipment Destruction." December 19, 2020. https://ivypanda.com/essays/economic-development-administration-equipment-destruction/.

Powered by CiteTotal, easy essay bibliography generator
If you are the copyright owner of this paper and no longer wish to have your work published on IvyPanda. Request the removal
More related papers
Cite
Print
1 / 1