WASHINGTON – The virus struck in an email 81 days ago, flagged by a federal team that monitors cyberthreats. The target was a small job-development bureau in the Commerce Department. The infiltration was so vicious it put Commerce’s entire computer network at risk.
To avert a crisis, the Economic Development Administration unplugged its operating system – and plunged its staff into the bureaucratic Dark Ages.
Email? Gone. Attachments, scans, Google searches? Until further notice, no such thing.
Employees became reacquainted with their neighborhood post office and the beep-squeak-hiss of the fax machine spitting out paper. The must-have office supply became toner for that machine.
Twelve weeks offline and the longest intrusion into a federal network in recent history is still wreaking havoc.
We don’t yet have any deeper understanding of what happened, Commerce Secretary John Bryson said. But we have the best resources in the federal government looking into this.
The hackers so far have outrun those investigators; the malware’s origin remains unknown.
The EDA gives grants to distressed communities out of six regional offices, with a small Washington presence. It has 215 employees, a tiny corner of the federal landscape.
But its crippled system is evidence that every government network is vulnerable to cyberattacks that could disrupt business and spread. The number of intrusions into federal systems reported to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team exploded to 44,000 in fiscal 2011 from 5,500 in fiscal 2007. They ranged in severity from malicious software to unauthorized computer use.
Most of the attacks did not knock out entire networks. They were erased or swatted away with anti-virus tools, password changes and other security steps.
Other attacks were serious. In recent years, hackers have penetrated email and other systems at the Defense and State departments and NASA and disabled another Commerce bureau that handles sensitive information.
Experts have repeatedly pointed to a lack of system security at the Commerce Department. The agency’s IT systems are constantly exposed to an increasing number of cyberattacks, which are becoming more sophisticated and more difficult to detect, Inspector General Todd Zinser wrote last year.
Business has limped along as employees slowly are brought back online on the new network. The hackers’ motives, whether economic espionage or something else, are unknown.
The bottom line for now: Make do.
The already-long vetting process for grants slowed. How fast, after all, could it move when paperwork had to be sent by snail mail?
People are rediscovering what it is like to scribble down a When you were out slip. They pick up the phone, calling congressional staff members, for example, to announce a grant in their districts. They meet potential clients face to face.
With their data frozen on infected PCs and no place in the field to scan federal forms, staff members have retyped hundreds of pages into word processors, key by key.
If someone told me I wouldn’t have email for this long, I would have said it’s not possible, said Jane Reimer, a planner in the Denver office.
Employees refer to the outage as the disruption. At Commerce Department headquarters here, managers panicked at first. How would business get done?
There were things like How are we going (to) do our payroll?’ external-affairs chief Angela Martinez recalled.
Work hours were submitted from local libraries, home computers or mobile phones. The payroll went out on time.
Employees were instructed to call their clients and ask how they wanted to communicate without the Internet.
The agency is starting over, issuing employees new email addresses, BlackBerrys and laptops on loan from the Census Bureau. A skeletal website was restored last week.
Fax machines have been ordered for staff members who work from home. Scanning and attachments are off-limits for now, however, and files and email from the infected computers have not been recovered.
Commerce officials declined to say how much the crisis is costing.
There has, however, been an upside: human contact.
You pick up your phone and you get back to some human interaction, said Chris Massengill of the Delta Regional Authority in Clarksdale, Miss., which works with the federal government to jump-start development in the Delta, which in my opinion is never a bad thing, especially for government.