A task force composed of representatives from federal agencies and the private sector convened last week to discuss a “whole of government” response to the Microsoft Exchange hack, White House Press Secretary Jen Psaki said in a statement today.
The Unified Coordination Group established by the National Security Council included officials from the FBI, the Cybersecurity and Infrastructure Security Agency at DHS, the Office of the Director of National Intelligence and the NSA, as well as unnamed private sector companies “based on their specific insights to this incident.”
That includes Microsoft, who the White House said developed its one-click mitigation tool for the vulnerabilities to help small businesses who may otherwise struggle to afford costly incident response services. Microsoft did not immediately respond to a request for comment.
The task force “discussed the remaining number of unpatched systems, malicious exploitation, and ways to partner together on incident response, including the methodology partners could use for tracking the incident, going forward,” Psaki said.
Still struggling to wrap its arms around the SolarWinds hack last year, which compromised at least nine federal agencies and a swath of state governments and private companies, the Biden administration appears to be creating a similar policy track to respond to the Microsoft Exchange vulnerabilities, which some information security experts have worried could be as bad or worse in terms of its impact on the IT security ecosystem.
Evidence of widespread scanning for servers vulnerable to the four zero-day flaws disclosed by Microsoft earlier this month prompted CISA and the FBI to issue a joint public advisory warning that “tens of thousands of systems in the United States” could be affected and that both nation-state hacking groups and cyber criminals “are likely among those exploiting these vulnerabilities.” Other cybersecurity researchers have worried about the potential for ransomware actors to also leverage the vulnerabilities.
“It is highly likely that malicious cyber actors will continue to use the aforementioned exploits to target and compromise the networks of U.S. entities for cyber-enabled espionage, data exfiltration and criminal activity," the agencies warned.
In a statement attached to the White House announcement, Anne Neuberger, deputy national security advisor for cybersecurity and emerging technology, indicated that the administration views speedy coordination with private companies as crucial to their strategy for responding to the hack and similar ones in the future.
“This administration is committed to working with the private sector to build back better – including to modernize our cyber defenses and enhance the nation’s ability to respond rapidly to significant cybersecurity incidents,” said Neuberger.
News of the task force appeared to catch some congressional overseers by surprise. In a House Homeland Security and Governmental Affairs Committee hearing the same day, Rep. Andrew Garbarino, R-N.Y., quizzed Secretary of Homeland Security Ali Mayorkas on why the administration hadn’t notified Congress about the group’s formation until today. Mayorkas said he would follow up with the committee, prompting a frustrated response from Chairman Bennie Thompson, D-Miss.
“We have very seldom received notification on what the White House is doing – Democrat or Republican – and I agree with my colleague from New York, it would be nice to know,” Thompson said. “In practice it's just not something that's ordinarily done, so maybe that's something we can take up.”