Pentagon issues cyber tasking order in response to Exchange hack

The Pentagon has ordered its agencies and commands to take actions "in line" with the emergency directive recently issued by the Cybersecurity and Infrastructure Security Agency in response to vulnerabilities found in Microsoft's Exchange software.

"Joint Force Headquarters - DODIN coordinated with the Cybersecurity and Infrastructure Security Agency and then issued a Cyber Tasking Order in line with CISA's emergency directive to all DOD agencies and commands directing them to take actions necessary to protect DoD networks and IT systems," Russell Goemaere, a Pentagon spokesman, told FCW Tuesday.

Goemaere added the Defense Department is also coordinating with the National Security Agency on further steps to protect its networks.

Goemaere did not say what actions the order included, but CISA's March 3 emergency directive instructed federal agencies to either disconnect or update Microsoft Exchange software running on premise as well as conduct forensic analysis for indicators of compromise. CISA's authority extends only to civilian agencies, placing the Pentagon outside of its purview.

The zero-day exploits discovered in Microsoft's product has prompted the White House, the National Security Council and CISA to aggressively push a public message urging U.S. organizations to not only update their systems, but check for compromise.

"I would just take this opportunity to encourage any attendees at this panel, please do urgently look at guidance that my agency, CISA, has put out to mitigate this vulnerability. It is an urgent national risk and I think reflects the fact that, big or small, all organizations face significant cybersecurity risks," Eric Goldstein, executive assistant director for cybersecurity at CISA, said Tuesday during a panel hosted by the Center for Strategic and International Studies.

Greg Touhill, a former Air Force brigadier general and the first federal chief information security officer, said that while CISA's authority may not include the Pentagon, the remediations necessary for military networks are not necessarily unique from civilian ones.

"One of the frustrations that's out there is the fact that we do have separate lines of authorities for dot gov and then dot mil," he said. "If CISA puts something out, DOD takes a look at it. They may amplify it, they may ignore it, or they may help inform better documents coming out of CISA, but at this point, there are two distinct management teams."

This article first appeared on FCW, a Defense Systems partner site.