White House stands down SolarWinds, Microsoft Exchange cyber response groups

The White House is suspending the two interagency groups tasked with managing the government's response to the cybersecurity incidents involving SolarWinds and Microsoft Exchange, citing improving trends in patching.

Stepped-up patching for the SolarWinds and Microsoft Exchange vulnerabilities has allowed the White House to stand down the two Unified Coordination Groups tasked with tackling the government's response to the cybersecurity threats.

"Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," Anne Neuberger, deputy national security advisor for cyber and emerging technology, said in an April 19 statement.

The interagency UCGs, established through a 2016 presidential directive, brought together the Cybersecurity and Infrastructure Security Agency, the FBI and the Office of the Director of National Intelligence to manage the government's response efforts. They were activated shortly after each incident was discovered.

Neuberger credited Microsoft with rapidly developing a one-click tool for identifying and remediating issues with its Exchange server, and "CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident," she said.

This type of industry-government partnership sets a “precedent for future engagements on significant cyber incidents,” she said.

For the SolarWinds attack, the FBI and Department of Justice narrowed the list of potential victims from 16,800 to "fewer than 100 targeted exploited nongovernment entities," the statement said. The National Security Agency and CISA published cybersecurity advisories for the public, and NSA also provided guidance to the U.S. military, intelligence organizations and defense contractors, according to the statement.

The announcement to stand down the response groups comes days after the White House officially sanctioned the Kremlin for its alleged role in the campaign against SolarWinds and attributed the attack to the Russian foreign intelligence service SVR. In coordination with the sanctions announcement, CISA and NSA also published a cybersecurity advisory outlining common tactics being used by the SVR to exploit several pieces of software common throughout the federal government.

"While this will not be the last major incident, the SolarWinds and Microsoft Exchange UCGs highlight the priority and focus the administration places on cybersecurity, and at improving incident response for both the U.S. government and the private sector," Neuberger said.

Matthew Cornelius, executive director of the Alliance for Digital Innovation, called the White House's announcement "encouraging."

"We hope that the executive order, and any associated actions, will seek to bring together government and industry as the default option, rather than having agencies implement taskings first and without the benefit of robust, collaborative engagement with their vital partners in the private sector," he said, referring to a pending, wide-ranging executive order focused on cybersecurity the White House is expected to unveil in the coming weeks.

This article was first posted to FCW, a sibling site to Defense Systems.