The Biden Administration convened two Unified Coordination Groups (UCGs) to drive a whole-of-government response to the SolarWinds and Microsoft Exchange incidents. Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures.
The innovations from the Exchange UCG and the lessons learned from these responses will be used to improve future unified, whole-of-government responses to significant cyber incidents, including:
- Integrating private sector partners at the executive and tactical levels. The active private sector involvement resulted in an expedited Microsoft one-click tool to simplify and accelerate victims’ patching and clean-up efforts, and direct sharing of relevant information. This type of partnership sets precedent for future engagements on significant cyber incidents.
- CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident.
- Through industry relationships and leveraging legal authorities, the FBI and DOJ quickly identified the scale of the incidents – in the SolarWinds UCG, for example, scoping from a worst case of 16,800 to fewer than 100 targeted exploited nongovernment entities. This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities.
- NSA and CISA released cybersecurity advisories that detailed adversary techniques and provided mitigation for system owners. NSA also provided guidance to other U.S. military and intelligence organizations, as well as contractors in the defense industrial base.
The Biden Administration is undertaking a whole-of-government effort – working closely with Congress, the private sector, and allies and partners around the world – to build back better in new and innovative ways, to modernize our cyber defenses and enhance the nation’s ability to quickly and effectively respond to significant cybersecurity incidents. While this will not be the last major incident, the SolarWinds and Microsoft Exchange UCGs highlight the priority and focus the Administration places on cybersecurity, and on improving incident response for both the U.S. government and the private sector.