White House stands down groups tackling SolarWinds, Microsoft Exchange

Anne Neuberger briefs the White House press corps on Feb. 17, 2021

The White House is standing down the two interagency groups tasked with managing the government's response to the cybersecurity incidents involving SolarWinds and Microsoft Exchange, citing improving trends in patching.

"Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures," according to an April 19 statement from Anne Neuberger, deputy national security advisor for cyber and emerging technology.

The Unified Coordination Groups, established through a 2016 presidential directive, were stood up shortly after each incident was discovered. They brought together the Cybersecurity and Infrastructure Security Agency, the FBI and the Office of the Director of National Intelligence to manage the government's response efforts.

The Trump administration stood up the first of those groups in December shortly after the hacking campaign against SolarWinds was discovered. When President Joe Biden took office, Neuberger became the White House's point person for leading response efforts. A formal announcement saying as much did not come until mid-February, but at that time Emily Horne, a spokeswoman for the National Security Council, told media outlets that Neuberger had been leading response efforts from day 1.

Neuberger's statement credited industry with rapidly developing a one-click tool for identifying remediating issues with Microsoft Exchange, saying the partnership "sets precedent for future engagements on significant cyber incidents.

"CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident," Neuberger said.

Concerning SolarWinds, the administration said the FBI and Department of Justice identified "100 targeted exploited nongovernment entities" and that the National Security Agency and CISA published cybersecurity advisories for the public. NSA also provided guidance to the U.S. military, intelligence organizations and defense contractors, according to the statement.

The announcement to stand down the response groups comes days after the White House officially sanctioned the Kremlin for its alleged role in the campaign against SolarWinds and attributed the attack to the Russian foreign intelligence service SVR. CISA and NSA in coordination with the sanctions announcement also published a cybersecurity advisory outlining common tactics being used by the SVR to exploit several pieces of software common throughout the federal government.

"While this will not be the last major incident, the SolarWinds and Microsoft Exchange UCGs highlight the priority and focus the administration places on cybersecurity, and at improving incident response for both the U.S. government and the private sector," said Neuberger.

Matthew Cornelius, executive director of the Alliance for Digital Innovation, said the White House's announcement was "encouraging."

"We hope that the executive order, and any associated actions, will seek to bring together government and industry as the default option, rather than having agencies implement taskings first and without the benefit of robust, collaborative engagement with their vital partners in the private sector," he said, referring to a pending, wide-ranging executive order focused on cybersecurity the White House is expected to unveil in the coming weeks.