Was the FBI action on Microsoft exchange servers justified in your opinion?

2.1k views1 Upvote7 Comments

Board Member, Advisor, Executive Coach in Software, Self-employed
I think there's some appropriateness to it. I figured they probably did some calculus of proportionality of action to greater harm to infrastructure/other people, and concluded that action was necessary to avoid severely detrimental consequences. But that wasn't clear in the subpoena, which makes me wonder if there was a sealed side and a public side of it.

My security team has taken enforcement actions because the system owner wouldn't do it themselves. They either didn't care or didn't think it was important enough, so I looked at the FBI action through that same lens. I once took a factory offline and scrapped 50K units one time because some schmuck put a box susceptible to SQL Slammer back on the network. I disconnected the factory from the rest of the world because I was not going to live through that hell again. But the context was different, I was acting as an agent of the company.
1 2 Replies
Managing Partner & CISO in Software, 11 - 50 employees

It’s one thing for a private company to act on its own behalf. It's very different when somebody acts under the color of law. Imagine one of these companies saying, "We sustained a $50 million dollar loss because in the process of removing the vulnerable component you deleted a bunch of other stuff too." Who's on the hook for that? It's a business component.

Board Member, Advisor, Executive Coach in Software, Self-employed

If they did that and somebody sued, I would hope the government would have looked at that calculus and would therefore be willing to cover any damages resulting from their actions. That could take years to play out in court.

CIO in Software, 5,001 - 10,000 employees
Under the right conditions, a small subset of companies might require outside intervention but only after information is provided and requests for approval are made. Now that this precedent is set, nobody knows where it will go, which is a concern. What constitutes something so egregious that we need more than the efforts of individual companies? When should we be forced to come together? This didn't seem like a great example of circumstances that would justify government overreach. All we know is that something could have happened at some point as a result of these exploits.
1 Reply
Board Member, Advisor, Executive Coach in Software, Self-employed

In the decades I’ve spent in IT—and for a couple of those decades I was in security—I’ve never seen anything like this. It's a blend of public safety, public policy, IT, corporate and private property independence, and security issues. This action was precedent-setting, which means this path and some branches of it will occur in the future.

Managing Partner & CISO in Software, 11 - 50 employees
To say that they just patched these systems to solve a problem is a nice way of saying they used unauthorized credentials to hack into them, change the existing configuration and seize their data.

10-15 years ago the FBI and Secret Service had to do a tremendous amount of community building and outreach because people were concerned that following an incident the government would say, “We're in charge. We're taking your servers down.” And you could tell them, "Hold on, you're taking our core processing system down," but it wouldn’t matter. Maybe you shrug it off the first time, but the second time, the government says, "We did this before so we'll just patch all these things." You're patched and the reason given is that the bad component breaks so many aspects of their operating process. And now the logic is that it's for the good of the ecosystem. It's an insanely dangerous precedent.
CIO in Manufacturing, 1,001 - 5,000 employees
It seemed like they were protecting the public in this case. I ask my direct reports to hold me accountable to this management tenant: Help only helps if it really helps. And in this case it does. This action helped out a large portion of the companies they touched. I see the invasion of privacy as well, but overall it did help protect a number of folks. In many cases I don't think the government does enough, in that regard.

Content you might like

Way more involved5%

Somewhat more involved47%

A bit more involved31%

Security’s current role is adequate10%

A bit less involved4%

Somewhat less involved1%

Way less involved1%



CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
43.6k views132 Upvotes319 Comments

Business expansion12%

Changing business model47%

Compartmentalization due to localized regulatory requirements15%

Cultural changes within organization12%

Customer data privacy concerns3%

Data monetization3%

Emerging risks3%

Improving data governance maturity3%

Introducing new technology0%

Scaling data and analytics ecosystem0%

Not sure3%

We aren’t making changes0%