Was the FBI action on Microsoft exchange servers justified in your opinion?

Question

Answer

I think there's some appropriateness to it. I figured they probably did some calculus of proportionality of action to greater harm to infrastructure/other people, and concluded that action was necessary to avoid severely detrimental consequences. But that wasn't clear in the subpoena, which makes me wonder if there was a sealed side and a public side of it.

My security team has taken enforcement actions because the system owner wouldn't do it themselves. They either didn't care or didn't think it was important enough, so I looked at the FBI action through that same lens. I once took a factory offline and scrapped 50K units one time because some schmuck put a box susceptible to SQL Slammer back on the network. I disconnected the factory from the rest of the world because I was not going to live through that hell again. But the context was different, I was acting as an agent of the company.

Answer

Under the right conditions, a small subset of companies might require outside intervention but only after information is provided and requests for approval are made. Now that this precedent is set, nobody knows where it will go, which is a concern. What constitutes something so egregious that we need more than the efforts of individual companies? When should we be forced to come together? This didn't seem like a great example of circumstances that would justify government overreach. All we know is that something could have happened at some point as a result of these exploits.

Answer

To say that they just patched these systems to solve a problem is a nice way of saying they used unauthorized credentials to hack into them, change the existing configuration and seize their data.

10-15 years ago the FBI and Secret Service had to do a tremendous amount of community building and outreach because people were concerned that following an incident the government would say, “We're in charge. We're taking your servers down.” And you could tell them, "Hold on, you're taking our core processing system down," but it wouldn’t matter. Maybe you shrug it off the first time, but the second time, the government says, "We did this before so we'll just patch all these things." You're patched and the reason given is that the bad component breaks so many aspects of their operating process. And now the logic is that it's for the good of the ecosystem. It's an insanely dangerous precedent.

Answer

It seemed like they were protecting the public in this case. I ask my direct reports to hold me accountable to this management tenant: Help only helps if it really helps. And in this case it does. This action helped out a large portion of the companies they touched. I see the invasion of privacy as well, but overall it did help protect a number of folks. In many cases I don't think the government does enough, in that regard.

Was the FBI action on Microsoft exchange servers justified in your opinion?

Content you might like

Do you feel like security’s current role in your org’s generative AI initiatives is adequate? Or do you think the security team(s) should be more/less involved?

What steps are must-haves to ensure data security in automated processes?

If you had a magic wand - what's the #1 daily business challenge you'd eliminate?

Any plans to change your software teams’ working environment in the next year? Are you going remote or pushing for return to office?

What is the main driver for changes to your data governance strategy in the upcoming fiscal year?