CISA: No Federal Agencies Compromised Through Microsoft Exchange Servers


Investigations remain ongoing, Cybersecurity and Infrastructure Security Agency leaders said at a hearing on modernizing the federal government’s approach to cybersecurity.

Vulnerabilities that spurred an emergency directive to analyze and patch or disconnect a Microsoft email and scheduling service have not compromised any federal agencies, a top Cybersecurity and Infrastructure Security Agency official told members of Congress.   

CISA issued the emergency directive last week as researchers described how the vulnerabilities were being exploited to access the communications of tens of thousands of victims, including local governments and universities. The directive followed the release of security patches from Microsoft, which attributed exploitation of the vulnerabilities to a China-based group it called Hafnium.

“We have seen outstanding responses to that directive and now the vast majority of Microsoft Exchange Servers have been mitigated across the federal civilian executive branch,” said Eric Goldstein, executive assistant director of CISA’s cybersecurity division. “At this point in time, there are no federal civilian agencies that are confirmed to be compromised by this campaign.”

He caveated the statement by noting that CISA is still working with individual agencies to assess their analysis of the evolving campaign and that new information emerges every hour.

Goldstein testified before the House Appropriations Committee’s Subcommittee on Homeland Security Wednesday along with CISA Acting Director Brandon Wales. The two fielded questions on the Exchange servers, as well as on the hacking campaign revealed in December that compromised at least nine federal agencies and 100 companies, in making a case for greater investment in CISA.

The hearing came as lawmakers prepared to vote on the latest COVID relief bill, which contains almost $2 billion for cybersecurity and technology modernization, with $650 million designated specifically for CISA.

CISA would use additional funding to hire more threat hunters and buy better tools. The goal is to increase visibility, respond to incidents with greater capacity, analyze data for long-term planning and drive the adoption of more resilient networks across the federal enterprise, the officials said. And they noted that tools like EINSTEIN and the Continuous Diagnostics and Mitigation program will be foundational.

Goldstein said several pilots introducing endpoint detection and response mechanisms to agencies are already underway and that more money for cybersecurity would mean faster implementation. This is especially important as a result of COVID-19, he said, as remote work has increased the adoption of cloud computing. 

“The $650 million that is currently under consideration in the relief package is a down payment,” Wales added. “It accelerates some of these efforts, but this is going to require sustained investment for both CISA as well as the agencies themselves. Those agencies themselves are going to need additional capabilities to fully leverage those capabilities that we will be deploying.” 

The CISA officials also expressed their intention of introducing criteria like comprehensive logging to security reviews for entities like the Federal Acquisition Security Council and the Technology Modernization Fund. 

“A common baseline of security controls, particularly focused on logging and retention, may be necessary across cloud environments in the federal government,” reads a joint statement from the witnesses. “We will work jointly with the Federal Risk and Authorization Management Program Joint Authorization Board and the National Institute of Standards and Technology on tightening these controls.”

Subcommittee Chairwoman Lucille Roybal-Allard, D-Calif., was supportive of CISA’s mission.

“We have spoken about some of the recent challenges you and CISA face, and I want to reaffirm my commitment to helping you address them,” she said to Wales in her opening statement.

But she pressed the officials to submit a plan with benchmarks and funding estimates, particularly for the purpose of protecting industrial control systems, many of which are vulnerable and located in lawmakers’ jurisdictions. 

“CISA really does need to put together a very comprehensive strategy with fund estimates and schedules to help the nation address the ICS risk,” she said, “because we really would like to move very quickly in addressing this issue.”   

A new report out Wednesday from the Government Accountability Office also recommends CISA establish deadlines for overdue tasks DHS laid out at the agency’s inception. DHS agreed with the recommendations.