A new court order allowed the FBI to automatically patch vulnerable Microsoft Exchange servers for businesses in the United States. This included hundreds of computers that were running a vulnerable version of the Microsoft Exchange Server. This action has probably helped keep many organizations secure but at the same time, raises concerns about the type of access government agencies have to private networks and systems.
“This operation is an example of the FBI’s commitment to combatting cyber threats through our enduring federal and private sector partnerships,” said Acting Assistant Director Tonya Ugoretz of the FBI’s Cyber Division. “Our successful action should serve as a reminder to malicious cyber actors that we will impose risk and consequences for cyber intrusions that threaten the national security and public safety of the American people and our international partners.”
The FBI said it is attempting to provide notice to all of the organizations that it removed the vulnerability from, which means they accessed private networks and computers without prior notification, permission, or authorization. The organizations in question had no knowledge of the operation.
In this case, the intent was good, but the concern is that the FBI (and probably other government agencies) can access private networks and systems on demand, without having to notify anyone. In my opinion, this action is not OK. If I were part of an organization that had a vulnerable server that was affected, I would have preferred to apply patches and secure my servers myself. I wouldn’t want the FBI or any government agency to access my private servers without my knowledge and make changes. If they can access my servers to fix an issue, what else can they do? Can they then access all communications? They should have just contacted the vulnerable organizations and worked with them to fix the issue.