CISA: Federal Response to Log4j Has Been 'Exceptional'
Jen Easterly and Eric Goldstein Outline Progress, Known Exploits With Apache Flaw
Top U.S. cybersecurity leaders continue to warn against the perils of Apache Log4j vulnerabilities, confirming in a press conference on Monday that hundreds of millions of devices worldwide are likely affected by the logging utility flaw, although the response, in terms of scope and speed, has been "exceptional."
Jen Easterly, director of the U.S. Cybersecurity and Infrastructure Security Agency, said on Monday - exactly one month since the remote code execution vulnerability in Log4j was publicly revealed - that it remains the most serious vulnerability she has seen in her career. But she also said the agency is perfectly equipped to manage the response.
"So the good news is that we're really tackling the challenge with an unprecedented level of operational collaboration with our industry, the research community and international partners," Easterly said.
The CISA director highlighted the work of the agency's Joint Cyber Defense Collaborative, an effort to develop cyber defense operations alongside interagency partners, the private sector, and state, local, tribal and territorial governments. Log4j-related technical analysis from JCDC, she said, helped form the December joint advisory among Five Eyes nations.
Easterly said that over the past several weeks, there has been widespread exploitation of Log4j by criminal actors - mainly around cryptomining or to build botnets. CISA has also "seen reports of more sophisticated activity," including a cyberattack on the Belgian Ministry of Defense, and data from security firms reporting nation-state activity leveraging Log4j. Easterly said CISA "cannot independently confirm these reports."
She warned that sophisticated adversaries may have already compromised systems using the logging flaw - and could be waiting to leverage their new access once network defenders are on "lower alert."
In response, Easterly said her team at CISA is "driving adoption of strong security practices, like Zero Trust architecture, that will help to test and limit the impact of potential intrusions."
Easterly recapped CISA's efforts to stand up a consolidated webpage for network defenders to access information - a page that has been viewed some 330,000 times. CISA's crowdsourced GitHub repository, showing vulnerable products, has grown to 2,800 known products, while its open-source scanning tool has been downloaded nearly 4,000 times, she said.
Easterly said the agency has established a virtual collaboration platform, over messaging app Slack, to share technical information in real time with 20 of the nation's largest cybersecurity and technology companies, along with the FBI and the National Security Agency. She credited the group with 14 analyses of Log4j and 17 submissions of technical data.
The CISA director also said that the agency has conducted two national stakeholder calls with more than 13,000 participants to share guidance and mitigation steps with critical infrastructure providers and state and local partners, among others.
Eric Goldstein, CISA's executive assistant director for cybersecurity, said during the press conference that the agency has "pivoted" to leverage its vulnerability disclosure platform, conducted through Bugcrowd, to identify Log4j-vulnerable assets.
"We're also laser focused on taking steps now that will result in a more secure and resilient knowledge ecosystem as we go forward," Goldstein said.
He cited President Joe Biden's May 2021 executive order on cybersecurity and CISA's work alongside the National Institute of Standards and Technology to approve requirements for software security. CISA is also working with the broader Department of Homeland Security to develop tools to perform supply chain analysis of open-source software, he said.
While the Apache Software Foundation, the nonprofit that manages Apache's open-source projects, has come out with additional patches for Log4j, Goldstein said that from a national risk management perspective, "we are deeply focused on making sure, first and foremost, that everybody is mitigating that [original] Log4Shell vulnerability."
Goldstein said that since smaller or medium-sized agencies may not have the resources to mitigate quickly, CISA is working with them to "ensure they're making progress in remediating any assets that are currently under-addressed."
Incident Reporting and SBOMs
CISA officials and U.S. lawmakers have also renewed talks on other pressing cybersecurity items - one of which is passing a national incident reporting law. A provision that would have accomplished this fell out of the annual defense spending bill in December (see: Log4j: Sen. Peters Revisits Incident Reporting Legislation).
"It won't surprise you that we were all disappointed that the cyber incident reporting bill was not included in the NDAA," said Easterly. "We have continued to stress the urgency of passing that legislation."
Easterly confirmed she had attended a briefing last week with Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich., and the committee's ranking member, Sen. Rob Portman, R-Ohio, about "continuing to champion" the reporting mandate.
"We are concerned that threat actors are going to start taking advantage of this vulnerability. … And because there is no legislation in place, we will likely not know about it," she said. "It's important that our partners receive timely information about successful exploitation … after they are discovered, to enable us to really help victims to mitigate the effects and to stop the spread to additional victims."
Elsewhere on the legislative front, Easterly said that CISA continues to push an effort it calls PSIEs - or "primary systemically important entities" - to properly classify critical infrastructure. She says the effort will help "ensure focus" on any cascading impacts of a cyber intrusion.
Log4j has also spurred additional discussion about software bills of materials, or SBOMs, which are essentially a comprehensive list of software components. Mentioned as part of Biden's security executive order and then subsequently outlined by the National Telecommunications and Information Administration, machine-readable SBOMs would allow network defenders to identify vulnerable software components almost immediately.
Easterly noted on Monday that Dr. Allan Friedman, who joined CISA in 2021 and is one of the nation's top experts on SBOMs, is now leading its effort to more widely facilitate their creation and adoption. And Goldstein clarified that CISA is "very much in the operationalization phase" for SBOMs - focusing on how to drive adoption across federal networks.