A panel of US government officials and private sector experts tasked with investigating the nation’s top cybersecurity flaws concluded that the notorious Log4j vulnerability did not cause any “significant” attacks on critical infrastructure systems.
A serious flaw living within open-source, Java-based software known as “Log4j” rocked the world last December as officials estimated it left hundreds of millions of devices exposed to potential breaches.
The fledgling Cyber Security Review Board, loosely modeled after the National Transportation Security Board and housed under the control of the Department of Homeland Security (DHS), released the findings of its investigation into the vulnerability on Thursday.
Led by Chairman Rob Silvers, DHS deputy secretary for policy, and Vice Chairman Heather Adkins, Google’s senior director of security engineering, the new group, which draws its authority from an executive order signed by President Biden last year, determined in its inaugural report that the widespread vulnerability did not compromise critical infrastructure or result in any “high-impact” incidents by nation-state actors.
To date, “Log4j exploitation has occurred at lower levels than many experts predicted, given the severity of the vulnerability,” the report stated. Still, board leaders warned that the potential for breaches remains.
“I think our recommendation that people should be vigilant about this emphasizes that this incident is not over and we will continue to hear about further engagements going forward,” Adkins said Wednesday during a briefing with reporters.
However, Silvers cautioned that the board has a limited understanding of current vulnerabilities because critical infrastructure owners and operators are not yet required to report cyber breaches to the federal government. In March, Congress passed legislation requiring such incidents to be reported to the Cybersecurity and Infrastructure Security Agency (CISA), but the agency has up to two years to begin drafting rules, setting the parameters of the program.
“The board noted that because there is currently no federally enforced cyber incident reporting requirement on all critical infrastructure, we have potentially limited visibility into exploitation,” Silvers said.
Silvers promised that CISA is working on a “rapid implementation” of the law to put the new rules in place “as quickly as possible.”
The board’s 52-page report outlined a full timeline of events related to the discovery of the Log4j vulnerability, beginning in late November 2021, when a researcher at Chinese e-commerce company Alibaba reported the flaw to its creators within the Apache Software Foundation (ASF).
“We believe the global community benefited from the Alibaba security researcher following coordinated vulnerability disclosure best practices in bringing the discovery of the vulnerability to the Apache Software Foundation, the open source foundation that maintains Log4j,” Silvers told reporters on Wednesday, applauding the cybersecurity expert who first brought the vulnerability to light.
Silvers also revealed that the Cyber Security Review Board reached out to the Chinese ambassador to the United States in an effort to better understand the Chinese government’s correspondence with Alibaba.
According to the report, the Chinese government informed the Board that Alibaba first reported the vulnerability to its Ministry of Industry and Information Technology (MIIT) on December 13, 2021, 19 days after the issue was disclosed to ASF. According to Reuters, China penalized Alibaba for failing to report the Log4j vulnerability earlier, but the Chinese government declined a request from the board to provide more information about the sanctions, the report said.
Silvers said China’s “lack of transparency” only “increases concern” among the board that “China’s regulatory regime will discourage network advocates from [disclosing vulnerabilities] with software developers” in the future.
“Regardless of a potential sanction against Alibaba, the Board noted worrying elements of MIIT regulations governing the disclosure of security vulnerabilities,” the report added, suggesting that the Chinese government’s requirement for vendors to inform it of security vulnerabilities within two days of discovery “could give the PRC government early knowledge of the vulnerabilities before vendor fixes are available to the community.”
“The Board is concerned that this will allow the [Chinese] government a window in which to exploit vulnerabilities before network defenders can fix them. This is a disturbing prospect given the [Chinese] government’s known history of intellectual property theft, intelligence gathering, surveillance of human rights activists and dissidents, and military cyber operations,” the report continued.
The report also outlined a number of recommendations for improving cybersecurity going forward, including a push for a better “software ecosystem.” As part of that initiative, the board recommended increased investments in open source software security and urged software developers to generate a “Software Bill of Materials,” or “SBOM,” which can be shipped with their product. This type of catalog would be designed to let consumers know what kind of software is inside their products and applications, similar to what a Nutrition Facts label does for food.
“Our observation is that organizations using open source software should support that community directly, giving them access to training programs, developing toolkits that will make things like SBOM adoptable,” Adkins told reporters.
The 15-member panel engaged with nearly 80 organizations and individuals representing software developers, end users, security professionals and businesses to produce Thursday’s report. Participants included Alibaba, Amazon, Apple, AT&T, and Google, plus a host of private companies, cybersecurity firms, and dozens of government agencies from around the world.
The Cyber Security Review Board was originally charged with conducting an autopsy of thecarried out by Russian hackers, but ultimately focused on studying the impact of the Log4j flaw.
DHS Secretary Alejandro Mayorkas called the cyber threat environment “as diverse and critical as ever” during Wednesday’s briefing. “We are seeing cybercriminals and nation-state cyberactors, including those involved in ransomware operations, routinely use cyber means to steal data, make financial gains, and put critical infrastructure at risk,” the secretary added.
CISA launched a “shields up” campaign in February to urge US businesses to protect themselves against potential cyberattacks in the wake of. That warning has lasted 150 days so far.