Changes in federal cybersecurity leadership over the past year allowed the private and public sectors to quickly work together in responding to the disclosure of the Log4shell bug last month, experts said Tuesday at a Senate hearing.
Witnesses at the Homeland Security and Governmental Affairs Committee hearing praised the usefulness of the Joint Cyber Defense Collaborative, a new center launched by the Cybersecurity and Infrastructure Security Agency in August to help federal agencies, the private sector and state and local governments collaborate on cyberthreat response.
“Its structure provided a body to scramble a snap call on Saturday afternoon after Log4shell emerged to allow industry competitors act as partners with the government to share raw situational awareness and we must continue building upon this partnership,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42.
The witnesses warned that the fallout from Log4shell — a vulnerability in the widely used Apache open-source logging tool Log4j — is likely far from over. Committee Chairman Gary Peters, D-Mich., convened the hearing with the hopes of helping to head-off the next Log4j-level disaster.
“The weaknesses in Log4J is just one example of how widespread software vulnerabilities, including those found in open source code, can present a serious threat to our national and economic security. In terms of the amount of online services, sites and devices exposed, the potential impact of this software vulnerability is immeasurable,” Peters said.
Miller-Osborn suggested that JCDC can be even more useful in the future by disseminating guidance to mid-and lower-sized businesses that may not have as many internal cybersecurity resources.
Peters and ranking member Sen. Rob Portman, R-Ohio, used the hearing to promote their legislation to require mandatory incident reporting to CISA by critical infrastructure owners and operators and civilian agencies. The bill won committee approval in October and is ready for Senate floor action.
“From a threat intelligence perspective, there is real policy benefit from sharing cyber incident information, especially if CISA is able to then provide bi-directional benefit,” said Miller-Osborn.
Log4J’s presence in millions of devices quickly made the vulnerability a top priority for cyberdefenders and sparked renewed concern in the security of open-source software, which is often under-resourced.
In response to concerns from Sen. Alex Padilla, D-Calif., that open-source software has created a “free rider” problem where companies use the code but don’t invest in its security, Apache Software Foundation president David Nalley said that he sees things differently.
“We believe that enlightened self-interest will inform industry to begin contributing and indeed in response to this, we’re seeing greatly increased contribution around security, auditing and code validation in Log4j and a number of other open-source projects,” Nalley said. “I do think that instance like this will, will continue to enlighten the industry, that they have their own self-interest to protect and by doing so, that, that the easiest way to do that is to contribute to open source.”
The Apache Software Foundation alongside Facebook, Google and Apple attended a White House summit on open-source software security last month in response to the vulnerability.
The Log4j vulnerability also will be one of the topics in the first report to come from the new Cyber Safety Review Board created recently by the Department of Homeland Security. That body will mirror what the National Transportation Safety Board does after aviation incidents.