DHS Cyber Safety Review Board found no evidence China knew of Log4j before disclosure

The Department of Homeland Security’s inaugural Cyber Safety Review board released its first-ever report Thursday, issuing a set of 19 recommendations in response to the widespread Log4j vulnerability that continues to affect networks around the world.

“Log4j is one of the most serious software vulnerabilities in history,” Rob Silvers, DHS undersecretary for strategy, policy and plans, said in a call with reporters Wednesday, echoing warnings from intelligence officials about the severity of the vulnerability when it was discovered last December.

The bug, disclosed initially by Chinese Alibaba researchers, led to the widespread exploitation of systems using the Apache Software Foundation’s open-source logging tool.

As part of the review, the CSRB engaged with 80 organizations and individuals including the Chinese government. The board brought in Chinese officials to discuss reports that the Chinese government had punished Alibaba for not disclosing the vulnerability quickly enough.

Chinese officials confirmed that Alibaba shared the vulnerability with the Chinese government on Dec. 13, three days after CISA issued an advisory in response to observations of the vulnerability in the wild. Chinese officials did not say if the government had punished the company in any way.

“This lack of transparency heightened the board’s concern that China’s regulatory regime will discourage network defenders from engaging in beneficial vulnerability disclosure activity with software developers,” Silvers told reporters.

In its review, the board raised further concerns about two Chinese regulations that could potentially threaten U.S. cybersecurity, one which requires Chinese companies to report vulnerabilities to the government within two days of discovery and a second that prohibits organizations or individuals from publicly disclosing vulnerabilities during loosely defined “major national events.”

However, there’s no indication that those regulations facilitated any early exploits of the Log4j vulnerability. Silvers said that the board found no evidence the vulnerability had been exploited prior to public disclosure.

The DHS assembled the Cyber Safety Review Board, which was outlined in Biden’s May 2021 executive order on federal cybersecurity, in February. Silver chairs the board that includes 15 members from the private and public sector.

The report suggests that even though Log4j remains a risk, a government-wide response helped drive remediation of the vulnerability. For instance, the report notes “anecdotal” evidence that some organizations addressed the vulnerability after the Federal Trade Commission warned of potential enforcement actions.

The board also identified the need for additional funding to support the mostly volunteer open source software security community.

The White House has already launched some public-private collaborations on that front, including a summit in January where companies including Apple and Google met with the White House to discuss proposals to improve open source software security.

Recommendations for the federal government from the report include directing the Office of Management and Budget to invest in new technology tools to help more accurate inventories of software.