US legislator seeks answers from federal agencies on ongoing Log4j cyber security threat


A U.S. senator convened a virtual committee briefing with administration officials on Wednesday to get additional information on how the Log4j cyber security threat is affecting the federal government, critical infrastructure, and other entities, and what the administration has been doing to help remediate the issue.

U.S. Senator Gary Peters, a Democrat from Michigan and chairman of the Homeland Security and Governmental Affairs Committee, met virtually with Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), and Chris Inglis, National Cyber Director, to discuss how the administration is working to mitigate the Log4j cyber security threat.

Senator Peters has been leading efforts to increase the nation’s cybersecurity defenses, including introducing a bill last October that focuses on strengthening federal cybersecurity and requires critical infrastructure owners and operators to report to CISA if they experience a cyber-attack. The bipartisan Cyber Incident Reporting bill has advanced in the Senate.

“I was pleased to hear how our government has swiftly mobilized to respond to this threat – including by requiring federal agencies to secure their systems and by offering support to impacted organizations,” Senator Peters said in a media statement on Wednesday. 

The Log4j cyber security threat is “one of the most serious and widespread cybersecurity risks that we have ever seen, and it leaves countless major companies, government agencies and small businesses susceptible to harmful attacks from cybercriminals and adversaries,” according to Peters. “However, I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability, or the risk posed to critical infrastructure.” 

“Our federal government still lacks the necessary insight to understand the threat facing our nation, protect our networks, and impose consequences on malicious hackers,” Peters said. “I will continue pushing to pass my bipartisan legislation to require critical infrastructure companies to report a substantial attack or when they pay ransom so the government can better assess national risk, prepare for national security impacts, and execute coordinated responses.”

As chairman of the Homeland Security and Governmental Affairs Committee, “I’ll continue to work with the Administration to monitor and mitigate the impacts of this serious vulnerability,” he added.

Earlier this week, the Federal Trade Commission (FTC) said it is critical for companies and their vendors that rely on Log4j software to “act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

The federal agency also warned that “there is a risk of a loss or breach of personal information, financial loss, and other irreversible harms when vulnerabilities are discovered and exploited,” and that failure “to identify and patch instances of the Log4j software vulnerability software may violate the FTC Act.”
