Senate Homeland Committee met with industry experts to examine Log4j cybersecurity vulnerabilities

The U.S. Senate Committee on Homeland Security & Governmental Affairs convened a hearing this week with experts from the cybersecurity industry and research community to examine the Log4j cybersecurity vulnerabilities. The Apache Software Foundation's president said at the hearing that the vulnerability was reported to the foundation's Log4j team in late November 2021, 'after having been latent for many years.'

The witnesses at the hearing were David Nalley, president of the Apache Software Foundation; Brad Arkin, senior vice president and chief security and trust officer at Cisco Systems; Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks' Unit 42; and Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council. The hearing builds on a briefing on the Log4j cybersecurity vulnerabilities that the committee held over a month ago with Chris Inglis, National Cyber Director, and Jen Easterly, CISA Director.

The Log4j cybersecurity vulnerabilities were discovered in the Java logging library used across enterprise applications and cloud services as an easy-to-use common utility supporting client/server application development. If exploited, the Log4j weakness could let an unauthenticated remote actor take control of an affected server, gain access to company information, or mount a denial of service attack.

Easterly had in December called Log4Shell the 'most serious vulnerability' she had seen in her decades-long career, and said it could take years to address.

In his opening remarks, U.S. Senator Gary Peters, a Democrat from Michigan and chairman of the committee, said that the Russian Federation has reportedly "already taken advantage of this vulnerability to perpetrate cyber-attacks against Ukraine. While I hope that situation deescalates, we must be prepared to protect our systems from similar attacks from the Russian government and the criminal organizations they harbor, who could exploit this or other vulnerabilities to compromise American networks in retaliation for our nation's support for Ukraine," he added.

The weakness in Log4j is just one example of how widespread software vulnerabilities, including those found in open source code (code that is freely available and developed by individuals), can present a serious threat to national and economic security, according to Peters. "In terms of the amount of online services, sites, and devices exposed, the potential impact of this software vulnerability is immeasurable, and it leaves everything from our critical infrastructure, such as banks and power grids, to government agencies, open to network breaches," he added.

"The log4shell vulnerability is a particularly severe vulnerability because the code is in so many places, the vulnerability is easy to exploit requiring less than a sentence, and because it provides a high level of access," Rob Portman, a Republican from Ohio and Ranking Member of the committee, wrote in his opening comments.

"It's clear that issues involving the security of open source software have been around for a long time. I'm looking forward to hearing from our witnesses, who have a wide variety of perspectives, on how we can address these longstanding challenges," Portman added.

The vulnerability was reported to Apache's Log4j team in late November 2021, after having been latent for many years, Nalley wrote in his testimony. "The Apache Logging project, and Apache's Security team immediately got to work addressing the vulnerability in the code. The full solution was released approximately two weeks later. Given the near ubiquity of Log4j's use, it may be months or even years before all deployed instances of this vulnerability are eliminated," he added.

“Moreover, every stakeholder in the software industry – including its largest customers, like the federal government – should be investing in software supply chain security,” according to Nalley. “While ideas like the Software Bills of Materials won’t prevent vulnerabilities, they can mitigate the impact by accelerating the identification of potentially vulnerable software. However, the ability to quickly update to the most secure and up-to-date versions remains a significant hurdle for the software industry,” he added.
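As an added illustration of the point Nalley makes about SBOMs (this is example code written for this page, not code from the Apache Software Foundation or from any of the witnesses' organisations), the script below reads a CycloneDX-style SBOM and reports which listed components fall inside an advisory's affected version range. The SBOM fragment, the advisory record, its placeholder identifier and its version thresholds are all constructed for the demonstration; in practice the SBOM comes out of the build pipeline and the affected range comes from the vendor's advisory. The function names (`parse_version`, `is_affected`, `find_affected`, `report`) are this example's own.

```python
"""Match SBOM components against an advisory's affected version range.

Added example for this page. Both the SBOM and the advisory record below are
constructed sample data; the version thresholds in ADVISORY are ASSUMED for
the demonstration and must be taken from the real advisory in practice.
"""
import json
import re

# Constructed CycloneDX-style SBOM fragment (real SBOMs carry many more fields).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "com.example", "name": "payments-service", "version": "3.2.0"},
    ],
})

# Constructed advisory record. "introduced" is inclusive, "fixed" is exclusive.
# The identifier and both version bounds are placeholders/assumptions for the demo.
ADVISORY = {
    "id": "ADVISORY-ID-PLACEHOLDER",
    "group": "org.apache.logging.log4j",
    "name": "log4j-core",
    "introduced": "2.0.0",
    "fixed": "2.15.0",
}


def parse_version(version: str) -> tuple:
    """Reduce a version string to a comparable (major, minor, patch) tuple.

    Non-numeric qualifiers are ignored and missing fields default to 0, so
    "2.14" compares as (2, 14, 0). Good enough for Maven-style versions.
    """
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str, advisory: dict) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sbom_json: str, advisory: dict) -> list:
    """Return the SBOM components whose coordinates and version match the advisory.

    Matching is by exact group/name, so a vulnerable copy bundled (shaded)
    inside another artifact is only found if the SBOM lists it as a component.
    That is why an SBOM identifies *potentially* vulnerable software rather
    than proving the absence of the flaw.
    """
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("group") != advisory["group"] or comp.get("name") != advisory["name"]:
            continue
        if is_affected(comp.get("version", ""), advisory):
            hits.append(comp)
    return hits


def report(sbom_json: str, advisory: dict) -> list:
    """Human-readable lines naming each affected component and the fix target."""
    lines = []
    for comp in find_affected(sbom_json, advisory):
        lines.append(
            f"{advisory['id']}: {comp['group']}:{comp['name']}@{comp['version']} "
            f"is affected; update to {advisory['fixed']} or later"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SBOM, ADVISORY) or ["no affected components listed in SBOM"]:
        print(line)
```

Running it flags only the `log4j-core` 2.14.1 entry; the 2.17.1 entry sits above the assumed fix threshold and `log4j-api` has different coordinates. The inventory step is the fast part; as Nalley notes, actually rolling the update out to every deployment the SBOM points at is where the effort goes.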

Open source is not the problem, the Atlantic Council's Herr wrote in his testimony statement. "Software supply chain security issues have bedeviled the cyber policy community for years. Log4j is an exceptionally widely used logging program and addressing its flaws has required significant effort and public attention, but it will not be the last time this kind of incident occurs," he added.

"Learning lessons from these situations and using events like the Log4j vulnerability response drives improvements," Cisco's Arkin wrote in his testimony statement. "These joint efforts across industry and government help identify new opportunities for continued partnership. Doing so helps raise awareness and capabilities for all organizations, regardless of their size and resources. The Log4j vulnerability demonstrated, yet again, that we are reliant on one another and must continue to work together to manage this ever-present risk," he added.

Palo Alto’s Miller-Osborn said in her testimony that “It’s important to look at Log4Shell both as a standalone vulnerability that demands discrete analysis and reflection, and as the latest in a string of national-level vulnerabilities that impact federal systems, critical infrastructure, and state and local networks alike.”

She also noted that the cybersecurity threat landscape is only getting more complex. Whether it's cybersecurity vulnerabilities "like Log4Shell, the ongoing ransomware threat, or our dynamic geopolitical environment, cybersecurity will undoubtedly remain a core pillar of our national security posture. Now, more than ever, this demands a whole-of-society approach."

Miller-Osborn also spoke of the role played by the Joint Cyber Defense Collaborative (JCDC), which brings together federal government and industry players to move from information sharing to information enabling.

“The most recent JCDC engagement, which occurred after Log4Shell was first discovered, presents an important use case of the long-term opportunity this collaboration vehicle presents,” Miller-Osborn said. “It can be an exemplar of successful public-private sector cooperation – specifically, the JCDC working as a venue for commercial competitors to act as peers, and share rapidly developing situational awareness to help secure our National Critical Functions,” she added.

Earlier this week, Peters and Portman introduced a bill titled the 'Strengthening American Cybersecurity Act,' which would significantly enhance the nation's ability to combat ongoing cybersecurity attacks against critical infrastructure installations and federal agencies. The bill also works towards ensuring that the government can safely adopt cloud technology.
