A panel of U.S. government officials and private-sector experts tasked with investigating the nation’s major cybersecurity failures has concluded that the notorious Log4j internet bug did not prompt any “significant” attacks on critical infrastructure systems.
A serious flaw living inside an open-source Java-based software known as “Log4j” shook the world last December when officials estimated that it left hundreds of millions of devices exposed to potential breaches.
The fledgling Cyber Safety Review Board, loosely modeled off the National Transportation Safety Board and housed under the purview of the Department of Homeland Security (DHS), released the findings of its investigation into the vulnerability on Thursday.
Led by Chair Rob Silvers, the undersecretary for policy at DHS, and Vice Chair Heather Adkins, senior director of security engineering at Google, the new group, which draws its authority from an executive order signed by President Biden last year, determined in its inaugural report that the widespread vulnerability did not compromise critical infrastructure nor result in any “high impact” incidents by nation state actors.
To date, “exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability,” the report indicated. Still, the board’s leaders warned the potential for breaches remains.
“I think our recommendation that people need to keep an eye on this emphasizes that this incident is not done and that we will continue to hear about new compromises going forward,” Adkins said Wednesday during a briefing with reporters.
Silvers cautioned, however, that the board is limited in its understanding of current exploits because critical infrastructure owners and operators are not yet required to report cyber breaches to the federal government. In March, Congress passed legislation requiring such incidents to be reported to the Cybersecurity and Infrastructure Security Agency (CISA), but the agency has up to two years to start rulemaking, setting the program’s parameters.
“The board noted that because there is currently no cyber incident reporting requirement in effect federally across critical infrastructure, we have potentially limited visibility into exploitation,” Silvers said.
Silvers vowed that CISA is working toward “rapid implementation” of the law to establish the new rules “as quickly as possible.”‘
The board’s 52-page report outlined a comprehensive timeline of events surrounding the discovery of the Log4j vulnerability, beginning in late-November 2021, when a researcher at the Chinese e-commerce firm Alibaba reported the flaw to its creators within the Apache Software Foundation (ASF).
“We believe the global community benefited from the security researcher at Alibaba, who followed coordinated vulnerability disclosure best practices by bringing the discovery of the vulnerability to the Apache Software Foundation, the open source foundation that maintains Log4j,” Silvers told reporters Wednesday, applauding the cybersecurity expert who first brought the vulnerability to light.
Silvers also revealed that the Cyber Safety Review Board reached out to the Chinese ambassador to the United States in an effort to better understand the Chinese government’s correspondence with Alibaba.
According to the report, the Chinese government informed the Board that Alibaba first reported the vulnerability to its Ministry of Industry and Information Technology (MIIT) on December 13, 2021, 19 days after the problem was disclosed to ASF. According to Reuters, China has penalized Alibaba for failing to report the Log4j vulnerability sooner, but the Chinese government declined a request from the board to provide more information on the sanctions, according to its report.
Silvers said that China’s “lack of transparency” only “heightens concern” among the board that “China’s regulatory regime will discourage network defenders from [disclosing vulnerabilities] with software developers” in the future.
“Independent of a possible sanction against Alibaba, the Board noted troubling elements of MIIT’s regulations governing disclosure of security vulnerabilities,” the report added, suggesting that the Chinese government’s requirement for providers to report vulnerabilities to them within two days of discovery “could give the PRC government early knowledge of vulnerabilities before vendor fixes are made available to the community.”
“The Board is concerned this will afford the [Chinese] government a window in which to exploit vulnerabilities before network defenders can patch them. This is a disturbing prospect given the [Chinese] government’s known track record of intellectual property theft, intelligence collection, surveillance of human rights activists and dissidents, and military cyber operations,” the report continued.
The report also outlined a series of recommendations for enhanced cybersecurity going forward, including a push for a better “software ecosystem.” As part of that initiative, the board recommended further investments in open-source software security and urged software developers to generate a “Software Bill of Materials,” or “SBOM,” that can be shipped with their product. This catalog of sorts would be designed to let consumers know what sort of software lives inside their products and applications, somewhat akin to what a nutrition facts label does for food.
“Our observation is that organizations using open source software should be supporting that community directly – getting them access to training programs, developing the tool sets that will make things like SBOMs adoptable,” Adkins told reporters.
The 15-member panel dealt with nearly 80 organizations and individuals representing software developers, end users, security professionals, and companies to produce Thursday’s report. Participants included Alibaba, Amazon, Apple, AT&T and Google, in addition to a slew of private companies, cybersecurity firms and scores of government agencies around the globe.
The Cyber Safety Review Board was originally tasked with conducting a postmortem of the massive SolarWinds breach carried out by Russian hackers, but ultimately pivoted to studying the impact of the Log4j flaw.
DHS Secretary Alejandro Mayorkas called the cyber threat environment “as diverse and critical as it’s ever been,” during Wednesday’s briefing. “We are seeing nation state cyber actors and cybercriminals, including those involved in ransomware operations, routinely use cyber means to steal data, gain financially and hold critical infrastructure at risk,” the secretary added.
CISA in February launched a “shields up” campaign to urge U.S. companies to safeguard against possible cyberattacks in the wake of Russia’s invasion of Ukraine. That warning has lasted for 150 days so far.