After turbulent cyber year, agencies enter 2022 with fresh security crisis on hand

Log4j will keep agencies busy into the new year, but experts say the federal enterprise made progress a year after SolarWinds.

A year after the SolarWinds compromise, federal agencies are once again entering the new year in the middle of a cybersecurity emergency, with IT offices racing to identify and patch instances of widely used software code on their networks.

But after 12 months of “blocking and tackling,” experts say the federal enterprise is better positioned to handle cybersecurity incidents and primed for more progress in 2022.

Agencies had until Dec. 23 to identify and patch instances of Log4j on their Internet-facing systems, according to an emergency directive issued by the Cybersecurity and Infrastructure Security Agency last week. The vulnerability in the widely used Apache open source logging software emerged earlier this month.

The directive also tells agencies to report all affected software applications to CISA by Dec. 28.

“CISA is very pleased with the urgency with which agencies are addressing Log4j vulnerabilities,” a CISA official told Federal News Network on background. The official said CISA has hosted multiple calls attended by “thousands of staff” across civilian agencies, including chief information officers and chief information security officers, as well as IT operations and security operations center personnel.

“Federal IT and Cybersecurity leadership’s commitment to urgently addressing these vulnerabilities as a cohesive enterprise has been clear since the onset,” the official said. “We have no confirmed compromises across federal civilian networks relating to the Log4j vulnerability.”

Efforts to address Log4j will carry into 2022 from a year that saw the creation of the National Cyber Director’s office, the establishment of CISA’s Joint Cyber Defense Collaborative, and efforts to implement President Joe Biden’s cybersecurity executive order, among other federal developments.

Mark Montgomery, senior advisor to the recently shuttered Cyberspace Solarium Commission, said 2020 was a “watershed” year in cybersecurity, when lawmakers included 26 of the commission’s recommendations in the annual defense bill, including the creation of the NCD.

“2021 was much, much more of blocking and tackling,” Montgomery said. “More changes to CISA authorities, the establishment of a Response and Recovery Fund, building better public-private partnership programs in the Department of Defense and Department of Homeland Security. Those are smaller issues, but important issues that help in getting the cybersecurity agenda moving forward.”

Chris Cummiskey, a consultant and former Department of Homeland Security under secretary for management, said it was a “rebuilding year” for federal cybersecurity after the Trump administration did away with the former White House national cybersecurity coordinator position.

“There’s much better coordination now between the White House key cyber functions, the National Security Agency, the FBI, and CISA,” Cummiskey said. “When you have that coming together on all cylinders, it’s a much more effective response.”

Biden’s May cybersecurity executive order, spurred on by the SolarWinds breach, also set tight deadlines for agencies to begin improving their cyber practices, including through the shift to zero trust architectures. Chris DeRusha, federal chief information security officer, recently said that agencies are now entering the “execution phase” of the EO.

Cummiskey said past cyber executive actions have lacked sufficient accountability and performance tracking measures. But he believes officials like National Cyber Director Chris Inglis, CISA Director Jen Easterly and DeRusha will hold agencies accountable to the latest EO.

“The difference this time is that you’ve got a lot of seasoned veterans in leadership roles that are helping other agencies kind of understand that if we’re going to move to zero trust architecture, or if we’re going to strengthen the enterprise, cybersecurity functions at agencies, it’s got to be more than just a reporting requirement through FITARA,” Cummiskey said, referring to the Federal Information Technology Acquisition Reform Act that requires annual reports from agencies on IT inventories and plans.

The executive order put CISA in charge of multiple action items to improve federal cybersecurity, including the designation of “critical software” and the establishment of a Cyber Safety Review Board.

CISA also saw continued support from Congress this year, especially funding. The American Rescue Plan added $650 million in emergency funds on top of CISA’s $2 billion annual budget. Lawmakers are proposing increasing CISA’s budget to $2.4 billion in fiscal year 2022.

However, in spite of a scourge of ransomware attacks, including incidents that shut down Colonial Pipeline and a major meatpacking plant, Congress could not come to an agreement on including cyber incident reporting requirements in legislation by the end of the year.

Tatyana Bolton, former cyber policy lead at CISA, said the continued policy of voluntary reporting for critical incidents leaves a major hole in the U.S. approach to cybersecurity. Bolton was also on the staff of the Solarium Commission and directs cyber policy for the R Street Institute.

“The fact that we couldn’t have that very simple provision into law is very unfortunate, and I think we’re going to see over the course of the next year how not having that tool in the toolbox for the federal government is going to be a weakness of our cyber strategy,” Bolton said.

But she and Montgomery expect lawmakers will make another strong push to pass reporting requirements in 2022.

Bolton also predicts Inglis and the National Cyber Director’s office will make progress next year on efforts to introduce more resilience into the U.S. cybersecurity approach, taking a wider view of incidents like ransomware attacks and Log4j.

“His efforts on resilience are focusing on the broader picture,” she said. “It’s the forest for the trees.”

Meanwhile, CISA’s emergency directive shows the agency will continue to monitor the Log4j situation into the new year. CISA is planning to provide a report by Feb. 15 to both DHS Secretary Alejandro Mayorkas and the White House on “identifying cross-agency status and outstanding issues,” according to the directive.
