Government and industry are still dealing with the fallout from the Log4j software vulnerability, but representatives from both camps say the critical bug helped demonstrate the promise of a public-cyber planning office established last year.
The rapid response to the bug in the open source software library was successful in large part because of the Joint Cyber Defense Collaborative, or JCDC, according to officials. The Cybersecurity and Infrastructure Security Agency established the JCDC last August after Congress directed CISA to set up a joint cyber planning office with the private sector.
“We’ve been around long enough to know that public-private partnership doesn’t have a lot of substance if it’s not actionable,” Kiersten Todt, CISA’s chief of staff, said during a Feb. 9 event hosted by the Cipher Brief.
“That’s why one of the key pieces to what we’re doing is this operational collaboration,” she continued. “And that’s really what this Joint Cyber Defense Collaborative was launched to do is to really operationalize collaboration between industry and government. And Log4j was the first real front and center example of what that looks like, and how we can activate it.”
After the vulnerabilities, referred to as Log4Shell, emerged publicly on Dec. 10, Todt said CISA officials quickly convened a call with JCDC members to share information about the exploit.
The agency used information from the JCDC and elsewhere to feed a GitHub repository of vulnerable products and associated patches. CISA also directed federal agencies to immediately patch Internet-connected devices affected by Log4Shell, while recommending private sector organizations do the same.
“The JCDC really turned out to be this tremendous vehicle,” Todt said. “When we look at the successes of the event, which obviously is something that we’re continuing to mitigate, CISA became the single authoritative source by design, both from industry as well as government, where we could collaborate and bring together information on what we were seeing.”
Private sector officials also applauded the JCDC’s role in the Log4j response during a Senate Homeland Security and Government Affairs Committee hearing this week.
“The information that we got through JCDC helped us to understand the techniques and attacks that were being observed in the real world, so that we could then marshal our resources in defense of that,” Cisco Systems senior vice president Brad Arkin said during the hearing. Cisco is a member of JCDC.
Arkin also suggested the government share cyber threat information at the lowest possible classification level.
“If I can’t share that information out to the rest of my company, I’m not going to be able to put it to its full effect,” he said. “Keeping things at the unclassified or For Official Use Only level is going to allow us to most rapidly push information out to the people who can put it to work in a defensive manner in our environment.”
The JCDC could also provide value to small- and medium-sized businesses that struggle to put resources behind cybersecurity measures, especially in the middle of a crisis like the Log4j vulnerability, according to Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks, which is also a JCDC member.
“They’re not necessarily resourced to have an expert come in, and help them and evaluate it,” she said during the hearing. “So I see [JCDC] as a body to be able to put together that sort of guidance to help those organizations understand what they need to do in a prioritized manner.”
Chris Inglis, the White House’s National Cyber Director, said the JCDC’s efforts are an example of moving from “division of efforts to collective defense.”
But he said both the public and private sectors will have to boost their investments in cyber “resilience” to be prepared for the next Log4j scenario.
“We’ve done a magnificent job, I think, collectively across the private and public sector responding to a Log4j,” Inglis said during the Cipher Brief event. “But if we did that, again, and again, and again, that’s not a strategy. That’s simply just a response action. We would only lose more slowly if we got that close to perfect. Therefore, we need to figure out, how do we actually invest in the resilience of technology, people and doctrine, so that we avoid those events in the future.”
The Biden administration is also considering new software security rules for federal agencies and contractors under last year’s cybersecurity executive order.
Last week, the National Institute of Standards and Technology published Software Supply Chain Security Guidance for agencies. It recommends officials in charge of procuring software at least require a self-attestation from the contractor confirming that software was developed in accordance with secure development practices.
The new guidance is expected to form the basis of proposed contracting rules due in May, per the executive order.
Congress is also moving forward with cyber incident reporting requirements for federal agencies, contractors and critical infrastructure operators after the legislation narrowly missed out on passing as part of last year’s defense authorization bill.
Inglis pointed to an open source software summit hosted by the White House last month in the wake of the Log4j event. Attendees discussed ways to drive software assurance and security efforts forward.
“Secure by design, software transparency, and things like software bill of materials, were some of the big ideas there,” Inglis said. “We need to figure out how do we do that using market forces, enlightened self interest, and with a light touch, some degree of regulation to ensure that those things that require resilience and robustness, in fact, we don’t leave that to chance.”