Cyber Safety Review Board’s first report gives CISA thumbs up for Log4j response

To listen to the Federal Newscast on your phone or mobile device, subscribe in PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

The Cyber Safety Review Board’s first ever report gives high marks to the Cybersecurity and Infrastructure Security Agency for leading the response to the Log4j vulnerability, while warning that the software bug will continue to haunt systems for many more years.

The board’s inaugural report also...

READ MORE

To listen to the Federal Newscast on your phone or mobile device, subscribe in PodcastOne or Apple Podcasts. The best listening experience on desktop can be found using Chrome, Firefox or Safari.

The Cyber Safety Review Board’s first ever report gives high marks to the Cybersecurity and Infrastructure Security Agency for leading the response to the Log4j vulnerability, while warning that the software bug will continue to haunt systems for many more years.

The board’s inaugural report also contains 19 recommendations for government, industry and academia, including suggestions for how agencies could improve software security and transparency.

President Joe Biden directed the establishment of the Cyber Safety Review Board under the Department of Homeland Security as part of last year’s cybersecurity executive order. During a phone call with reporters, DHS Secretary Alejandro Mayorkas called the board a “foundational development” to improve cybersecurity across public and private sectors.

“I also want to also communicate that it is an independent body of public and private sector leaders focused on not accountability or blame, but on an objective analysis of what occurred, and it is focused on designing instructive solutions for government and critical infrastructure alike,” Mayorkas said.

DHS formally launched the board in February. It includes 15 members from both the government and the private sector. Rob Silvers, the undersecretary for policy at DHS, serves as the board’s chairman, while Google senior director for security engineering Heather Adkins is its deputy chairwoman.

While Biden’s executive order initially directed the board to examine the SolarWinds incident that affected multiple federal agencies and numerous companies, Silvers said DHS and the White House agreed earlier this year that the board’s first report should examine the Log4j vulnerability instead.

“Never before have the public and private sectors come together for such a rigorous effort to understand what happened in a significant cyber incident,” Silvers said.

The Log4j vulnerability is one of the most serious computer bugs “in history,” Silvers said, notable for its widespread use in networked systems, its ease of exploitation, and the critical access it gives to successful attackers.

The board’s report says unpatched versions of the open source logging utility will continue to exist for many years to come, potentially more than a decade, as Log4j is widely used and difficult to find in many systems.

“This event is not over,” Silvers said. “The risks remain. Network defenders have to stay vigilant.”

The report covers the initial reporting of the bug last November and the subsequent actions by the cybersecurity community to respond to the critical vulnerability.

It found CISA played the role of a “trusted entity” by publishing a joint cyber advisory, directing agencies to patch the vulnerability via an emergency directive, and maintaining a GitHub list of products known to contain instances of Log4j, among other actions.

“CISA’s response provided defenders with specific and comprehensive guidance for vulnerability management, including patch prioritization,” the report states. “Stakeholders provided positive feedback to the board about the utility of CISA’s guidance, saying it provided a trusted source for direction and specific resources.”

In the future, the board says CISA should “expand its capability to develop, coordinate, and publish authoritative cyber risk information.” It also recommends CISA accelerate “to the greatest extent possible” implementation of new cyber incident reporting requirements for critical infrastructure companies.

Software transparency requirements

Despite the unity of effort across the cybersecurity community in the initial days and weeks after Log4j was uncovered, the board’s report says even sophisticated security teams struggled to identify instances of the vulnerable code in their systems.

An unidentified cabinet-level department told the board it spent 33,000 hours on the Log4j response, according to the report.

“These costs, often sustained over many weeks and months, delayed other mission-critical work, including the response to other vulnerabilities,” it states.

Silvers said the monumental task of tracking down Log4j convinced the board of the need for stronger software transparency measures.

“This was a situation where it seemed like you had to patch almost everything,” Silvers said. “This revealed to the board opportunities for increasing software transparency and a company’s capacity to respond quickly to new vulnerabilities that will surely be discovered in the future.”

The report touts the potential use of Software Bills of Material, while acknowledging further developments in SBOM tooling and adoption are still needed.

The report recommends the White House Office of Management and Budget work with the Federal Acquisition Regulatory Council to “use various mechanisms to minimize the U.S. government’s use of software without provenance and dependency information, and should consider the use of procurement requirements, federal standards and guidelines, and investments in automation and tooling, to create clear and achievable expectations for baseline SBOM information.”

The report also recommends agencies consider new mechanisms for transparency. For instance, it suggests the National Institute of Standards and Technology work with CISA to study the potential of setting up a Cyber Safety Reporting System to incentivize anonymous reporting of critical software vulnerabilities.

“Similar to the National Aeronautics and Space Administration’s (NASA’s) Aviation Safety Reporting System, a CSRS could contribute to a system-wide view of the cyber ecosystem and expand and centralize the existing external reporting and coordination of cyber safety issues,” the report states.

The report also makes recommendations on how to better support security in the open source software community.

China’s response to Log4j

A notable development in the board’s report was securing a response from the Chinese government regarding its actions around the Log4j vulnerability. There were multiple reports that China had sanctioned Alibaba for failing to share the vulnerability with the Chinese government quickly enough.

The report raises concerns with potential regulations in China that prevent the sharing of software vulnerabilities, Silvers said. While an attaché from the People’s Republic of China embassy in Washington offered a response to the board stating that the PRC encourages vulnerability disclosure, Silvers said the attaché did not answer follow-up questions about reported retaliation against Alibaba.

“This lack of transparency heightened board concerns that China’s regulatory regime will discourage network defenders from engaging in beneficial vulnerability disclosure activity with software developers,” he said.

Related Stories

    Amelia Brust/Federal News Network

    Officials say Log4j response proves out promise of new public-private partnership

    Read more
    Amelia Brust/Federal News Network

    Despite ‘extraordinary’ federal response, Log4J will haunt agencies for months to come

    Read more
    (Amelia Brust/Federal News Network)

    CISA updates marching orders for agencies on critical ‘Log4j’ vulnerability

    Read more