Feb 14 2022
Security

CISA’s Work with the Private Sector, Speedy Action by Feds Mitigated Log4j Threat

Federal agencies responded quickly to a recently discovered widespread software vulnerability, but they must remain on guard, according to the Cybersecurity and Infrastructure Security Agency.

The Department of Homeland Security’s cybersecurity agency was able to leverage a recently created partnership with the private sector to quickly nip a major software vulnerability, known as Log4j, in the bud, according to industry experts.

However, leaders at the Cybersecurity and Infrastructure Security Agency say that despite quick efforts by agencies to mitigate the vulnerability after it was discovered late last year, the government likely has not seen the end of the threat.

At a Feb. 8 Senate hearing, experts praised the Joint Cyber Defense Collaborative, an initiative CISA launched last August to help coordinate cyberthreat responses among federal agencies, the private sector, and state and local governments.

“Its structure provided a body to scramble a snap call on Saturday afternoon after Log4shell emerged to allow industry competitors to act as partners with the government to share raw situational awareness and we must continue building upon this partnership,” Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42, said during a hearing of the Senate Homeland Security and Government Affairs Committee, according to CyberScoop.

In December, CISA and private sector partners identified Log4Shell, a vulnerability in the broadly used, open-source Apache logging tool Log4j. CISA released a scanning tool for the vulnerability Dec. 21 and required federal civilian agencies to assess their exposure to Apache Log4j vulnerabilities and immediately patch those systems or implement other appropriate mitigation measures.


What’s Next on the Log4j Vulnerability?

Although CISA has said that all large agencies have mitigated the threat and that no exploits have occurred in the federal government as a result of the vulnerability, CISA Director Jen Easterly has also said the government is not out of the woods yet, and that attacks could still occur.

“The weakness in Log4j is just one example of how widespread software vulnerabilities, including those found in open source code, can present a serious threat to our national and economic security. In terms of the amount of online services, sites and devices exposed, the potential impact of this software vulnerability is immeasurable,” Sen. Gary Peters said at the hearing, CyberScoop reports.

CISA said in early January that large agencies had successfully taken steps to mitigate the Log4j vulnerability.

“Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet,” a CISA spokesperson tells MeriTalk.

“CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive,” the agency adds.

Despite that, agencies cannot let their guard down, as there may be a period of time between the discovery of the vulnerability and when attackers may seek to exploit it. “We do expect Log4j to be used in intrusions well into the future,” Easterly said on a call with reporters, according to CyberScoop. “There may be a lag between when this vulnerability is being used and when it is being actively deployed.”


The large-scale nature of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst Easterly said she has seen in her career, CNET reports. It’s also very easy for attackers to exploit the vulnerability.

“A threat actor can use the vulnerability to compromise the target system by typing only 12 characters into a text message, email subject line or chat window,” Easterly said.

CISA does expect the vulnerability “to be used in intrusions well into the future, and for this reason, we are remaining focused on driving remediation of vulnerable assets for months to come,” Easterly said on a call with reporters, MeriTalk reports.

The government will also be taking other steps to investigate the Log4j vulnerability. CyberScoop reports:

The Log4j vulnerability also will be one of the topics in the first report to come from the new Cyber Safety Review Board created recently by the Department of Homeland Security. That body will mirror what the National Transportation Safety Board does after aviation incidents.
