A month after its first public warnings about the Log4j vulnerability, the Cybersecurity and Infrastructure Security Agency (CISA) is continuing to work with Federal agencies and the public to mitigate potential exposure, and also renewing calls for a software bill of materials (SBOM) to aid in system visibility and inventory management.
CISA Director Jen Easterly and Executive Director of Cybersecurity Eric Goldstein said today that the agency hasn’t seen any “significant intrusions” to date from the Log4j vulnerability. They said Federal agencies are still working to remediate all systems that contain the Log4j library, which ships in thousands of products that each need their own patch, and its Log4Shell vulnerability, which Easterly said takes just 12 characters to exploit.
“This really is the most serious vulnerability I’ve seen in my career,” Easterly said on a Jan. 10 press call.
“But in many ways, it’s also exactly the type of event that CISA was built for as the nation’s cyber defense agency,” she said. “So, the good news is that we’re really tackling the challenge with an unprecedented level of operational collaboration with our industry, the research community, and international partners.”
“As I’ve often said, cyber has to be a team sport,” Easterly said. “The actions taken across the community to date to mitigate the risk of this vulnerability are emblematic of that type of teamwork.”
Goldstein said CISA has seen Federal agencies move to comply with the emergency directive, issued about a week after the vulnerability was first announced, to prioritize remediation of internet-connected assets.
After meeting with Easterly and National Cyber Director Chris Inglis, Sen. Gary Peters, D-Mich., renewed his calls for mandatory incident reporting legislation, which is supported by both Easterly and Goldstein.
SBOM Progress
However, Goldstein also pointed to the SBOM – called for in President Biden’s cybersecurity Executive Order (EO) – as a way to make remediation of similar vulnerabilities easier in the future.
“Now, of course, we just went through a lot of urgent work to understand the threat and fix the vulnerabilities that we know are manifesting today, but we also know that really why we’re here is to avoid these sorts of situations from occurring again in the future,” Goldstein said. “So, we’re laser-focused on taking steps now that will result in a more secure and resilient technology ecosystem as we go forward.”
“There are a few key areas that we’re really prioritizing in that regard,” he added. “The first is making it easier for organizations to understand and prioritize the prevalence of vulnerable libraries and components across their environments through an effort called [a] software bill of materials, which you can think about just like an ingredient list of libraries of components that comprise a given piece of software or application, which is invaluable to help an organization ideally, automatically understand if they are exposed to a given vulnerability and then quickly pivot to remediation, driving down that time that an adversary has to exploit a vulnerability.”
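The matching step Goldstein describes, an SBOM treated as an ingredient list that an organization can check automatically against a known vulnerable component, as an added Python example that is not part of the original article or of any CISA or NTIA tooling. It assumes a CycloneDX-style JSON component list (the sample SBOM below is constructed, not a real product's SBOM) and carries the log4j-core range affected by Log4Shell (2.0-beta9 through 2.14.1, as published in the Apache Log4j project's advisory) in a small advisory table; that table, the version parser and the function names are the example's own assumptions.

```python
import json
import re

# Constructed sample SBOM in a CycloneDX-style layout (not any real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.13.1"},
    ],
})

# Affected log4j-core range for Log4Shell, per the Apache Log4j project's advisory
# (2.0-beta9 up to and including 2.14.1). Assumption: this table is maintained by the
# operator and kept in sync with the advisory; it is not fetched from anywhere.
ADVISORIES = [
    {"id": "Log4Shell", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "min": "2.0-beta9", "max": "2.14.1"},
]


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Numeric release parts compare numerically and are padded to three places,
    so '2.0' == '2.0.0'. A pre-release tag sorts below the matching release
    ('2.0-beta9' < '2.0'), which the affected range's lower bound depends on.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))
    if m.group(2):  # pre-release: rank 0, then tag name, then tag number
        tag_num = int(m.group(3)) if m.group(3) else 0
        return nums + (0, m.group(2).lower(), tag_num)
    return nums + (1,)  # final release: rank 1


def is_affected(version, advisory):
    """True when version lies inside the advisory's inclusive [min, max] range."""
    v = parse_version(version)
    return parse_version(advisory["min"]) <= v <= parse_version(advisory["max"])


def find_exposures(sbom_json, advisories=ADVISORIES):
    """Return (advisory id, group:name, version) for every SBOM component whose
    coordinates match an advisory and whose version falls in the affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp.get("group") == adv["group"] and comp.get("name") == adv["name"]:
                if is_affected(comp["version"], adv):
                    hits.append((adv["id"], f'{comp["group"]}:{comp["name"]}', comp["version"]))
    return hits


if __name__ == "__main__":
    for adv_id, comp, ver in find_exposures(SAMPLE_SBOM):
        print(f"{adv_id}: {comp}@{ver} is in the affected range; prioritise remediation")
```

Run against the constructed SBOM, only the 2.14.1 copy of log4j-core is reported; the 2.17.1 copy and log4j-api are not. The check is only as complete as the SBOM it reads: a library bundled inside another artifact that the SBOM generator did not unpack will not appear as a component, which is exactly the inventory gap the article says SBOM work is meant to close.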
President Biden’s cyber EO includes a requirement for the National Telecommunications and Information Administration (NTIA) to develop guidelines on what the requirements for an SBOM should include. The NTIA sought feedback on its work in developing SBOM requirements last June.
“Certainly, what we’ve seen over the past month as a result of Log4j is catalyzing and accelerating these efforts to include software bill of materials,” Easterly said.
Easterly said that CISA’s work on SBOM is being aided by the addition of former NTIA Director of Cybersecurity Initiatives Allan Friedman to CISA’s team as a senior advisor and strategist. Friedman is currently leading CISA initiatives on SBOM efforts, including the launch of four workstreams: cloud and online applications, tools and implementation, sharing and exchanging SBOMs, and on-ramps and adoption, according to a LinkedIn post by Friedman today.
Goldstein said the Log4j vulnerability shows CISA how much work still needs to be done to increase organizations’ and agencies’ visibility into their own environments.
“I think this vulnerability reflects the work that we have yet to do, and I think that work will focus on ensuring that organizations have visibility into libraries and components in their environment – and in their software stacks – as well as ensuring that we as a community understand the most prevalent and critical open-source products and libraries that are used across critical infrastructure across the government,” Goldstein said.