The Cyber Safety Review Board (CSRB) – in its inaugural report released today – praised the Cybersecurity and Infrastructure Security Agency (CISA) for its response to the ongoing Log4j software vulnerability, and found that to date there have not been any significant Log4j-based attacks on U.S. critical infrastructure.
The CSRB was created in February by the Department of Homeland Security (DHS), stemming from instructions on President Biden’s cybersecurity executive order issued last year. The board’s job, DHS said, is to assess past cybersecurity events, “ask the hard questions, and drive improvements across the private and public sectors.”
Apache Log4j is an open source Java-based logging framework that collects and manages information about system activity. It is a key building block that can be useful for creating software at scale, but also can create dependencies and risks that are not understood until they become a security issue.
When a Log4j vulnerability came to public attention in December 2021, every organization that used the technology was at risk. It also meant that system owners might not know that vulnerable software was present in their IT environments.
“When such a vulnerability is also easy for a threat actor to exploit to obtain broad control over a compromised system, it can create a once-in-a-generation security event,” wrote CSRB.
The Log4j vulnerability impacted virtually every networked organization, and the severity of the threat required fast action. Unfortunately, defender progress was hindered because there is no comprehensive “customer list” for Log4j, nor any list of where it is integrated as a sub-component.
CISA issued a broad Log4j warning on Dec. 22, 2021, with agency Director Jen Easterly emphasizing that “Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world” and imploring “all entities to take immediate action to implement the latest mitigation guidance to protect their networks.”
“Generally, the Cyber Safety Review Board … found that organizations that responded most effectively to the Log4j event understood their use of Log4j and had technical resources and mature processes to manage assets, assess risk, and mobilize their organization and key partners to action,” wrote CSRB.
CSRB praised the high levels of cooperation, extensive use of social media for rapid sharing of mitigation advice, and innovative response actions from CISA. Going forward, CSRB said that CISA should continue to expand its capability to develop, coordinate, and publish authoritative cyber risk information, as the Log4j event is not over.
The board said it considers Log4j an “endemic vulnerability,” and that significant risk remains. The event “illustrates how counterintuitive cybersecurity defense can be, for both individual enterprises and for the ecosystem as a whole,” the board said.
To maintain vigilance in addressing Log4j vulnerabilities over the long term, CSRB said:
- Organizations should prepare to address Log4j vulnerabilities for years to come;
- Organizations should continue to report and escalate observations of Log4j exploitation;
- CISA should expand its capabilities on cyber risk information; and
- Federal and state regulators should drive implementation of CISA guidance through their own regulatory authorities.