Log4j vulnerability prompts Senate Homeland Security Committee briefing, warnings for critical infrastructure

In response to hacker-discovered vulnerabilities in the widely used Java-based logging package Log4j, U.S. Sen. Gary Peters (D-MI) convened a committee briefing with top federal cybersecurity officials this week to address the issue’s mitigation.

The Homeland Security and Governmental Affairs Committee hearing followed a Dec. 22, 2021 advisory from numerous federal and foreign security agencies that listed the technical details, workarounds, and resources needed to address known vulnerabilities in the software library. The advisory was meant to be usable by any organization using the program and urged immediate action.

Attending the hearing were Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), along with National Cyber Director Chris Inglis.

“The vulnerability in log4j is one of the most serious and widespread cybersecurity risks that we have ever seen, and it leaves countless major companies, government agencies, and small businesses susceptible to harmful attacks from cybercriminals and adversaries,” Peters, the committee chairman, said. He added, “I was pleased to hear how our government has swiftly mobilized to respond to this threat – including by requiring federal agencies to secure their systems and by offering support to impacted organizations. However, I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability or the risk posed to critical infrastructure.”

Compounding the issue, Peters said, is that the federal government lacks the insight needed to understand the threat, protect those at risk and pursue a response against the hackers. In the past, he has sought laws that would require critical infrastructure companies to report substantial attacks or any ransoms paid – measures, he noted, that would allow the government greater ability to assess national risks, prepare for hits to national security, and better coordinate responses.

The threat cannot be overstated: back in December, Easterly described the Log4j exploit as one of the most severe she’s seen in her career.

“Log4j vulnerabilities present a severe and ongoing threat to organizations and governments around the world; we implore all entities to take immediate action to implement the latest mitigation guidance to protect their networks,” Easterly said back in December. “CISA is working shoulder-to-shoulder with our interagency, private sector, and international partners to understand the severe risks associated with Log4j vulnerabilities and provide actionable information for all organizations to promptly implement appropriate mitigations.”

Peters noted that he currently has two bills advanced through the Senate that would bolster federal cybersecurity and require critical infrastructure owners and operators to submit the reports. Already this past year, he pushed through into law bills that would improve cybersecurity policy and cybersecurity assistance for K-12 schools, and provide $100 million to help victims of severe attacks recover.

Chris Galford
