House Energy and Commerce Committee leaders request federal briefings on network security over Log4j vulnerability

Through letters dispatched to the U.S. Departments of Commerce, Energy, Health and Human Services, the Environmental Protection Agency, and the National Telecommunications and Information Administration, leaders of the House Energy and Commerce Committee have requested briefings on federal network security efforts.

Signing on to the letters were more than a dozen chairs and ranking members of the House Energy and Commerce Committee, along with the subcommittees on Oversight and Investigations, Communications and Technology, Consumer Protection and Commerce, Energy, and Environment and Climate Change. As one, their concern focused on identifying and negating potential breaches in federal network security.

While the specifics shifted letter to letter, an example of their tack could be seen in the letter to U.S. Energy Secretary Jennifer Granholm, whom they questioned over the open-source software vulnerability known as Apache Log4j.

“The ubiquitous nature of this vulnerability and the hundreds of thousands of known exploits since its disclosure raise concerns about how the U.S. government is identifying and mitigating potential compromises to its network security,” the lawmakers wrote.

As far back as December last year, the Log4j vulnerability was being widely exploited, according to a statement CISA Director Jen Easterly made at the time. She also described it as an urgent challenge and later emphasized that it posed a severe risk that could only be minimized through collaborative efforts between government and private sector interests.

“Because the Log4j vulnerability is widespread and can affect enterprise applications, embedded systems, and their sub-components, the Committee is seeking to gain a comprehensive understanding of the scope of the vulnerability and actions being taken to mitigate its effects,” the members wrote to Granholm. “The risk to federal network security is especially concerning because nation-state threat actors have attempted to exploit this Log4j vulnerability.”

The lawmakers posed similar questions to Granholm and the other department heads, requesting answers by Aug. 24, 2022. The questions included:

  1. When did the department first learn of the Log4j vulnerability?
  2. What actions were taken in response to CISA’s guidance in December 2021 and the subsequent directive on April 8, 2022, regarding the Log4j vulnerability?
  3. What tools are used to detect instances of the Log4j vulnerability on department networks, and what is the schedule for identifying those vulnerabilities?
  4. Does the department utilize software that makes use of Apache Log4j?
  5. Have Log4j compromises or exploitations affected the department?
  6. What are the requirements for reporting anomalies, and what thresholds are there for alerts linked to potential compromises?
  7. Are there specific, ongoing plans to identify and fix software potentially vulnerable to cyber threats?

Chris Galford
