Absence of reporting law limits agency knowledge of cyberattacks
'I’m hopeful that this will pass,' cybersecurity director says of Senate chairman's bill
The absence of a federal law requiring operators of critical infrastructure to report cyberattacks to the federal government is likely leaving the Cybersecurity and Infrastructure Security Agency in the dark about possible attacks as the agency and others confront one of the most widespread software flaws ever discovered.
CISA, other U.S. agencies, cybersecurity researchers and companies around the world are scrambling to fix a flaw in a widely used logging software known as Log4j that could open the door to ransomware attacks by criminals as well as sophisticated exploitation by government spy agencies.
Although security researchers have seen tens of thousands of instances of criminal groups and sophisticated adversaries scanning computer networks in search of a loophole, no major intrusions have thus far been reported by any company or U.S. agency.
Belgium’s Ministry of Defense in late December said it had suffered a cyber attack as a result of the flaw.
“It may be the case that sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting” to launch an attack when attention to the flaw has dwindled, Jen Easterly, CISA’s director, told reporters on Monday.
“We are concerned that threat actors are going to take advantage of this vulnerability and having impacts on critical infrastructure,” Easterly said. “Because there is no legislation in place [to report attacks], we will likely not know about it.”
The recently passed Pentagon policy bill for 2022 didn't include a provision requiring federal agencies and private companies to report cyber attacks to CISA. Although the House and Senate versions of the bill contained slightly different requirements, the final bill didn't reconcile the differences.
Easterly said she and her agency colleagues had recently met with Sen. Gary Peters, D-Mich., chair of the Senate Homeland Security and Governmental Affairs Committee, who was the co-sponsor of the Senate cyber reporting bill.
Peters said that he would continue to push for such legislation, Easterly said. “I’m hopeful that this will pass” Congress soon, she said.
In the absence of a uniform cyber incident reporting requirement, victims and government agencies struggle to figure out who is in charge or who has been attacked, according to a memo prepared by the House Committee on Oversight and Reform last month.
The committee obtained records from CNA Financial Corp., JBS Foods and Colonial Pipeline, all of which suffered ransomware attacks last year.
CNA is said to have paid a ransom of $40 million in Bitcoin after it suffered a ransomware attack in March by a cybercriminal group called Phoenix.
In May, Colonial Pipeline was attacked by DarkSide and paid $4.4 million, also in cryptocurrency.
In June, JBS Foods was attacked by REvil and paid a ransom of about $11 million.
“Each company provided notice to a variety of different federal agencies, including federal law enforcement,” the committee memo said.
Security researchers have said the Log4j flaw is likely one of the most widespread vulnerabilities of the past decade.
In early December, a security researcher at Chinese online retailer Alibaba discovered and reported the software flaw in a widely used tool called Log4j. The open-source tool is a Java-based library developed by Apache that software developers use to track activity within an application.
Every time anyone on the internet logs on to a cloud-service provider or other site, the company managing the site or the service captures data about the activity and stores it in a log.
Hackers are now attempting to break into such logs and launch attacks.
Easterly said the Log4j library is embedded into thousands of commercial products. Given the widespread use of the tool, the vulnerability “is therefore likely present in hundreds of millions of individual” computers around the world, she said.
Although Apache, the original developer of Log4j, has issued a series of fixes for the flaw, each vendor of software that has embedded the Log4j into its own products “must produce their own unique patch” for the flaw, Easterly said.
Given the simplicity of exploiting the flaw — requiring only 12 characters to be entered in a chat box, email, text message — and the widespread use of the tool, attackers can gain “deep access” into a target network, Easterly said.
Since the flaw was first discovered on Dec. 10, CISA has rallied federal agencies, cybersecurity researchers, academics, and private companies to create a central repository of as many as 2,800 products that contain the Log4j tool, Easterly said.
CISA also has developed a scanning tool based on open source software that helps organizations assess whether they are exposed to the Log4j vulnerability, she said.