LAS VEGAS — Six months ago, the federal government created a new office and gave it a tough first assignment: to report on the public-private response to the Log4j vulnerability that left much of the web open to remote compromise.
In a panel discussion Wednesday at the Black Hat Information Security Conference here, the chairman and vice chairman of that council shared key lessons learned from the effort, starting with a welcome willingness among industry types to talk to a government organization.
“I think what surprised a lot of people was how deep the investigation could go,” said Robert Silvers, chair of the Cyber Safety Review Board (and undersecretary for policy at the Department of Homeland Security), to panel moderator and Black Hat founder Jeff Moss. “We actually created a factual summary of how the process of disclosing the Log4J vulnerability, the response, went.”
Co-chair Heather Adkins, vice president of security engineering at Google, made the same point, saying she was “really pleasantly surprised” that more than 80 security organizations and researchers spoke to the board for the 52-page report (PDF) that it published in July. “We even heard of the People’s Republic of China.”
The Cybersecurity and Infrastructure Security Agency (CISA) created the 15-member board in February, following a directive from the Executive Order on Information Security that President Biden issued in May 2021. It is loosely modeled after the National Transportation Safety Board, with the aim of bringing transparency to an area where the targets of attacks have often retreated into vague silence about what went wrong.
“Before CSRB was created, there really wasn’t anyone whose job it was to bring together 80 different companies and security researchers,” Silvers said. “Our mission was to figure out what happened just so the community could find out.”
He and Adkins praised organizations such as Chinese e-commerce giant Alibaba and the open-source Apache Software Foundation for sprinting to fix the vulnerability in Log4j (also known as Log4Shell or CVE-2021-44228). Millions of sites use this open-source Java library developed by Apache to log their activities, but a previously undiscovered flaw allowed attackers to remotely exploit it to execute arbitrary code on those servers.
But so many organizations rushing out patches while sites rushed to install them — “this may have been the greatest large-scale cyber response in history,” Silvers said — led to further complications.
“There were a few iterations of the patch. We definitely found that it was inducing some patch fatigue,” he said. CISA attempted to alleviate this fatigue by releasing a GitHub repository of packages vulnerable to Log4j.
Adkins, in turn, commented that having these patches “out in the open” inevitably made some attackers more aware of the vulnerability: “We’re starting to see posts on WeChat in China, talking about this release candidate that has this fix.”
Alibaba publicly reporting the vulnerability without notifying the Chinese government first also led Beijing to punish the company.
And while early exploitation may have simply consisted of hackers snooping around, it was followed by remote installations of cryptocurrency mining software, the sale of exploit kits, and then their use by nation-state attackers.
“How can we build a software ecosystem where things can happen quickly?” she asked. “How can we make knowledge of the bug somewhat irrelevant?”
The rest of the panel focused on how the board and the industry in general could achieve this. Adkins endorsed measures to help open-source foundations train developers and audit code, which could make the group effort behind these projects more effective.
As she said, “We’re kinda skiing above a pretty good avalanche of support within the community.”
Silvers said the government should require software transparency from vendors, including providing a software bill of materials (SBOM, pronounced “s-bomb”) for deliverables. “The board totally believes in the SBOM concept, but it needs to evolve,” he said. “You need to know what you have and where.”