WASHINGTON, DC – Today, U.S. Senator Rob Portman (R-OH), Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, delivered opening remarks at a hearing on the response to and lessons learned from the threat posed by the vulnerability in Log4j software – which experts have said is one of the most serious and widespread cybersecurity risks ever seen. Portman highlighted that this vulnerability, as well as several others including the 2014 Heartbleed vulnerability, and the vulnerability that led to the Equifax breach, demonstrate the need for Congress to pass the bipartisan Strengthening American Cybersecurity Act he introduced with Senator Gary Peters (D-MI). The legislation would significantly enhance our nation’s ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government – particularly in the face of potential cyberattacks sponsored by the Russian government in retaliation for U.S. support of Ukraine.
The legislation combines language from three bills Portman and Peters authored and advanced out of their Committee – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. The combined bill, known as the Strengthening American Cybersecurity Act, will require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyberattack. It would also require critical infrastructure owners and operators to report ransomware payments to CISA, modernize the government’s cybersecurity posture, and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency.
A transcript of his opening statement can be found below; a video of the remarks accompanies the original release.
“Thank you, Mr. Chairman, and thanks to the witnesses here before us today. This is an opportunity for us to hear from organizations who have distinct perspectives on Log4Shell, a pervasive cybersecurity vulnerability in a Java software library called Log4j. Log4j is open-source software, meaning unlike proprietary software, it’s available for anyone to use and access free of charge. Open-source software like Log4j has unique advantages in that sense, but also disadvantages relative to proprietary software that we’ll discuss at today’s hearing.
“Open-source software is ubiquitous in the software industry. It underpins much of our economy and numerous other software products. Companies benefit from not having to reinvent the wheel, and that’s a good thing when they are developing their products. As a result of these dependencies, though, a vulnerability in open-source software can affect many other software products that rely on it. The Log4Shell vulnerability is a particularly severe vulnerability because the code is in so many places, the vulnerability is easy to exploit, requiring less than a sentence, and because it provides a high level of access. To put this in perspective, we heard CISA Director Jen Easterly describe this as, ‘The most serious vulnerability she has seen in her decades-long service in the area of cybersecurity.’
“This is not the first severe vulnerability in open-source software, by the way. In 2014, there was another open-source software vulnerability called Heartbleed that allowed normally protected information to be stolen. Similar to Log4j, the open-source product with the Heartbleed vulnerability was widely used, making the response very challenging.
“Then in 2017, of course, we had the massive Equifax breach due to a vulnerability in an open-source Apache Software Foundation product called Apache Struts. Log4j is also maintained by Apache, who is here today. When I chaired the Permanent Subcommittee on Investigations, we released a bipartisan report, Senator Carper and I together, on Equifax’s failure to remediate the vulnerability, which compromised the personal information of roughly 147 million Americans. I’m concerned that without proper remediation of the Log4Shell vulnerability, we run the risk of experiencing one or even more incidents of the same magnitude as the Equifax breach.
“It’s clear that issues involving the security of open-source software have been around for a long time. I’m looking forward to hearing from our witnesses today. We’ve got a wide range of perspectives on how to address these challenges. This does, by the way, build on a previous hearing we had on Log4j just about a month ago, where we heard from National Cyber Director Chris Inglis and CISA Director Jen Easterly. In that briefing, we learned several things. First, we learned that this vulnerability is widespread. Hundreds of millions of devices have the vulnerability. David Nalley, the President of the Apache Software Foundation, is here, and again I look forward to a conversation with him about the disclosure and subsequent remediation of this vulnerability.
“Second, we learned that fixing this vulnerability is not as easy as Apache just putting out a one-size-fits-all patch. Vendors who use this vulnerable code, not knowing it was vulnerable, will have to issue their own patches for their own products. This makes the response even more complicated and time-consuming. I’m glad Brad Arkin, a Senior Vice President, Chief Security and Trust Officer at Cisco, is here to help provide some perspective from a company that’s had this vulnerability and has remediated it.
“Finally, we learned that because this response will be drawn out, attackers are going to have time to exploit the vulnerability and launch attacks. Just because the vulnerability exists does not mean it’s actively being used to attack an entity. But the concerning reality today is that our nation does not know how widespread attacks leveraging this vulnerability are and when they’re going to occur. It’s one reason that it’s more important than ever to pass this Cyber Incident Reporting Act that Senator Peters just talked about. That legislation will ensure that our nation has visibility into attacks exploiting the Log4Shell vulnerability against critical infrastructure.
“I’m looking forward to hearing from Jen Miller-Osborne from Palo Alto about her work tracking and analyzing the threats stemming from this vulnerability. Open-source software isn’t inextricably woven into every bit of software we use every day. The answer to the problem is not to stop using it, but it is important that we use this hearing to understand how we can address the security risks in open-source products, working within the existing processes and strategically investing time and money to support the open-source community so it can be more secure.
“I’m also going to be asking some of our cybersecurity threat experts here today about the ongoing targeting of Ukraine by Russia in cyberspace. I’m hopeful we’ll leave this hearing with a better understanding of the risks and benefits of open-source software and also what role the federal government should have in supporting these efforts to increase open-source security. Thanks very much for convening this hearing Mr. Chairman. I look forward to hearing from the witnesses.”
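The Senator's remarks make two practical points that defenders had to act on: Log4j is bundled inside other vendors' products rather than installed on its own, so a single Apache release does not fix a deployment, and an organization first has to find where the library is embedded. The following scanner is an added example written for this page; it is not code from the Committee, the Senator, Apache, or any witness. It walks a JAR/WAR/EAR and every archive nested inside it, identifies a bundled log4j-core by its Maven `pom.properties` entry, and reports whether the `JndiLookup` class (the class Apache told users of 2.10 and later to delete as an interim mitigation) is still present. The version thresholds are the fixed releases Apache published for Log4Shell (CVE-2021-44228): 2.15.0, plus 2.12.2 for the Java 7 line and 2.3.1 for the Java 6 line. The archive layouts built by `build_samples()` (a `WEB-INF/lib` war, a `BOOT-INF/lib` fat jar) are constructed stand-ins for real deployments, and the class files inside them are four-byte placeholders.

```python
"""Find bundled log4j-core jars (including nested ones) and flag Log4Shell exposure.

Added example for this page, not code from the hearing or from Apache.
"""
import io
import re
import zipfile

# Class that performs JNDI message lookups; Apache's interim mitigation for 2.10+ was
# to delete it from log4j-core (zip -q -d log4j-core-*.jar <JNDI_LOOKUP>).
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Standard Maven metadata path that a log4j-core jar built by Maven carries.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
NESTED = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Best-effort: '2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0, 0); garbage -> None."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def log4j_core_version(zf):
    """Return the version string from pom.properties, or None if this is not log4j-core."""
    if POM_PROPS not in zf.namelist():
        return None
    for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def scan_archive(data, path="<root>"):
    """Recursively walk an archive and its nested archives; one finding per
    log4j-core jar (or per stray JndiLookup.class) encountered."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip: nothing to inspect here
    names = set(zf.namelist())
    version = log4j_core_version(zf)
    if version is not None or JNDI_LOOKUP in names:
        findings.append({"path": path, "version": version,
                         "jndi_lookup_present": JNDI_LOOKUP in names})
    for name in sorted(names):
        if name.lower().endswith(NESTED):
            findings.extend(scan_archive(zf.read(name), f"{path}!/{name}"))
    return findings


def is_log4shell_exposed(finding):
    """Exposed to CVE-2021-44228 if JndiLookup is present and the version predates the
    fixed releases (2.15.0; 2.12.2 on the 2.12 line; 2.3.1 on the 2.3 line).
    A present class with an unreadable version is treated as exposed (fail closed)."""
    if not finding["jndi_lookup_present"]:
        return False
    v = parse_version(finding["version"] or "")
    if v is None:
        return True
    fixed = (v >= (2, 15, 0)
             or (2, 12, 2) <= v < (2, 13, 0)
             or (2, 3, 1) <= v < (2, 4, 0))
    return not fixed


# ---- constructed sample archives (placeholders, not real software) -------------------
def make_zip(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def log4j_core_jar(version, keep_jndi_lookup=True):
    """A fake log4j-core jar: Maven metadata plus placeholder class files."""
    entries = {
        POM_PROPS: f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        "org/apache/logging/log4j/core/Logger.class": b"\xca\xfe\xba\xbe",
    }
    if keep_jndi_lookup:
        entries[JNDI_LOOKUP] = b"\xca\xfe\xba\xbe"
    return make_zip(entries)


def build_samples():
    return {
        "legacy-app.war": make_zip({"WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core_jar("2.14.1")}),
        "patched-by-deletion.war": make_zip(
            {"WEB-INF/lib/log4j-core-2.14.1.jar": log4j_core_jar("2.14.1", keep_jndi_lookup=False)}),
        "upgraded-app.jar": make_zip({"BOOT-INF/lib/log4j-core-2.17.1.jar": log4j_core_jar("2.17.1")}),
        "no-log4j.jar": make_zip({"com/example/Main.class": b"\xca\xfe\xba\xbe"}),
    }


def report(samples):
    """{archive name: [(nested path, version, exposed?), ...]} for each sample."""
    return {name: [(f["path"], f["version"], is_log4shell_exposed(f))
                   for f in scan_archive(data, name)]
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, rows in report(build_samples()).items():
        print(name, rows or "no log4j-core found")
```

The check is deliberately conservative: a log4j-core whose version cannot be read but which still ships `JndiLookup.class` is reported as exposed. It also has the blind spot every file-based scanner of this kind had in December 2021: a vendor that shaded (relocated) Log4j into its own package namespace, or that compiled the classes into a non-zip container, will not match the paths above, which is exactly why vendor advisories, not scanners alone, ended up driving the response the Senator describes.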