At a glance.
- CISA on Log4j risk mitigation.
- FTC on Log4j and regulatory risk.
- CISA's state coordinators coming on board.
- Arizona's Cyber Command Center sees cybersecurity training as a core mission.
- FCC working groups announced.
- Hybrid war and defending forward.
CISA reports Federal agency compliance with Emergency Directive 22-02.
The US Cybersecurity and Infrastructure Security Agency (CISA) has told MeriTalk that the Federal agencies it oversees have substantially complied with Emergency Directive 22-02, which required that they take specified actions to mitigate risk by December 23rd, and that they report their status by December 28th. A CISA spokesperson said, “Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support ‘solution stacks’ that accept data input from the internet. CISA has received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk from thousands of internet-connected assets, the focus of the recent Emergency Directive.”
The FTC is clear on its expectations of business with respect to Log4j.
The US Federal Trade Commission (FTC) yesterday gave the businesses it regulates some direct advice on how seriously they ought to take the recently discovered Log4j vulnerabilities: "The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action." It explicitly reminds businesses what happened when Equifax failed to patch:
"According to the complaint in Equifax, a failure to patch a known vulnerability irreversibly exposed the personal information of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states. The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future."
The Commission refers businesses to CISA's Apache Log4j Vulnerability Guidance. If, after self-inspection and due diligence, a business finds itself exposed to the vulnerabilities, it should take the following steps without delay:
- "Update your Log4j software package to the most current version found here: https://logging.apache.org/log4j/2.x/security.html"
- "Consult CISA guidance to mitigate this vulnerability."
- "Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act."
- "Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable."
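The first and third steps above presuppose that a business can actually find every copy of log4j-core on its systems, including copies bundled inside application WAR and fat-JAR archives, which is where inventories most often miss them. The script below is an added illustration of that inventory step, not code from the FTC, CISA or the Apache project: it walks a directory tree, opens every JAR/WAR/EAR/ZIP it finds (recursing into archives nested inside archives), reads the Maven pom.properties that log4j-core ships with, and flags any copy whose version is below a threshold. The threshold `MIN_SAFE_VERSION` is a placeholder the operator must set from the Apache security page linked above; the sample tree and the version strings in it are constructed for the demonstration.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Placeholder only: set this from the Apache Log4j security page linked above.
# It is an assumption of this example, not a statement of which release is current.
MIN_SAFE_VERSION = "2.0.0"

# log4j-core JARs carry this Maven descriptor; its "version=" line is the authoritative version.
POM_RE = re.compile(r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' into (2, 14, 1); a non-numeric suffix such as '-rc1' is dropped."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def _versions_in_zip(zf, depth=0):
    """Collect every log4j-core version inside an open archive, descending into nested archives."""
    found = []
    for name in zf.namelist():
        if POM_RE.search(name):
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    found.append(line.split("=", 1)[1].strip())
        elif name.lower().endswith(ARCHIVE_SUFFIXES) and depth < 3:
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                    found.extend(_versions_in_zip(inner, depth + 1))
            except zipfile.BadZipFile:
                continue  # an entry that merely looks like an archive is skipped
    return found


def scan_tree(root, min_safe=MIN_SAFE_VERSION):
    """Return (path, version, needs_update) for every log4j-core found under root."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            try:
                with zipfile.ZipFile(path) as zf:
                    for version in _versions_in_zip(zf):
                        stale = parse_version(version) < parse_version(min_safe)
                        results.append((str(path), version, stale))
            except zipfile.BadZipFile:
                continue  # corrupt or misnamed file; not an archive
    return results


def build_sample_tree(root):
    """Constructed sample: a standalone log4j-core JAR, a WAR bundling another, and two decoys."""
    def make_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                        f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        return buf.getvalue()

    lib = Path(root) / "lib"
    lib.mkdir(parents=True)
    (lib / "log4j-core-old.jar").write_bytes(make_jar("1.9.0"))      # constructed version
    with zipfile.ZipFile(Path(root) / "app.war", "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-new.jar", make_jar("2.1.0"))  # constructed version
    (Path(root) / "notes.txt").write_text("not an archive")
    (Path(root) / "broken.jar").write_bytes(b"not really a zip")


def demo_scan():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for path, version, stale in demo_scan():
        print(f"{'UPDATE' if stale else 'ok    '} {version:>8}  {path}")
```

Pointing `scan_tree` at a real application root lists each embedded log4j-core with its version; anything flagged `UPDATE` is a copy the update step has not yet reached. Checking the Maven descriptor rather than the file name matters because shaded and renamed JARs keep the descriptor but lose the recognisable name.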
Looking forward, the FTC clearly intends to look closely at the supply chain risks open source software presents:
"The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies. These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy.[1] This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security."
CISA takes a state-by-state approach to cybersecurity.
The US Cybersecurity and Infrastructure Security Agency (CISA) is beginning to realize plans announced last year, addressing cybersecurity guidance and information sharing at the state level by creating a fifty-state network of federal cybersecurity coordinators. Laura Delaney, CISA’s deputy assistant director for the Integrated Operations Division, told Nextgov, “The CISA cybersecurity state coordinators play a central role in threat information sharing with state partners, but this also occurs through each State Fusion Center that typically includes several other federal partners, as well as the Multi-State Information Sharing and Analysis Center. The states share insight into their cybersecurity programs and practices, and having people on the ground in the states gives CISA a valuable resource for identifying incidents that may have national impact.” In addition to info sharing, coordinators lead workshops about state-level cybersecurity best practices, and also provide guidance for states applying for the Homeland Security Grant Program. So far, thirty-seven coordinators have been hired, and the selection process has begun for another five.
That said, the hiring process could be challenging, as it’s difficult, especially at the local level, to compete with the attractive compensation packages private companies offer cybersecurity professionals. Delaney hopes CISA’s new Cybersecurity Talent Management System, which “includes new hiring processes, new compensation structures and new development approaches designed specifically to recognize employees for their critical cybersecurity skills and mission contributions,” will help. Candidates are currently being sought for the cybersecurity coordinator programs in Alabama, Colorado, Iowa, Louisiana, Mississippi, New Mexico, South Carolina, and Tennessee.
Arizona Cyber Command Center to focus on cybersecurity training.
The states are also focusing on cybersecurity: last fall the state of Arizona launched its Cyber Command Center. Chamber Business News reports that Arizona and New Jersey are the only two states that officially categorize cybersecurity as a homeland security issue, and at the Center’s launch ceremony, Governor Doug Ducey stated, “Our society is becoming increasingly interconnected through technology, and cybersecurity has become one of the most important issues facing Arizona. This new command center will be critical in protecting Arizonans and ensuring our cyber infrastructure remains safe and secure.” Director of the Arizona Department of Homeland Security Tim Roemer, who oversaw the center’s launch, told Chamber Business News, “We can throw tens of millions and even hundreds of millions of dollars at advanced cyber protection technology and it won’t make a difference without coalition and partnership between business leaders in the private sector and the state government.” In the month of September alone, Arizona’s Department of Homeland Security detected 68 million cyber threats, and between 2005 and 2020 data breaches cost the state more than $1.6 billion. To address this issue, Roemer advocates improved employee cybersecurity training and the creation of “a culture of cybersecurity awareness.”
FCC announces working group membership.
The US Federal Communications Commission’s (FCC) Communications Security, Reliability, and Interoperability Council (CSRIC) advises the agency on maximizing the security and solvency of the country’s communications systems. MeriTalk reports that on December 30th the FCC announced the rosters of the CSRIC’s six working groups, which focus on such topics as 5G signaling security and reliability, Open Radio Access Network equipment, wireless emergency alerts, and virtualization technology. Group members include industry experts from AT&T, Oracle, Mavenir, and VMware.
Hybrid war and the prospect of a more assertive US forward defense.
An Atlantic Council policy paper recommends that the US recognize that, like it or not, this is effectively a period of hybrid war (both cyber and kinetic) and the US ought to act accordingly. “The [US Department of Defense] needs to compete now and engage in offensive hybrid warfare actions,” the recommendations say. “The United States must respond where competition with China and Russia is taking place today, primarily by playing an enhanced role in gray-zone competition.”
There is and has been, it must be noted, a lot of loose talk about war, and cyber war, where the concept of conflict is difficult to apply literally and unhelpful as a metaphor. But the Atlantic Council is thinking here in terms of the old spectrum of conflict, in which hybrid war occupies a kind of gray zone, falling between espionage and clear, undeniable kinetic military operations. Hybrid war includes some deniable kinetic action, but more importantly it includes offensive cyber operations that go beyond simple surveillance and collection to more directly disruptive action.
The Atlantic Council explains, “Accordingly, the Pentagon must embrace the paradigm of competition as a continuum from cooperation through competition to armed conflict. But embracing the continuum is not enough; the DoD, working with interagency partners where appropriate, must defend more aggressively and take offensive actions in the gray zone, consistent with American values.”