Cybersecurity experts struggle to answer lawmakers’ questions on Log4J hacking
Cybersecurity experts struggled Tuesday to answer lawmakers’ basic questions about the danger of a flaw in the open-source logging platform Apache Log4J that could plague computer network defenders for years to come.
The vulnerability was discovered in December, and the software’s widespread use led the FBI to tell victims in the immediate aftermath that it may not respond to them because of how large the pool of potential victims had grown.
After nearly two more months since its revelation, cybersecurity professionals said they were unable to answer senators’ questions about how the vulnerability may have been weaponized for years without detection and about the full picture of who was at-risk.
Potential victims reside in a range of industries including electric power, water, transportation, food, and manufacturing, according to the cybersecurity firm Dragos.
Apache Software Foundation president David Nalley told the Senate Homeland Security and Governmental Affairs Committee on Tuesday that he did not know how many users the flawed software has.
“Mr. Nalley, how many products use the Log4J code?” asked Sen. Josh Hawley, Missouri Republican, at the hearing. “Do you have any idea?”
“I have no insight into that,” Mr. Nalley said. “Unfortunately, our users are not required to enter into any contract to provide us with any contact information or tell us how or where or to what scale they’re using, so it is unknowable by me.”
Whatever the number of affected products is, it is likely still growing. Mr. Nalley said he heard that developers were still downloading a vulnerable version of Log4J in mid-January at a rate of roughly 10,000 downloads per hour. He said he did not know the number of attacks detected.
Cybersecurity companies have said they spotted hackers backed by China, Iran and others exploiting the vulnerability, which has spawned anxiety in U.S. cyber officials.
Asked about what China had done during the Senate hearing on Tuesday, Mr. Nalley said he did not know how the country used the flaw in his software.
Other cyber experts from Cisco, Palo Alto Networks, and the Atlantic Council, also had no answer.
Even if the cyber experts knew what China and other nations hostile to the U.S. might do now to leverage the hack against Americans, they may never know what has already happened. The vulnerable software appears to have been available since 2013.
Sen. James Lankford, Oklahoma Republican, asked the cyber experts what the chances were that the software flaw had been exploited in the previous nine years and the witnesses all sat in silence until he urged anyone to answer him.
Mr. Nalley said his team observed no evidence of exploitation before the flaw was disclosed in December but he noted that absence of evidence is not evidence of absence.
Cisco senior vice president Brad Arkin said using a sample of the problem investigators could look backward through computer logs to hunt for examples of where it was used previously.
“From our telemetry, I think there were some indications of exploit prior to Dec. 9 but only a week earlier, back to Dec. 2,” Mr. Arkin said. “There was no indication that we have of any exploits that went earlier than that.”
Details of the private sector’s inability to get its arms around how big of a problem the hack is and how it might have been leveraged in cyberattacks are being used by the homeland security committee’s leadership to push for passing new cybersecurity legislation.
Sens. Gary Peters, Michigan Democrat, and Rob Portman, Ohio Republican, said Tuesday they were bundling three bills the duo authored and advanced through committee into one package involving cyberincident-reporting requirements and rules for critical infrastructure operators, among other things.
Mr. Peters said Russia had reportedly used the vulnerability in its cyberattacks against Ukraine.
“The impacts of widespread vulnerabilities need to be better understood, and we need to pass incident reporting legislation to ensure that we actually have a full picture of the threat we are facing in this country,” Mr. Peters said at the hearing.
The Log4J hack has not produced clearly observable victims to the general public in the way that last year’s ransomware attack against the Colonial Pipeline yielded a disruption in fuel markets that led to gas lines along the east coast.
Cyberattackers could be waiting for the right moment to use the vulnerability to take advantage but other possibilities exist too.
The National Security Agency’s Greg Bednarski said on Twitter in January that the problem of missing victims could result from factors ranging from people not knowing they were victimized to network defenders being more competent than expected.
Last week, the Biden administration announced the creation of a “Cyber Safety Review Board” with members from the public and private sectors tasked to study the Log4J problem and file a report in the summer.
If cyber experts’ predictions become true, the Log4J problem will not cease before the report is due.
“Given the near-ubiquity of Log4J’s use, it may be months or even years before all the deployed instances of this vulnerability are eliminated,” Mr. Nalley said.
Gloss