Through letters to the U.S. Departments of Commerce, Energy, and Health and Human Services, the Environmental Protection Agency, and the National Telecommunications and Information Administration, members of the House Energy and Commerce Committee have requested information on federal network security efforts.
More than a dozen chairmen and senior members of the House Energy and Commerce Committee signed the letters, along with members of its subcommittees on Oversight and Investigations; Communications and Technology; Consumer Protection and Commerce; Energy; and Environment and Climate Change. Collectively, their concern has focused on identifying and preventing potential federal network security breaches.
Although the details changed from letter to letter, an example of their approach can be seen in the letter to U.S. Energy Secretary Jennifer Granholm, whom they asked about the open source software vulnerability in Apache Log4j.
“The pervasive nature of this vulnerability and the hundreds of thousands of known exploits since its disclosure raise concerns about how the US government identifies and mitigates potential compromises to its network security,” the lawmakers wrote.
As of December last year, the Log4j vulnerability was being widely exploited, according to a statement CISA Director Jen Easterly made at the time. She also described it as an urgent challenge and later noted that it posed a serious risk that could only be minimized through collaborative efforts between government and the private sector.
“Because the Log4j vulnerability is widespread and can affect enterprise applications, embedded systems and their subcomponents, the committee seeks to gain a comprehensive understanding of the scope of the vulnerability and the steps taken to mitigate its effects,” the members wrote to Granholm. “The security risk to the federal network is of particular concern because nation-state threat actors have attempted to exploit this Log4j vulnerability.”
Lawmakers posed similar questions to Granholm and the other department heads, from whom they demanded answers by August 24, 2022, including:
- When did the department first discover the Log4j vulnerability?
- What actions have been taken in response to CISA guidance in December 2021 and subsequent guidance of April 8, 2022 regarding the Log4j vulnerability?
- What tools are used to detect instances of the Log4j vulnerability on department networks, and what is the timeline for identifying these vulnerabilities?
- Does the department use software that uses Apache Log4j?
- Have any Log4j compromises or exploits affected the department?
- What are the anomaly reporting requirements and what are the alert thresholds related to potential compromises?
- Are there specific and ongoing plans to identify and repair software potentially vulnerable to cyber threats?