The disclosure in December of a widespread and active cybersecurity vulnerability that has put at risk millions of government and private sector computer systems worldwide demonstrates the need for critical infrastructure companies to be required to report major cyber and ransomware attacks on their networks to the federal government, Sen. Gary Peters (D-Mich.), chairman of the Senate Homeland Security and Governmental Affairs Committee, said on Wednesday.
The committee on Wednesday hosted a virtual briefing with two of the top U.S. cybersecurity officials, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, and Chris Inglis, the National Cyber Director, to discuss the Biden Administration’s response to the Log4j vulnerability.
“The vulnerability in log4j is one of the most serious and widespread cybersecurity risks that we have ever seen, and it leaves countless major companies, government agencies and small businesses susceptible to harmful attacks from cybercriminals and adversaries,” Peters said in a statement following the briefing. “I was pleased to hear how our government has swiftly mobilized to respond to this threat, including by requiring federal agencies to secure their systems and by offering support to impacted organizations.’
He added that “I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability, or the risk posed to critical infrastructure. Our federal government still lacks the necessary insight to understand the threat facing our nation, protect our networks, and impose consequences on malicious hackers.”
Peters said he will continue to push for Congress to pass bipartisan legislation requiring critical infrastructure entities to report to the government when they have been hit with a significant cyber-attack or have paid a ransom. CISA has been a strong proponent of the legislation, which failed to pass Congress last year, because it will allow them to see cyber threats sooner and provide necessary alerts to those who may also be impacted or could also come under attack.
Easterly, on Dec. 11, two days after the vulnerability was discovered, warned in a message that the security vulnerability was “being widely exploited by a growing set of threat actors” and warned of “an urgent challenge to network defenders.”