Officials point to Apache vulnerability in urging passage of cyber incident reporting bill

Key federal cybersecurity officials are pushing for passage of legislation to create mandates for certain organizations to report cyberattacks amid the fallout from a massive vulnerability in Apache logging package Log4j, which has left organizations worldwide vulnerable.

Bipartisan legislation to establish cyber incident reporting standards was set to be included in the compromise version of the National Defense Authorization Act (NDAA), but was removed at the last minute due to concerns from Sen. Rick Scott (R-Fla.) about the scope of the bill. Scott’s concerns were addressed, but not in time for the provision to be included in the NDAA.

It was set to be the main congressional response to a series of major attacks this year that have included high profile ransomware attacks on Colonial Pipeline and JBS USA, along with the SolarWinds hack, which led to at least nine federal agencies and 100 private sector groups being breached.

The legislation would require critical infrastructure companies to report a cyberattack to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery, and report any ransomware payments made within 24 hours. Currently, there is no law on the books requiring these organizations to report incidents, making it far more difficult for the federal government to respond.

In the wake of the new Log4j vulnerability, which has sent cybersecurity professionals worldwide racing to patch systems before nation states including China and Iran can exploit the issue, top officials are pushing hard for Congress to revisit cyber incident reporting. 

“CISA estimates that hundreds of millions of devices in use around the world are potentially susceptible to the log4j vulnerability,” CISA Director Jen Easterly said Thursday in a statement provided to The Hill. “We know malicious actors are actively exploiting this vulnerability in the wild. While we are not at this time tracking any confirmed incidents impacting critical infrastructure directly related to log4j, the Federal Government simply does not have the level of information it needs to definitively understand the breadth or nature of intrusions occurring as a result of this severe vulnerability.”

“A cybersecurity incident reporting law would ensure CISA and our partners receive timely information about successful exploitation of critical infrastructure networks quickly after they are discovered, enabling us to help victims mitigate the effects, stop the spread to additional victims, and better track the size, scope, and scale of any adversary campaigns to exploit widespread vulnerabilities like log4j,” Easterly said. 

Sponsors of the bill to create incident reporting are still continuing to push forward on the effort as well, despite missing out on passage through the NDAA.

“Newly discovered vulnerabilities in the log4j software that could have far ranging and severe impacts is just the latest example of why Congress must urgently pass my bipartisan bill to ensure critical infrastructure is reporting to CISA when they are hit by a substantial cyber-attack or when they pay a ransom,” Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), the lead sponsor of the bill, said in a statement provided to The Hill.

“This will allow our federal government to warn others of the threat, determine risks to national security, and prepare for widespread impacts,” Peters said. “These attacks are only increasing in frequency and sophistication – and I’ll continue pushing my colleagues to pass this landmark legislation as soon as possible so our nation can take significant steps to deter foreign adversaries and cybercriminals from attacking our networks and disrupting American lives and livelihoods.”  

Senate Homeland Security Committee ranking member Rob Portman (R-Ohio), another sponsor of the bill, was similarly concerned about the impact of the Log4j vulnerability.

“CISA Director Jen Easterly has told me that with the discovery of the log4j vulnerability, enacting my bipartisan cyber incident reporting bill is more urgent than ever,” Portman said Thursday in a statement provided to The Hill. “This vulnerability is widespread and I am concerned that many adversaries—like Russia, China, and cybercriminals—will exploit it without our knowledge. We cannot allow that to happen.”

Since the discovery of the Log4j vulnerability late last week, cybercriminals and nation states have moved in to exploit it, with both Microsoft and Mandiant acknowledging Wednesday they had seen governments attempting to target organizations. 

“We must pass the Cyber Incident Reporting for Critical Infrastructure Act to provide the needed visibility so that, as a nation, we can fully detect, coordinate, and defend against cyberattacks from foreign governments and criminal organizations,” Portman said. “I am very disappointed it was not included in the NDAA and will be working to get it passed as soon as possible.”

The bill also has support in the House, where House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and Rep. Yvette Clarke (D-N.Y.), the chair of the committee’s cybersecurity subcommittee, said in a statement earlier this month that House Speaker Nancy Pelosi (D-Calif.) was supportive of cyber incident response efforts.

Senate Intelligence Committee Chairman Mark Warner (D-Va.), another sponsor alongside most of the bipartisan members of his committee, told The Hill Wednesday that he was hopeful that cyber incident reporting could pass through unanimous consent (UC) in the Senate.

“I would love to see if we might be able to get a UC process through, as we all know, there is great bipartisan agreement, nothing is easy in this place,” Warner said. “That and saving democracy are the two Christmas presents I want the most.”

Updated at 7:16 p.m.