When researchers discovered a vulnerability in the ubiquitous open-source Log4j logging library last year that could have affected hundreds of millions of devices, the executive branch snapped into action and major tech companies huddled with the White House.
Now, leaders of the Senate Homeland Security and Governmental Affairs Committee are introducing legislation to help secure open-source software, first reported by The Cybersecurity 202. Chairman Gary Peters (D-Mich.) and top ranking Republican Rob Portman (Ohio) plan to hold a vote next week on the bill they’re co-sponsoring.
Open-source software — whose source code anyone can inspect, modify, build and maintain, often on a volunteer basis — is nearly everywhere, from the “Minecraft” video game to Apple iCloud to devices used in sectors ranging from health care to energy.
The Peters/Portman legislation would direct the Cybersecurity and Infrastructure Security Agency to develop a way to evaluate and reduce risk in systems that rely on open-source software. Later, CISA would study how that framework could apply to critical infrastructure.
An engineer working for Chinese tech firm Alibaba in November discovered the log4j bug, known as Log4Shell, and reported it to the Apache Software Foundation, which runs the project. In December, staff for the “Minecraft” video game reported the flaw in a version of the game that hackers could use to take over players’ computers, causing the problem to spill out into the public.
There was a pretty big government response.
And yet, Log4Shell has not caused any known widespread damage so far.
That doesn’t mean Log4Shell doesn’t still pose risks. In July, the federal Cyber Safety Review Board called the log4j bug “endemic” and said it would pose a danger for decades. And House Energy and Commerce Committee members sought an update in August from agencies on how they were addressing the vulnerability.
“Log4j is one of the most serious software vulnerabilities in history,” Department of Homeland Security Undersecretary of Policy Robert Silvers said this summer.
Here’s how the Peters-Portman legislation works:
Portman said the bill “will ensure that the U.S. government anticipates and mitigates security vulnerabilities in open source software to protect Americans’ most sensitive data.”
At least one notable cyber expert supports the legislation.
“If signed into law, it would serve as a historic step for wider federal support for the health and security of open source software,” Trey Herr, director of the Cyber Statecraft Initiative at the Atlantic Council’s Scowcroft Center for Strategy and Security, said in a written statement.
Whatever comes of the Peters-Portman legislation in a Congress where there is still plenty of work to be done before the year ends, some of the potential fixes for what ails open-source software security fall outside the realm of government responsibility.
Five dozen civil rights organizations pleaded with Facebook parent Meta, Twitter, TikTok and YouTube to bolster the content moderation systems that the civil rights organizations believe allowed Trump’s baseless claims about election rigging to spread, but with less than two months until midterm elections, members of the Change the Terms coalition say they’ve seen little in the way of a response from the companies, Naomi Nix reports.
In memos, the coalition said Facebook parent Meta still allows posts supporting the idea that the 2020 election was stolen, Twitter’s ban on 2020 disinformation isn’t being consistently enforced and YouTube isn’t investing enough resources to fight problematic content in languages other than English.
“The comments by civil rights activists shed light on the political pressures tech companies face behind the scenes as they make high-stakes decisions about which potentially rule-breaking posts to leave up or take down in a campaign season in which hundreds of congressional seats are up for grabs,” Naomi writes. “Civil rights groups and left-leaning political leaders accuse Silicon Valley platforms of not doing enough to remove content that misleads the public or incites violence during politically cautious times.”
The social media companies defended their practices.
A group of senators from both parties asked Director of National Intelligence Avril Haines to review the security threat posed by Apple’s plan to use memory chips from Chinese chipmaker YMTC in its new iPhone 14, Ellen Nakashima reports.
Apple previously said YMTC chips aren’t used in its products and that it was “evaluating” whether to use the chips for some iPhones sold in China. All user data stored on such chips is “fully encrypted,” the company said. The company reiterated to The Post that it wasn’t planning to use the chips in iPhones sold outside China. It declined to comment on the letter.
But the senators fear that the phones could make their way into the global market, according to a Senate aide who spoke on the condition of anonymity because they were not authorized to comment on the record.
“The senators also want Haines to look at what they said was YMTC’s role in aiding other Chinese firms, including the telecom equipment manufacturer Huawei, which is under strict U.S. export controls,” Ellen writes. “And they want her to examine YMTC’s alleged links to the Chinese military.”
The hackers, who called themselves “Homeland Justice,” had access to the Albanian government’s networks during that time and stole some emails, the FBI and CISA said. They eventually put ransomware on the networks, and when Albanian authorities began to respond, the hackers deployed malware intended to delete data from the networks.
Albania cut diplomatic ties with Iran over the hack, marking the first time a government had responded that aggressively to a cyberattack.
“In September 2022, Iranian cyber actors launched another wave of cyberattacks against the Government of Albania, using similar [tactics, techniques and procedures] and malware as the cyberattacks in July,” the FBI and CISA said in their report. “These were likely done in retaliation for public attribution of the cyberattacks in July and severed diplomatic ties between Albania and Iran.”