Sen. Gary Peters, D-Mich., is renewing calls for mandatory incident reporting legislation after meeting virtually with Biden administration cybersecurity leaders on Jan. 5 for a briefing on the critical Log4j vulnerability.
After meeting with National Cyber Director Chris Inglis and Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, Peters again sounded the alarm on the vulnerability, which CISA has been helping Federal agencies to mitigate since last month.
The senator also lamented that without cyber incident reporting legislation, it will be impossible to understand the scope of the vulnerability’s impact.
“The vulnerability in log4j is one of the most serious and widespread cybersecurity risks that we have ever seen, and it leaves countless major companies, government agencies, and small businesses susceptible to harmful attacks from cybercriminals and adversaries,” Peters said in a press release.
“I convened a committee briefing with Administration officials to get additional information on how this cybersecurity threat is affecting the Federal government, critical infrastructure, and other entities, and what the Administration has been doing to help remediate the issue. I was pleased to hear how our government has swiftly mobilized to respond to this threat – including by requiring federal agencies to secure their systems and by offering support to impacted organizations.”
CISA first alerted the public to the vulnerability Dec. 11, adding it to the agency’s vulnerability catalog the same day and requiring Federal agencies to remediate it. CISA has continued working with Federal agencies to help them mitigate any potential risks and remediate the vulnerability. It later upped the urgency by issuing an emergency directive Dec. 17.
“However, I remain concerned that we will likely never know the full scope and impacts of this widespread vulnerability, or the risk posed to critical infrastructure,” he continued. “Our Federal government still lacks the necessary insight to understand the threat facing our nation, protect our networks, and impose consequences on malicious hackers.”
Sen. Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee, had worked with Ranking Member Rob Portman, R-Ohio, to get incident reporting legislation included in the fiscal year 2022 National Defense Authorization Act. However, that piece of the legislation was stripped from the conferenced version of the bill that was eventually signed by President Biden, to the shock of observers.
“I will continue pushing to pass my bipartisan legislation to require critical infrastructure companies to report a substantial attack or when they pay the ransom so the government can better assess national risk, prepare for national security impacts, and execute coordinated responses,” Sen. Peters pledged.