Officials at the White House are meeting with companies such as Apple, IBM, Apache, and others to talk about cybersecurity in the wake of the Log4j incident.
In December, White House National Security Advisor Jake Sullivan requested a meeting with companies over maintenance of open source software. The meeting was spurred by the serious Log4j bug affecting companies since late 2021.
On Thursday, National Cyber Director Chris Inglis tweeted about the issue, saying “#log4j has highlighted the need to improve our software security and the transparency of our software supply chain. Enjoying the discussion with @WHNSC and leading open source project managers about how to bring coherence to federal efforts to increase software resilience.”
Log4j is a Java-based logging tool managed by the Apache Software Foundation. The Foundation released documents to explain its response to the vulnerability and how it will take action.
Additionally, CISA Director Jen Easterly and CISA’s Executive Assistant Director for Cybersecurity Eric Goldstein held a press conference in December. Ms. Easterly shared best practices and guidance to help partners, outlining the following steps:
- Exercise incident response and recovery playbooks;
- Open information sharing channels with the U.S. government;
- Consider a heightened monitoring and response posture and adequate staffing for SOCs and response teams; and
- Refresh and exercise continuity of operations plans.
On December 17, CISA issued an Emergency Directive requiring federal civilian executive branch agencies to take mitigation measures to secure their networks. Mr. Goldstein encouraged non-federal government participants on the call to review the directive and consider taking similar measures themselves.