I am very proud of this inaugural report from Cyber Safety Review Board (CSRB) on the #Log4j incident. Grateful for the leadership of our Board Chair @DHS_Policy and Deputy Chair @argvee. Here are the most important highlights from my perspective 🧵
https://twitter.com/DHS_Policy/status/1547552265774448641
1. CSRB has found NO EVIDENCE of any malicious exploitation of vulnerability prior to the December 9th public disclosure of the vulnerability. This is important since there was speculation about whether China or any other country may have had early knowledge and exploited the bug
Public reporting prior to our investigation had indicated the opposite, so it was important for us to try to get to the bottom of this issue
2. Alibaba and its researcher Chen Zhaojun had followed the recognized best practices for coordinated vulnerability disclosure in reporting the bug to Apache Software Foundation (ASF) and I believe they should be commended for it
3. CSRB was not able to conclusively determine how a researcher at BoundaryX, a Chinese firm, had uncovered (and then published) the vulnerability prior to its public disclosure
However, since ASF had opened a public issue in its tracking system and committed a fix to the vulnerability as early as Dec 5th, it is likely that BoundaryX had uncovered it from reverse engineering of these actions
4. CSRB heard from the official representative of the Chinese government, as well as other sources, that Alibaba reported the vulnerability to the Chinese Ministry of Industry and Technology (MIIT) on Dec 13th, well after the public disclosure
5. Chinese government chose not answer CSRB’s questions about whether public reports about Alibaba being sanctioned by MIIT for not reporting the vulnerability to them earlier are accurate, which increased the Board’s concerns about China’s mandatory vulnerability disclosure laws
Such laws can provide Chinese government (and their intelligence services) early access to exploitable vulnerabilities before they are patched
The reports about alleged sanctions of Alibaba by MIIT (whether true or not) could create a chilling effect and deter other Chinese researchers from following Alibaba’s example and disclosing vulnerabilities responsibly
It was highly unfortunate that the Chinese government did not take the opportunity to dispel or confirm these reports in their response to CSRB
Beyond these important fact-findings, CSRB has issued 19 recommendations for industry, CISA, OMB, NCD, NIST, federal and state regulators, and other parties
It was my great honor to work with an all-star team of senior government and private sector leaders on this report. Being a new board, it was not an easy process to do a complex investigation involving parties in multiple countries like this but I believe we met the challenge
• • •
Missing some Tweet in this thread? You can try to
force a refresh
