White House officials are meeting with companies including Apple, IBM, Apache and others to discuss cybersecurity following the Log4j incident.
In December, White House national security adviser Jake Sullivan requested a meeting with the companies about maintaining open source software. The meeting was spurred by the serious Log4j bug affecting enterprises since late 2021.
On Thursday, National Cybersecurity Director Chris Inglis tweeted about it, saying “#log4j has highlighted the need to improve the security of our software and the transparency of our software supply chain. I appreciate the discussion with @WHNSC and key open source project leaders on how to bring consistency to federal efforts to increase software resiliency.”
Log4j is a Java-based logging tool maintained by the Apache Software Foundation. The Foundation has released documents to explain its response to the vulnerability and how it will act.
Additionally, CISA Director Jen Easterly and CISA Executive Assistant Director for Cybersecurity Eric Goldstein held a press conference in December. Easterly shared best practices and guidelines to help partners, including the following steps:
- Exercise and recovery incident response manuals;
- Open channels for sharing information with the US government;
- Consider a strengthened surveillance and response posture and adequate staffing for SOCs and response teams; and
- Update and exercise the continuity of operations plans.
On December 17, CISA issued an emergency directive requiring civilian federal executive branch agencies to take mitigating measures to secure their networks. Goldstein encouraged nonfederal participants in the call to review the directive and consider taking similar action themselves.