
Log4j2 vulnerability is big! The White House wants to call a meeting of tech giants to ensure the security of open source software


Reporting by XinZhiyuan

Editor: David

The Log4j2 vulnerability incident is boiling over, and the US government can't sit still. The White House is poised to invite tech companies to discuss the security of open source software, elevate it to the level of "national security", and introduce rules requiring that vulnerabilities be reported to the government when they are discovered. In fact, China, on the other side of the ocean, has already introduced similar regulations.

Recently, a vulnerability in the Java open source tool Log4j2 sparked a wide discussion about the security of open source software.

Log4j2 is an open source logging component for Java applications that is widely used by organizations and enterprises around the world in business system development. At present, Google, Microsoft, Amazon and other technology giants all make extensive use of this tool.


Recently, a serious vulnerability in the tool was disclosed that attackers can exploit to install malware on affected systems. The vulnerability is considered one of the worst software security flaws in recent years and has already affected a large number of systems.

Currently, Log4j2 is maintained by volunteers from the nonprofit Apache Software Foundation.


The Apache Software Foundation has released patches, along with guidelines explaining how users can mitigate the vulnerability if they cannot apply the patches.

Still, in just a few days after the vulnerability was disclosed, hundreds of thousands of attack attempts targeting it were recorded.

This incident undoubtedly exposed how under-resourced the open source software community is when it comes to security maintenance. Is relying on volunteers alone really enough to keep such widely used open source tools secure?

The U.S. government intervened again.


According to Bloomberg, White House National Security Adviser Jake Sullivan has invited several technology companies to discuss how to improve the cybersecurity of open source software. These technology companies include "major software companies and developers" as well as cloud service providers.


Anne Neuberger, deputy U.S. national security adviser on cyber and emerging technologies, will hold a one-day discussion with representatives of invited technology companies next January. The discussion will involve "executives of companies responsible for open source projects and security."

In a letter to invited tech companies, Sullivan reportedly said discussions between tech executives and White House officials were necessary.

He said open source software projects are very popular and have a huge number of users, but are only maintained by community volunteers, which could pose "national security issues, like the Log4j vulnerability."

In fact, the U.S. government has a long history of attention to cybersecurity issues.


In August, Biden met with executives from tech giants such as Amazon, Google, and Microsoft to discuss cybersecurity. A communiqué issued after the meeting said cybersecurity issues were "core national security challenges."


In May, the Biden administration issued an executive order to "strengthen the security of the software supply chain" as one of the explicit measures to improve the federal government's cybersecurity, requiring government-purchased software to meet minimum security standards.

Faced with government demands, several U.S. tech giants have pledged to invest billions of dollars in cybersecurity-related projects over the next few years.

Major players in the open source software ecosystem are also taking steps to improve cybersecurity.


The Linux Foundation announced in October that it had raised $10 million from more than two dozen tech companies and other organizations to support a project called the Open Source Security Foundation. The program is a cross-industry collaboration designed to improve the security of open source software.

China and the United States have "matching" rules: discovered vulnerabilities must be reported to the government

In December, shortly after the Log4j vulnerability was exposed, the U.S. government's Cybersecurity and Infrastructure Security Agency (CISA) issued guidelines for dealing with the vulnerability.


The document further reinforces the government's place at the head of the vulnerability reporting chain, making it clear that once such cybersecurity threats are discovered, they should be reported to the government's information security authorities and the FBI.


The document was jointly issued by the United States together with the United Kingdom, Canada, Australia and New Zealand (the so-called Five Eyes), and several other countries have introduced similar rules.

In fact, cybersecurity is a top priority not only in the United States across the ocean, but also in China.

The "Provisions on the Management of Network Product Security Vulnerabilities" (hereinafter the "Provisions"), jointly issued by the Ministry of Industry and Information Technology, the Cyberspace Administration of China and the Ministry of Public Security, also clearly stipulate the reporting obligation after a network security vulnerability is discovered: it must be reported to the Ministry of Industry and Information Technology.


The Provisions clearly state that, in addition to "immediately notifying the relevant product providers", network product providers should "submit relevant vulnerability information to the Cybersecurity Threat and Vulnerability Information Sharing Platform of the Ministry of Industry and Information Technology within 2 days."

It was previously reported that as early as the end of November, Alibaba Cloud developers found the Log4j2 vulnerability and reported it to the software provider Apache, but did not report it to the Ministry of Industry and Information Technology in time.

It was not until December 9 that the Ministry of Industry and Information Technology learned of the vulnerability through a report from security agencies, after which it issued a security risk warning:


Alibaba Cloud's conduct clearly violated the Provisions. The Ministry of Industry and Information Technology publicly reprimanded and penalized Alibaba Cloud, suspending its status as a cooperating unit of the Ministry's cybersecurity threat information sharing platform for 6 months.

Recently, after Alibaba Cloud discovered a serious security vulnerability in the Apache Log4j2 component, it failed to report it to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology in carrying out network security threat and vulnerability management. After deliberation, Alibaba Cloud is suspended as the above-mentioned cooperating unit for 6 months. After the suspension period expires, restoration of the above-mentioned cooperating-unit status will be considered based on Alibaba Cloud's rectification.

In response, Alibaba Cloud responded:

Because the severity of the vulnerability was not recognized at an early stage, the vulnerability information was not shared in a timely manner. Alibaba Cloud will strengthen vulnerability management, enhance compliance awareness, and actively coordinate with all parties to prevent network security risks.

In this regard, some netizens believe that Alibaba Cloud's punishment this time is not unjust: in this incident, Alibaba Cloud's handling did lack the necessary "compliance awareness".

What do you think about that?

Resources:

https://www.zhihu.com/question/507698803

http://www.gov.cn/gongbao/content/2021/content_5641351.htm

https://siliconangle.com/2021/08/25/white-house-holds-summit-discuss-national-cybersecurity-strategy/

https://www.bloomberg.com/news/articles/2021-12-23/white-house-extends-invitation-to-improve-open-source-security
