
I recently had the privilege of providing testimony to the U.S. Senate Homeland Security and Governmental Affairs Committee regarding Cisco’s remediation of the Log4Shell vulnerability. To clarify, Log4Shell is the software vulnerability in Apache Log4j 2, the popular Java library for logging application error messages.

My testimony addressed how Cisco responded to protect its own enterprise and our customers, the security challenges that follow from the ubiquity of open-source code, and the actions the Federal government and Congress can take to improve software security. I was one of four security-industry witnesses who provided both written and verbal testimony to the Committee.

The impact of Log4Shell

To share some brief background: on December 9, 2021, a critical vulnerability was revealed in the Log4j library, which is used in most Java applications on the Internet. This forced organizations around the world to figure out where they were using Log4j, what exposure needed to be addressed, and how they could best manage the associated risks.

For Cisco, the scope and diversity of our technology business mean protecting both our internal enterprise and the customers who use Cisco's on-premises hardware products and cloud-delivered services. We needed to quickly identify where the vulnerable library was present so we could apply the necessary fixes, using risk assessments to prioritize our efforts. With Log4j, our internal networks were patched, and fixes were available for vulnerable on-premises products, within the first two weeks of notification.
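The two steps described above, finding where the library is present and ranking the findings by risk, are the part of the response that most organizations had to improvise. The script below is an added example (not Cisco's tooling) that reads the Maven metadata Log4j ships inside its JAR files, compares the recorded version against a fixed-version threshold, and orders the results so that vulnerable archives on Internet-facing assets come first. It assumes the standard Maven layout `META-INF/maven/<groupId>/<artifactId>/pom.properties`; the threshold `FIXED_VERSION_PLACEHOLDER`, the sample asset names, exposure tags and version numbers are all constructed for the demonstration and should be replaced with values from the vendor advisory and your own asset inventory.

```python
"""Inventory JAR files for log4j-core and rank findings by exposure.

Added example, not Cisco's code. Assumes the standard Maven metadata path
inside each JAR; the fixed-version threshold is a placeholder.
"""
import io
import re
import zipfile
from dataclasses import dataclass

GROUP_ID = "org.apache.logging.log4j"
ARTIFACT_ID = "log4j-core"
POM_PATH = f"META-INF/maven/{GROUP_ID}/{ARTIFACT_ID}/pom.properties"

# Placeholder threshold (constructed): substitute the first fixed version
# named in the advisory that applies to your deployment.
FIXED_VERSION_PLACEHOLDER = "2.99.0"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(-.+)?$")


def parse_version(text):
    """Turn '2.3.0' or '2.0-beta9' into a sortable tuple.

    A pre-release suffix sorts below the plain release of the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1)


def log4j_core_version(jar_bytes):
    """Return the log4j-core version recorded in the JAR's Maven metadata, or None."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if POM_PATH not in zf.namelist():
            return None
        props = zf.read(POM_PATH).decode("utf-8", errors="replace")
    for line in props.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version":
            return value.strip()
    return None


@dataclass
class Finding:
    asset: str
    jar_name: str
    version: str
    exposure: str  # "internet" or "internal": constructed asset metadata
    vulnerable: bool


EXPOSURE_RANK = {"internet": 0, "internal": 1}


def assess(inventory, fixed_version):
    """inventory: iterable of (asset, jar_name, jar_bytes, exposure).

    Returns Findings for every JAR that carries log4j-core metadata,
    vulnerable ones first, Internet-facing assets before internal ones.
    """
    fixed = parse_version(fixed_version)
    findings = []
    for asset, jar_name, jar_bytes, exposure in inventory:
        version = log4j_core_version(jar_bytes)
        if version is None:
            continue  # not log4j-core (or metadata stripped): needs another check
        findings.append(Finding(asset, jar_name, version, exposure,
                                parse_version(version) < fixed))
    findings.sort(key=lambda f: (not f.vulnerable,
                                 EXPOSURE_RANK.get(f.exposure, 9), f.asset))
    return findings


def make_jar(version, with_metadata=True):
    """Build a minimal in-memory JAR holding only Maven metadata (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_metadata:
            zf.writestr(POM_PATH, f"groupId={GROUP_ID}\nartifactId={ARTIFACT_ID}\n"
                                  f"version={version}\n")
    return buf.getvalue()


# Constructed sample inventory: asset names, versions and exposure are invented.
SAMPLE_INVENTORY = [
    ("billing-portal", "log4j-core-2.3.0.jar", make_jar("2.3.0"), "internet"),
    ("build-server", "log4j-core-2.98.0.jar", make_jar("2.98.0"), "internal"),
    ("reporting-db", "log4j-core-2.99.0.jar", make_jar("2.99.0"), "internal"),
    ("hr-intranet", "some-other-lib.jar", make_jar("1.0", with_metadata=False), "internal"),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_INVENTORY, FIXED_VERSION_PLACEHOLDER):
        status = "FIX NOW" if f.vulnerable else "ok"
        print(f"{status:8} {f.exposure:9} {f.asset:16} {f.jar_name} ({f.version})")
```

Two caveats a practitioner would add: archives with stripped metadata (the `hr-intranet` case) fall through silently here and need a content-based check, and shaded or repackaged copies of the library will not sit under the Maven path at all, which is why version inventories were only the first pass during the real response.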

Cisco’s rapid response to Log4Shell

This speed of response was driven by lessons learned from the past, Cisco's ongoing automation, and numerous security investments that allowed us to assess and mitigate very quickly. We also collaborated closely with industry peers and government agencies, including the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), to build a shared understanding across the public and private sectors during incidents like Log4j.

Cisco is among the world's largest users of, and contributors to, commercial open-source software (OSS). We recognize that shared development infrastructure brings shared risk, which is why Cisco makes significant investments to improve the security of widely used open-source projects, including our work with the Apache Software Foundation.

Boosting cyber resilience

Because it is written and maintained by people, all software, not just OSS, has the potential to contain vulnerabilities and requires secure lifecycle management. There is no silver bullet that will safeguard us from future vulnerabilities, so we need to continually raise the baseline for all software security, increase our speed and efficiency at finding and fixing problems, and boost our resilience against attacks.

The secure software development and zero-trust networking requirements in Executive Order 14028 are important steps forward—regardless of whether they would have prevented the Log4Shell vulnerability. We will continue our efforts to shape these requirements in partnership with key federal agencies, including CISA, and to drive adoption within Cisco and by our industry peers.


Authors

Brad Arkin

No Longer with Cisco