E&C Bipartisan Leaders Request Briefings to Address Ongoing Efforts to Strengthen U.S. Government Network Security

Washington, D.C. — House Energy and Commerce Committee Republican Leader Cathy McMorris Rodgers (R-WA), Committee Chairman Frank Pallone, Jr. (D-NJ), and Subcommittee Leaders sent letters to the Departments of Commerce, Energy, Health and Human Services, and the Environmental Protection Agency requesting briefings to address concerns about how the U.S. government is identifying and mitigating potential compromises to its network security. 

Oversight and Investigations Subcommittee Republican Leader Morgan Griffith (R-VA), Subcommittee Chairwoman Diana DeGette (D-CO), Communications and Technology Subcommittee Republican Leader Bob Latta (R-OH), Subcommittee Chairman Mike Doyle (D-PA), Consumer Protection and Commerce Subcommittee Republican Leader Gus Bilirakis (R-FL), Subcommittee Chairwoman Jan Schakowsky (D-IL), Energy Subcommittee Republican Leader Fred Upton (R-MI), Subcommittee Chairman Bobby Rush (D-IL), Environment and Climate Change Subcommittee Republican Leader David McKinley (R-WV), Subcommittee Chairman Paul Tonko (D-NY), Health Subcommittee Republican Leader Brett Guthrie (R-KY), and Subcommittee Chairwoman Anna G. Eshoo (D-CA) also joined in sending the letters to the federal agencies. 

Excerpts and highlights from the letter to Energy Secretary Jennifer Granholm: 

“Secretary Granholm:  

“We write to request a briefing from your department related to the recent open-source software vulnerability—Apache Log4j. The ubiquitous nature of this vulnerability and the hundreds of thousands of known exploits since its disclosure raise concerns about how the U.S. government is identifying and mitigating potential compromises to its network security.” 

[…] 

“On December 11, 2021, CISA Director Jen Easterly stated that ‘this vulnerability, which is being widely exploited by a growing set of threat actors, presents an urgent challenge to network defenders given its broad use.’ She later added, ‘[t]o be clear, this vulnerability poses a severe risk. We will only minimize potential impacts through collaborative efforts between government and the private sector.’” 

[…] 

“Over the past several years, the Committee has done extensive work on cyber threats, including hearings and investigations examining the information-security programs and controls over key computer systems and networks at multiple agencies under the Committee’s jurisdiction. Because the Log4j vulnerability is widespread and can affect enterprise applications, embedded systems, and their sub-components, the Committee is seeking to gain a comprehensive understanding of the scope of the vulnerability and actions being taken to mitigate its effects. The risk to federal network security is especially concerning because nation-state threat actors have attempted to exploit this Log4j vulnerability. 

“Accordingly, we request a staff briefing to discuss your department’s response to the Log4j vulnerability by August 10, 2022, including the following questions: 

  1. When did your department first learn of the Log4j vulnerability? 
  2. What specific actions has your department taken in response to CISA’s guidance in December 2021 and subsequent directive on April 8, 2022, regarding the Log4j vulnerability? 
  3. What tools does your department employ to detect all instances of the Log4j vulnerability on your networks? What is your department’s schedule for identifying the Log4j vulnerability? 
  4. Does your department employ software that utilizes Apache Log4j? If so, how many software products employed by the department include the Log4j vulnerability? 
  5. Has your department been impacted by a compromise or exploitation of the Log4j vulnerability? If so, when was your department first compromised, when did you detect the compromise, what was the extent of the compromise, and how did the department address the compromise? 
  6. What incident alert thresholds does your department have for potential compromises generally, and what are your requirements for escalating and reporting anomalies? 
  7. Does your department have a specific plan to identify and remediate, on an ongoing basis, software that it uses to ensure the department is not currently using software vulnerable to a cyber threat?” 

CLICK HERE to read the letter to the Department of Commerce.  

CLICK HERE to read the letter to the Department of Energy.  

CLICK HERE to read the letter to the Department of Health and Human Services.  

CLICK HERE to read the letter to the Environmental Protection Agency.  

CLICK HERE to read the letter to the National Telecommunications and Information Administration.