A computer vulnerability discovered last year in ubiquitous software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.
The Cyber Safety Review Board said in an April 14 report that although there have been no signs of a major cyberattack due to the Log4j flaw, it will still be “exploited for years to come”.
“Log4j is one of the most severe software vulnerabilities in history,” Board Chairman Rob Silvers, Undersecretary at the Department of Homeland Security, told reporters.
The Log4j flaw, made public late last year, makes it easy for Internet-based attackers to take control of everything from industrial control systems to web servers and consumer electronics. The first clear signs of the flaw being exploited appeared in Minecraft, a hugely popular online game owned by Microsoft.
The discovery of the flaw triggered urgent warnings from government officials and massive efforts from cybersecurity professionals to patch vulnerable systems.
The board said on April 14 that “somewhat surprisingly” exploitation of the Log4j bug had occurred at levels lower than those predicted by experts. The council also said it was not aware of any “significant” Log4j attacks on critical infrastructure systems, but noted that some cyberattacks go unreported.
The council said future attacks are likely in large part because Log4j is regularly integrated with other software and can be difficult for organizations running it in their systems to find.
“This event is not over,” Silvers said.
Log4j, written in the Java programming language, records user activity on computers. Developed and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is extremely popular with commercial software developers.
A security researcher from Chinese tech giant Alibaba informed the foundation on November 24. It took two weeks to develop and release a patch. Chinese media reported that the government punished Alibaba for not reporting the flaw sooner to state officials.
The board said it found “troubling elements” in the Chinese government’s policy on vulnerability disclosure, saying it could give Chinese hackers early insight into vulnerabilities they could use for nefarious purposes such as stealing trade secrets or spying on dissidents. The Chinese government has long denied wrongdoing in cyberspace and told the board it encourages better information sharing about software vulnerabilities.
The council offered a number of recommendations on mitigating the fallout from the Log4j flaw as well as improving cybersecurity in general. These include the suggestion that universities and community colleges make cybersecurity training a required part of computer science degree and certification programs.
The Cyber Safety Review Board is modeled after the National Transportation Safety Board, which reviews plane crashes and other major accidents, and was mandated by an executive order signed by Biden last May. The 15-member board is made up of FBI, National Security Agency and other government officials as well as individuals from the private sector. Some supporters of the new council criticized DHS for taking so long to get it up and running.
Biden’s executive order directed the board to conduct its first review of the massive Russian cyber-espionage campaign known as SolarWinds. Russian hackers were able to breach multiple federal agencies, including accounts belonging to senior cybersecurity officials at DHS, though the full fallout from this campaign is still unclear.
Silvers said DHS and the White House agreed that looking into the Log4j flaw was a better use of the new council’s expertise and time.
Copyright 2022 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.