According to a new cybersecurity panel formed by President Joe Biden, a software flaw uncovered last year in an omnipresent piece of software is an “endemic” problem that will pose security threats for potentially a decade or more. The Cyber Safety Review Board stated in a report that while there has been no indication of any significant cyberattack due to the Log4j vulnerability, it will still “be exploited for years to come.”
“Log4j is one of the most serious software vulnerabilities in history,” the panel’s chairman, Department of Homeland Security Under Secretary Rob Silvers, briefed reporters.
The Log4j security vulnerability, which came to light late last year, allows internet-based attackers to quickly take control of everything from web servers to industrial control systems and consumer electronics. The first noticeable indications of the flaw’s exploitation emerged in Minecraft, a popular online game owned by Microsoft.
The discovery of the flaw prompted urgent warnings from government officials and immense efforts by cybersecurity experts to fix vulnerable systems.
The board said that, “somewhat surprisingly”, exploitation of the Log4j flaw had appeared at lower levels than professionals anticipated. The board also said it was unaware of any significant Log4j attacks on critical infrastructure systems, but noted that some cyberattacks go unreported.
The panel stated that future attacks remain possible, largely because Log4j is routinely embedded in other software and can be hard for institutions to trace within their systems.
Log4j, written in the Java programming language, is a logging library that records user activity on computers. Created and maintained by a handful of volunteers under the auspices of the open-source Apache Software Foundation, it is widely used by commercial software developers.
A security researcher at the Chinese tech giant Alibaba reported the flaw to the foundation on November 24. However, it took almost two weeks to develop and release a patch. In addition, according to Chinese media reports, the government penalized Alibaba for not reporting the flaw to state authorities sooner.
The board said it found “alarming elements” in the Chinese national policy on vulnerability disclosures, stating it could give Chinese hackers an early look at software bugs they could use for illicit purposes such as stealing trade secrets or spying on dissidents. The Chinese government has long denied wrongdoing in cyberspace and told the board that its policy facilitates greater knowledge sharing on software flaws.
The board proposed several recommendations for mitigating the fallout of the Log4j flaw and improving cybersecurity in general. These include proposing that community colleges and universities make cybersecurity training a mandatory part of computer science degree and diploma programs.
The new Cyber Safety Review Board is modeled after the National Transportation Safety Board, which investigates airplane crashes and other major accidents, and was mandated by an executive order President Biden signed last May. The 15-member panel comprises officials from the FBI, the National Security Agency and other government agencies, as well as private sector members. Some supporters of the new board criticized DHS for taking so long to get it up and running.
The president’s executive order mandated the board to conduct its first investigation into the vast Russian cyber-espionage campaign known as SolarWinds. Russian hackers breached several federal agencies, including reports belonging to top cybersecurity officials at DHS, though the full fallout from that campaign is still unclear.