CISA issues 'emergency directive,' orders federal agencies to address Log4j vulnerability

The Cybersecurity and Infrastructure Security Agency on Friday issued an “emergency directive” ordering federal civilian entities to take immediate action against the recently discovered vulnerability in Log4j software.

“The log4j vulnerabilities pose an unacceptable risk to federal network security,” CISA Director Jen Easterly said in a statement accompanying the order.

The directive gives federal agencies until December 23 to detail all of the internet-facing installations of the software on their networks and turn the information over to CISA. Agencies must also check to see if their networks employ publicly-available software that utilizes Log4j.

Easterly said the Homeland Security Department’s cyber wing issued the guidance, which is more urgent than a directive issued earlier by the agency, to “drive federal civilian agencies to take action now to protect their networks, focusing first on internet-facing devices that pose the greatest immediate risk.”

CISA also “strongly urges every organization large and small to follow the federal government’s lead and take similar steps to assess their network security and adapt the mitigation measures outlined in our Emergency Directive,” according to Easterly. “ If you are using a vulnerable product on your network, you should consider your door wide open to any number of threats.”   

Federal officials have sounded the alarm over the Log4j flaw, warning that potentially hundreds of millions of devices around the globe could be affected. This week CISA officials said they saw no signs of malicious actors using the vulnerability to break into the systems of federal departments and agencies.

However, Microsoft warned in a blog post that hackers with links to the governments of China, Iran, North Korea and Turkey have sought to exploit the flaw.

On Thursday, Homeland Security Secretary Alejandro Mayorkas said that he’s “extraordinarily concerned” about the newly-uncovered critical flaw.

"It's uppermost in our minds, and, quite frankly, uppermost in our action plans," Mayorkas said during an event with the German Marshall Fund of the United States.

“The challenge it presents is its prevalence, because they attacked a software that is omnipresent, and then there's a vulnerability that has been exposed and others can jump in in the exploitation of that vulnerability and really multiply the harm,” according to Mayorkas.

He stressed that the federal government is working "very, very quickly" on the issue.

The emergency directive "remains in effect until CISA determines that all agencies operating affected software have performed all required actions from this Directive or the Directive is terminated through other appropriate action," the guidance states.