First Cyber Safety Review Board report finds Log4j has become an 'endemic vulnerability'

The flaw uncovered late last year in the widely-used Log4j Java library will remain a danger for many years to come, the independent body charged with investigating the global incident said Thursday.

The inaugural report by the Homeland Security Department’s Cyber Safety Review Board found that, despite efforts by organizations across the federal and private sectors to protect their networks, Log4j has become an “endemic vulnerability” — meaning unpatched versions of the omnipresent software library will remain in systems for the next decade, if not longer.

“This event is not over. The risk remains. Network defenders have to stay vigilant,” Rob Silvers, the undersecretary for policy at DHS, and the panel’s chair, told reporters on Wednesday during a conference call.

The report is the culmination of roughly five months of work by the board, which was created last year as part of President Joe Biden’s sweeping executive order meant to revamp the federal government’s approach to cybersecurity. 

The 15-person panel — which is loosely modeled after the National Transportation Safety Board and features officials from across the public and private sectors — was tasked in February to dig into how the Log4j weakness occurred and come up with lessons the digital security community could take from the worldwide response.

Silvers said board members conducted interviews with around 80 organizations and engaged with industry, foreign government and security experts to obtain information. Recorded Future, the parent company of The Record, was contacted during that process.

The board also spoke with representatives from the Chinese government, since it was an engineer at Alibaba — one of China’s largest cloud providers — that originally uncovered and reported the flaw in the open-source software tool.

The government confirmed that Alibaba reported the vulnerability to the Chinese Ministry of Industry and Information Technology on December 13, more than two weeks after it was first found, according to Silvers, adding that Beijing didn’t answer questions about alleged sanctions against the company. 

He also noted that the board “did not find evidence” that China used its advanced knowledge of the weakness to exploit networks, which was a concern given Beijing’s track record of massive intrusions and intellectual property theft.

Overall, the board made 19 recommendations for entities to undertake as they stay alert against Log4j. The board’s conclusions also encourage raising the bar for security within the cyber community, especially the open source sector where software developers are “thinly resourced” and volunteer-based, Heather Adkins, Google’s Vice President for Security Engineering and the panel’s deputy chair, told reporters.

“We hope that the findings we have are both inspirational for the community, but also not surprising or unattainable,” she said.

In a statement, Homeland Security Secretary Alejandro Mayorkas said the examination provided the government and industry with “clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security.”