When was the last time your company's software was updated? If it was more than six months ago, your network is at serious risk of compromise, and if your company operates in a critical infrastructure sector, you may also be subject to the new 72-hour cyber incident reporting requirement discussed below.
On July 14, 2022, the United States Cyber Safety Review Board ("CSRB") released its review of the Log4j event, describing the flaw as an "endemic" vulnerability in software used by organizations in every industry around the world. The CSRB warned that it is vital for companies, especially those holding sensitive information, to upgrade affected software to a patched version or risk falling prey to a cyber-attack.
What is Log4j?
"Log4j is one of the most serious software vulnerabilities in history," said Department of Homeland Security Under Secretary Bob Silvers. Strictly speaking, Log4j is not itself the vulnerability: it is a free, widely used logging library maintained by the Apache Logging Services Project that developers embed in Java-based software. The vulnerability in it, commonly called Log4Shell (CVE-2021-44228), lets an attacker run code of their choosing on a server simply by getting the server to log a specially crafted string. It was reported to Apache in late November 2021 by a security researcher at Alibaba Cloud, the cloud computing arm of Alibaba, China's largest online retailer, and became public in December 2021 when it was widely exploited against servers for Minecraft, the incredibly popular video game owned by Microsoft.
What Software Is Affected?
Because Log4j is used so widely, many organizations may not be aware that they are running it and are therefore at risk. It is embedded in thousands of software products, including extremely popular ones such as VMware products and Apple iCloud. Since the library is usually bundled inside another product rather than installed on its own, a list of installed programs will not reveal it; companies need to check vendor advisories and inspect the software they run directly.
How Do I Fix It?
Unfortunately, the CSRB warned that vulnerable instances of Log4j will remain in systems for a decade or longer. To address these risks, the CSRB recommends that companies do the following:
- Follow your company's incident response plan to determine whether your software is affected and to address the threat. If your company does not have a written plan for responding to cyber breaches, malware, or other threats, reach out to your outside counsel for recommended next steps.
- Update your software to a patched version. Apache has published fixed releases of Log4j since December 2021 (2.17.1 for Java 8 and later, 2.12.4 for Java 7, and 2.3.2 for Java 6), and vendors whose products bundle Log4j have shipped corresponding updates. Note that the older Log4j 1.x line reached end-of-life in 2015 and receives no security fixes at all, so applications still using it should be migrated. If your company relies on software from third-party vendors, contact those vendors to arrange for an update.
- If your company is attacked through the Log4j vulnerability, report it to the FBI or the Cybersecurity and Infrastructure Security Agency (CISA). The Cyber Incident Reporting for Critical Infrastructure Act, signed into law in March 2022, will require covered entities in "critical infrastructure sectors" such as financial services, information technology, energy, healthcare, transportation, and critical manufacturing to report covered cyber incidents to CISA within 72 hours. That obligation takes effect once CISA finalizes its implementing regulations, so covered companies should put reporting procedures in place now.
- Practice good "cybersecurity hygiene" by running regular scans for malware and known vulnerabilities. Be prepared to invest in or adopt new technologies and strategies to mitigate potential cyber threats.
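The first two steps above, finding out whether Log4j is present and whether each copy is a patched one, are where most companies get stuck, because the library is usually buried inside other software rather than installed on its own. The following Python script is an added example written for this article; it is not CSRB or Apache tooling. It walks a directory tree, opens every .jar, .war and .ear archive (including archives nested inside other archives, where bundled copies usually hide), reads the Log4j version from the Maven pom.properties file that log4j-core jars carry (falling back to the filename), and classifies each copy against Apache's fixed releases. The version thresholds and the JndiLookup class path are taken from Apache's published guidance and are assumed current as of mid-2022; the sample archives the script builds in a temporary directory are constructed for the demonstration.

```python
"""Scan a directory tree for bundled copies of Log4j and report patch status.

Added example for this article (not CSRB or Apache tooling). Assumes Apache's
published thresholds: 2.17.1 (Java 8+), 2.12.4 (Java 7), 2.3.2 (Java 6).
"""
import io
import re
import tempfile
import zipfile
from pathlib import Path

ARCHIVES = (".jar", ".war", ".ear")
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
CORE_PREFIX = "org/apache/logging/log4j/core/"
JAR_NAME = re.compile(r"log4j(?:-core)?-(\d+(?:\.\d+)+)\.jar$")
# Per 2.x branch: (first release fixing CVE-2021-44228, Apache's recommended minimum)
BRANCHES = {
    (2, 3): ((2, 3, 1), (2, 3, 2)),        # Java 6 line
    (2, 12): ((2, 12, 2), (2, 12, 4)),     # Java 7 line
    "default": ((2, 15, 0), (2, 17, 1)),   # Java 8 and later
}


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def jar_version(zf, name):
    """Maven metadata survives even in shaded jars; the filename is the fallback."""
    if POM_PROPS in zf.namelist():
        m = re.search(r"^version=(\S+)", zf.read(POM_PROPS).decode("utf-8", "replace"), re.M)
        if m:
            return parse_version(m.group(1))
    m = JAR_NAME.search(name)
    return parse_version(m.group(1)) if m else None


def classify(version, has_jndi_lookup):
    if version is None:
        return "unknown"
    if version[0] != 2:
        return "eol"            # Log4j 1.x: end-of-life, migrate rather than patch
    first_fix, minimum = BRANCHES.get(version[:2], BRANCHES["default"])
    if version >= minimum:
        return "fixed"
    if version < first_fix:
        # Deleting JndiLookup.class was Apache's stop-gap for systems that could not upgrade
        return "mitigated" if not has_jndi_lookup else "vulnerable"
    return "outdated"           # CVE-2021-44228 fixed, later CVEs in this line are not


def assess_zip(zf, name):
    names = zf.namelist()
    findings = []
    if JAR_NAME.search(name) or POM_PROPS in names or any(n.startswith(CORE_PREFIX) for n in names):
        v = jar_version(zf, name)
        findings.append({"path": name, "version": v, "status": classify(v, JNDI_LOOKUP in names)})
    for n in names:             # recurse: fat jars, wars and ears carry their own copy
        if n.endswith(ARCHIVES):
            with zipfile.ZipFile(io.BytesIO(zf.read(n))) as inner:
                findings.extend(assess_zip(inner, f"{name}!/{n}"))
    return findings


def scan(root):
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix in ARCHIVES and zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                findings.extend(assess_zip(zf, str(path)))
    return findings


def build_jar(entries):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, data in entries.items():
            zf.writestr(n, data)
    return buf.getvalue()


def make_samples(root):
    """Constructed sample archives mimicking layouts a real scan runs into."""
    def core(version, keep_jndi=True):
        entries = {POM_PROPS: f"version={version}\n", CORE_PREFIX + "Logger.class": b""}
        if keep_jndi:
            entries[JNDI_LOOKUP] = b""
        return build_jar(entries)
    samples = {
        "app1/lib/log4j-core-2.14.1.jar": core("2.14.1"),
        "app2/lib/log4j-core-2.14.1.jar": core("2.14.1", keep_jndi=False),  # class deleted
        "app3/lib/log4j-core-2.16.0.jar": core("2.16.0"),
        "app4/lib/log4j-core-2.17.1.jar": core("2.17.1"),
        "legacy/log4j-1.2.17.jar": build_jar({"org/apache/log4j/Logger.class": b""}),
        "app5/service.war": build_jar({"WEB-INF/lib/log4j-core-2.12.1.jar": core("2.12.1")}),
    }
    for rel, data in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the samples in a temp dir, scan them, return sorted (version, status) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        make_samples(tmp)
        return sorted((f["version"], f["status"]) for f in scan(tmp))


if __name__ == "__main__":
    for version, status in demo():
        print(".".join(map(str, version)), status)
```

Point scan() at an application or installation directory (for example /opt or a web server's deployment folder) to get the same report for real software. A "mitigated" result means someone removed the JndiLookup class, Apache's stop-gap for deployments that could not upgrade immediately; it should still be scheduled for a proper update, and an "outdated" copy has the original flaw fixed but not the follow-up ones Apache patched in the later releases.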
As the world becomes more dependent on technology, companies must stay aware of cyber vulnerabilities and respond to them quickly. If your company needs assistance in implementing these protocols, contact Alex Boyer or Erin Beckner Conlin, Chief Compliance Officer at Tucker Arensberg, P.C.
Cyber Safety Review Board (CSRB), "Review of the December 2021 Log4j Event," July 2022, https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf.
Associated Press, "Log4j Software Flaw 'Endemic,' New Cyber Safety Panel Says," July 14, 2022, https://apnews.com/article/biden-technology-software-hacking-4361f6e9b386259609b05b389db4d7bf.