A new government-industry board stood up earlier this year to assess major cybersecurity events and make related recommendations has published its first ever report, which warns that the Log4j open-source software used in millions of information systems worldwide contains a serious vulnerability discovered in late 2021 that will persist for years but so far there appear to be no major attacks on critical infrastructures due to the security flaw.
Still, the report by the Cyber Safety Review Board (CSRB) suggests that a full accounting of exploits against the vulnerability remains sketchy.
“Somewhat surprisingly, the Board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than may experts predicted, given the severity of the vulnerability,” says the 52-page report, Review of the December 2021 Log4J Event. “It has been difficult to arrive at this conclusion. While cybersecurity vendors were able to provide some anecdotal evidence of exploitation, no authoritative source exists to understand exploitation trends across geographies, industries, or ecosystem.”
The report highlights that, for the most part, incident reporting remains voluntary. It also warns that the vulnerability will be around for a while.
“Most importantly, however, the Log4j event is not over,” it says. “The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances will remain in systems for many years to come, perhaps a decade or longer. Significant risk remains.”
Dmitri Alperovitch, who co-founded the cybersecurity firm CrowdStrike [CRWD] and now helps run the bipartisan policy firm Silverado, tweeted that that the lack of evidence for major exploitation of the Log4j is one of the key findings of the report.
“This is important since there was speculation about whether China or any other country may have had early knowledge and exploited the bug,” tweeted Alperovitch, who is a member of the CSRB.
Board membership consists of government and industry representatives and is led by Robert Silvers, deputy under secretary for policy at the Department of Homeland Security, as chair, and Heather Adkins, the deputy chair, who is vice president of security engineering at Google [GOOG].
The CSRB was stood up earlier this year at the direction of President Biden to bring together government and industry experts to examine cybersecurity events in partnership. DHS said the board worked with nearly 80 organizations and individuals to learn about the Log4j event and develop recommendations.
The board made 19 recommendations, including urging organizations remain ready to address vulnerabilities for years and report on observations of Log4j compromises, and invest in secure software development and open-source software security.
“Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future,” Silvers said in a statement. “Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity.”