In late 2021, a major cyber vulnerability was detected in Apache Log4j, a Java logging library that is present in billions of software packages and devices. It is debated whether the bug was first discovered on November 24 by Chen Zhaojun, a member of Alibaba Cloud’s security team, or by anonymous users on Minecraft forums, but by December 6, a patch had been developed to fix the vulnerability. Despite this, the pervasiveness of Log4j, which can still be exploited in any system that has not been patched, has led numerous outlets and cybersecurity experts to describe the vulnerability as the biggest and most critical one ever recorded.
What’s worse, the revelations surrounding Log4j came on the heels of Congress’ decision to exclude from this year’s Defense spending bill a requirement for companies to report cyberattacks against them within a specified window of time. The confluence of these events means that companies in the US who fall victim to a data breach caused by Log4j have no specific timetable for reporting such incidents to government bodies like the Cybersecurity and Infrastructure Security Agency (CISA), which had just received funding to protect Americans from those very attacks. Without mandatory reporting requirements for confirmed cyber incidents at US companies, it is all the more likely that the Log4j vulnerability could lead to the most disastrous breach of personal data in the history of the internet.
What is Log4j?
Log4j is a popular open-source Java logging framework first released by the Apache Software Foundation on January 8, 2001 and succeeded by Apache Log4j 2 in July 2014. It is used to record log and error messages within web applications, cloud services, and email platforms. Given the foundational role of Java in software development in general, Log4j is widely used by software developers across a multitude of Big Tech companies, government agencies, operators of critical infrastructure, and more.
What is the Log4j vulnerability?
The exploit discovered in Log4j, also referred to as Log4Shell, is described as a “zero-day” vulnerability involving “arbitrary code execution”. In simple terms, the vulnerability, which was previously unknown to its developers or potential targets, allows hackers to use Log4j to run their own code inside another system remotely. The fact that Java runs on billions of devices means that the vulnerability could potentially give malicious actors unfettered access to a huge swath of systems that leave Log4j unpatched. These hackers can then instigate attacks as devastating as full server takedowns.
Too little too late?
Despite the fact that Log4j was patched 12 days after its discovery, the bug has since been described as “arguably the most severe vulnerability ever.” In response, CISA, along with other cybersecurity agencies including those in the EU and Australia, issued alerts about the vulnerability. The FTC also warned companies that it would take full legal action against them for failing to take reasonable steps to update their Log4j software to the most current version. The Chinese Ministry of Information Technology, which was alerted to the vulnerability by a third party on December 9, issued its own notice a week later. Shortly thereafter, the Chinese government suspended its major cybersecurity deal with Alibaba Cloud over the incident.
Big Tech has been on the case as well, with companies like Amazon releasing their own hotpatches and guides for users to protect their data. Google, too, deployed its army of engineers to comb through its software. Yet the overarching message from government officials, industry leaders, and academics has been largely the same: strap in, and hope for the best – because the worst is yet to come.
Log4j demonstrates the need for mandatory cyber reporting
We are now in the eye of the storm. In the wake of the revelations surrounding Log4j, the Belgian Defense Ministry confirmed that it had been subjected to a cyberattack instigated through exploitation of Log4Shell, and cybersecurity provider Check Point reported that it had thwarted attempts by Iranian hackers targeting Israel. Yet despite the sheer number of systems made vulnerable by Log4Shell, US federal agencies have not been subjected to attacks stemming from Log4j, nor have any major data breaches occurred due to the vulnerability.
That is, none that we know of. Speaking to reporters on January 10, CISA Director Jen Easterly pointedly stated that while no major cyberattacks involving the bug have been reported in the US, “many attacks go unreported”. In that same statement, Easterly referred to the 2017 Equifax data breach – in which the credit bureau waited nearly 40 days to disclose that the data of over 140 million Americans had been compromised by hackers exploiting open-source software.
In order to have a chance of preventing, or at least mitigating, major data breaches executed by hackers exploiting Log4Shell, companies that process large troves of data must be obliged to report cyber incidents to relevant authorities in a timely manner. The European Union made major headway on this topic by adopting the General Data Protection Regulation (GDPR) in 2018, which requires companies to report confirmed cyber incidents within 72 hours. China is looking to go a step further, as outlined by its draft Regulations on the Management of Online Data Security released on November 14, 2021. While the draft regulations require data processors, as a baseline, to notify interested parties within 72 hours of a security incident that causes harm to individuals and/or organizations, data security incidents involving “important data” or the personal information of over 100,000 people have to be reported to the government within eight hours of the incident’s occurrence.
Yet, even after the Log4j vulnerability was discovered, Congress ultimately excluded mandatory cyber incident reporting from the 2022 National Defense Authorization Act (NDAA) at the eleventh hour. Months previously, several bipartisan pieces of legislation had been circulated – each with varying levels of requirements ranging from a 24-hour reporting window to a grace period of at least 72 hours. Even after a compromise was reportedly reached on a final version of the mandatory reporting provisions on the night of December 6, no such language was included before the final text of the bill was published the next day.
The failure of a cyber reporting provision to make it into the NDAA occurred just before news of Log4j went viral. While January may seem to have been a quiet month in the face of much-warranted catastrophizing over the Log4j vulnerability, that is not to say that the next Equifax breach hasn’t already happened – we just might not know it. As expediently as possible, Congress needs to renew its efforts to require timely reporting on confirmed cyber incidents for CISA and other relevant agencies to adequately mitigate and respond to major breaches. If it doesn’t, we may just have to wait for the next Minecraft forum to hear about it instead.