The Biden administration is warning that a widespread cyber vulnerability discovered last year will linger for several years — perhaps more than a decade.
The flaw in the open-source logging library Apache Log4j panicked the public and private sectors last year because the tool is so widely embedded in software.
Cybersecurity experts’ worst fears of devastating attacks on critical systems have not materialized, but people are not safe from attacks exploiting the flaw, according to the Cyber Safety Review Board.
President Biden created the board this year with members from the public and private sectors to study Log4j and report back this summer.
“The Board assesses that Log4j is an ‘endemic vulnerability’ and that vulnerable instances of Log4j will remain in systems for many years to come, perhaps a decade or longer,” the board said in its report published Thursday. “Significant risk remains.”
Despite the board’s assessment of the danger, its report noted that it did not see the anticipated destruction to critical infrastructure. Cybersecurity firm Dragos previously pointed to potential victims in industries such as electric power, food, water, transportation and manufacturing.
“At the time of writing, the Board is not aware of any significant Log4j-based attacks on critical infrastructure systems,” the board wrote. “Somewhat surprisingly, the Board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.”
Earlier this year, the software security firm Rezilion said nearly 60% of software packages affected by the Log4j flaw had still not been fixed nearly four months after the problem was first discovered.
Among the bigger challenges that the board detailed was the amount of time that information technology workers and cybersecurity defenders spent responding to the vulnerability.
The board said many organizations reported negative consequences to business operations because of the time spent responding to Log4j, and the board noted that the resulting exhaustion could drive talented network defenders out of their jobs.
“One federal cabinet department reported dedicating 33,000 hours to Log4j vulnerability response,” the board said. “These responses, often sustained over many weeks and months, resulted in high costs and delayed other mission-critical work, including responding to other vulnerabilities.”
The board comprises 15 members from government and business, including representatives of companies such as Google, Microsoft and Verizon, and of federal agencies such as the Department of Homeland Security, the FBI and the National Security Agency.
The report listed 19 recommendations and predicted that vulnerable versions of systems will remain active for a decade and continue to be exploited. The report said the board is not focused on assigning blame or functioning as a regulator.
Hostile foreign adversaries have leveraged the flaw to attempt to harm Americans. The cybersecurity firm Mandiant has said it observed hackers from China and Iran using the vulnerability, and Microsoft spotted groups from North Korea and Turkey as well.
The Cybersecurity and Infrastructure Security Agency and the U.S. Coast Guard Cyber Command published an alert last month saying state-sponsored cyberattackers were using the flaw to gain initial access to organizations that had not patched the problem or put workarounds in place.
Homeland Security Secretary Alejandro Mayorkas delivered the board’s new report to Mr. Biden. Mr. Mayorkas said in a statement that his agency would work to implement the board’s recommendations.