Log4j is a popular open-source Java logging library used to record events so that problems can be troubleshot or data retained. A critical remote-code-execution vulnerability in the library, widely known as Log4Shell, was reported to the Apache project in late November 2021 and disclosed publicly in December; because Log4j is embedded in so much other software, the flaw reportedly exposed almost a third of the world’s web servers. Organizations such as Twitter, Amazon, Microsoft, Cisco, and more were reportedly affected.
Within weeks, 4 million exploitation attempts had been observed, posing a crisis-level threat. Microsoft reported that state-backed actors from China, Iran, Turkey, and North Korea were attempting to exploit the flaw. U.S. Cybersecurity and Infrastructure Security Agency Director Jen Easterly called it “the most serious security breach ever.”
Michael Baker, chief information security officer at General Dynamics Information Technology (GDIT), spoke with John Cofrancesco of Fortress Information Security about the implications of the vulnerability, noting that while the IT community knows where the flaw has been found so far, “we’re under no delusions that that’s the only place it’s going to rear its ugly head.”
Baker stressed what an all-consuming task it is to clean up after the vulnerability. His role at GDIT covers cyber operations, vulnerability and risk management, and architecture.
Referencing President Joe Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity,” Baker said, “it was aggressive but it was necessary,” noting that the Log4j vulnerability surfaced almost exactly one year after the SolarWinds supply-chain compromise of December 2020, in which a backdoored software update exposed federal government data.
One element of the executive order that Baker singled out as important was the Software Bill of Materials (SBOM), a formal record of the components used to build a piece of software and the supply-chain relationships among them. The order requires that software sold to the federal government come with an SBOM for each product, provided to the purchaser either directly or by publishing it on a public website.
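As an added illustration (not part of the article and not anything Baker or GDIT described), the check below shows what an SBOM buys a defender in a Log4j-style incident: given a CycloneDX-style SBOM in JSON, it walks every component, including nested ones delivered inside other packages, and flags each log4j-core entry below a minimum safe version. The SBOM content is constructed for the example; the nested-component layout and the 2.17.1 threshold (the release at which the December 2021 fixes for the 2.x line were complete) are choices of this example rather than anything the article states; and pre-release tags such as 2.17.1-rc1 are deliberately ranked below the corresponding release so they are not mistaken for a patched build.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment for this example (not a real product).
# The nested "components" entry models a library that arrives transitively inside
# another package, the case where a vulnerable copy is easiest to miss.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "reporting-widget",
     "version": "3.2.0", "purl": "pkg:maven/com.example/reporting-widget@3.2.0",
     "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"}
     ]},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.0-beta9", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}
  ]
}
"""

LOG4J_GROUP = "org.apache.logging.log4j"
LOG4J_ARTIFACT = "log4j-core"
# Minimum acceptable version, as (major, minor, patch, is_final_release).
# 2.17.1 is used here as an assumption of the example; adjust to current advisories.
MIN_SAFE = (2, 17, 1, 1)


def parse_version(version):
    """Convert '2.14.1' or '2.0-beta9' into a comparable tuple.

    The numeric part is padded to three fields; the fourth field is 0 for any
    pre-release tag (beta, rc, ...) and 1 for a final release, so that
    '2.17.1-rc1' sorts below '2.17.1' rather than being mistaken for it.
    """
    base, _, tag = version.partition("-")
    nums = [int(x) for x in re.findall(r"\d+", base)]
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums) + ((0 if tag else 1),)


def walk_components(components, path=()):
    """Yield (path, component) for every component, recursing into nested ones."""
    for comp in components:
        ident = f"{comp.get('group', '')}:{comp.get('name', '')}@{comp.get('version', '')}"
        here = path + (ident,)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)


def find_vulnerable_log4j(sbom_text, min_safe=MIN_SAFE):
    """Return a list of findings for every log4j-core component below min_safe."""
    sbom = json.loads(sbom_text)
    findings = []
    for path, comp in walk_components(sbom.get("components", [])):
        if comp.get("group") != LOG4J_GROUP or comp.get("name") != LOG4J_ARTIFACT:
            continue
        version = comp.get("version", "0")
        if parse_version(version) < min_safe:
            findings.append({"version": version, "path": " -> ".join(path)})
    return findings


if __name__ == "__main__":
    for f in find_vulnerable_log4j(SAMPLE_SBOM):
        print(f"VULNERABLE log4j-core {f['version']} via {f['path']}")
```

The walk matters more than the version comparison: the top-level 2.14.1 copy is obvious, but the same check also confirms that the copy bundled inside `reporting-widget` is already at 2.17.1, which is exactly the per-component visibility an SBOM is meant to provide. An engine that only compares the top-level entry would miss a vulnerable copy nested the other way round.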
Baker concluded that the vulnerability should prompt an inquiry into how organizations use and consume open-source software, but that this kind of risk is inherent to IT absent sweeping changes or serious constraints on how business is conducted.
“We must have hard discussions around open source and freeware software – but it’s not like that’s the only place where the problem exists. It exists in off-the-shelf software as well. Risk is risk is risk; you accept it, you buy it down or you transfer it,” said Baker.