Log4J Cyber Threat Requires New Approach to Design Flaws
Information security professionals have spent the past month battling one of the most significant cyber threats to the computer systems that control America’s critical infrastructure. To put it in perspective, the affected software is so commonly used that it would be akin to security managers discovering that every lock bought via the commercial supply chain could be opened with a few clicks of a keyboard.
The threat comes from a newly discovered flaw in a widely used piece of software known as Apache’s Log4J. The White House called this discovery a “national security concern” just days ago when it announced it was convening a summit of software company chief executive officers, signaling the gravity of the threat and the continuing fallout.
Accordingly, it’s time for builders of systems to adopt a “zero trust” approach. Zero trust has traditionally meant not trusting any connection — assuming that every connection carried malware. Now, it’s clear there should be “zero trust” for all software components within a system, even — and especially — those that “everybody” uses.
Log4J is a standard piece of software that keeps a log of activity on a system. It is popular among software engineers who can incorporate the open-source technology into a wide variety of computer systems. Log4J is omnipresent in servers, within cloud computing systems, and in many gaming or personal device systems. In short, it is everywhere.
The Log4J issue presents an enormous challenge to security professionals. If the building-block elements of a computer system are vulnerable, no amount of cyber best practices — such as changing passwords or using multifactor authentication — will keep the hackers out. They can just pick the locks at will.
Besides setting off alarm bells at the White House, the Log4J threat has sparked worry among chief information security officers and prominent U.S. technology companies, prompting round-the-clock efforts to mitigate what may be the most alarming cyber development since the discovery of the SolarWinds hack in December 2020.
On Dec. 9, 2021, researchers discovered that by changing some lines of code in Log4J, hackers can gain access to almost any system, including those that control banks, transportation systems, the energy grid, and other elements of critical infrastructure.
This discovery led to an urgent warning by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which published an “emergency directive” on Dec. 17. The directive ominously warned that “exploitation of [Log4J] vulnerabilities allows an unauthenticated attacker to remotely execute code on a server” — meaning that an attacker could gain access to and possibly take over a system. The agency directed other federal agencies to patch the vulnerability and urged all operators of private-sector systems to do the same.
Additionally, the Federal Trade Commission issued one of its starkest responses about the vulnerability, warning companies that it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4J, or similar known vulnerabilities in the future.” The heavy-handed nature of the commission’s reaction to the flaw was proportional to the threat that it posed to consumers and the overall digital security of the nation.
There are already significant national security dimensions to this problem. Microsoft indicated on Dec. 14 that the Apache Log4J vulnerability has been exploited by multiple threat actors, including China, Iran, North Korea, and Turkey. The cyber company Mandiant also noted that both Chinese and Iranian government hackers have been using the vulnerability to create footholds for further activity in a “wish list” of targets.
A zero-trust approach could have avoided foreign infiltration into critical systems, adding a layer of scrutiny to U.S. digital security and, therefore, protecting American software from hostile state actors. Instead, the damage caused by this flaw remains unknown.
In fact, Sen. Gary Peters, chair of the Senate Homeland Security Committee, recently said that he is “concerned that we will likely never know the full scope and impacts of this widespread vulnerability, or the risk posed to critical infrastructure.” Still, this threat requires urgent action across all federal agencies and operators of critical infrastructure. Security teams should immediately implement the Cybersecurity and Infrastructure Security Agency’s directive and share information quickly on the threats that they are detecting from this flaw.
In the short term, security teams should also catalog all of the key components of their systems, including the commercial or open-source ones that “everyone” uses, Log4J among them. These components need to be analyzed for flaws, and if those flaws cannot be resolved, they may need to be ripped and replaced by trusted components.
The long-term solution lies in a more sophisticated approach to building security into the design of a system — an approach that can identify and recommend trusted components that don’t have security flaws.
At Paladin, where we have been investing in innovative cyber technologies for more than 20 years, we know there are small disruptive companies building capabilities to spot, diagnose, and mitigate these design flaws in components. This is a growing field, but one that needs even more investment to grow faster and keep pace with demand. The government can issue directives, but private investors can issue something arguably more valuable — funding to drive innovation in this space.
Smaller disruptive cyber startups will be where “white hat” hackers can hunt for vulnerabilities in existing components and field technology solutions to find these flaws long before they get built into the foundation of a computer system. Cyber innovators can also build niche tools to help system administrators tell if they are being targeted by a design flaw.
The innovation that we are seeing in this space is a significant boost to the zero-trust approach. We need to assume that no system is safe and we need to invest in and adapt additional technologies that can identify devastating security flaws before the flaw is exploited and becomes a national security threat.
Jeremy Bash is managing director at Beacon Global Strategies, a consulting firm, and the former chief of staff at the CIA and the Defense Department under President Barack Obama. Michael Steed is founder and managing partner of Paladin Capital Group, which invests in cybersecurity companies.