‘Endemic’ software flaw could take years to address, US government review finds
It could take a decade to fully eradicate, from some computer systems, a critical vulnerability found last year in software used by governments and tech firms around the world, a Department of Homeland Security review board said Thursday.

The review board, which the White House established last year to investigate major cybersecurity incidents, called on the government and the private sector to invest much more in securing the open-source software that underpins global IT infrastructure.

“The US government is a significant consumer of software, and should be a driver of change in the marketplace around requirements for software transparency,” said the report from the DHS-backed Cyber Safety Review Board, which consists of government officials and executives from prominent cybersecurity firms.

The endemic vulnerability reviewed by the board is in software known as “Log4j” that tech companies from Amazon to IBM use in their products. US officials estimated that hundreds of millions of devices around the world were exposed to the flaw when it was publicly disclosed in December.

That the Log4j flaw was easy for hackers to exploit and offered a potentially useful foothold into computer systems set off alarm bells in boardrooms and government agencies around the world. The Biden administration ordered all federal civilian agencies to quickly address the issue. The DHS board on Thursday labeled the flaw an “endemic vulnerability,” underscoring how long it is likely to persist in the software ecosystem.

But while there were reports of ransomware gangs and governments from China to Turkey exploiting the software vulnerability, the high-impact hacks that some analysts anticipated have yet to materialize.

“At the time of writing, the board is not aware of any significant Log4j-based attacks on critical infrastructure systems,” the DHS-backed panel wrote.