The federal body said it wouldn’t hesitate to use its full legal authority “to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”
The statement shifted the calculus of risk and liability for businesses. Threatened with legal action, they feel compelled to act. The challenge, though, is finding out whether they’re affected.
Log4j’s ubiquity makes it difficult to know whether any individual organization is affected. First discovered in Minecraft, the Log4j vulnerability has since been found in cloud applications, enterprise software, and on everyday web servers. The program is a logging library: it records events, both routine actions and errors, and reports them to system administrators or users. And Log4j is one small but common component in tens of thousands of products—many of which are then bundled up into bigger projects. So-called indirect dependencies—packages or parts of programs that businesses use as part of their IT solution and that in turn, unbeknownst to the business, use Log4j—are one of the biggest risks, reckons Google, with more than four in five vulnerabilities hidden several layers deep in the interconnected web of software.
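To show why those indirect dependencies are hard to see, here is a small scanner added as an example for this article (not code from the original page or from any vendor it mentions): it opens a JAR, WAR or EAR, descends into every archive packed inside it, and reports each log4j-core copy that still bundles the JndiLookup class, with the version read from its Maven pom.properties. The sample EAR is constructed in memory, and the marker class path and pom.properties location are assumptions based on Log4j's Maven packaging.

```python
import io
import zipfile

# Marker class present in affected log4j-core builds; this example reports its
# presence at any nesting depth rather than deciding from the version alone.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def _pom_version(zf):
    """Read the version recorded in the bundled Maven pom.properties, if any."""
    try:
        props = zf.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    found = [ln.split("=", 1)[1].strip() for ln in props.splitlines() if ln.startswith("version=")]
    return found[0] if found else None


def scan_archive(data, path):
    """Return [(location, version)] for every archive, at any depth inside `data`,
    that bundles JndiLookup. Nested locations are joined with '!'."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return []  # not a zip container, nothing to inspect
    findings = []
    with zf:
        names = zf.namelist()
        if JNDI_CLASS in names:
            findings.append((path, _pom_version(zf)))
        for name in names:  # descend into bundled archives: the indirect-dependency case
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(scan_archive(zf.read(name), f"{path}!{name}"))
    return findings


def _zip(entries):
    """Build a zip archive in memory from {name: bytes-or-str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, payload in entries.items():
            z.writestr(name, payload)
    return buf.getvalue()


def build_sample_ear():
    """Constructed sample input: an EAR holding a WAR that bundles a log4j-core jar."""
    core = _zip({JNDI_CLASS: b"\xca\xfe\xba\xbe", POM_PROPS: "version=2.14.1\n"})
    war = _zip({"WEB-INF/lib/log4j-core-2.14.1.jar": core, "index.jsp": "<html/>"})
    return _zip({"app.war": war, "META-INF/application.xml": "<application/>"})
```

Running `scan_archive(build_sample_ear(), "app.ear")` reports the log4j-core jar three layers down, which a check of the top-level archive alone would miss.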
“The FTC has decided to swing a big hammer,” says Ian Thornton-Trump, chief information security officer at threat intelligence firm Cyjax. But he doesn’t necessarily think it’s the right move, calling it “impudent” and an unhelpful way of ramping up the situation. Large companies are conscious of what they need to do when confronted by such an issue, Thornton-Trump believes, and don’t need the FTC breathing down their neck to make them act. “What you don’t need is a federal government agency telling you what the priorities are for your business when they don’t even know what your actual business risk might be,” he says.
Others disagree. “Part of the chaos is that all of these big supply chain issues can cause a disjointed effort at remediation,” says Katie Moussouris, founder and CEO of Luta Security, a cybersecurity consultancy. “So I do think the FTC’s pressure is important.”
The FTC’s bravado in compelling companies to act is the end result of a government department wanting to genuinely help businesses in the United States and abroad but constrained by the lack of political will to push through meaningful cybersecurity legislation that isn’t focused on particular, limited areas, such as health care or financial data, says Thornton-Trump. As a result, US cybersecurity policy is reactive, trying to fix issues once they arrive under penalty of legal action, rather than proactive, he argues. Nevertheless, the FTC’s move is an important one: Though the FTC is to date the only government body globally to issue a warning to companies to fix the problem or else, the Log4j vulnerability affects hundreds of millions of devices.
Some businesses that fall under the regulator’s scope may have unexpected crises to deal with—for example, companies that have CCTV security cameras that are exposed to the internet with no compensating controls could find it “absolutely devastating,” says Thornton-Trump. Any internet-of-things devices that use Log4j and are vulnerable could act as an open door for hackers, easily allowing them access to a much bigger, more lucrative network through which they could wreak havoc. Thornton-Trump saw such an attempt happen at one of his clients, a managed service provider in Canada. “The firewall detected Log4j exploit attempts hitting CCTV cameras that were exposed,” he says. Thankfully, it was a security company scanning for vulnerabilities, and not a malicious attack.
It’s unlikely that many businesses will be able to meet the FTC’s demand to find and patch the Log4j vulnerability immediately. Nor is it clear exactly how the FTC would be able to check whether an organization was exposed to the Log4j vulnerability and hadn’t done anything, given how much trouble businesses are having uncovering their own exposure. In fact, the FTC’s warning comes at a time when there’s a global shortage of cybersecurity professionals and work-from-home practices are putting more strain on the system than ever before, says Thornton-Trump. “They might not even have the capability to patch an update on this because their software that is vulnerable is out of lifecycle, or the developer has been sold.”