Cybersecurity

DHS review board says it could take years to fix government software vulnerability

A vulnerability in software that governments and companies around the world use could take years to eliminate, according to a report from a Department of Homeland Security (DHS) review board. 

The analysis states that a security engineer from the Alibaba Cloud Security team in China first reported the vulnerability to the Apache Software Foundation, a nonprofit organization that provides support for Log4j, the software. 

The software collects and maintains information about system activity. 

The DHS’s Cyber Safety Review Board concluded that the vulnerability will be “endemic” and may remain in systems for up to a decade or more. 

The report notes that the board is not currently aware of any significant attacks on the Log4j software and that the exploitation of the software happened at lower levels than expected based on the vulnerability’s severity. 

The report states that organizations spent significant resources to deal with the vulnerability, and the organizations that responded most effectively were the ones that understood their own use of the software and have the technical resources to manage assets, assess the risk that the vulnerability posed and mobilize response actions. 

The board made a series of recommendations to Homeland Security Secretary Alejandro Mayorkas for actions that should be taken in the future. 

The recommendations are categorized into four main focuses — addressing the continued risks of Log4j, adopting industry-accepted practices for managing vulnerabilities, building a more proactive model of vulnerability management and making investments for the country’s digital security in the future.