CISA director: We'll be dealing with Log4j for a long time

The bug's impact will be massive, requiring lots of tech to be patched or locked down.

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, two star marathoner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise Cybersecurity, Digital Privacy, IoT, Consumer Tech, Running and Fitness Tech, Smartphones, Wearables
Bree Fowler
2 min read

CISA Director Jen Easterly says the Log4j security flaw is the worst she has seen in her career.


Security professionals will be dealing with the fallout from the Log4j bug for a long time to come, top officials for the Cybersecurity and Infrastructure Security Agency said Monday.

If left unpatched or otherwise unfixed, the major security flaw discovered a month ago in the Java-logging library Apache Log4j poses risks for huge swaths of the internet. The vulnerability in the widely used software could be exploited by cyberattackers to take over computer servers, potentially putting everything from consumer electronics to government and corporate systems at risk of a cyberattack.

No US federal agencies have been compromised as a result of the vulnerability, CISA Director Jen Easterly told reporters on a call Monday. In addition, no major cyberattacks involving the bug have been reported in the US, though many attacks go unreported, she said. 

Easterly said the sheer scope of the vulnerability, which affects tens of millions of internet-connected devices, makes it the worst she has seen in her career. It's possible, she said, that attackers are biding their time, waiting for companies and others to lower their defenses before they attack. 

"We do expect Log4Shell to be used in intrusions well into the future," Easterly said, using the name for the bug in the Log4j software. She noted the Equifax data breach in 2017, which compromised the personal information of nearly 150 million Americans, stemmed from a vulnerability in open-source software.

Most of the attempts to exploit the bug, so far, have been focused on low-level crypto mining or attempts to draw devices into botnets, she said.

One of the first known attacks using the vulnerability involved the computer game Minecraft. Attackers were able to take over one of the world-building game's servers before Microsoft, which owns Minecraft, patched the problem.

There have been big attacks elsewhere. Last last month, the Belgian Defense Ministry confirmed at its systems had been breached as a result of the bug.