There’s a huge hole in internet security, DHS warned. It could “take a decade to fully eradicate a critical vulnerability found last year in software used by governments and tech firms around the world.” The special review board warns both government and private sector developers to “invest much more in securing the open-source software that underpins global IT infrastructure.”
Security flaw affects everything
Weak internet security is a dangerous vulnerability in modern society. According to the Cyber Safety Review Board, which the Biden regime carved out of DHS last year, “the US government is a significant consumer of software, and should be a driver of change in the marketplace around requirements for software transparency.”
The special panel, made up of “government officials and executives from prominent cybersecurity firms,” is particularly concerned with the “Log4j” breach.
That security failure is now being considered “endemic.” That means it will be with us for a while. Virtually every tech company on the planet uses the compromised software.
“U.S. officials estimated that hundreds of millions of devices around the world were exposed to the flaw when it was publicly disclosed in December.” They’re no closer to fixing it now.
A foothold in computers
The Log4j security flaw is so easy for hackers to exploit that it “offered a potentially useful foothold into computer systems.”
That’s what “set off alarm bells in boardrooms and government agencies around the world.” The Biden administration “ordered all federal civilian agencies to quickly address the issue.”
We now know that won’t be possible. The board announced on July 14 that this one is an “endemic vulnerability,” underscoring “how enduring it will be in the software ecosystem.” So far, security experts agree that we have all been lucky.
“While there were reports of ransomware gangs and governments from China to Turkey exploiting the software vulnerability, the high-impact hacks that some analysts anticipated have yet to materialize.” The board backs that up. “At the time of writing, the board is not aware of any significant Log4j-based attacks on critical infrastructure systems.”