FTC Threatens Action Against Orgs Failing to Mitigate Log4jConsumer Protection Agency to 'Use Legal Authority to Pursue Companies'
The U.S. Federal Trade Commission, the nation's top consumer protection agency, issued notice that organizations failing to mitigate against Apache's Log4j vulnerabilities may face legal action.
A serious vulnerability in Log4j, a ubiquitous piece of software used to record activities in a wide range of systems found in consumer-facing products and services, left enterprise security teams scrambling to patch or mitigate before the holidays.
In its notice, the regulator warns that it "intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future."
The vulnerability in the popular Java logging package - the first and most severe tracked as CVE-2021-44228 - poses a risk to millions, or hundreds of millions, of products, enterprise software and web applications, officials have warned.
'A Duty to Take Reasonable Steps'
In recent weeks, the U.S. Cybersecurity and Infrastructure Security Agency, along with several private technology firms, has reported sophisticated attack attempts and scanning efforts to pinpoint vulnerable devices. Officials at the FTC also confirm that the "vulnerability is being widely exploited by a growing set of attackers."
Last week, CrowdStrike reported that its threat hunting unit denied a Log4j-based attack on "a large academic institution." And Vietnamese cryptocurrency platform Onus last week reported it had fallen victim to a ransomware attack traced back to the logging utility bug (see: Crypto Platform Suffers Log4j-Related Ransomware Attack).
Citing risks of data breaches, financial loss or "other irreversible harms," the FTC says that, per laws like the Federal Trade Commission Act, which established the FTC, and the Gramm-Leach-Bliley Act, which introduced several control requirements around the security and privacy of consumers' financial information, organizations "have a duty" to take "reasonable steps" to mitigate known software vulnerabilities.
"It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action," the notice reads.
Elizabeth Wharton, a former senior assistant city attorney for the City of Atlanta and currently the vice president of operations at SCYTHE, an adversary emulation and consulting platform, says, "To meet these requirements [including a Final Rule by the FTC under the Gramm-Leach-Bliley Act, financial institutions] need to continuously validate their people, processes, and technologies, especially as new supply chain attack vectors like Log4j become more prevalent."
In its advisory, the FTC also cites the Equifax data breach, in which the consumer credit reporting agency failed to patch a known vulnerability and exposed the PII of some 147 million consumers. It agreed to pay $700 million to settle actions by the FTC, the Consumer Financial Protection Bureau, and all 50 states, in 2019.
The FTC also points organizations to CISA's Log4j guidance, and urges them to update the Log4j software package to the most current version; ensure remedial steps are taken; and to distribute mitigation information to "relevant third-party subsidiaries."
"The Log4j vulnerability … is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies," the FTC warns. "These projects are often created and maintained by volunteers, who don't always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy. This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security."
The Apache Software Foundation, the nonprofit that manages Apache's open-source projects, continues to push out semi-regular updates for its logging library - the latest being 2.17.1, to address another, less-severe RCE vulnerability, CVE-2021-44832 - disclosed late last month by the firm Checkmarx (see: Apache's Log4j Version 2.17.1 Addresses New Flaw).
FTC Warning 'Not a Paper Tiger'
Citing action the FTC took against Equifax, Nasser Fattah, an adjunct professor of cybersecurity at New Jersey Institute of Technology, says, "When FTC comes out with a warning statement for companies to address [the] Log4j vulnerability, historically the FTC has proven that they will take appropriate measures, if necessary. It is not a paper tiger."
Fattah, who chairs the North America Steering Committee for the third-party risk platform Shared Assessments, adds, "Though companies may be victims of a cyberattack themselves, that does not negate companies from civil liability from their customers when there is a data breach."
Additionally, J.J. Guy, co-founder and CEO of the firm Sevco Security, and a former network engineer for the U.S. Air Force, still says the underlying Log4j challenge may be that organizations lack full visibility of their assets.
"This will be one of the larger hidden challenges in every organization's response because few have a comprehensive asset inventory, despite the fact that it has been a top requirement in every security compliance program for decades," Guy says.
Agency-Level Mitigation Efforts
CISA, which imposed a pre-Christmas deadline on federal agencies to remediate the Log4j vulnerability, this week cited progress among "large agencies" in safeguarding their systems.
A spokesperson for CISA tells ISMG, "Agencies have reacted with significant urgency to successfully remediate assets running vulnerable Log4j libraries, even over the holiday season, or to mitigate the majority of affected applications identified that support 'solution stacks' that accept data input from the internet."
The spokesperson continues, "CISA has received status reports from all large agencies, which have made significant progress in either patching or deploying alternate mitigations to address the risk from vulnerable assets, including by already mitigating thousands of internet-connected assets, the focus of the recent Emergency Directive."
The spokesperson says CISA "continues to work with each agency to drive further progress toward remediating all assets at risk." They did not provide a status update on mitigation efforts among smaller agencies.
The agency, to date, has not confirmed any breaches of government networks by way of Log4j.
The vulnerability was first disclosed on Dec. 9, allegedly by Alibaba's cloud security unit. By Dec. 11, CISA added Log4j to the agency's vulnerability catalog. An emergency directive issued Dec. 17 then trumped the earlier deadline, requiring agencies to patch or any systems running the logging utility "immediately" or follow specific mitigation steps (see: CISA to Agencies: Patch Log4j Vulnerability 'Immediately').