Log4j and the Actions that the FTC Is Taking

In a recent CNBC interview, Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency, said that “the log4j vulnerability is the most serious vulnerability I have seen in my decades-long career.”

Fully understanding why log4j is such a critical issue, and why the FTC in particular is handling investigations and punishments, requires some background on log4j itself.

Open-Source Software

Log4j is open-source software, which means that its source code is freely available to any user. It was created by and is maintained by volunteers. Because creating new code is time-consuming, money can be saved by using open-source software to perform certain functions when developing programs.

This approach has been an incredible time saver and has reduced the cost of developing some widely used applications. The downside of this practice is that if a piece of widely used open-source software contains a security vulnerability, it can compromise hundreds, thousands, or even tens of thousands of systems.

The Purpose of Log4j

The reason log4j has become so widespread is that it has a useful logging function. Think of it as a journal of the activity within a system or program. As such, it’s been integrated into numerous applications.

When log4j is fed a line of malicious code, it doesn’t just try to log the code; it executes it as well. This unrestricted execution allows hackers to circumvent normal security measures to gain access and take control of a computer system.

With most security vulnerabilities, the systems that could be infected are relatively few. Those vulnerabilities can still cause widespread damage, such as the Colonial Pipeline shutdown or the Target customer data breach, but they are easy to contain.

Where log4j differs is in how many programs and applications have used its code. From Amazon to Google to smart TVs to security cameras, log4j can be found all across the modern internet.

Tracking Down Log4j

Log4j is not just ubiquitous, but many times, it’s also well hidden. Companies may not even realize the software they’re using has log4j in its code because it can be so deep in the structure of products.

IT departments and cybersecurity firms have been working to identify all instances of the log4j code. However, it’s not just security personnel working to find out where log4j lurks. Hackers and scammers are in a race with cybersecurity experts to sneak in and take over networks where the code is used.
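To show how log4j can sit several layers deep inside a product, here is an added example (not from the original article) of an inventory check that opens an archive, descends into any archives nested inside it, and reports where the log4j-core library is bundled. The function names and sample file names are assumptions made for illustration, and the sample archive is constructed in memory.

```python
import io
import zipfile

# A class shipped inside the log4j-core library; finding it means log4j-core is bundled.
MARKER = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")
MAX_DEPTH = 8                   # bound nesting so a crafted archive cannot recurse forever
MAX_MEMBER = 256 * 1024 * 1024  # skip oversized members (decompression-bomb guard)


def find_log4j(data, label="<archive>", depth=0):
    """Return the nesting path of every archive in `data` that bundles log4j-core."""
    hits = []
    if depth > MAX_DEPTH:
        return hits
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not an archive, or corrupt: nothing to report
    with zf:
        for info in zf.infolist():
            name = info.filename
            # endswith() so a prefix such as BOOT-INF/classes/ still matches
            if name.endswith(MARKER):
                hits.append(label)
            elif name.lower().endswith(ARCHIVE_EXTS) and info.file_size <= MAX_MEMBER:
                hits += find_log4j(zf.read(info), f"{label}!/{name}", depth + 1)
    return hits


def _make_zip(members):
    """Build an in-memory archive from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample():
    """Constructed sample: a product WAR wrapping a vendor JAR wrapping log4j-core."""
    core = _make_zip({MARKER: b"constructed placeholder, not real bytecode"})
    fat = _make_zip({"BOOT-INF/lib/log4j-core.jar": core, "app/Main.class": b""})
    return _make_zip({"WEB-INF/lib/vendor-app.jar": fat, "index.html": b"<html/>"})


if __name__ == "__main__":
    for path in find_log4j(build_sample(), "product.war"):
        print(path)
```

The check reports presence only; whether a hit is a patched release still has to be confirmed from the bundled library's version.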

How Does the FTC Fit In?

It may seem strange that the Federal Trade Commission (FTC) is in charge of levying punishments and investigating companies that have not eliminated log4j-ridden software.

The aforementioned Cybersecurity and Infrastructure Security Agency (CISA) would seem the more logical enforcer. However, CISA can only punish government and critical infrastructure violators. The FTC has jurisdiction over private companies and over 80 years of experience.

The FTC looks for “unfair or deceptive acts or practices in or affecting commerce.” While this wouldn’t seem to give them authority in matters of cybersecurity, the federal government disagrees.

Although cybersecurity practices may differ among companies, the FTC is concerned with ensuring companies are doing their due diligence finding and eliminating all instances of log4j code lurking in their systems.

Reasonableness vs. Unreasonableness

The metric by which the FTC judges whether a company is liable is the “reasonableness” of a company still having software plagued with log4j.

Unfortunately, “reasonableness” is up for interpretation. Each case will need to be considered on its own terms, and considering how widespread log4j is, there will be a vast number of cases to examine.

There are three scenarios in which companies may still have log4j software:

  1. They’re aware they have log4j, but they either don’t care or accept the risk
  2. They’re aware they have log4j, but they can’t patch it out
  3. They don’t realize log4j is still in their codebase

As for the FTC enforcing a punishment, the first two situations are the most obvious ways that a business could get in trouble.

If a company knowingly puts its own and its customers’ data at risk by not eliminating log4j for any reason, whether due to cost, laziness, or ineptitude, there’s no question it will find itself on the FTC’s bad side.

Some businesses can’t get rid of the software that contains log4j code. Perhaps this is because the software is so integral to their business that to eliminate it would be to cease functioning.

Some software running with log4j integrated may not have an immediate replacement or may not function at all if the log4j code is removed. Even so, it’s doubtful that the FTC would look favorably on the situation, and the company would still be in trouble if the presence of log4j led to a data breach.

Where the FTC will have to exercise judgment and weigh the situation carefully is if a company has worked diligently to eliminate log4j, yet an investigation finds it’s still present.

Because infractions can carry serious punishments, it will be essential for the FTC to accurately determine whether log4j’s presence is due to the code being extraordinarily well hidden or to nefarious intentions or laziness. A single disgruntled employee can infect a system without anyone else at the company being aware.

Is Log4j Being Eliminated Fast Enough?

When discussing possible penalties and the FTC’s warnings to companies over this problematic code, an important question must be asked. Is log4j still a genuine problem?

The warning alarms have been sounding since the end of 2021, and businesses have had months to excise the code from their systems. It’s important to remember that companies have a lot of incentives to be log4j free.

With security vulnerabilities, trade secrets get stolen, financial data gets compromised, and ransomware shuts down entire computer networks. With that being said, it only takes one piece of log4j-infected software in a critical system to create a gateway for hackers.

Where Are All of the Breaches?

One puzzling aspect of the log4j problem is that there seem to be few major breaches. Log4j vulnerabilities have led to some computers being hacked for cryptocurrency mining, but so far, there has been no widely publicized infiltration reported.

However, just because such hacks haven’t been reported, that doesn’t mean they haven’t happened. There are several explanations for why there haven’t been log4j data hacks making the news:

  • Companies got rid of infected software before it became a problem
  • The hacks have genuinely been low level and not serious
  • Log4j isn’t as big of a problem as everyone thought
  • The hacks are huge but not yet detected
  • Companies aren’t reporting the serious hacks

The first three in this list are, of course, the best-case scenarios. In explanation one, companies have been performing their due diligence in hunting down all pieces of software that run log4j code and have gotten rid of it. This analysis doesn’t mean there aren’t some businesses that still use the code, but by and large, it’s been dealt with.

In explanation two, hackers have only been able to exploit the vulnerability for low-level hacks, or at least hacks that haven’t caused widespread or serious damage. While co-opting computers to aid in mining Bitcoin is a problem, it’s not as serious of an issue as, say, stealing customer data from CNA Financial.

Explanation three is perhaps the best-case scenario. It’s possible the threat from log4j has been grossly overestimated. If businesses successfully eliminated log4j from their systems months ago, or are running log4j-reliant software in safe ways, such as on computers not connected to a network, then the apocalyptic warnings won’t bear out.

However, explanations four and five are the frightening ones. In the case of explanation four, it’s not out of the question that hackers have managed to gain access to servers at some high-profile companies and gain control, but the companies themselves aren’t aware of it yet.

This oversight could be because the effects are so small that they haven’t been noticed or, more worryingly, the hackers haven’t implemented their final plan. A good example of this would be the Stuxnet worm that was discovered in an Iranian nuclear facility in 2010. The worm had been present and working as early as 2005.

Explanation five is also worrying because it means that there have been serious breaches, but the companies haven’t made this information public. While it would seem impossible that this could happen, it’s not out of the realm of possibility, particularly if a ransomware attack resulted in a quick payoff to the hackers.

What Are the FTC Penalties?

Unfortunately, there’s no blanket answer for a dollar amount per violation. This analysis is, again, where the FTC’s “reasonableness” judgments come into play.

The seriousness of the damage, the degree of effort the company made to eliminate log4j, and any attempts to cover up the breach all factor in. Let’s take the Equifax breach, for example, which was mentioned by the FTC in the January 4th, 2022 entry in their Tech@FTC blog.

According to the blog, there was a complaint that Equifax had failed to patch security vulnerabilities in their system, which led to 147 million consumers’ data being compromised.

This breach led to an investigation by the FTC and the Consumer Financial Protection Bureau, which ended with Equifax paying $700 million in monetary relief and fines.

So while one may not find any specific lists of exact figures the FTC is putting on its log4j violation penalties, it’s best to eliminate log4j-dependent software to avoid them.