Information security professionals spent the past month fighting one of the most serious cyber threats yet to the computer systems that control America's critical infrastructure. To put it in perspective, the affected software is so widely used that it is as if security officials had discovered that every lock purchased through the commercial supply chain could be opened with a few keystrokes.

The threat stems from a recently discovered flaw in widely used software known as Apache's Log4J. The White House called the discovery a national security issue days ago when it announced it was convening a summit of software company CEOs, signaling the severity of the threat and the continuing fallout.

As a result, it's time for system builders to take a zero-trust approach. Zero trust has traditionally meant not trusting any network connection, assuming each one could carry malware. Now it is clear that no software component in a system should be trusted either, even and especially when it is something that everyone uses.

Log4J is standard software that keeps a log of activity on a system. It is popular among software engineers, who can incorporate the open-source library into a wide variety of computer systems. Log4J is omnipresent in servers, in cloud computing systems, and in many gaming and personal-device systems. In short, it is everywhere.

The Log4J problem presents a huge challenge for security professionals. When the building blocks of an IT system are themselves vulnerable, no amount of cyber best practice, such as changing passwords or using multi-factor authentication, will keep hackers out. They can simply pick the locks at will.

In addition to sounding alarm bells in the White House, the Log4J threat has raised concern among information security officials and leading US technology companies, prompting continued efforts to mitigate what could be the most alarming cyber development since the discovery of the SolarWinds hack in December 2020.

On December 9, 2021, researchers found that by modifying certain lines of code in Log4J, hackers can gain access to almost any system, including those that control banks, transportation systems, the power grid, and other critical infrastructure elements.

This discovery led to an urgent warning by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, which issued an emergency directive on Dec. 17. The directive ominously warned that the exploitation of "[Log4J] vulnerabilities allow an unauthenticated attacker to execute code remotely on a server," which means that an attacker could access and possibly take over a system. The agency called on other federal agencies to correct the vulnerability and urged all private-sector system operators to do the same.

In addition, the Federal Trade Commission released one of its most striking responses to the vulnerability, warning companies that it intends to use its legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4J, or of similar known vulnerabilities in the future. The forcefulness of the commission's reaction to the flaw was commensurate with the threat it posed to consumers and to the nation's overall digital security.

This problem already has important national security dimensions. Microsoft indicated on December 14 that the Apache Log4J vulnerability was being exploited by several threat actors, including China, Iran, North Korea, and Turkey. A leading cybersecurity firm also noted that Chinese and Iranian government hackers had used the vulnerability to establish footholds for further activity.

A zero-trust approach could have prevented foreign infiltration of critical systems, adding a layer of control to US digital security and thereby protecting US software from hostile state actors. Instead, the damage caused by this flaw remains unknown.

Indeed, Senator Gary Peters, Chairman of the Senate Homeland Security Committee, recently said he is concerned that we will probably never know the full scope and effects of this widespread vulnerability, or the risk it poses to critical infrastructure. Nonetheless, this threat requires urgent action on the part of all federal agencies and critical infrastructure operators. Security teams should immediately implement the Cybersecurity and Infrastructure Security Agency's directive and quickly share information about the threats they detect from this flaw.

In the short term, security teams also need to catalog all key parts of their systems, including open-source components, commercial components and the ones everyone uses, Log4J included. These components should be analyzed for flaws, and if those flaws cannot be resolved, the components may need to be removed and replaced with trusted ones.
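As an added illustration of the cataloguing step above (example code written for this page, not the authors' or any vendor's tool), the following Python inventories the Maven components embedded in a Java archive, including copies nested inside fat jars and WARs, and flags any whose version is below a minimum the operator supplies. The sample archive, its org.example group and its version numbers are constructed; the real minimum version for log4j-core must be taken from the project's own advisory.

```python
import io, re, zipfile
# Maven-built jars embed META-INF/maven/<groupId>/<artifactId>/pom.properties.
POM_RE = re.compile(r"^META-INF/maven/([^/]+)/([^/]+)/pom\.properties$")
NESTED_EXT = (".jar", ".war", ".ear", ".zip")

def parse_properties(text):
    """Parse a Java .properties file: 'key=value' lines; '#'/'!' start comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def inventory(data, location="<root>"):
    """Yield (location, groupId, artifactId, version) for each Maven component,
    recursing into nested archives so copies bundled in fat jars/WARs show up."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            m = POM_RE.match(name)
            if m:
                p = parse_properties(zf.read(name).decode("utf-8", "replace"))
                yield (location, p.get("groupId", m.group(1)),
                       p.get("artifactId", m.group(2)), p.get("version", "?"))
            elif name.lower().endswith(NESTED_EXT):
                yield from inventory(zf.read(name), f"{location}!/{name}")

def version_key(v):
    """Numeric-aware ordering for dotted versions, so '2.10.0' > '2.9.1'."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def find_outdated(data, minimums):
    """(location, artifactId, version) of components below the operator's minimum."""
    return [(loc, art, ver) for loc, _grp, art, ver in inventory(data)
            if art in minimums and version_key(ver) < version_key(minimums[art])]

def build_sample_archive():
    """Constructed sample, not a real artifact: app jar bundling a library jar."""
    def jar(entries):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            for n, c in entries.items():
                zf.writestr(n, c)
        return buf.getvalue()
    lib = jar({"META-INF/maven/org.example/log4j-core/pom.properties":
               "groupId=org.example\nartifactId=log4j-core\nversion=2.3.1\n"})
    return jar({"META-INF/maven/org.example/app/pom.properties":
                "artifactId=app\nversion=1.0\n",  # groupId falls back to the path
                "lib/logging.jar": lib})
```

Running `find_outdated(open(path, "rb").read(), {"log4j-core": "<minimum from the advisory>"})` over each deployed archive gives the list of bundled copies that still need replacing.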

The long-term solution lies in a more sophisticated approach to building security in: a systematic way to identify and recommend trusted components that don't have security holes.

At Paladin, where we've been investing in innovative cyber technologies for more than 20 years, we know there are disruptive small companies developing capabilities to detect, diagnose and mitigate these design flaws in components. This is a growing field, but one that requires even more investment to grow faster and keep pace with demand. The government can issue guidelines, but private investors can provide arguably more valuable funding to spur innovation in this space.

Smaller disruptive cyber startups are where researchers can search existing components and fielded technology solutions for vulnerabilities, finding those flaws long before the components are built into the foundation of a computer system. Cyber innovators can also create niche tools to help system administrators know whether they are affected by a design flaw.

The innovation we see in this space is a significant boost to the zero-trust approach. We must assume that no system is secure, and we must invest in and adopt additional technologies capable of identifying devastating security holes before they are exploited and become a threat to national security.

Jeremy Bash is Managing Director of Beacon Global Strategies, a consulting firm, and a former chief of staff to the CIA and the Department of Defense under President Barack Obama. Michael Steed is Founder and Managing Partner of Paladin Capital Group, which invests in cybersecurity companies.

Image courtesy of Pacific Northwest National Laboratory