A security flaw in Log4j, a widely used Java logging library, is sounding alarms across all federal agencies. The vulnerability could cause major issues for government systems.
- Gordon Bitko, senior vice president of policy for public sector at ITI and former chief information officer at the FBI, said the Cybersecurity and Infrastructure Security Agency (CISA) “has responded quite quickly and admirably” by providing information about the vulnerability and directing agencies to install a patch by Dec. 24.
- Bitko explained that there is a newly discovered flaw in the open-source software Log4j, widely used at government agencies and commercial entities, that has existed for about a decade or more.
- While SolarWinds required sophisticated capability from a nation-state actor to insert the vulnerability, the Log4j issue was already there and spread naturally, said Bitko.