FTC threatens to take legal action against companies that don't patch Log4j

SECURITY

The U.S. Federal Trade Commission has threatened to take legal action against companies that have not patched the Apache Log4j security vulnerabilities, which first emerged on Dec. 13.

The Log4j vulnerabilities, including subsequent others, allow hackers to access affected systems. The exploits were targeted by not only run-of-the-mill criminal hackers but also state-sponsored hacking groups as well.

The U.S. government advising companies to patch vulnerabilities is not new. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency regularly issues security advice and mitigation warnings. But the FTC threat legal action is new.

The FTC said in a statement that it was warning companies to “remediate Log4j vulnerability.” That there are multiple Log4j vulnerabilities seems to have been missed by the FTC. The commission calls for companies to patch CVE-2021-44228, while seemingly ignoring CVE-2021-45046 and CVE-2021-44832, the other Log4j vulnerabilities.

“The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act,” the FTC said in a statement. ”It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

The choice of the two cited acts is interesting. The Federal Trade Commission Act, introduced by Woodrow Wilson in 1914, is meant to outlaw unfair methods of competition and unfair acts or practices that affect commerce. The FTC uses the act to protect consumers, but in this case, it’s seemingly blaming the victim.

The Gramm Leach Bliley Act, also known as the Financial Services Act of 1999, is an act that repealed previous laws prohibiting financial institutions from consolidating. The FTC does not clearly say but presumingly it’s citing the parts of the act that are meant to protect consumers and their privacy rights: “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future.”

Not all companies are large with big cybersecurity teams that can handle hackers. Small businesses, which are victims, could be targeted as well. The FTC could target companies for doing nothing wrong other than being hacked on account of widespread vulnerabilities in a commonly used open-source software package used by millions of companies in potentially billions of devices.

But that said, some security experts are surprisingly over the moon about the threatened legal action.

“The FTC warning about potential legal repercussions for companies that fail to address the Log4j vulnerability is long overdue,” Amit Yoran, chairman and chief executive officer of cybersecurity company Tenable Inc., told SiliconANGLE. “Not addressing Log4j is worse than leaving your doors and windows unlocked and inviting an intruder in to raid your shelves, because it puts the data so many organizations collect on individuals at risk as well.”

Yoran noted that the Log4j issue is the most significant vulnerability in history. “Not addressing it proactively is the definition of negligence,” he said. “If the threat of government penalties shakes people out of their complacency, that’s a win for everyone. Now let’s get to it.”

J.J. Guy, co-founder and CEO of security asset management firm Sevco Security Inc., noted that one of the most challenging aspects of responding to the log4j vulnerability is simply identifying the devices in an organization where log4j is used.

“Since it is a cross-platform, widely used software library, there is incredible diversity in where and how it is deployed: It can be an application package installed by itself, bundled with another application package as just another file on disk or embedded in another application with no visible artifact,” Guy explained. “Even worse, it is used in everything from cloud-managed services to server applications and even fixed-function, embedded devices. That internet-connected toaster is very likely vulnerable to log4shell.”

Image: FTC