Patch Your Systems! Log4j Vulnerability Sparks a Warning From the FTC

Since first announced in December 2021, the critical Log4j vulnerability has stolen the attention of many cybersecurity professionals. The Federal Trade Commission (FTC) has taken notice too.

The FTC recently published a blog post advising companies to take immediate action to remediate the Log4j vulnerability. The post states that the FTC "intends to use its full legal authority to pursue companies that fail to take reasonable steps" to remediate the Log4j vulnerability or "similar known vulnerabilities in the future," and that such failures may violate the FTC Act.

Log4j is an open-source software library that is used on many computer systems and applications, including millions of consumer-facing websites, applications, and connected devices, as well as industrial control systems (ICS). The Log4j vulnerability, commonly known as "Log4Shell," is a remote code execution (RCE) vulnerability that can be used by an attacker to run malicious commands on a vulnerable system and take control of that system.

There have been widespread reports of attackers, including multiple ransomware gangs, exploiting Log4Shell. To help companies respond, the Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance on addressing Log4Shell.

The FTC's Log4j blog post raises several broader points about how it may be approaching data security issues:

• While the FTC has been increasingly active in data security enforcement, it is still rare for the FTC to issue guidance like this on a major topic in the data security field. The Commission may take a more significant role in shaping data security practices proactively—not just through enforcement.
• The blog post highlights what the FTC calls a "broader set of structural issues" related to open-source software like Log4j. As the blog post notes, countless sites, applications, and systems use numerous open-source software libraries for critical operations. Many of those libraries are maintained by volunteers, and the companies that use them may never evaluate the security of those libraries or have adequate resources and personnel for incident response and proactive maintenance. Look for the FTC to scrutinize more how companies evaluate and use open-source software for critical functions.
  
  • The FTC addressed the issue of companies' responsibilities for the security of externally developed software recently when it issued its new Standards for Safeguarding Customer Information (known as the "Safeguards Rule") under the Gramm-Leach-Bliley Act (GLBA). Under the new rule, covered Financial Institutions must adopt "procedures for evaluating, assessing, or testing the security of externally developed applications," presumably including open-source software.
• The FTC likely will continue to focus on companies' failure to timely adopt security patches as a ground for enforcement under the FTC Act. The blog post referenced the FTC's enforcement action against Equifax, in which the FTC alleged that a failure to patch a known vulnerability led to exposure of the data of 147 million consumers. Equifax agreed to pay $700 million to settle actions by the FTC as well as the Consumer Financial Protection Bureau, and all 50 states. A June 2021 memorandum from the White House to the private sector also highlighted the importance of timely patching.