FTC Says Companies Could Face Legal Action for Failing to Mitigate Log4j Vulnerabilities
In a blog post, the US Federal Trade Commission warns, “It is critical that companies and their vendors relying on Logj4 act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.” The article cites the Equifax case, in which the company failed to patch a known vulnerability, exposing personal information of 147 million people. Equifax ended up paying $700 million to settle various legal actions.
While some may pooh pooh the FTC’s cybersecurity related actions, it is telling that many attempts have been made by private industry to challenge their authority to do so. SANS gave the FTC a Difference Maker’s award in 2013 and the justifications for that award have held up over the years: “It seems like regardless of who is president or what the state of the economy is, the FTC stays focused on its mission of consumer protection and in particular, going after companies that don't protect their customers' information. The FTC doesn't seem to need new laws or more money, it just keeps fighting for its customers.”
The FTC doesn’t want history to repeat itself. While a company could accept the risk of not addressing Log4j vulnerabilities, the FTC wants them to know that both the Gramm Leach Bliley Act (GLBA) and Federal Trade Commission act have specific directions to mitigate known software vulnerabilities. Long story short: update Log4j wherever you’re using it, make sure you’ve deployed your vendor updates, use a properly configured WAF if you can, monitor activity, and document actions taken.
Organizations should not see this as a one-off vulnerability and invest in building a program to track assets, vulnerabilities, and patches. Vulnerability management is hard, it is a process, and there is no end state. Implementing lessons learned from Log4j, like those learned during the Struts2 vulnerability that affected Equifax, will be ideal for your organization when the next big vulnerability is inevitably disclosed.
On the Log4J Issue, I am not sure how the FTC enforcement will fully happen. There are going to be a fairly large number of systems in which the actual code doesn't exist, won't compile, and is mission critical. I would imagine that this sets a very bad precedent, overall, but it's not unexpected. We have been talking about regulation for years, and if the larger community does not regulate itself, someone else will. This is also compounded by the fact that Log4J may not even show up in the dependency chain directly but as a sub-dependency. We need to watch this carefully as this could start rolling down hill to the next “Exchange Vulnerability” that is not patched in time.
Read more in
FTC: FTC warns companies to remediate Log4j security vulnerability
The Register: You better have patched those Log4j holes or we'll see what a judge has to say – FTC
Threatpost: FTC to Go After Companies that Ignore Log4j
Bleeping Computer: FTC warns companies to secure consumer data from Log4J attacks
Cyberscoop: FTC warns of potential penalties for firms that fail to fix Log4j software flaws