The United States will issue an “emergency directive” requiring government agencies to resolve critical software bugs




The order from the US Cybersecurity and Infrastructure Security Agency gives federal agencies until December 23 to document Internet-facing installations of the software on their networks and report data back to CISA. It also requires agencies to compare the large public list of software products affected by the Log4J vulnerability against the software running on agency networks.

It is one of the most urgent steps taken by the Biden administration to resolve the bug in so-called Log4J software, which US officials said this week could affect hundreds of millions of devices around the world.

CISA officials said this week that no federal agencies have been hacked using the vulnerability, but the emergency order is an attempt to secure it by collecting much more data on federal agencies’ exposure to the problem.

Major technology companies from Amazon Web Services to IBM have rushed to address the vulnerability in their products and have published guidance for their customers on how to fix the bug.

The order goes further than a previous CISA directive, as it requires agencies to address instances of Log4J that are not only directly exposed to the internet but may also sit deeper in agency networks.

“This vulnerability is one of the most serious I have seen in my entire career, if not the most serious,” CISA Director Jen Easterly said in a telephone conversation with industry leaders on Monday.

On Wednesday night, the US Patent and Trademark Office shut down remote access to its computer systems for 12 hours due to “serious and time-sensitive concerns” about the vulnerability.

Microsoft warned this week that hackers linked to China, Iran, North Korea and Turkey were exploiting the vulnerable software.

The Pentagon is taking “rapid action right now to identify and mitigate Log4J vulnerabilities by monitoring malicious cyber-activity and targeting potential exploitation,” said Press Secretary John Kirby on Friday.

The Pentagon, he added, continues to “work with the Cybersecurity and Infrastructure Security Agency, CISA, on a comprehensive response from the authorities.”

This story has been updated with further details on Friday.

CNN’s Michael Conte contributed to this report.


