US issues 'emergency directive' ordering government agencies to address critical software flaw
By Sean Lyngaas, CNN
(CNN) -- US cybersecurity officials on Friday issued an "emergency directive" ordering all federal civilian agencies to quickly address a critical software flaw that is impacting big tech firms around the world.
The order from the US Cybersecurity and Infrastructure Security Agency gives federal agencies until December 23 to document internet-facing installations of the software on their networks and report data back to CISA. It also tasks agencies with comparing the vast public list of software products that use the Log4J vulnerability with the software running on agency networks.
It's one of the most urgent steps yet that the Biden administration has taken to address the flaw in so-called Log4J software, which US officials said this week could affect hundreds of millions of devices around the world.
CISA officials said this week that no federal agencies have been hacked using the vulnerability, but the emergency order is an effort to make sure of that by gathering much more data on federal agencies' exposure to the issue.
Big tech firms from Amazon Web Services to IBM have raced to address the vulnerability in their products and published guidance on how to fix the flaw to their customers.
The order goes further than a previous CISA directive as it requires agencies to address instances of Log4J that are not just directly exposed to the internet but could be deeper in agency networks.
"This vulnerability is one of the most serious that I've seen in my entire career, if not the most serious," CISA Director Jen Easterly said in a phone call with industry executives on Monday.
Overnight Wednesday, the US Patent and Trademark Office night shut down external access to its computer systems for 12 hours due to "serious and time-sensitive concern" around the vulnerability.
Microsoft warned this week that hackers linked with China, Iran, North Korea and Turkey are exploiting the vulnerable software.
The Pentagon is taking "rapid action right now to identify and mitigate the Log4J vulnerabilities by monitoring for malicious cyberactivity and directing mitigation against potential exploitation," press secretary John Kirby said Friday.
The Pentagon, he added, continues "to work with Cybersecurity and Infrastructure Security Agency, CISA, on a whole of government response."
This story has been updated with additional details Friday.
™ & © 2021 Cable News Network, Inc., a WarnerMedia Company. All rights reserved.