Why tech companies must come clean about the latest cybersecurity crisis

December 13, 2021, 6:51 PM UTC

Software and cybersecurity experts spent this weekend in crisis mode.

The disclosure of a software vulnerability in an open-source tool used by companies across the globe prompted apocalyptic warnings of damage to companies, consumers, and tech infrastructure. 

“The internet’s on fire right now,” Adam Meyers, a top executive at cybersecurity firm CrowdStrike, told The Associated Press.

Charles Carmakal, the leader of cybersecurity firm Mandiant, suggested to Bloomberg that the issue is “probably the worst security vulnerability in at least the last 10 years—maybe longer.” 

LunaSec CEO Free Wortley, whose company hosts an open source data security platform, told Wired that the oversight is “a design failure of catastrophic proportions.”

In short, the problem stems from a previously unknown flaw in Log4j, an open-source Java logging library that developers use to record activity inside applications, web applications included. Because a vulnerable version of the library can be tricked by text it is asked to log, an attacker who can get a crafted string into a log entry can take control of the affected server and from there reach sensitive customer data, such as payment records or personally identifiable information, that could be held for ransom. 

Log4j’s maintainers have released a fixed version, and security companies and vendors are rolling it into their products, but the solution “depends on thousands of companies putting the fix in place before it is exploited,” Bloomberg reported.

Though the vulnerability was first revealed Thursday, little has been publicized about the fallout. However, many of the biggest names in tech use Log4j, including Apple, Amazon, Twitter, and LinkedIn.

“In a best-case scenario, major brokerages, banks, and merchants will invest huge sums in overtime costs to pay large numbers of already overworked IT employees to mop up this mess during the holidays,” Ars Technica security editor Dan Goodin wrote Monday morning.

“You don’t want to think about the worst-case scenario, other than to remember the 2017 breach of Equifax and the resulting compromise of 143 million U.S. consumers’ data that followed when that company failed to patch against a similarly devastating vulnerability.”

Companies and security analysts are, understandably, still assessing the situation. Experts warned this weekend that it will take at least several days to report on any potential damage.

If the fallout proves extensive, tech and e-commerce companies must move proactively and transparently. At a time of declining trust in Silicon Valley, delivering easily accessible and actionable information will prove vital to maintaining strong bonds with consumers.

Widespread breaches should also push Congress into action on requiring federal agencies, government contractors, and companies critical to American infrastructure to provide information to the federal government when they are hacked. Supporters of the legislation argue the mandate would help the government and vital organizations better prepare for cyberattacks, while also giving lawmakers and bureaucrats a better sense of cybersecurity needs.

As it stands, the Senate, House, and the Information Technology Industry Council continue to bicker over the scope and timing of proposed reporting mandates, with no clear path toward enacting any laws.

The coming days and weeks will determine whether this weekend’s panic proves warranted. For now, the tech industry, customers, and Congress should be prepared for responding to the worst.

Want to send thoughts or suggestions for Data Sheet? Drop me a line here.

Jacob Carpenter

NEWSWORTHY

The Intel revival gains steam. Intel will announce plans this week to spend $7 billion on a new chip packaging factory in Malaysia, part of the company’s plans to take back market share after years of losing ground to domestic and Asian competitors, Bloomberg reported Monday. Malaysia’s primary investment promotion agency disclosed limited information about the plans, with more information expected to become public by Wednesday. Intel CEO Pat Gelsinger is embarking on a significant overhaul, aiming to re-establish Intel’s dominance over Taiwan Semiconductor Manufacturing, AMD, Nvidia, and others. Those efforts have come into sharper focus amid a global semiconductor shortage, putting added attention on a bill languishing in Congress that calls for propping up the domestic chip industry with $52 billion in federal subsidies.

Facebook takes ‘not my problem’ approach. The soon-to-be chief technology officer of Facebook parent Meta defended the company’s approach to misinformation on its platform Sunday on Axios on HBO, arguing that individuals should be responsible for better parsing what they see on social media. Andrew Bosworth, Meta’s vice president of augmented and virtual reality, expressed unease with Facebook taking a greater role in regulating speech online amid criticism that the platform fans disinformation and harmful content. “At some point the onus is, and should be in any meaningful democracy, on the individual,” said Bosworth, who will become Meta’s CTO in early 2022. Bosworth’s comments suggest Meta won’t get as aggressive on removing content as some critics, legislators, and regulators want.

Brits spy another tech crackdown. The United Kingdom’s top antitrust regulator announced Monday an investigation of Microsoft’s planned acquisition of speech recognition company Nuance, its latest inquiry into deals between American companies. The Competition and Markets Authority said in a statement that it will review whether the $16 billion deal would “result in a substantial lessening of competition within any market or markets in the United Kingdom for goods or services.” The investigation comes one month after the CMA ordered Facebook to reverse its $400 million purchase of Giphy in 2020, a rare order that signaled greater appetite overseas for curbing large tech mergers. Microsoft’s acquisition of Nuance, a key player in the development of Siri for Apple, marked an investment in health care voice dictation and artificial intelligence.

A not-so-cryptic message on crypto. India Prime Minister Narendra Modi’s Twitter account came under attack Sunday from a hacker, who falsely tweeted that India had “officially adopted bitcoin as legal tender” and planned to distribute 500 Bitcoin to residents, TechCrunch reported. The security breach comes as Modi’s administration fights against the rise of cryptocurrency, aiming to keep it out of India. Modi boasts one of Twitter’s largest audiences, with 73.4 million followers. The identity of the hacker has not been disclosed.

FOOD FOR THOUGHT

An easily predicted outage? Some Amazon insiders were hardly surprised last week when hundreds of Amazon Web Services customers saw their online services crash for several hours. Insider, citing anonymous sources within the company, said the issue stemmed from an oft-troubled East Coast AWS region, which serves as a major hub for e-commerce clients. Two internal projects to prevent widespread outages and build capacity are underway, though they haven’t yet solved all of the region’s issues. Amazon officials said they are “very comfortable” with the region’s capacity and availability, disputing some claims in the Insider story.

From the article:

The problems on Tuesday originated from the US-East region in Northern Virginia, internally known as IAD. This location opened in 2006 just as Amazon Web Services launched. It has the largest concentration of AWS data centers in the world, but has become an "inside joke" among some employees for often needing fixes, one of the insiders said.

At least nine of the 17 largest outages in AWS history originated from IAD data centers, according to AWS Maniac, a blog that tracks AWS service disruptions. One major AWS customer told Insider that the IAD data centers are typically "a large failure point" for those who rely on it as their primary AWS region.

"Amazon tries really hard not to break IAD," one AWS employee told Insider, adding that despite Tuesday's outage lasting hours, it was "pretty run of the mill."

IN CASE YOU MISSED IT

Rivian nabs a coveted MotorTrend award for its debut EV pickup, putting pressure on Tesla, by Christiaan Hetzner

SenseTime postpones its Hong Kong IPO after Washington blocked U.S. investment in the facial recognition giant, by Yvonne Lau

Binance will close its Singapore trading platform after withdrawing its application to run an exchange in the country, by Chanyaporn Chanjaroen and Bloomberg

Now, even COVID-19 has an NFT, by Chris Morris

There’s lithium in them thar hills: startup and VW ink deal to turn Europe’s Rhine valley into global source of EV battery metal, by Christiaan Hetzner

Larry Ellison’s fortune soars $12 billion after Oracle shares jump 16%, by Scott Carpenter and Bloomberg

Instacart president Carolyn Everson announces departure after three months, by Maria Aspan

BEFORE YOU GO

A plea for Amazon workers. Part of Amazon’s massive success hinges on its tight, productivity-focused rules for employees on the job. But this weekend’s devastating tornadoes, which killed six people working at a southern Illinois Amazon warehouse, illustrate some of the potentially tragic unintended consequences of such restrictions. As Bloomberg noted Saturday night, Amazon historically has banned employees from carrying cell phones on the warehouse floor (the restriction loosened during the pandemic). As a result, workers might miss critical emergency notifications or weather warnings. In the future, Amazon should strike a better balance between information access and worker productivity. 

This is the web version of Data Sheet, a daily newsletter on the business of tech. Sign up to get it delivered free to your inbox. 
