The report released Thursday by the Cyber Safety Review Board said that while no major cyberattacks have been reported as a result of the Log4j flaw, it will "be exploited for years to come."
"Log4j is one of the most serious software vulnerabilities in history," said the board's chairman, Under Secretary of Homeland Security Rob Silvers, to reporters on Wednesday.
The Log4j flaw, which was publicly disclosed late last year, allows internet-based attackers to easily take control of everything from industrial control systems to web servers and consumer electronics. The first obvious signs of the flaw's exploitation appeared in Minecraft, Microsoft's hugely popular online game.
The discovery of the flaw prompted government officials to issue urgent warnings and massive efforts by cybersecurity professionals to patch vulnerable systems.
The board stated on Thursday that the exploitation of the Log4j bug occurred at lower levels than experts predicted. The board also stated that it was not aware of any "significant" Log4j attacks on critical infrastructure systems, but it should be noted that some cyberattacks go unreported.
Future attacks are likely, according to the board, in part because Log4j is frequently embedded with other software and can be difficult for organizations to detect running in their systems.
"This event is far from over," Silvers declared.
Log4j, written in the Java programming language, records computer user activity. It is extremely popular with commercial software developers and was developed and maintained by a small group of volunteers under the auspices of the open-source Apache Software Foundation.
On November 24, a security researcher at the Chinese tech giant Alibaba notified the foundation. A fix took two weeks to develop and release. According to Chinese media, the government punished Alibaba for failing to notify state officials about the flaw sooner.
The board stated on Thursday that it found "troubling elements" in the Chinese government's vulnerability disclosure policy, claiming that it could give Chinese state hackers an early look at computer flaws that they could use for nefarious purposes such as stealing trade secrets or spying on dissidents.
The Chinese government has long denied wrongdoing in cyberspace and has told the board that it encourages greater sharing of information about software vulnerabilities.
The board made several recommendations for mitigating the impact of the Log4j flaw as well as improving cybersecurity in general. This includes the suggestion that cybersecurity training be made a requirement for computer science degree and certification programs at universities and community colleges.
The Cyber Safety Review Board, which was mandated by an executive order signed by Biden last May, is modeled after the National Transportation Safety Board, which investigates plane crashes and other major accidents. The FBI, National Security Agency, and other government officials, as well as private-sector representatives, make up the board's 15 members. Some supporters of the new board chastised DHS for taking so long to set it up.
The board was directed by Biden's executive order to conduct its first review of the massive Russian cyber espionage campaign known as SolarWinds. Russian hackers were able to compromise several federal agencies, including accounts belonging to top DHS cybersecurity officials, though the full scope of the campaign remains unknown.
DHS and the White House, according to Silvers, agreed that reviewing the Log4j flaw was a better use of the new board's expertise and time.