Illustration: Annelise Capossela/Axios

The computing world is struggling this week to contain a significant vulnerability in Log4J, an extremely common piece of open-source code.

Why it matters: Experts say the flaw leaves hundreds of millions of systems vulnerable to attack, with the head of the U.S. government's cybersecurity agency calling it among the biggest threats she has seen in her career.

How it works: An attacker could use the flaw to force an affected system to accept commands from a malicious remote server. According to Sean Gallagher, senior threat researcher at Sophos, that could include commands to download and install all manner of code in vulnerable systems, including cryptocurrency miners or other malicious software.

  • Given the flawed code's prevalence, experts say that, for most large businesses and government agencies, it is not a question of whether they are affected, but rather how many different systems have been affected.

Catch-up quick: Log4J is an open-source library included in a range of software, services and hardware, such as networking gear from companies including Amazon, Broadcom and Cisco. It tracks what activities are taking place in the code and keeps tabs on various communications, requests and errors, according to Gallagher.

  • Like many pieces of open-source code, Log4J is maintained by a relatively small team but, thanks to its broad license, has been widely adopted by developers, Gallagher said.
  • As Bloomberg details, the flaw was discovered last month by workers at Alibaba, who reported it to the team at the nonprofit Apache Software Foundation, whose volunteers maintain Log4J. That set off a race to close the vulnerability and a patch was released earlier this month.

Between the lines: The key now is identifying and patching all the systems at risk. Complicating the task is the fact many governments, businesses and consumers probably are unaware if they own products using the code.

  • "Organizations often have no idea that these libraries are part of their applications, especially if they were developed by third parties who may or may not support them after deployment," Gallagher said.
  • The Cybersecurity and Infrastructure Security Agency (CISA) is working to develop a comprehensive list of all the products that include the affected code and encouraging security researchers to share details on any products they believe are infected.

The big picture: In a call with reporters on Tuesday, CISA deputy director Eric Goldstein said that the flaw is "extremely concerning" because of how widely Log4J is used, how easy it is to exploit and the fact that it can allow information to be taken off of targeted systems.

  • So far the visible impact from the flaw has been modest, but experts don't expect that to stay the case.
  • "With the exception of cryptomining, there's a lull before the storm," Gallagher said. "We expect adversaries are likely grabbing as much access to whatever they can right now with the view to monetize and capitalize on it later."
  • That said, there have already been hundreds of thousands of individual attacks, with more expected, per CheckPoint.

Go deeper: CISA has more information on the flaw here, including known vulnerable products and mitigation guidance.

Go deeper

Updated Dec 9, 2021 - Axios Events

Watch: A conversation on data security in a hybrid world

On Thursday, December 9th, Axios Future correspondent Bryan Walsh explored the future of data security in a hybrid world and considered how to create a safer online ecosystem, featuring Rep. Ted Lieu (D-Calif.) and former Cybersecurity and Infrastructure Security Agency director Christopher Krebs.

Rep. Ted Lieu examined the weak links in government cybersecurity strategies, the presence of bipartisan agreement for stronger cybersecurity defense measures, and how to balance the benefits and threats posed by internet-connected smart devices in the home.

  • On increased government awareness of cybersecurity threats: “It’s pretty clear to me that we’re still way behind in terms of cybersecurity. I think the federal government is now much more aware of these threats. I’m pleased the Biden administration is taking it more seriously.”
  • On vulnerability disclosure requirements for federal vendors: “Something I understand about the federal government is we don’t really make stuff, we have private contractors make things. So when you have all these private contractors in the supply chain and when it comes to software and even hardware, if you don’t have vulnerability disclosures, those are weak links and people can go through these weak links and then attack the federal government systems.”

Christopher Krebs outlined how the pandemic’s accelerated digitization changed the nature of cybersecurity threats, the areas most vulnerable to a destructive cyberattack by an adversary, and how businesses should respond if they are faced with a ransomware attack.

  • On protecting critical infrastructure from disruptive cyberattacks: “That’s where the partnerships are important to ensure that the government is providing the appropriate support and guidance to those critical infrastructures, and at the same time evaluating where there may be some market failures and looking for opportunities for more regulatory steps. We’ve seen that with pipelines and railways and some of the other modalities of transportation.”
  • On how companies can improve their cybersecurity defense strategy: “I think what every organization needs to be doing right now, if they’ve had a prior ransomware event or not, is really think through what their strategy is...and look at what they can do right now. Multi-factor authentication, really hardcore identity management, segmentation across networks, backup recovery, make sure you have an incident response plan in place.”

Axios SVP of Product & Technology Melanie Colton hosted a View from the Top segment with ForgeRock CEO Fran Rosch, who conveyed how the increasing number of cyberattacks impacts companies and their consumers who largely operate online.

  • “Security continues to be a huge problem for companies. Fundamentally, we just think the internet is broken in a lot of ways from a security perspective. The usernames and passwords have now been around for over 60 years as the way that we identify and authenticate ourselves. It’s clearly broken as so many customers, so many consumers, use the same username and password as simple as possible across all their applications.”

Thank you ForgeRock for sponsoring this event.
