There has been a lot of news about Log4j over the past week. The vulnerability in this tool deserves to be explained in plain language. So, what is going on in the world of cybersecurity?
Software is developed in different “languages”. One of these is Java (not to be confused with JavaScript, which is a different language). Log4j is a tool used to record messages from software programmed in Java.
This is useful because it makes it easier to detect and resolve problems. The problem with this tool is that it can easily be used to send commands to the system from outside.
Because the tool is located on a server and has access to it, you can use those commands to make the server do anything that its administrator could do. For example, you can steal data or install ransomware on the system.
When the vulnerability became known, criminals got wind of it and, as always happens, immediately set to work searching the internet for vulnerable systems to attack. A few things that are interesting about this situation:
This tool was originally developed by a few clever people who have been voluntarily maintaining it for years, together with a community that helps them. The code is public and anyone can contribute to it. We call this “open source”.
Because it was such a good tool, its use became widespread, but you could actually see it as a kind of hobby project that got out of hand. A lot of software and tools, and in fact the entire internet, originated in this way.
Software developers like to work with these kinds of handy tools because they make their work easier. The only problem is that organisations have very little control over them. Because they are often free or inexpensive, people sometimes don't even know they have the tool in-house.
And that is what makes this situation so exciting. First you have to find out where your organisation or your suppliers are using that tool, and then you have to update faster than the speed of light, because attacks are already underway.
To make matters worse, the new version turned out to contain yet another vulnerability, meaning that system administrators couldn't go to bed just yet, but had to do another round of updates.
It seems that this is the largest and most widespread vulnerability ever. Attacks on vulnerable systems are likely to continue for years to come.
It is also likely that this will not be the last time we say this. That is why it is so important that we learn from this. What I liked to see in this situation was the collaboration between the NCSC and security companies. This allowed information to be shared very quickly about affected software, ways to find out if you are vulnerable and/or have been attacked, and how to prevent the vulnerability. This prevented a lot of damage to organisations.





