Here is what the USPTO announced a few minutes ago about the massive system crash that started yesterday evening:
On Wednesday, December 15, 2021, at approximately 8:30 p.m. ET, the United States Patent and Trademark Office (USPTO) proactively and deliberately shut down all external access to systems in light of a serious and time-sensitive concern related to Log4j vulnerabilities. Although this preventative measure impacted those seeking to file documents, the USPTO needed to shut down the systems to perform necessary maintenance to safeguard not only our infrastructure, but also the security of our filers’ data. The USPTO created a path for filers to continue to submit applications via email during the outage. Around 8:30 a.m. ET on Thursday, December 16, maintenance was completed and all external systems were restored.
Several things can be said about this.
First, the USPTO announcement is not accurate about the start time of the crash. USPTO customers started seeing login problems at about 7PM Eastern Time.
Second, I will note that alert blog reader Chris called it! Chris posted a comment very early this morning that you can see here (scroll down a bit) correctly guessing that this would turn out to be USPTO’s explanation for the outage.
Third, yes we have all been reading about Log4j vulnerabilities and yes of course it is prudent to take whatever steps one needs to take to protect against those vulnerabilities. But this particular vulnerability was publicly disclosed on Thursday, December 9. Nowhere in the USPTO announcement is there any explanation as to why the corrective action was taken only six days later. Nor is there any explanation why the starting time selected for this work was during working hours (for USPTO customers) rather than at the normal time for such corrective actions which is shortly past midnight on whatever day the work is to be done.
Fourth, nor was there any forewarning provided to USPTO customers. None. This gives the appearance of panicked reaction to an emergency situation rather than prudently planned proactive action.
Fifth, the Patent Alert stated, “In the new normal of continuous cyber threats…”. If the USPTO Is aware that this is the new normal, why is it not better prepared to address cyber threats in a more rational manner? And why is it not better prepared with a contingency plan for it’s customers?
Time and again, the USPTO IT is a demonstration of buffoonery. It is wholly unacceptable for the USPTO to require that customers send confidential documents to hastily created email addresses having defective coding, when just moments before and after “the event,” those submissions required advance registration and two-factor authentication. And (for those clients lacking a deposit account) it is ridiculous for the USPTO to require that customers mail paper checks with certificates of mailing. I pity the poor customers that were working remotely or on travel. And (for those customers who could not accomplish this preposterous contingency method) it is deplorable for the USPTO to require petition submissions by customers for rectifying very bad situations that were created by the USPTO and its lack of both foresight and preparedness, and not because of anything that the customer could have done to avoid the very bad situations.
While these hasty “fixes” may seem satisfactory to the USPTO so that it can assert that there were in fact alternate routes of filing provided, clearly they are not based on any understanding or concern for the actual effects of those “fixes” on the customer side. If the USPTO is going to mandate fully electronic transactions, then a better job needs to be done by the USPTO to prevent avoidable disruptions, and to have a workable contingency plan in place IN ADVANCE that is already known to its customers.
At what point do customers get to collectively demand a remedy to this ongoing gross incompetence? At what point is the rulemaking process invoked to provide limited flexibility in these kinds of situations? Perhaps it is time to stop twisting the e-filing practices to meet the language of existing statutes and to instead update the statutes to relate to this century.
Perhaps they were being actively exploited and needed to shut down immediately to prevent further harm. If so, they may deserve kudos for managing it quickly and also doing the best they could to allow filers to meet their deadlines. Granted that I hope this is a learning experience, so if there is a live exploit that requires immediate shut down they will already have in place a functional alternative, but all-in-all this probably could have been much worse.