Cybersecurity

Lawmakers want answers on Juniper backdoors

security breach (Song_about_summer/Shutterstock.com) 

A group of lawmakers is seeking answers on a four-year-old probe into how unauthorized code creating an encryption backdoor ended up in Juniper Networks' cybersecurity software.

In a June 10 letter to CEO Rami Rahim, Sens. Ron Wyden (D-Ore.), Cory Booker (D-N.J.), Mike Lee (R-Utah) and 13 members of the House asked for an update on an investigation launched by Juniper after the National Security Agency code was discovered in late 2015.

"It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered," the members wrote. "The American people—and the companies and U.S. government agencies that trusted Juniper's products with their sensitive data—still have no information about why Juniper quietly added an NSA-designed, likely backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security."

While the unauthorized code was discovered in 2015, subsequent analysis by outside third-parties determined that those changes actually modified the keys to a pre-existing encryption algorithm developed by the NSA and first installed on Juniper's NetScreen firewalls between 2008 and 2009. That standard has been widely criticized by information security experts for creating potential backdoor and was eventually pulled from the National Institute of Standards and Technology's approved list of encryption standards following the Edward Snowden revelations in 2013.

It's not clear who modified the code in 2015, and some experts have worried the weaknesses in the NSA algorithm could have been exploited by a different group.

"To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional … then piggybacked on top of it to build a backdoor of their own," security expert Matthew Green wrote in 2015.

The members, which include House Homeland Security Committee Chair Bennie Thompson (D-Miss.), Judiciary Committee Chair Jerrold Nadler (D-N.Y.) and Administration Committee Chair Zoe Lofgren (D-Calif.), said Juniper's findings could provide "a valuable case study" about the dangers of weakening encryption at a time when Attorney General Bill Barr has expressed a desire to push legislation that would compel companies to build access into their products for law enforcement.

The letter asked Juniper executives to explain the results of its investigation and provide a copy of any reports developed, any findings on who altered the code in 2015, why the company initially failed to publicize their use of the NSA's encryption standard during the Federal Information Processing Standards certification process and why it made a number of technical changes that would seemingly make it easier for sophisticated hackers to exploit the potential backdoor. They also want to know what the company has done since then to prevent similar incidents in the future.

The lawmakers are seeking answers to their questions from Juniper by July 10.

FCW sought comment from the company on the letter for this story and will update with any reply.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


Featured

  • People
    Federal CIO Suzette Kent

    Federal CIO Kent to exit in July

    During her tenure, Suzette Kent pushed on policies including Trusted Internet Connection, identity management and the creation of the Chief Data Officers Council

  • Defense
    Essye Miller, Director at Defense Information Management, speaks during the Breaking the Gender Barrier panel at the Air Space, Cyber Conference in National Harbor, Md., Sept. 19, 2017. (U.S. Air Force photo/Staff Sgt. Chad Trujillo)

    Essye Miller: The exit interview

    Essye Miller, DOD's outgoing principal deputy CIO, talks about COVID, the state of the tech workforce and the hard conversations DOD has to have to prepare personnel for the future.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.