Lawmakers want answers on Juniper backdoors
- By Derek B. Johnson
- Jun 10, 2020
A group of lawmakers is seeking answers on a four-year-old probe into how unauthorized code creating an encryption backdoor ended up in Juniper Networks' cybersecurity software.
In a June 10 letter to CEO Rami Rahim, Sens. Ron Wyden (D-Ore.), Cory Booker (D-N.J.), Mike Lee (R-Utah) and 13 members of the House asked for an update on an investigation launched by Juniper after the National Security Agency code was discovered in late 2015.
"It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered," the members wrote. "The American people—and the companies and U.S. government agencies that trusted Juniper's products with their sensitive data—still have no information about why Juniper quietly added an NSA-designed, likely backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security."
While the unauthorized code was discovered in 2015, subsequent analysis by outside third-parties determined that those changes actually modified the keys to a pre-existing encryption algorithm developed by the NSA and first installed on Juniper's NetScreen firewalls between 2008 and 2009. That standard has been widely criticized by information security experts for creating potential backdoor and was eventually pulled from the National Institute of Standards and Technology's approved list of encryption standards following the Edward Snowden revelations in 2013.
It's not clear who modified the code in 2015, and some experts have worried the weaknesses in the NSA algorithm could have been exploited by a different group.
"To sum up, some hacker or group of hackers noticed an existing backdoor in the Juniper software, which may have been intentional or unintentional … then piggybacked on top of it to build a backdoor of their own," security expert Matthew Green wrote in 2015.
The members, which include House Homeland Security Committee Chair Bennie Thompson (D-Miss.), Judiciary Committee Chair Jerrold Nadler (D-N.Y.) and Administration Committee Chair Zoe Lofgren (D-Calif.), said Juniper's findings could provide "a valuable case study" about the dangers of weakening encryption at a time when Attorney General Bill Barr has expressed a desire to push legislation that would compel companies to build access into their products for law enforcement.
The letter asked Juniper executives to explain the results of its investigation and provide a copy of any reports developed, any findings on who altered the code in 2015, why the company initially failed to publicize their use of the NSA's encryption standard during the Federal Information Processing Standards certification process and why it made a number of technical changes that would seemingly make it easier for sophisticated hackers to exploit the potential backdoor. They also want to know what the company has done since then to prevent similar incidents in the future.
The lawmakers are seeking answers to their questions from Juniper by July 10.
FCW sought comment from the company on the letter for this story and will update with any reply.
Derek B. Johnson is a former senior staff writer at FCW.