U.S. Rep. Will Hurd, a Texas Republican who sits on the House Homeland Security Committee, wrote in today’s Wall Street Journal that the Juniper Networks breach deserves more serious attention than it is getting, since encrypted communications of government agencies over the past three years could be exposed. Hurd, who also chairs the Information Technology Subcommittee of the House Oversight and Government Reform Committee, said the government has yet to determine which agencies are still running the affected software or whether any of them have applied the patch that closes the backdoor.
Juniper Networks announced on Dec. 17 that unauthorized code in its ScreenOS firewall software had created a backdoor that could let outsiders take administrative control of affected firewalls and monitor, and potentially decrypt, VPN traffic passing through them. The company soon provided customers with a patch to close the backdoor.
(A document provided by Edward Snowden indicates that the NSA had known of vulnerabilities in Juniper Networks products since 2011, Hacked reported.)
Extent Of Vulnerability Not Known
The government has not yet identified which agencies run the affected software, Hurd noted. Without a full inventory of exposed systems, it cannot know what information adversaries may have taken. Worse, adversaries may still be collecting sensitive information from systems that have not been patched.
The Department of Homeland Security is trying to determine the extent to which federal agencies used ScreenOS.
That information should not be hard to gather, Hurd said: banks that used the software for encryption had to disclose the extent of their use to the Securities and Exchange Commission shortly after the breach became known.
The House Committee on Oversight and Government Reform has sent a letter to 24 agencies asking for an inventory of systems running the affected software and whether the patch has been installed on each. Heads of agencies that fail to reply will be asked to explain why they could not produce the information.
The Federal Information Security Management Act of 2002 already requires agencies to protect and monitor their data and to maintain an inventory of their major information systems.
Why Was It Used To Begin With?
Hurd also said the government must examine why it was running this version of ScreenOS, last updated in 2011, in the first place. The product is a legacy system, and the government had not moved to a newer, more secure one.
The U.S. Government Accountability Office reported last year that the federal government spent more than $80 billion on IT, about 80% of it on legacy systems. “This practice of not keeping up with the times renders our nation’s IT infrastructure less efficient and exponentially more vulnerable,” Hurd wrote.
Hurd also called backdoors that bypass encryption, including those mandated by government, “extremely dangerous.” There is no way, he said, to build a backdoor that cannot be abused the way this one was, and strong encryption is essential to both national security and the economy.