Congressman Will Hurd, R-Texas, has a seemingly simple request for U.S. government agencies: Tell us how many Juniper Networks ScreenOS devices you're using and give us a version history of the firmware on that networking equipment.
That query is pertinent because security experts suspect that Juniper's ScreenOS firmware - which runs its NetScreen firewalls and VPN devices - was backdoored by up to three different domestic and foreign intelligence agencies, beginning in 2008. Thus it's imperative that all organizations immediately install a related patch, which was released last month by Juniper (see Who Backdoored Juniper's Code?).
"How do we understand the vulnerabilities that created this problem and ensure this kind of thing doesn't happen in the future?"
The backdoors could have allowed attackers to remotely access devices by bypassing authentication checks, as well as decrypt VPN traffic. As a result, any organization that's been using NetScreen devices since 2008 has potentially been the victim of eavesdropping attacks, which may be ongoing.
Hurd, a former CIA employee, now heads the technology subcommittee for the House Committee on Oversight and Government Reform, which is asking the heads of 24 federal agencies three questions: Have you been using vulnerable devices? Are they patched yet? And what information might have gone missing?
"The federal government has yet to determine which agencies are using the affected software or if any agencies have used the patch to close the backdoor. Without a complete inventory of compromised systems, lawmakers are unable to determine what adversaries stole or could have stolen," Hurd says in a Jan. 27 Wall Street Journal op-ed titled "The Data Breach You Haven't Heard About" (see Juniper Devices Are Under Attack).
"This vital information should not be difficult to obtain," Hurd says. "After all, U.S. banks that use this software for encryption were forced to share the extent of their use to the Securities and Exchange Commission only hours after the compromise was disclosed. It is government agencies that are dragging their feet."
By law, U.S. agencies are theoretically already tracking this information and should be able to produce it quickly. But in practice, things are quite different, says Leon Kappelman, a professor of information systems at the College of Business at the University of North Texas.
"There are already laws in place regarding cybersecurity and enterprise architecture for federal agencies. They just don't follow them or do them properly - they merely have become part of the budgeting and paperwork exercises," he tells me. "Since there is just about no accountability anywhere in the U.S. federal government, no one seems to care - even after all the massive data breaches that we do know about and that do compromise national security, such as OPM [U.S. Office of Personnel Management]. Without accountability, there can be no security."
Probing Backdoors' Origins
Hurd has also promised that his committee will investigate the origin of the three backdoors in NetScreen, which include a weak random-number generator that dates from 2008. Security researcher Nicholas Weaver of the International Computer Science Institute suspects that was the work of the U.S. National Security Agency, while the subsequent two Juniper backdoors - from 2012 and 2014 - were likely placed by one or more foreign intelligence services (see Juniper Firmware: New Crypto Flaw Found).
The results of the House probe could theoretically lead to Congress crafting new, related policies for the U.S. intelligence community, Hurd contends (see Obama Stokes Crypto Debate).
"How do we understand the vulnerabilities that created this problem and ensure this kind of thing doesn't happen in the future?" Hurd asks in an interview with Reuters. "I don't think the government should be requesting anything that weakens the security of anything that is used by the federal government or American businesses."
Lawmakers' Cybersecurity Culpability
But the massive OPM breach, which exposed information about 22 million current and former government employees and contractors, as well as their families and friends, highlights a crucial point that Hurd neglects to mention: Congress hasn't historically been focused on ensuring, ahead of time, that government agencies are doing everything they can to help prevent data breaches.
After the fact, of course, many lawmakers decry such incidents. But for all the handwringing over the OPM breach that came to light last year, few lawmakers criticized themselves for having failed to review OPM's information security practices before the breach. Congress, however, long had access to the very same OPM Inspector General reports that they belatedly used to chastise now-former OPM Director Katherine Archuleta, who reportedly inherited the dysfunctional information security practices that she had been in the process of revamping.
Questions Lawmakers Should Be Asking
So here are the questions I'd like to see Hurd and other members of Congress asking - beyond just requesting a U.S. government agency NetScreen patch history:
- How did the backdoors get added to U.S. networking giant Juniper's products?
- How many other networking products used by the U.S. government have backdoors, and how are vendors responding?
- To what extent is the NSA responsible for any or all of these backdoors, and what is the projected loss of revenue due to a decline in sales as a result of heightened distrust of U.S. manufacturers from potential overseas customers?
- What can Congress do today to better speed government agencies' response tomorrow when we next face a similar crisis?
Of course opining is easy; fostering a cybersecurity-savvy Congress and White House administration is not. "I find they are often more interested in protecting the vendors that donate to their campaigns than actually doing anything that improves IT practices in the federal government," Kappelman contends (see Juniper Backdoor: How Are Vendors Responding?). "Of course, even if they did something, unless people are held accountable in the agencies, it's just for show and doesn't really lead to improvements in IT practices."