Lawmakers Demand Details on 2015 Juniper Data IncidentBipartisan Group Wants Company Findings on NetScreen Backdoor Investigation
A bipartisan group of U.S. Senators and House Representatives has sent a letter to Juniper Networks seeking a more detailed explanation into a 2015 incident when an NSA-created algorithm - that may have included a backdoor - appeared in a company product that would have allowed VPN traffic to be decrypted.
The letter, sent Wednesday and addressed to Juniper CEO Rami Rahim, notes that soon after the code was discovered in the company's NetScreen firewalls Juniper promised it would launch an internal investigation to discern how the code ended up inside its product. That report has yet to be released.
Juniper's software and networking gear is widely used by the federal government, as well as many private businesses and organizations
In writing to the company, lawmakers believe that after nearly five years, Juniper needs to better explain what happened and if the National Security Agency played a role in the incident.
"It has now been four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered," according to the letter.
A spokesperson for Juniper could not be immediately reached for comment on Thursday.
Congress Demands a Report
The letter is signed by Sens. Ron Wyden, D-Ore., Mike Lee, R-Utah, Cory Booker, D-N.J., and 13 members of the House of Representatives.
"The American people - and the companies and U.S. government agencies that trusted Juniper’s products with their sensitive data - still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security,” the letter states.
In addition to demanding a copy of the internal investigation's results, which the letter said must include naming who was responsible for the investigation and explaining its overall scope, the lawmakers made seven additional requests, most centered on the inclusion of the NSA-designed Dual_FC_DRBG algorithm standard in its software.
The letter claims the backdoor was added to Juniper's products sometime between 2008 and 2009, at about the same time the company placed the Dual_FC_DRBG algorithm in some of its products - and that its 2015 discovery was actually not that a backdoor had been installed, but the one put in place seven years earlier had been updated.
Additionally, elected officials want to know if the company discovered who placed the backdoor in the software and recommendations to ensure this will not happen again.
The Dual_FC_DRBG standard has a cloudy history. Security researchers claimed as far back as 2005 that the algorithm contained a backdoor. Despite these complaints, the National Institute of Science and Technology standardized the algorithm in 2006, but then withdrew that approval in 2013 after disclosures by Edward Snowden that the NSA, in fact, did put a backdoor in the algorithm.
The story grew more complicated in 2015 when Juniper Networks reported a data breach saying it had discovered "unauthorized code" in the firmware that runs the NetScreen firewalls. The code, which was somehow added to the firmware in 2012, would allow an attacker to remotely gain access to any vulnerable device as well as decrypt VPN traffic flowing across the device, potentially without leaving any trace (see: Who Backdoored Juniper's Code?).
At the time, Juniper CIO Bob Worrall said the code would enable a knowledgeable attacker to gain administrative access to NetScreen devices and allow them to decrypt VPN connections "without leaving a trace."
Question of Access
The backdoor in Juniper Networks' NetScreen firewalls touches upon recent attempts by U.S. Attorney General William Barr renewing a call for technology companies to include such access in their products in order to facilitate government surveillance, the letter states (see: Attorney General Barr Argues for Access to Encrypted Content).
"Juniper's experiences can provide a valuable case study about the dangers of backdoors, as well as, the apparent ease with which government backdoors can be covertly subverted by a sophisticated actor," the letter states.