One of the most powerful committees in Congress is investigating suspicious code found in the widely used products of a major network security company.
The House Oversight Committee sent letters to 24 federal departments and agencies on Jan. 21 asking them about their use of firewalls made by Sunnyvale, California-based Juniper Networks, which announced in December that it had found “unauthorized code” in the ScreenOS software that powers those firewalls.
The code, apparently present in ScreenOS since August 2012, exposed the firewalls to potential remote takeover by hackers.
The plot thickened when Juniper revealed that it used a pseudo-random-number generator called Dual Elliptic Curve to power the encryption in ScreenOS. Dual_EC became the subject of scandal when it was discovered that the National Security Agency had secretly inserted a vulnerability into the code before convincing the public and private sectors to adopt it.
The NSA‘s code allowed it to secretly predict Dual_EC’s supposedly random number generation, thus letting it descramble the encryption of any product using Dual_EC.
In an interview with Reuters on Thursday, Rep. Will Hurd (R-Texas), the chairman of the oversight committee’s information-technology subcommittee, said that he wanted to look at both the government’s use of the compromised firewalls and the process that led to Juniper using Dual_EC.
“I don’t think the government should be requesting anything that weakens the security of anything that is used by the federal government or American businesses,” he told Reuters, referring to the possibility that the NSA was responsible.
Shana Teehan, a Hurd spokeswoman, said that it was too early to predict the course of the committee’s work. “Next steps regarding this inquiry will be determined once we hear back from the agencies,” she said in an email.
A spokesman for House Oversight Committee Chairman Jason Chaffetz (R-Utah) did not respond to a request for comment.
Juniper continued using Dual_EC for years after researchers publicly revealed that the NSA had added a so-called “backdoor,” claiming that it relied on an additional piece of code that offset the problem. But earlier in January, a computer science professor found that Juniper added Dual_EC to its firewalls after the other piece of code. Why, researchers wondered, had Juniper bothered implementing an unnecessary algorithm that it knew was fundamentally flawed?
One possibility: That Juniper, like fellow security giant RSA, received money from the NSA to install Dual_EC, thus giving the spy agency a window into the activities of Juniper’s clients.
Hurd argued in a Jan. 26 Wall Street Journal op-ed that the Juniper saga had major implications for the ongoing debate over whether tech companies should add backdoors to their encryption to help government investigators read criminal and terrorist suspects’ communications.
“This incident shows that backdoors to bypass encryption—even those requested by law enforcement or mandated by lawmakers—are extremely dangerous,” Hurd wrote. “There is no way to create a backdoor that is not vulnerable to this kind of breach. Encryption is essential to our national security and economy; we should be focused on strengthening it not weakening it.”
Photo via ChrisDag/Flickr (CC BY 2.0)