The Data Breach You Haven’t Heard About

January 27, 2016
Foreign hackers may be reading encrypted U.S. government communications, yet basic information about what happened still isn’t available.

By WILL HURD - Jan. 26, 2016 7:15 p.m. ET

A security breach recently discovered at software developer Juniper Networks has U.S. officials worried that foreign hackers have been reading the encrypted communications of U.S. government agencies for the past three years. Yet compared with the uproar over the Office of Personnel Management breach, first disclosed last June, this recent breach has gone largely unnoticed.

On Dec. 17 the California-based Juniper Networks announced that an unauthorized backdoor had been placed in its ScreenOS software and that a breach had been possible since 2013. This allowed an outside actor to monitor network traffic, potentially decrypt information, and even take control of firewalls. Days later the company provided its clients—which include various U.S. intelligence entities—with an “emergency security patch” to close the backdoor.

The federal government has yet to determine which agencies are using the affected software or if any agencies have used the patch to close the backdoor. Without a complete inventory of compromised systems, lawmakers are unable to determine what adversaries stole or could have stolen.

If government systems have yet to be fixed, then adversaries could still be stealing sensitive information crucial to national security. The Department of Homeland Security is furiously working to determine the extent to which the federal government used ScreenOS. But Congress still doesn’t know the basic details of the breach.

Yet this vital information should not be difficult to obtain. After all, U.S. banks that use this software for encryption were forced to share the extent of their use with the Securities and Exchange Commission only hours after the compromise was disclosed. It is government agencies that are dragging their feet.

This is why I and my colleagues on the House Committee on Oversight and Government Reform recently wrote a letter to the heads of 24 federal agencies demanding an inventory of their systems running the affected software, and whether or not they have installed the patch. If they fail to respond they will be called before Congress to explain why they couldn’t produce this basic information—even though the 2002 Federal Information Security Management Act requires government bodies to monitor and protect the data they possess.

Once we learn which agencies were using the faulty software, finish patching all the systems and conduct a damage assessment, we need to examine why this older version of ScreenOS, last updated in 2011, was being used in the first place. This product is considered a legacy system that many users have replaced with better technology, yet the U.S. government hadn’t bothered to update to a newer, more-secure system.

Sadly, this isn’t surprising. Last year, according to the U.S. Government Accountability Office, the federal government spent over $80 billion on IT procurement and 80% of those funds were for legacy systems—outdated technology or software similar to ScreenOS. This practice of not keeping up with the times renders our nation’s IT infrastructure less efficient and exponentially more vulnerable.

Finally, this incident shows that backdoors to bypass encryption—even those requested by law enforcement or mandated by lawmakers—are extremely dangerous. There is no way to create a backdoor that is not vulnerable to this kind of breach. Encryption is essential to our national security and economy; we should be focused on strengthening it, not weakening it.

Rep. Hurd, a Republican from Texas, sits on the House Homeland Security Committee and is chairman of the IT Subcommittee on Oversight and Government Reform.