Members of Congress are demanding that the U.S. National Security Agency (NSA) reveal what it knows about the 2015 Juniper Networks supply-chain breach. In a letter sent by U.S. Senator Ron Wyden and nine additional members of Congress, the lawmakers demand a full account of the NSA-designed encryption algorithm that was compromised in 2015.
Sparking the inquiry is the massive SolarWinds supply-chain attack. In their letter sent last week to the NSA, lawmakers suggest the spy agency lacks effective oversight of the software supply chains relied upon by the U.S. government and private industry.
“In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers,” a Wyden statement read. “Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor.”
A chief bone of contention among lawmakers is the allegation that the NSA’s “Dual_EC_DRBG” algorithm – submitted to National Institute of Standards and Technology (NIST) – contained an encryption backdoor for the spy agency. The move, lawmakers suggest, concerns Congress because it appears to be a tacit endorsement of weak encryption.
“The American people have a right to know why NSA did not act after the Juniper hack to protect the government from the serious threat posed by supply chain hacks. A similar supply chain hack was used in the recent SolarWinds breach, in which several government agencies were compromised with malware snuck into the company’s software updates,” the members wrote.
Why Juniper Illustrates Dangers of Intentionally Weak Crypto
In 2016, Juniper removed the backdoored Dual_EC_DRBG algorithm from its ScreenOS operating system. NIST also withdrew the algorithm, citing security concerns.
Juniper’s use of Dual_EC dates to 2008, at least a year after Dan Shumow and Niels Ferguson’s landmark presentation at the CRYPTO conference, which first cast suspicion on Dual_EC being backdoored by the NSA.
To many, Juniper’s move to remove Dual_EC (and also the ANSI X9.31 PRNG) confirmed the widely held belief that the vulnerabilities were tied to NSA operations described in a 2013 article published by the German publication Der Spiegel. That article described the existence of a catalog of hardware and software tools used by the NSA to infiltrate equipment manufactured by Juniper, Cisco and Huawei. The story was based on documents leaked in 2013 by former contractor Edward Snowden.
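The "key to this backdoor" that the Wyden statement refers to is the relationship between the generator's two public curve points: whoever chose Q knowing a scalar d with Q = d·P (and therefore e = d⁻¹ with P = e·Q) can take a single output of the generator and compute its next internal state, which is exactly what Shumow and Ferguson warned about. The toy below is an added illustration, not code from the article, Juniper or NIST: it runs a Dual_EC-style generator on a tiny constructed curve over GF(103), shows that the holder of e predicts the next output from the previous one, and shows that anyone who swaps in their own Q' = d'·P inherits the same capability while the original e stops working. Every constant (the curve, the seed, the scalars) is constructed, and two toy deviations are marked in comments: the state is reduced into [1, N−1] so scalar multiplication never hits the point at infinity, and the full x-coordinate is emitted instead of the real generator's truncated output (the real attack brute-forces the 16 dropped bits).

```python
# Toy model of the Dual_EC_DRBG trapdoor (constructed example, not the real curve).
# Curve: y^2 = x^3 + A*x + B over GF(P_MOD). All constants are toy values.
from math import gcd

P_MOD = 103      # toy field prime; the real generator uses 256-bit NIST curves
A, B = 2, 3      # toy curve coefficients (4A^3 + 27B^2 != 0 mod 103, so non-singular)
INF = None       # point at infinity


def inv_mod(x, m):
    return pow(x, -1, m)          # modular inverse, Python 3.8+


def ec_add(p1, p2):
    """Affine point addition / doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                 # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv_mod(2 * y1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * inv_mod((x2 - x1) % P_MOD, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = ec_add(acc, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return acc


def ec_order(pt):
    n, cur = 1, pt
    while cur is not INF:
        cur, n = ec_add(cur, pt), n + 1
    return n


def points_with_x(x):
    """All curve points with this x-coordinate (0, 1 or 2 of them)."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    return [(x, y) for y in range(P_MOD) if y * y % P_MOD == rhs]


def base_point():
    """Brute-force the point of largest order; it plays the role of the fixed P."""
    best, best_n = INF, 0
    for x in range(P_MOD):
        for pt in points_with_x(x):
            n = ec_order(pt)
            if n > best_n:
                best, best_n = pt, n
    return best, best_n


P_POINT, N = base_point()         # public P and its order N


def x_to_scalar(x):
    # Toy deviation: keep the state in [1, N-1] so s*P and s*Q are never INF.
    return x % (N - 1) + 1


def pick_secret(start):
    """Smallest d >= start that is invertible mod N (the parameter author's secret)."""
    for d in range(start, N):
        if gcd(d, N) == 1:
            return d
    raise ValueError("toy curve too small for this demo")


def make_q(d):
    """Publish Q = d*P; keep e = d^-1 mod N, the trapdoor (P = e*Q)."""
    return ec_mul(d, P_POINT), inv_mod(d, N)


def drbg_outputs(seed, Q, count):
    """s_i = x(s_{i-1}*P), r_i = x(s_i*Q). Toy deviation: r_i is emitted untruncated."""
    s, out = x_to_scalar(seed), []
    for _ in range(count):
        s = x_to_scalar(ec_mul(s, P_POINT)[0])
        out.append(ec_mul(s, Q)[0])
    return out


def predict_next(e, Q, r):
    """Trapdoor holder: from one output r, compute the NEXT output without the seed."""
    R = points_with_x(r)[0]                    # sign of y is irrelevant: x(e*R) == x(e*(-R))
    s_next = x_to_scalar(ec_mul(e, R)[0])      # e*(s*Q) = s*(e*Q) = s*P, i.e. the next state
    return ec_mul(s_next, Q)[0]


if __name__ == "__main__":
    d = pick_secret(2)
    Q, e = make_q(d)
    outs = drbg_outputs(seed=42, Q=Q, count=4)
    print("outputs under Q :", outs)
    print("e predicts r2 from r1:", predict_next(e, Q, outs[0]) == outs[1])
    d2 = pick_secret(d + 1)                    # a third party swaps in its own Q'
    Q2, e2 = make_q(d2)
    outs2 = drbg_outputs(seed=42, Q=Q2, count=4)
    print("old e still fits Q'? ", ec_mul(e, Q2) == P_POINT)
    print("new e' predicts under Q':", predict_next(e2, Q2, outs2[0]) == outs2[1])
```

The design point the toy makes is the one the lawmakers are raising: the trapdoor is not bound to its original author. Possession of e is the only thing that separates "the intended party" from anyone else, and replacing Q is a one-constant change in a binary that transfers the capability wholesale, which is why a generator whose security rests on nobody knowing the P–Q relationship has no safe deployment.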
Calls for encryption backdoors date back to the 1990s and the so-called Crypto Wars. That’s when President Bill Clinton’s administration insisted that the U.S. government have a way to break the encryption that was exported outside of the United States.
Juniper Lessons Not Learned, Repeated with SolarWinds Hack?
In the Jan. 28 letter to NSA chief Gen. Paul Nakasone, the group of Democratic lawmakers wants the agency to provide a previously undisclosed report about “lessons learned” from the Juniper hack and to detail what actions the NSA took afterwards. The lawmakers gave the NSA until Feb. 26 to respond.
In June, Wyden also co-signed a letter to Juniper CEO Rami Rahim seeking answers about the hack. Experts have long expressed concern that the weaknesses in the NSA algorithm could have been exploited by any number of hackers. The SolarWinds and Juniper hacks are similar in that both involved federally managed computer systems and compromised software supply chains.