Sens. Ron Wyden (D-Ore.), Mike Lee (R-Utah), Cory Booker (D-N.J.) and 13 members of the House of Representatives have asked Juniper Networks, a network and software company, “how an NSA-designed algorithm, which leading cybersecurity experts believe contains an encryption backdoor, appeared in its products, and how the key to this backdoor was later changed by unknown parties.” The Congressional members sent a letter to Juniper Networks about backdoors in NetScreen firewalls.
In 2015, Juniper Networks disclosed that it experienced a security breach, which led to unauthorized code being added to its NetScreen firewalls; the company allegedly sold these products between 2012 and 2015. This meant that the firewall’s backdoor could “be exploited by a sophisticated adversary to unmask the encryption used to protect data flowing over virtual private networks.” However, this change only modified existing code, meaning that a backdoor already existed on Juniper products. Cybersecurity experts discovered that Juniper secretly added a National Security Agency (NSA)-designed algorithm to its products as early as 2008. The encryption algorithm, Dual_EC_DRBG, has been criticized by cryptographers since 2005, who claim that it likely contains a backdoor. Despite the warnings, the government agency responsible for “issu[ing] U.S. government standards for encryption algorithms,” the National Institute of Standards and Technology (NIST), standardized this algorithm in 2006, but withdrew it in 2013 after disclosures by Edward Snowden. Juniper launched an internal investigation and the FBI also investigated.
The Congressional members note that “[i]t has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered. The American people – and the companies and U.S. government agencies that trusted Juniper’s products with their sensitive data – still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, year later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security.” Attorney General William Barr and other government officials have recently urged technology companies to “subvert the encryption in their products in order to facilitate government surveillance.” Wyden and the other members add that Juniper could be a valuable case study for the dangers of backdoors and “the apparent ease with which government backdoors can be covertly subverted by a sophisticated actor.”
The Members specifically asked Juniper Networks “Why did Juniper not disclose to NIST that its products used the Dual_EC_DRBG algorithm?”; Why Juniper “opted to use a different Q value [than specified by NIST], …how it was generated and by whom. If Juniper did not generate this Q value following the procedures described in NIST Special Publication 800-90, please explain why.”
Juniper has also been asked for the results and scope of its investigation in the wake of the discovery of unauthorized code.
The Senators and Representatives have set a deadline of July 10 for Juniper’s response.