The Treasury Department’s chief information officer came under fire on Wednesday over the government’s use of a vulnerable technology that some fear could have let foreign governments snoop on encrypted U.S. communications.
No data was stolen via the software flaw, Sanjeev Bhagowalia insisted during a House Oversight IT subcommittee hearing Wednesday. Further, he said, the department deployed 25 percent of the needed patches in a single day. The remaining patches were applied in just over eight weeks.
But his testimony did not appear to satisfy some lawmakers, who still wanted to know exactly what government data may have been exposed and whether the agency has appropriately updated its software.
“How would you know if something was taken or not?” Rep. Will Hurd (R-Texas) pressed Bhagowalia.
He also demanded to know how much so-called legacy software the Treasury Department is using — software that is no longer updated or supported by the vendor.
“It’s a small percentage,” Bhagowalia said, but he did not name an exact figure.
The Oversight Committee is currently investigating the government’s use of the flawed software, made by Juniper Networks. Earlier this year, the committee sent out letters to 24 departments and agencies asking about the compromised software.
The inquiry comes after it was revealed in December that several government agencies had been using a security tool for years with an unauthorized backdoor planted in it.
Many immediately surmised that the nefarious code had been placed there by a foreign government in the hope of infiltrating the entire U.S. government network.
One U.S. official described the situation to CNN as akin to "stealing a master key to get into any government building."
Others noted the backdoor may have been repurposed from a tool the National Security Agency (NSA) had initially created.
The flaw, which apparently existed for at least three years, was in virtual private network (VPN) software that is used to protect data in transit.
Juniper released a patch within days of announcing the defect, calling it the “highest priority” update. The company also decided in early January to no longer rely on an NSA-approved encryption algorithm because of fears the NSA may have indirectly helped create the backdoor.
Bhagowalia downplayed the risk associated with the breach, although he insisted the agency was taking it seriously.
Forty of the 57 devices using the software were classified as “high risk” out of an “overabundance of caution,” Bhagowalia said — but only four were connected to the Internet, as opposed to Treasury’s internal network. One of those Internet-facing connections was with the Mint, he said.
But he described a number of layers of security, arguing they justified his confidence that the agency’s data was secure.