Lawmakers press for attribution on govt software security hole

Lawmakers press for attribution on govt software security hole
© Getty Images

Lawmakers want to know who is behind an unauthorized government backdoor found in software used by agencies including the Defense Department, the Department of Health and Human Services, the State Department and the Office of Personnel Management.

“I feel like in this case, of the Juniper ScreenOS hack, people have been reticent to do attribution, even general attribution,” Rep. Will Hurd (R-Texas) said during a House Oversight and Government Reform Subcommittee on Information Technology hearing Wednesday.

ADVERTISEMENT

Responding to questions from Hurd, Richard Barger, the chief intelligence officer at the security firm ThreatConnect, argued that hackers sophisticated enough to carry out the hack would likely be backed by a nation-state.

“I would think that a criminal or ideological group wouldn’t necessarily have the resources or the motivation to leverage that type of attack,” Barger said.

The committee is currently investigating the government’s use of the flawed software, made by Juniper Networks.

The inquiry comes after it was revealed in December that several government agencies had been using a vulnerable security tool for years with an unauthorized backdoor planted in it.

Many immediately surmised the nefarious code had been placed there by a foreign government with the hopes of infiltrating the entire U.S. government network.

One U.S. official described the situation to CNN as akin to "stealing a master key to get into any government building."

Observers believe the backdoor may have been repurposed from a tool the National Security Agency (NSA) had initially created in Juniper’s products.

The flaw, which apparently existed for at least three years, was in a virtual private network software used to protect data.

Juniper released a patch within days of announcing the defect, calling it the “highest priority” update. The company also decided in early January to no longer rely on an NSA-approved encryption algorithm because of fears the NSA may have indirectly helped create the backdoor.

But who hacked into the vulnerable software and manipulated the source code remains unknown.

Andy Ozment, assistant secretary for cybersecurity at the Department of Homeland Security, did not seem surprised that there had been no public disclosure of blame for the hack.

“The government has historically used attribution in relatively few cases. So I don’t view it as unusual that the government has not attributed in this particular incident,” he said Wednesday.