The coding hack in Juniper communications technology popular within the federal government is still a whodunit after two hours of congressional testimony.
We do not know where the unauthorized code found in the company's IT firewalls and virtual private networks came from. We do not know if bad guys squeezed through the security gaps before Juniper disclosed them in December 2015 -- or whether attackers broke in afterwards.
What is known is that the government still does not have its act together when a software emergency goes down.
Some agencies, including the Treasury Department, did not finish patching the Juniper ScreenOS product weaknesses until mid-February, the department's IT leader said on Wednesday. The lag could have provided hackers a two-month window of opportunity to potentially break open encrypted messages.
Of the 57 vulnerable devices at Treasury, four were connected to the Internet, including one at the gold-producing U.S. Mint, Treasury Chief Information Officer Sanjeev "Sonny" Bhagowalia told a House subcommittee.
The Obama administration officials said it does not appear that intruders tried to take advantage of the hacked Juniper code in the civilian government.
After scanning federal systems connected to the Internet, DHS did not identify any attempts to compromise civilian agencies using the security defects, Andy Ozment, Homeland Security Department assistant secretary for cybersecurity and communications, testified at the Oversight and Government Reform subcommittee hearing.
Bhagowalia said, "There was no information that we are aware of that has been taken, and we have looked at it very carefully."
Oversight and Government Reform IT Subcommittee Chairman Rep. Will Hurd, R-Texas, pointed out that if attackers were able to decrypt encrypted information, they would not have to remove the data.
The encryption formula in the affected Juniper software was intended to scramble plain text into illegible code but weaknesses in the math -- allegedly intentionally inserted by the National Security Agency, some experts have said – could have provided U.S. spies or adversaries a clear picture of communications.
The New York Times in 2013 reported documents exposed by ex-intelligence contractor Edward Snowden revealed NSA crafted some of the security errors in play during a decade-long effort to break encryption technologies.
On Tuesday, John Felker, director of the DHS 24-7 National Cybersecurity and Communications Integration Center, told Nextgov. “I don’t know this for a fact – but I’m told that there was potentially a backdoor built into some of that" Juniper technology, referring to unconfirmed reports. Felker added, "Some of that gear was in place for years." He did not specifically mention NSA.
Part of the delay in plugging the Juniper software holes stemmed from agencies running unsupported software.
Juniper in 2014 stopped delivering updates for some versions of the products that are now known to be plagued.
"I believe that at least a number of those were out of service and no longer supported," Ozment said.
Today, there are 39 critical IT vulnerabilities across the federal government that have been exposed to hackers for more than 30 days, he added.
"The majority of these are now legacy systems at small agencies that are struggling to manage their IT and to find the budget to replace these legacy system," Ozment said. "These have been the toughest nuts for us to crack."
Ozment said Obama's request for a $3 billion IT modernization fund would go a long way toward weaning the government off its reliance on Cobol, WordPerfect, Windows 98 and other relics of the DOS-age.
Committee Chairman Rep. Rep. Jason Chaffetz, R-Utah, said, not a chance.
"It's unbelievable how far behind we are, and yet, I don't think it's for a lack of funding," he said.
Since 2009, the federal government has "spent more than $525 billion on IT and it doesn’t work," he said. Now Obama "needs $528 billion in order to actually solve these problems? I have a hard time believing that we're just $3 billion away from solving this."