How Far Did the Juniper Hack Go? ‘Some of That Gear Was in Place for Years,’ DHS Official Says


The vulnerability concerns unauthorized code placed in the vendor's firewalls and virtual private networks that could have allowed hackers to read encrypted messages.

Within a month of the discovery of a potential spying hole in widely used Juniper networking tools, federal agencies identified which of their critical operations were affected. But the possibility remains that hackers tapped U.S. government communications before that scavenger hunt, a top Homeland Security Department official said Tuesday.

Tomorrow, a House Oversight and Government Reform subcommittee will probe the federal government's response to the Juniper hack. The vulnerability concerns unauthorized code placed in the vendor's firewalls and virtual private networks that could have allowed hackers to read right through supposedly encrypted messages.

Juniper disclosed the existence of the 3-year security threat Dec. 17. The U.S. government had spent about $13 million on Juniper products since 2012 by that time.

"I'm confident that that particular vulnerability has been addressed," John Felker, director of the DHS 24-7 National Cybersecurity and Communications Integration Center, told Nextgov. "However, and I don't know this for a fact, but I'm told that there was potentially a backdoor built into some of that" technology too, he said, referring to unconfirmed reports. Felker added, "Some of that gear was in place for years."

On April 7, Juniper released a planned update of certain ScreenOS products affected by the hack that replaced the "encryption methods used in prior versions."

The encryption formula at issue is intended to scramble plain text into illegible code, but weaknesses in the math, allegedly inserted intentionally by the National Security Agency, can give U.S. spies a clear picture. And anyone else, be it friend or foe, could take advantage of the encryption loophole too.


To find out which federal activities might be at risk of espionage, DHS took a census poll of agency IT shops, Felker said.

"Some people didn't have the problem because they had different hardware," he said. "Some people did. We got a huge percentage of it squared away."

Part of Wednesday's House hearing will focus on what the committee describes as a vulnerability in Juniper software that may have impacted a large number of federal agencies.

Andy Ozment, DHS assistant secretary for cybersecurity and communications, is slated to testify, along with private security investigators from ThreatConnect and Mandiant Consulting. IT officials from the departments of Treasury and State also are scheduled to discuss their capability to detect and troubleshoot security defects.

In the aftermath of the Juniper revelations, the agencies DHS asked to take inventory were mainly ones that handle critical operations, Felker said.

Nextgov caught up with Felker after a cybersecurity symposium hosted by AFFIRM.

DHS worked with the agencies to reach a point where they had either patched the holes with new Juniper software or switched out the products, he said.

Homeland Security also coordinated with Juniper throughout the crisis, Felker said.

Felker and three other DHS individuals knew of the security glitch from the company "way before" the public, he said. Felker declined to say how much longer Juniper and DHS kept the security holes close to the vest.

The collaboration between the government and the private sector, in this instance, exemplifies the trust the cyber nerve center wants more of across all industries, he said.

"We did not share with anybody based upon their desire not to do so," Felker said. Once Juniper understood the scope and nature of the dangers, DHS and the vendor went open with it, he said.

It is still not publicly known who hacked Juniper's code.

The New York Times reported in 2013 that documents leaked by former intelligence contractor Edward Snowden revealed the NSA had crafted some of the security weaknesses now in play as part of a decade-long effort to break encryption technologies.

Nextgov has requested comment from Juniper.