House panel slams feds for slow patching in Juniper breach

Although Juniper Networks moved quickly to provide patches for vulnerabilities in it ScreenOS products last year, some agencies took almost two months to install the patches, according to the chairman of a House Oversight and Government Reform Committee subcommittee.

Rep. Will Hurd (R-Texas), chairman of the IT Subcommittee, took the CIO of one of those agencies to task during an April 20 hearing on federal cybersecurity. A month after the breach came to light, Hurd said, the committee sent letters to 24 federal agencies asking for an inventory of systems running the software and for an update on the software patches. 

"Of the 12 agencies affected, three -- including the Department of Treasury -- took longer than 50 days to fully install patches and mitigate the threat posed by this vulnerability," he said in his opening statement. "This is absolutely unacceptable."

Treasury CIO Sanjeev "Sonny" Bhagowalia defended his agency's response and said it had conducted a risk-based assessment and tackled the most public-facing or critical potential exposures first.

"Treasury fixed 25 percent of the patches in a day, 84 percent within a week, 86 percent within two weeks and 93 percent in seven weeks," he said. Although the remaining systems were not in particularly vulnerable positions, Bhagowalia said that in retrospect, his agency should have moved quickly even with those systems.

Hurd grilled Bhagowalia on the agency's use of aging versions of software that Juniper no longer supports. The Treasury CIO said his agency operates hundreds of systems and only a small percentage run unsupported software.

Hurd said better attribution of attacks -- including those perpetrated by stealthy, heavily resourced advanced persistent threat actors like the ones that apparently backed the Juniper hack -- could be a deterrent.

Richard Barger, chief intelligence officer at security provider ThreatConnect, agreed that attribution could be a deterrent and said he believed the Juniper hack was the work of a nation-state because of the resources it took to break into the software and remain hidden for months.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said the company acted forthrightly by issuing quick notifications and patches for the software. "They were the victim" of hackers, he added, but managed to get the word out.

Rep. Ted Lieu (D-Calif.) disagreed. "The federal government and the American people are the victims," he said. He added that Juniper had been invited to testify at the hearing but declined, a response he said is "disrespectful and insinuates they have something to hide."

Lawmakers also questioned Ozment about vulnerabilities in a common telephony protocol called Signaling System No. 7 (SS7), which was revealed in a recent CBS "60 Minutes" report. A reporter called Lieu on a commercial mobile phone, and researchers at Berlin-based Security Research Labs exploited the flaw to listen in on the conversation.

Ozment said laws passed in 2014 and 2015 to strengthen DHS' cybersecurity efforts and operations have helped the agency get a better handle on intrusion detection and mitigation. The agency's implementation of the Automated Indicator Sharing system that facilitates machine-to-machine sharing of cyberthreat indicators between the government and the private sector is growing, he added. Fourteen non-federal entities have connected to the system, and 82 more are in the process of connecting.

Furthermore, Ozment said DHS was aware of the SS7 vulnerability, but because it is not a regulatory agency, it could not take direct action with telecommunications carriers. He added, however, that DHS has asked companies to watch out for the vulnerability.