January 29, 2021

Wyden and Booker Question NSA Response Following Supply Chain Hacks of SolarWinds And Juniper Networks

Reps. Malinowski, Jayapal, Lieu, Lynch, Foster, DelBene, Clarke and Eshoo Join Letter Probing NSA’s Role in Juniper Encryption Backdoor, and Response to Supply Chain Hack

Washington, D.C. – U.S. Senator Ron Wyden, D-Ore., Sen. Cory Booker, D-N.J., and eight U.S. House members today asked the National Security Agency to explain the NSA’s actions to protect the government from supply chain attacks, like the recent SolarWinds hack, in which malicious code is snuck into commercial software used by the government.

The recent SolarWinds hack has brought attention to the vulnerability of the government to supply chain attacks. However, five years ago another vendor to the U.S. government – Juniper Networks – revealed it also inadvertently delivered software updates containing malicious code. 

In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers. Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor.

However, despite promising a full investigation after it announced the breach, Juniper has never publicly accounted for the incident.

Reps. Tom Malinowski, D-N.J., Ted Lieu, D-Calif., Stephen Lynch, D-Mass., Bill Foster, D-Il., Suzan DelBene, D-Wash., Yvette Clarke, D-N.Y., and Anna Eshoo, D-Calif., co-signed the letter. 

“The American people have a right to know why NSA did not act after the Juniper hack to protect the government from the serious threat posed by supply chain hacks. A similar supply chain hack was used in the recent SolarWinds breach, in which several government agencies were compromised with malware snuck into the company’s software updates,” the members wrote in the letter

The full letter is available here.

The members asked the NSA to answer the following questions

  1. After Juniper’s 2015 public disclosure that it inadvertently delivered software updates and products to customers containing malicious code, what actions did NSA take to protect itself, the Department of Defense, and the U.S. government from future software supply chain hacks? For each action, please identify why it was not successful in preventing the compromise of numerous government agencies in 2020 by a malware-laden update delivered by SolarWinds.
  2. In the summer of 2018, during an unclassified briefing with Senator Wyden’s office, senior NSA officials revealed the existence of a “lessons learned” report on the Dual_EC_DRBG algorithm. Senator Wyden’s office has repeatedly requested this report, but NSA has yet to provide it. Please provide us with a copy of this report and any official historical reports that describe this algorithm, its development, and subsequent exploitation.
  3. At the time that NSA submitted Dual_EC_DRBG to NIST for certification, did NSA know the algorithm contained a backdoor?
  4. According to the NIST cryptographer’s postmortem, NSA informed NIST in 2005 that it selected the “Q” value that was published in the NIST Duel_EC_DRBG standard in a “secure, classified way.” Was this statement accurate? Please explain.
  5. Juniper has confirmed that it added support for Dual_EC_DRBG “at the request of a customer,” but refused to identify that customer, or even confirm whether that customer was a U.S. government agency. Did NSA request that Juniper include in its products the Dual_EC_DRBG algorithm, P and Q values which were different from those published by NIST, or another NSA-designed encryption standard named Extended Random?
  6. What statutory legal authority, if any, would permit NSA to introduce vulnerabilities into U.S. government approved algorithms certified by NIST and to keep those vulnerabilities hidden from NIST?
  7. Would efforts by NSA to introduce backdoors or other vulnerabilities into government standards require the approval of the NSA Director, an inter-agency consultation, including input from the Cybersecurity and Infrastructure Security Agency, the Department of Commerce, the Federal Trade Commission, and the Federal Communications Commission? Would they require notification to the Congressional intelligence committees or an order from the Foreign Intelligence Surveillance Court? If no, please explain why.