SolarWinds Hack – US Congress Puts Pressure on NSA Re: Encryption!

Members of the US Congress are demanding the US National Security Agency (NSA) reveal what it knows about the 2015 Juniper Networks supply-chain delivery breach.

In a letter sent by US Senator Ron Wyden & 9 additional members of Congress, the lawmakers demand a full account of the NSA-designed encryption algorithm compromised in 2015.

Effective Oversight

Triggering the inquiry is the massive SolarWinds supply-chain attack. In their letter sent last week to the NSA, lawmakers suggest the spy agency is lacking effective oversight of software supply-chains relied upon by the US Govt. & private industry.

“In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers,” a Wyden statement read. “Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, & that the hackers modified the key to this backdoor.”

Algorithm

The major issue among US lawmakers is the allegation that the NSA’s “Dual_EC_DRBG” algorithm, submitted to the US National Institute of Standards & Technology (NIST), contained an encryption ‘backdoor’ for the agency. This move, lawmakers suggested, concerns Congress because it appears to be a tacit endorsement of weak encryption.

“The American people have a right to know why NSA did not act after the Juniper hack to protect the government from the serious threat posed by supply chain hacks.

A similar supply chain hack was used in the recent SolarWinds breach, in which several govt. agencies were compromised with malware snuck into the company’s software updates,” the members wrote.

Intentionally Weak Crypto

In 2016, Juniper removed the backdoored Dual_EC_DRBG algorithm, which affected its ScreenOS operating system. NIST also withdrew the algorithm, citing security concerns.

Juniper’s use of Dual_EC dates to 2008, at least a year after Dan Shumow & Niels Ferguson’s landmark presentation at the CRYPTO conference, which first raised suspicion that Dual_EC had been backdoored by the NSA.

The move to remove Dual_EC (& also ANSI X9.31 PRNG) confirmed the widely held view that the vulnerabilities were tied to operations by the NSA described in the 2013 article published by the German publication Der Spiegel.

Edward Snowden

That article described the existence of a catalogue of hardware & software tools used by the NSA to infiltrate equipment manufactured by Juniper, Cisco & Huawei. The story was based on a leaked 2013 document from infamous former contractor Edward Snowden.

Calls for encryption backdoors date back to the 1990s & the so-called ‘Crypto Wars.’ That is when President Bill Clinton’s administration insisted that the US Govt. have a way to break the encryption that was exported outside of the US.

Lessons Not Learned, Repeated with SolarWinds?  

In the Jan. 28 letter to NSA Chief Gen. Paul Nakasone, the group of US Democratic lawmakers asks the agency to provide a previously undisclosed report about “lessons learned” from the Juniper hack & to detail what actions NSA took afterwards. The lawmakers gave NSA until Feb. 26 to respond.

In June, Wyden also co-signed a letter to Juniper CEO Rami Rahim seeking answers about the hack. Experts have long expressed concern that the weaknesses in the NSA algorithm could have been exploited by any number of hackers.

The SolarWinds & Juniper hacks are similar in that both involved federally managed computer systems & compromised software supply chains.
