The debate over whether encryption protects systems against hackers or makes it easier for terrorists to hide online has been on full display in Washington after last month’s discovery of a possible government-wide security flaw.
In the House, pro-encryption lawmakers have called for explanations, while on the other side of the Capitol, Senate leaders are drafting bipartisan legislation that would mandate the kind of “backdoor” that Juniper Networks found hidden inside government systems.
The House Committee on Oversight and Government Reform last week sent letters to 24 federal agencies asking about the use of the affected encryption technology.
Juniper announced Dec. 17 it had uncovered “unauthorized code that could allow a knowledgeable attacker to gain administrative access” to certain devices and “decrypt VPN [virtual private network] connections.”
Various federal entities and private companies have used the operating system, called ScreenOS, for the last three years, leading administration officials to surmise the flaw was implanted by a foreign government – possibly China or Russia.
Documents leaked by National Security Agency whistleblower Edward Snowden indicate NSA may have known about a version of the flaw in the software’s random number generator in a prior release in 2011; however, officials said the backdoor was not planted intentionally by any U.S. agency.
Juniper released a patch for the vulnerability days after the announcement in December and earlier this month replaced the NSA-approved random number generator with code from another product line over concerns NSA intentionally left or exploited the flaw, indirectly leaving it for others to find.
The FBI is investigating the vulnerability for any evidence of use by hackers to access classified information, but indicated the findings could take time to determine because of the technology’s broad deployment across federal networks.
The letter from the committee instructs agencies including the Defense, Energy, Treasury, Interior, Labor and State departments, Office of Personnel Management, Consumer Financial Protection Bureau, Nuclear Regulatory Commission, NASA, Securities and Exchange Commission, Department of Transportation and more to report their various offices’ use of the technology and if they were aware of the vulnerability by Feb. 4.
It was signed by multiple House proponents of strong encryption technology including Utah Republican and Oversight Chairman Jason Chaffetz, Texas Republican Reps. Will Hurd and Blake Farenthold, and California Democratic Rep. Ted Lieu.
Last summer Chaffetz slammed agency heads at the Office of Personnel Management for failing to encrypt personal information on over 20 million past and present federal employees and contractors swept up in cyber theft purportedly by China.
“There’s a reason the world’s largest technology companies are increasingly developing stronger and more frequently used encryption technologies,” Chaffetz said during a hearing last year. “It’s not because they’re anti-law enforcement. On the contrary, it’s because sophisticated cyberhacks are nearly daily events.”
During the same hearing in April, Lieu, who has a bachelor’s in computer science from Stanford, called backdoors “technologically stupid,” while Hurd, who holds his own computer science degree from Texas A&M, previously worked for CIA, helped build cybersecurity firm FusionX and chairs the Subcommittee on Information Technology, expressed skepticism at law enforcement agencies’ request for congressionally mandated backdoors.
“I believe we can find a way to protect the privacy of law-abiding citizens and ensure that law enforcement have the tools they need to catch the bad guys,” Hurd said. “As technology continues to evolve and encryption capabilities become a part of everyday life for all Americans, this debate will only grow larger.”
Hurd accurately predicted the debate that’s now dividing Congress, where lawmakers in both the House and Senate are drafting legislation in response to revelations that Islamic State-inspired attackers who left 130 dead in Paris last November used encrypted platforms to plan their attacks — something FBI Director James Comey and others across law enforcement and intelligence agencies have spent the last year warning would happen.
Senate Intelligence Committee Chairman Richard Burr and Ranking Democratic Sen. Dianne Feinstein are planning to propose one such bill to “pierce” encryption.
“Here’s the problem,” Feinstein said last week. “If the Internet goes totally dark, and there are apps that people can use to communicate to plot, to plan, to threaten, to do all of that, you’ve got a real problem.”
On the House side Homeland Security Chairman Mike McCaul, R-Texas, is proposing a commission to compel tech companies to sit down at the table with law enforcement and intelligence agencies to develop a solution — an idea recently supported by the libertarian advocacy group FreedomWorks.
Assistant Attorney General Leslie Caldwell told the State of the Net Internet Policy Conference in Washington Monday that agencies are aggressively pursuing talks with Silicon Valley on a solution.
“From gang activity to child abductions to national security threats, the ability to access electronic evidence in a timely manner is often essential to successfully conducting lawful investigations and preventing harm to potential victims,” Caldwell said, standing in for Attorney General Loretta Lynch and echoing statements the AG made last week.
Caldwell echoed recent congressional testimony by Comey discussing law enforcement’s inability to access encrypted communications sent between an attempted mass shooter and a known terrorist suspect overseas last year, and added the department is “committed to seeking and obtaining judicial authorization for electronic evidence collection in all appropriate circumstances.”