The chairman of the House Oversight and Government Reform IT Subcommittee took the federal government to task Wednesday over its lackadaisical response to the backdoor discovered in Juniper Network’s widely used security software last month.
Freshman Rep. Will Hurd, R-Texas, wrote in an op-ed in the Wall Street Journal that the government dragged its feet in notifying lawmakers on how it’s responded to the vulnerability discovered in Juniper’s ScreenOS software, despite the fact that the information should be easy to obtain.
“Without a complete inventory of compromised systems, lawmakers are unable to determine what adversaries stole or could have stolen,” Hurd wrote.
In December, the company discovered the backdoor that would allow sophisticated hackers to control the firewall of un-patched Juniper products and decrypt network traffic. The company’s products are used by a number of government agencies, including the departments of Defense, Justice and Treasury.
The FBI and Department of Homeland Security have been working to determine if there has been any damage done to government systems and whether they’ve been patched, but Hurd said agencies have been short on details.
The op-ed comes as members of the oversight committee issued a letter (like this one) to 24 agencies last week demanding agencies list their inventory of Juniper products and whether they’ve been patched.
“If they fail to respond they will be called before Congress to explain why they couldn’t produce this basic information — even though the 2002 Federal Information Security Management Act requires government bodies to monitor and protect the data they possess,” Hurd wrote.
The incident shines a light on two areas where the government uses technology, Hurd writes. He called for agencies to move away from legacy software — which ScreenOS can be considered as — and refrain from calls to insert backdoors into encryption for the sake of law enforcement investigations.
Read the full op-ed on the Wall Street Journal (paywall).