Lawmakers on a House Oversight subcommittee criticized a Treasury Department official Wednesday over the slow roll-out of patches to a flaw discovered in encryption software used by the government last December — a fix it took the department more than eight weeks to adopt.
Texas Republican Will Hurd demanded to know why it took Treasury Department Chief Information Officer Sanjeev Bhagowalia’s department two months to update virtual private network software developed by Juniper Networks after the company discovered an unauthorized backdoor last year.
“Of the 12 agencies affected, three, including the Department of Treasury, took longer than 50 days to fully install patches and mitigate the threat posed by this vulnerability,” Hurd, chairman of the Information Technology Subcommittee, said during a committee hearing Wednesday. “This is absolutely unacceptable.”
Bhagowalia said the department implemented 25 percent of the most critical patches in one day, another 84 percent within a week and the rest within just over eight. The CIO explained that while 40 of the 57 devices using the software were classified as high risk, only two of them, at the U.S. Mint and the Bureau of Engraving and Printing, were connected to the Internet.
“Within a couple of hours after the vulnerability was announced by the equipment manufacturer, the Treasury SOC [security operations center] alerted bureau-level SOC counterparts to the vulnerability and to the mitigation instructions provided by the vendor,” Bhagowalia said in his testimony. “Thanks to the quick action of the Treasury SOC and the bureaus’ SOCs, remediation was already under way by the time government-wide alerts to patch vulnerable appliances were issued.”
He added that no data was compromised or stolen via the vulnerability, which had been present in the software for the last three years and which some speculate was intentionally planted by a foreign government. He conceded the department should have been more proactive in patching all vulnerable systems.
“How would you know if something was taken or not?” Hurd said.
The Texas Republican pressed Bhagowalia on why the department was still using so-called “legacy” systems no longer supported with updates by the manufacturer, an issue highlighted government-wide since the massive breach discovered last year at the U.S. Office of Personnel Management.
Bhagowalia said such systems only make up a “small percentage” of those within the department.
In December Juniper announced it had uncovered “unauthorized code that could allow a knowledgeable attacker to gain administrative access” to certain devices and “decrypt VPN [virtual private network] connections.”
Numerous government agencies and private companies have used the operating system, called ScreenOS, for the last three years. One government official likened the vulnerability to “stealing a master key to get into any government building.”
Documents leaked by National Security Agency whistleblower Edward Snowden indicate the NSA may have known about a version of the flaw in the software’s random number generator in a prior release in 2011; however, officials said the backdoor was not planted intentionally by any U.S. agency.
Juniper released a patch for the vulnerability days after the announcement in December and earlier this month replaced the NSA-approved random number generator with code from another product line over concerns NSA intentionally left or exploited the flaw, indirectly leaving it for others to find.
The FBI launched an investigation into the vulnerability for any evidence of use by hackers to access classified information, but said the findings could take time to determine because of the technology’s broad deployment across federal networks.
The House Committee on Oversight and Government Reform sent letters to 24 federal agencies in January asking about the use of the affected encryption technology.
ThreatConnect CIO Richard Barger, another witness at Wednesday’s hearing, agreed the hack was likely the work of a nation-state, given the technical prowess needed to keep it hidden for so long.
While a representative for the Department of Homeland Security sympathized with Juniper as the “victim” in the hack and praised the company’s response, California Democrat Rep. Ted Lieu, who holds a degree in computer science from Stanford, criticized the company for declining to show up for the hearing.
“Juniper is not the victim in this case,” Lieu said. “The U.S. government and the American people are.”
“I find it disrespectful that they did not come here to testify,” he added. “It insinuates they have something to hide.”