SAN FRANCISCO (Reuters) – A group of U.S. lawmakers preparing to fight a legislative attack on encrypted communications is trying to establish what happened when encryption was subverted at a Silicon Valley maker of networking gear.
FILE PHOTO: U.S. Senator Ron Wyden (D-OR) speaks during a Senate Finance Committee hearing on the role of unemployment insurance during the coronavirus disease (COVID-19) pandemic on Capitol Hill in Washington, U.S., June 9, 2020. REUTERS/Leah Millis/Pool
Democrat Ron Wyden, who sits on the Senate Intelligence Committee, said the 2015 incident at Sunnyvale-based Juniper Networks could shed light on the risks of compromised encryption before an expected hearing on the proposed legislation.
The EARN IT Act could penalize companies that offer security that law enforcement can’t easily penetrate.
“Attorney General (William) Barr is demanding that companies like Facebook weaken their encryption to allow the Department of Justice to monitor users’ conversations,” Wyden told Reuters.
“Congress and the American people must understand the serious national security risks associated with weakening the encryption that protects Americans’ personal data, as well as government and corporate systems.”
In a letter to Juniper Chief Executive Rami Rahim sent late Tuesday, Wyden, Republican Senator Mike Lee of the Judiciary Committee, and the chairmen of the House Judiciary and Homeland Security committees asked what had happened to an investigation Juniper announced after it found “unauthorized code” inside its widely used NetScreen security software in 2015.
Soon after, reseachers discovered the code in question had changed one part of a security mechanism secretly designed by the National Security Agency and widely believed to contain a back door for spying, known as Dual Elliptic Curve.
Juniper included the NSA technology before its exposure in the wake of Edward Snowden’s leaks about the agency’s method. Some time later, insiders or outside hackers switched the key here to the back door, giving access to user traffic.
The FBI launched an investigatihere that was never publicly resolved.
Juniper did not respond to a request for comment on the letter or the status of its investigation.
Many questions remain, including why the company adopted the technology, what U.S. spies were able to glean through it, and how many U.S. government and commercial customers were monitored in the second round of espionage.
“Juniper’s experiences can provide a valuable case study about the dangers of back doors, as well as the apparent ease with which government back doors can be covertly subverted by a sophisticated actor,” the elected officials wrote to Juniper.
Reporting by Joseph Menn; Editing by Greg Mitchell and Lincoln Feast.