A private-sector security flaw that could have resulted in the theft of classified government data illustrates why backdoors for encryption are “dangerous,” a lawmaker from Texas wrote on Tuesday.
“This incident shows that backdoors to bypass encryption — even those requested by law enforcement or mandated by lawmakers — are extremely dangerous,” Republican Rep. Will Hurd wrote in a column for the Wall Street Journal.
Hurd was referring to last month’s announcement from California-based Juniper Networks that an unauthorized backdoor had been placed in software that it provides to the federal government, and that a breach had been possible since 2013. Hurd noted that federal agencies have yet to disclose certain technical information about the case to the House Oversight Committee.
The National Security Agency routinely hacks private companies in order to create backdoor mechanisms in encryption products that allow the agency to maintain access, which makes the NSA a suspect in the case. However, the flaw that was created could also have allowed foreign governments to bypass the encryption, a scenario that concerns lawmakers.
On Jan. 21, the Oversight Committee sent a letter asking the heads of 24 federal agencies to disclose details surrounding their usage of Juniper’s software. The company has offered a patch to fix the problem, but it isn’t clear whether all of the affected agencies have installed the patch.
“This vital information should not be difficult to obtain,” Hurd wrote in his column. “If they fail to respond they will be called before Congress to explain why they couldn’t produce this basic information.”
Hurd also pointed out that the software in question, which is also used by several intelligence agencies, is considered a “legacy” system, and cited a Government Accountability Office report that found agencies have wasted significant resources on these systems.
“The federal government spent over $80 billion on IT procurement [in 2015] and 80 percent of those funds were for legacy systems,” Hurd said. “This practice of not keeping up with the times renders our nation’s IT infrastructure less efficient and exponentially more vulnerable.”
Hurd concluded by emphasizing the need to strengthen, rather than weaken, encryption abilities.
“There is no way to create a backdoor that is not vulnerable to this kind of breach,” Hurd added. “Encryption is essential to our national security and economy; we should be focused on strengthening it, not weakening it.”