Foreign cyber spies could be stealing “crucial” national security information because of a little-discussed software flaw, Rep. Will Hurd (R-Texas) said in a Wall Street Journal op-ed.
Hurd is part of a House Oversight Committee investigation into which agencies use the vulnerable software. It was revealed in December that numerous government agencies employed a security tool that had an unauthorized backdoor planted in it.
“The federal government has yet to determine which agencies are using the affected software or if any agencies have used the patch to close the backdoor,” said Hurd, who chairs the Oversight Committee’s Subcommittee on Information Technology. “Without a complete inventory of compromised systems, lawmakers are unable to determine what adversaries stole or could have stolen.”
The defect, which stretched back at least three years, was in software used to protect data, sparking fears that a foreign government was using the backdoor to intercept sensitive communications.
The company behind the vulnerable software, Juniper Networks, released a patch within days of announcing the defect. But there is no record of whether agencies appropriately updated the software, known as ScreenOS.
“If government systems have yet to be fixed then adversaries could still be stealing sensitive information crucial to national security,” Hurd said. “The Department of Homeland Security is furiously working to determine the extent to which the federal government used ScreenOS. But Congress still doesn’t know the basic details of the breach.”
When it comes to breach reporting, the government should be held to a similar standard as regulated private sector companies, Hurd added.
“U.S. banks that use this software for encryption were forced to share the extent of their use to the Securities and Exchange Commission only hours after the compromise was disclosed,” he said. “It is government agencies that are dragging their feet.”
Hurd also noted that the government shouldn’t have been using the outdated version of ScreenOS in the first place. The software was last updated in 2011.
“This product is considered a legacy system that many users have replaced with better technology, yet the U.S. government hadn’t bothered to update to a newer, more-secure system,” Hurd said.
The committee has given agencies until Feb. 4 to respond to the inquiries.