Congress on Juniper patches: What took so long?
Lawmakers pressed the CIO of the Treasury Department hard Wednesday on why it took the agency eight weeks to patch all of its systems that were using Juniper Networks’ software — found to be vulnerable to cyber attacks.
Members of the House Committee on Oversight and Government Reform’s IT subcommittee pushed Treasury CIO Sonny Bhagowalia to explain his strategy for mitigating the threat related to Juniper’s products in the wake of the company’s December discovery of a back door in its NetScreen product.
The California-based company discovered the back door would allow sophisticated hackers to control the firewall of un-patched Juniper products and decrypt network traffic. The company’s products are used by a number of government agencies, including the departments of Defense, Justice and Treasury.
Bhagowalia told the subcommittee that Treasury moved into a plan of action hours after learning of the vulnerability, patching highly critical systems within a day, and 84 percent of systems using Juniper within a week. However, due to the remaining systems having a low-risk profile, Treasury did not fully completely patching systems using Juniper products for two months.
This timeline came under criticism from Rep. Will Hurd, R-Texas, the subcommittee’s chairman.
“This is absolutely unacceptable,” Hurd said in his opening remarks. “The inability of federal agencies to maintain a comprehensive view and inventory of their information systems and respond to Congress in a timely manner cannot be the status quo.”
[Read more: Congress demands info on Juniper back door]
Vulnerabilities in the State Department Consular Consolidated Database were also examined, following a recent ABC News report stating that experts found security gaps that could have allowed hackers to doctor visa applications or pilfer sensitive data like photographs, fingerprints and social security numbers.
Rep. Gerry Connolly, D-Virginia, told State Department CIO Steven Taylor that more needs to be done to close those holes given the hundreds of thousands of data points that system holds.
“If I were up to no good, I would look for low-hanging vulnerable fruit,” Connolly said. “The subcommittee has found lots of that.”
The two scenarios were held up as examples of how the federal government needs to shore up its mitigation protocols. Andy Ozment, director of the Department of Homeland Security’s National Protection and Programs Directorate, said while agencies are responsible for their own cybersecurity risk, DHS programs like Einstein and Continuous Diagnostics and Monitoring are helping the government close the gaps.
Yet even as CDM’s first phase comes close to being implemented across the federal civilian government, Ozment said systems that lack patches or security support still give him cause for worry/
“I think this is a major problem,” Ozment said in response to a question from Rep. Blake Fahrenthold, R-Texas. “I will tell you we scan agencies externally and we look for critical vulnerabilities. An unsupported device is a critical vulnerability. Some of our most challenging discoveries in that process is finding unsupported devices at smaller agencies.”
As far as Juniper’s role in the vulnerability’s discovery, Ozment said the company should be viewed as a victim, doing “a very responsible job” in working with DHS to get the word out.
“I salute them for working to make their customers safe,” he said.
Rep. Ted Lieu, D-Calif., took the opposite stance given that Juniper was invited to hearing the declined, leading him to believe “it insinuates they have something to hide.”
“[Juniper] aren’t the victims, the U.S. government and the American people are,” Lieu said. “We need to view this in a whole different lens. When products are made to try to protect the government and they fail, the companies are not the victims.”