It doesn't matter if the NSA planted the Juniper backdoor

They kept it open, which puts them on the wrong side of the cyberwar

All week, the security world has been puzzling over a newly discovered backdoor into Juniper's VPN software. The software isn't popular, but it's often used for high-security corporate work, making it exactly the kind of software intelligence agencies are eager to break. Different clues point to China, the UK, or America's NSA, which is closely linked with the random-number generator used in the backdoor — but so far, no one has found a firm link to any of the agencies.

Now, The Intercept has provided one more reason to think the NSA was involved. According to new documents from the Snowden files, the NSA was aware of exploits in the same Juniper products as early as 2011. It can't be exactly the same backdoor, since much of the code in question didn't ship until the following year, but it's likely to have at least foreshadowed the newly discovered bug. If the NSA had reported its exploit to Juniper at the time, the resulting patch might well have closed down the entire backdoor right then.

Even if the backdoor was planted by China, the NSA is still responsible

As The Intercept is careful to note, that's not evidence that the NSA planted the newly discovered backdoor — but they knew how to exploit some version of it and they weren't shy about sharing that knowledge. That leaves us with two possibilities. In one, the NSA went on to plant the backdoor and kept it open for the next three years. That's bad — but the other possibility, that the backdoor was planted by a foreign power like China or a free agent, is even worse.

In that scenario, the NSA created the conditions through which the backdoor could exist — developing Dual_EC_DRBG's backdoor properties and shepherding it through NIST certification, ensuring it was available to any developer who wanted to drop it in. And once the NSA discovered that power could be used to compromise a crucial piece of security software, the agency did nothing to stop it. That's not active collusion with a foreign power, but the end result is the same. The US and China both gain the ability to compromise a secure channel, and neither one moves to close off the other's access.

That kind of collusion is a risk no matter who planted the backdoor in the first place. China can stumble onto our backdoors just as well as we can stumble onto theirs. In this specific case, it comes down to a single number, known to researchers as Q, which works as a kind of skeleton key for defeating that style of encryption. In theory, only the power that planted the bug should know the value of Q — but once Q exists, the possibility of a compromise is impossible to entirely dismiss.

Of course, it's not the NSA's job to fix VPN systems, and many have already pointed out that, according to the mission of the organization, the NSA did nothing wrong. The agency was tasked with gathering signals intelligence, and it did so. NSA agents compromise software, just like CIA employees sometimes lie to people. We can't call it a failure of judgment or even an error. The organization did what it was built to do, exactly according to its founding charter.

But that logic is a blank check, the cost of which is becoming intolerable. We can't assess the full damage of the Juniper backdoor — we likely never will — but we've seen the damage security flaws can wreak in other circumstances. The NSA wasn't tasked with protecting Sony Pictures or Target, or even with preventing the catastrophic breach that leaked sensitive data on 14 million federal workers this summer. (Since the Office of Personnel Management is a civilian agency, that task fell to Homeland Security.) Those attacks were outside the scope of the NSA, so when the question arose of whether to report the backdoor, that possibility didn't factor in. The NSA found great value in keeping the Juniper backdoor open, and it absorbed none of the cost.

When we talk about cyberwar, we usually think in terms of nations: NATO or the Five Eyes in one corner, facing off against China, Russia or Iran. But what we know about the Juniper backdoor defies that way of thinking. Instead of one nation against another, we've seen an international cadre of government-funded organizations colluding to punch a hole in software and keep it open, no matter who used it. On the other side, we've seen a small group of security researchers fighting to locate the backdoor and close it: academics in America, private security companies from California, London and Amsterdam. The battle lines are clear, but they're not where you might expect them to be. Instead of the US against China, we're seeing bugs against patches, boots against faces. Whether the NSA planted Juniper's backdoor or not, it's on the wrong side of that line.