UPDATED 22:18 EDT / JUNE 10 2020

SECURITY

Congress queries Juniper Networks as debate stirs over new encryption law

A group of three U.S. senators and 13 members of the U.S. House of Representatives have sent a letter to Juniper Networks Inc. seeking to discover the outcome of an investigation by the company into encryption backdoors found in its ScreenOS operating system for firewalls in 2015.

Led by Democrat Ron Wyden, who sits on the Senate Intelligence Committee, the letter has been sent in relation to an investigation into a proposed law called the EARN IT Act that would penalize companies offering security that law enforcement can’t easily penetrate. In simpler terms, the legislation, if passed, would require companies to offer a backdoor into encrypted systems for law enforcement.

“Attorney General (William) Barr is demanding that companies like Facebook weaken their encryption to allow the Department of Justice to monitor users’ conversations,” Wyden told Reuters today. “Congress and the American people must understand the serious national security risks associated with weakening the encryption that protects Americans’ personal data, as well as government and corporate systems.”

The Juniper cases came to light in December 2015, when the company said it had found “spying” code implanted into certain versions of ScreenOS, the operating system for its NetScreen firewall and VPN products. That code was said to allow unauthorized remote administrative access to the device over SSH or telnet that could lead to a complete compromise of the affected system.

From the moment Juniper went public with the details, the finger was pointed at state-sponsored actors. Less than a week after the details were disclosed, security researchers claimed that the backdoors had been put there by the U.S. National Security Agency.

In a further twist, it was later alleged that the compromised code, a Dual Elliptic Curve Deterministic Random Bit Generator, was known to contain a backdoor designed by the NSA, but that Juniper had used the code since 2008 despite being aware of the security risks.

“It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered,” the letter to Juniper states. “The American people — and the companies and U.S. government agencies that trusted Juniper’s products with their sensitive data — still have no information about why Juniper quietly added an NSA-designed, likely-backdoored encryption algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security.”

Juniper is not alone in failing to release the findings of an investigation. The U.S. Federal Bureau of Investigation also launched its own investigation into the Juniper backdoor case but published no findings.

Concern about the EARN IT Act crosses party lines. The letter to Juniper was also signed by Republican Senator Mike Lee of the Judiciary Committee along with the chairmen of the House Judiciary and Homeland Security committees.

“Juniper’s experiences can provide a valuable case study about the dangers of back doors, as well as the apparent ease with which government back doors can be covertly subverted by a sophisticated actor,” the letter added.

Photo: Grendelkhan/Wikimedia Commons
