Congress of the United States
Washington, DC 20515

June 10, 2020

Rami Rahim
Chief Executive Officer
Juniper Networks
1133 Innovation Way
Sunnyvale, CA 94089

Dear Mr. Rahim,

We write to seek information about Juniper Networks' investigation of several likely backdoors in its NetScreen line of firewalls.

In December of 2015, Juniper announced that it had discovered unauthorized code in the software it distributed to customers between 2012 and 2015 for its NetScreen firewalls. Soon after Juniper revealed this security breach, cybersecurity researchers determined that the code was likely an backdoor that could be exploited by a sophisticated adversary to unmask the used to protect data flowing over virtual private networks.

Alarmingly, the suspicious code that Juniper discovered in 2015 did not create the backdoor; it apparently modified one that was seemingly already there. Subsequent analysis by an international team of leading experts determined that, in fact, a backdoor had likely been added to Juniper's products as far back as 2008. According to the researchers, the unauthorized code Juniper discovered in 2015 merely changed the keys to this pre-existing backdoor.

The researchers determined that sometime between 2008 and 2009, Juniper quietly added a National Security Agency (NSA) designed algorithm to its products. This algorithm, known as had, since 2005, been the subject of criticism by independent who argued that it probably contained a backdoor. In spite of these warnings, the National Institute of Standards and Technology (NIST), which issues U.S. government standards for algorithms, standardized in 2006. However, after Edward Snowden's disclosures in 2013, NIST withdrew the algorithm. In a post-mortem published in 2014, a senior NIST confirmed that NSA had in fact created that he had been told that NSA did not want to answer questions about possible backdoors, and that, in retrospect, it "should not have been included" in the official NIST standard.

Soon after Juniper revealed in 2015 that it discovered unauthorized code in its products, Juniper announced that it was conducting an investigation into the matter. According to media reports at the time, the Federal Bureau of Investigation also launched an investigation.

It has now been over four years since Juniper announced it was conducting an investigation, but your company has still not revealed what, if anything, it uncovered. The American people and the companies and U.S. government agencies that trusted Juniper's products with their sensitive data still have no information about why Juniper quietly added an NSA-designed, likely-backdoored algorithm, or how, years later, the keys to that probable backdoor were changed by an unknown entity, likely to the detriment of U.S. national security.

Over the past year, Attorney General William Barr and other senior government officials have renewed their call for technology companies to subvert the in their products in order to facilitate government surveillance. Juniper's experiences can provide a valuable case study about the dangers of backdoors, as well as the apparent ease with which government backdoors can be covertly subverted by a sophisticated actor. To that end, we would appreciate answers to the following questions by July 10, 2020:

1. In August of 2009, Juniper obtained joint certification from the U.S. and Canadian governments, certifying that Juniper's NetScreen products running ScreenOS satisfied the Federal Information Processing Standards (FIPS) for modules. Despite the fact that was then a FIPS-certified algorithm, Juniper did not disclose the inclusion of in its FIPS application, although Juniper disclosed the use of several other FIPS-certified algorithms. Why did Juniper not disclose to NIST that its products used the algorithm?

2. Rather than using the value for the algorithm specified in the NIST standard, Juniper used a different value when it originally added to its products, sometime between 2008-2009. Please explain why Juniper opted to use a different value, how it was generated and by whom. If Juniper did not generate this value following the procedures described in NIST Special Publication 800-90, please explain why.

3. What were the results of Juniper's investigation following its 2015 discovery of unauthorized code?
   a. Who was responsible for conducting the investigation?
   b. What was the scope of the investigation?
   c. If a written report was produced, please provide us with a copy.

4. Did the investigation examine Juniper's decision to add and retain support for the algorithm in Juniper's ScreenOS software, long after experts publicly raised serious questions regarding a potential backdoor in If not, why not?

5. According to the research team that studied the Juniper backdoors, at or around the same time that Juniper added support in ScreenOS for the algorithm, Juniper also increased the Internet Key Exchange nonce size from 20 bytes to 32 bytes. The research team argues that this change would make it easier for a sophisticated adversary to exploit backdoors in Did Juniper's investigation look into the decision to increase the size of the nonce? If yes, what did Juniper discover? If not, why not?

6. Please identify the Juniper employees who approved the changes to ScreenOS described in questions 4 and 5.

7. Did Juniper's investigation uncover any information relating to the source of the unauthorized code revealed by Juniper in December 2015, and in particular, the code that altered the value in the algorithm?

8. Did the results of the investigation include any recommendations to prevent future security incidents? If yes, has Juniper implemented all of the recommendations?

Thank you for your attention to this important matter.
If you have any questions about this request, please contact Chris Soghoian in Senator Wyden's office.

Sincerely,

Ron, United States Senator
Michael S. Lee, United States Senator
Cory A. Booker, United States Senator
Jerrold Nadler, Chairman, Committee on the Judiciary
Ted W. Lieu, Member of Congress
Pramila Jayapal, Member of Congress
Anna G. Eshoo, Member of Congress
Ro Khanna, Member of Congress
Bennie G. Thompson, Chairman, Committee on Homeland Security
Zoe Lofgren, Member of Congress
Tom Malinowski, Member of Congress
Bill Foster, Member of Congress
Suzan K. DelBene, Member of Congress
Kathleen M. Rice, Member of Congress
Yvette D. Clarke, Member of Congress
Cedric L. Richmond, Member of Congress