Cybersecurity

Senators want DHS to look into government use of foreign VPNs

global security (welcomia/Shutterstock.com)

Two senators have asked the Department of Homeland Security to look into the possibility of banning federal employees from using browsers and virtual private networks created by foreign companies on government devices, arguing that they could contain malware or spyware.

Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) wrote a Feb. 7 letter to Cybersecurity and Infrastructure Security Agency Director Christopher Krebs "concerning the growth of mobile applications that could expose U.S. government employees' web browsing data to third parties, heightening the risk of data interception."

In particular, the pair expressed concern about VPNs "made by companies in foreign countries that do not share American interests or values."

"Because these foreign apps transmit users' web-browsing data to servers located in or controlled by countries that have an interest in targeting U.S. government employees, their use raises the risk that user data will be surveilled by those foreign governments," Wyden and Rubio wrote.

Where a company sends or stores customer data has become an increasingly relevant question for U.S. cybersecurity officials as they weigh the risks posed to federal networks by commercial products. One of the major reasons cited in DHS' 2017 Binding Operational Directive banning Kaspersky Lab antivirus products from government systems and networks was the fact that the servers powering the company's cloud network -- which stored customer files and data for malware analysis -- were located in Moscow, where officials believe Russian domestic law would compel the company to cooperate with Russian intelligence agencies.

Kaspersky Lab founder Eugene Kaspersky has adamantly denied that his company works with the Russian government, and last year the company announced it was opening up a new data center in Zurich, Switzerland, to address customer concerns over data storage.

Wyden and Rubio's letter mentioned three mobile web browsers that use their own servers to facilitate VPN use for customers: Dolphin, Yandex and Opera. Dolphin was founded by a Chinese startup, and in 2011 it was discovered that the company's browser was sending customer URL data in plain text to a remote server it owns. Yandex was created by a Russian corporation of the same name and has headquarters in Moscow. Citizen Lab flagged similar concerns over another popular Chinese browser, Baidu, in 2016.

Wyden and Rubio asked Krebs to conduct a threat assessment to determine the national security risk of letting government employees use these browsers and take further action to purge their use.

"If you determine that these services pose a threat to U.S. national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers," the pair wrote.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

Featured

  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected