Cybersecurity

Senators want DHS to look into government use of foreign VPNs

global security (welcomia/Shutterstock.com)

Two senators have asked the Department of Homeland Security to look into the possibility of banning federal employees from using browsers and virtual private networks created by foreign companies on government devices, arguing that they could contain malware or spyware.

Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) wrote a Feb. 7 letter to Cybersecurity and Infrastructure Security Agency Director Christopher Krebs "concerning the growth of mobile applications that could expose U.S. government employees' web browsing data to third parties, heightening the risk of data interception."

In particular, the pair expressed concern about VPNs "made by companies in foreign countries that do not share American interests or values."

"Because these foreign apps transmit users' web-browsing data to servers located in or controlled by countries that have an interest in targeting U.S. government employees, their use raises the risk that user data will be surveilled by those foreign governments," Wyden and Rubio wrote.

Where a company sends or stores customer data has become an increasingly relevant question for U.S. cybersecurity officials as they weigh the risks posed to federal networks by commercial products. One of the major reasons cited in DHS' 2017 Binding Operational Directive banning Kaspersky Lab antivirus products from government systems and networks was the fact that the servers powering the company's cloud network -- which stored customer files and data for malware analysis -- were located in Moscow, where officials believe Russian domestic law would compel the company to cooperate with Russian intelligence agencies.

Kaspersky Lab founder Eugene Kaspersky has adamantly denied that his company works with the Russian government, and last year the company announced it was opening up a new data center in Zurich, Switzerland, to address customer concerns over data storage.

Wyden and Rubio's letter mentioned three mobile web browsers that use their own servers to facilitate VPN use for customers: Dolphin, Yandex and Opera. Dolphin was founded by a Chinese startup, and in 2011 it was discovered that the company's browser was sending customer URL data in plain text to a remote server it owns. Yandex was created by a Russian corporation of the same name and has headquarters in Moscow. Citizen Lab flagged similar concerns over another popular Chinese browser, Baidu, in 2016.

Wyden and Rubio asked Krebs to conduct a threat assessment to determine the national security risk of letting government employees use these browsers and take further action to purge their use.

"If you determine that these services pose a threat to U.S. national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers," the pair wrote.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.

Featured

  • IT Modernization
    shutterstock image By enzozo; photo ID: 319763930

    OMB provides key guidance for TMF proposals amid surge in submissions

    Deputy Federal CIO Maria Roat details what makes for a winning Technology Modernization Fund proposal as agencies continue to submit major IT projects for potential funding.

  • gears and money (zaozaa19/Shutterstock.com)

    Worries from a Democrat about the Biden administration and federal procurement

    Steve Kelman is concerned that the push for more spending with small disadvantaged businesses will detract from the goal of getting the best deal for agencies and taxpayers.

Stay Connected