Senators want DHS to look into government use of foreign VPNs

Sens. Ron Wyden and Marco Rubio have asked the Cybersecurity and Infrastructure Security Agency to consider banning federal employees from using apps created by foreign companies, which they claim could contain spyware.

global security (welcomia/Shutterstock.com)

Two senators have asked the Department of Homeland Security to look into the possibility of banning federal employees from using browsers and virtual private networks created by foreign companies on government devices, arguing that they could contain malware or spyware.

Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) wrote a Feb. 7 letter to Cybersecurity and Infrastructure Security Agency Director Christopher Krebs "concerning the growth of mobile applications that could expose U.S. government employees' web browsing data to third parties, heightening the risk of data interception."

In particular, the pair expressed concern about VPNs "made by companies in foreign countries that do not share American interests or values."

"Because these foreign apps transmit users' web-browsing data to servers located in or controlled by countries that have an interest in targeting U.S. government employees, their use raises the risk that user data will be surveilled by those foreign governments," Wyden and Rubio wrote.

Where a company sends or stores customer data has become an increasingly relevant question for U.S. cybersecurity officials as they weigh the risks posed to federal networks by commercial products. One of the major reasons cited in DHS' 2017 Binding Operational Directive banning Kaspersky Lab antivirus products from government systems and networks was the fact that the servers powering the company's cloud network -- which stored customer files and data for malware analysis -- were located in Moscow, where officials believe Russian domestic law would compel the company to cooperate with Russian intelligence agencies.

Kaspersky Lab founder Eugene Kaspersky has adamantly denied that his company works with the Russian government, and last year the company announced it was opening up a new data center in Zurich, Switzerland, to address customer concerns over data storage.

Wyden and Rubio's letter mentioned three mobile web browsers that use their own servers to facilitate VPN use for customers: Dolphin, Yandex and Opera. Dolphin was founded by a Chinese startup, and in 2011 it was discovered that the company's browser was sending customer URL data in plain text to a remote server it owns. Yandex was created by a Russian corporation of the same name and has headquarters in Moscow. Citizen Lab flagged similar concerns over another popular Chinese browser, Baidu, in 2016.

Wyden and Rubio asked Krebs to conduct a threat assessment to determine the national security risk of letting government employees use these browsers and take further action to purge their use.

"If you determine that these services pose a threat to U.S. national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers," the pair wrote.