A pair of senators is asking the nation’s top cybersecurity official to investigate the use by federal government employees of VPN services operated by companies in foreign countries. The lawmakers say the practice could pose a national security risk, because it exposes workers’ traffic to potential foreign surveillance.
The letter is from Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) and it asks Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, to look at the potential threats of federal government employees running their traffic through foreign-based VPNs. Wyden and Rubio said that VPNs and data-compression apps have become more popular in recent years, especially on mobile devices. And government agencies typically don’t have control over or insight into the apps that workers use on those personal devices.
“Millions of consumers have downloaded these apps, some of which are made by foreign companies in countries that do not share American interests or values. Because these foreign apps transmit users’ web-browsing data to servers located in, or controlled by countries that have an interest in targeting U.S. government employees, their use raises the risk that user data will be surveilled by foreign governments. The compromise of that data could harm U.S. national security,” the senators wrote.
There is a slew of private VPN providers offering services to both enterprises and individuals, and it is sometimes difficult to determine where a given provider is located, or more importantly, where its servers are located. Private VPNs work by routing customer traffic through their own servers before delivering it to the destination. The encrypted tunnel ends at the provider, so the operator of those servers sees every destination a customer connects to, and sees the content of any traffic that is not separately protected by TLS. In their letter, Wyden and Rubio say that this setup is a serious concern for Americans using services based overseas.
“We are particularly concerned about the potential threat posed by foreign-made apps that are affiliated with countries of national security concern and urge you to examine the national security risk they pose,” the senators wrote.
“In recent years, mobile data-saving and Virtual Private Network (VPN) apps have become popular, as consumers have grown increasingly interested in securing their internet connection and protecting their privacy. For example, mobile browsers like Dolphin, Yandex, and Opera use their own servers as an intermediary for user traffic, compressing web pages before delivering them to the user to provide data-saving functionality. Similarly, VPN providers route all user traffic through their own servers, nominally to mitigate privacy concerns.”
Wyden and Rubio asked Krebs to conduct a threat assessment of the national security risks of U.S. government employees using VPN services, data proxies, and other services that are based outside the U.S.
“If you determine that these services pose a threat to U.S. national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers,” the letter says.
Binding Operational Directives are compulsory instructions that CISA can issue to require federal civilian agencies to take specific actions. The agency (and its predecessor at the Department of Homeland Security) issues them on rare occasions, and usually in regard to a specific vulnerability or threat. For example, in 2015 DHS issued a directive, prompted in part by the Heartbleed bug, that required agencies to remediate critical vulnerabilities in their internet-accessible systems, and just last month CISA issued an Emergency Directive about DNS tampering attacks on government infrastructure during the government shutdown.