lolloj - Fotolia
Senators want potential VPN threat investigated by DHS
Two senators called on the Department of Homeland Security to investigate the possibility that VPNs are allowing valuable information to be routed to foreign adversaries.
The U.S. government has been suspicious of technology products manufactured by foreign corporations, and the latest products to be the target of suspicion are virtual private networks.
Two senators -- Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) -- wrote a letter to the Department of Homeland Security (DHS) voicing concern about the potential VPN threat to both consumers and government agencies. Wyden and Rubio asked Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency (CISA) under the DHS, to perform a VPN threat assessment to determine potential risks to the U.S. government.
"Millions of consumers have downloaded these apps, some of which are made by foreign companies in countries that do not share American interests or values," the senators wrote in the letter. "Because these foreign apps transmit users' web-browsing data to servers located in or controlled by countries that have an interest in targeting U.S. government employees, their use raises the risk that user data will be surveilled by those foreign governments. The compromise of that data could harm U.S. national security."
Wyden and Rubio mentioned that the government has already been wary of threats from China and Russia, which led to the ban of all Kaspersky Labs products being used in federal agencies as well as recommendations to avoid products from "Chinese telecommunications companies."
While the letter was more focused on a potential VPN threat from China or Russia, Justin Jett, director of audit and compliance for cybersecurity vendor Plixer, said any investigation "should be fairly broad and should look at the privacy and data practices of VPN apps created by any foreign company.
"While China and Russia may pose security threats, other countries could equally be risky, if they don't grant access to agencies that need to determine if data or intelligence has been compromised," Jett said. "Many European countries, for example, limit access that the government has and may allow for data sent via the VPN to be deleted, which means there would be no trail of network conversations between the government devices and the VPN."
Jett added that the issue of law enforcement attempting to gain access to VPN data -- like efforts to access encrypted devices -- might be another concern.
"We've seen some examples where law enforcement has requested access to encrypted data from large organizations for ongoing investigations. I'd expect that law enforcement will continue to ask for ways to access data from U.S. companies that provide VPN services," Jett said. "In some cases, though, the VPN service may provide a simple forwarding service that doesn't keep logs of the traffic. This means that if subpoenaed by law enforcement, the company would provide almost no data except confirmation that an individual uses the app."
Fears about possible VPN threats are not new, especially when it comes to mobile VPN apps. Previous research found VPN apps on Android operating systems have issues ranging from not encrypting traffic to leaking data or including malware.