Two U.S. senators are taking bipartisan aim at foreign-owned virtual private networks (VPNs), which they say are often headquartered “in countries that do not share American interests or values” – specifically, China and Russia.
Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) have signed a joint letter to Christopher Krebs, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). They’re urging an investigation into whether such VPNs present a risk to homeland security – the concern is that the services are logging web browsing data and sending it directly to Chinese and Russian intelligence.
“Because these foreign apps transmit users’ web browsing data to servers located in or controlled by countries that have an interest in targeting US government employees, their use raises the risk that user data will be surveilled by those foreign governments,” according to the letter.
Justin Jett, director of Audit and Compliance for Plixer, noted that mobile VPNs are of particular concern.
“Because apps installed on mobile devices often install ‘profiles’ that include root certificates, the apps could be written to man-in-the-middle HTTPS traffic by using TLS decryption,” he explained via email. “This happens when the app does the HTTPS handshake instead of the user’s browser. When this happens, the user’s entire interaction, including login details, is visible to the app’s developers.”
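As an added illustration of the point Jett makes, not code from the article or from Plixer: a defender-side check over an iOS configuration profile (a .mobileconfig plist) that flags any payload installing a root certificate into the device trust store. The payload type strings are Apple's; the sample profile and its certificate bytes are constructed placeholders.

```python
import hashlib
import plistlib

# Payload types that install certificates on the device. com.apple.security.root is the
# root-CA payload that lets a third party mint trusted certificates and intercept HTTPS.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",
    "com.apple.security.pem",
    "com.apple.security.pkcs1",
}

def find_cert_payloads(profile_bytes: bytes) -> list:
    """Return one record per certificate-installing payload in a .mobileconfig plist."""
    profile = plistlib.loads(profile_bytes)
    found = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in CERT_PAYLOAD_TYPES:
            continue
        cert = payload.get("PayloadContent", b"")
        found.append({
            "type": ptype,
            "identifier": payload.get("PayloadIdentifier", "<none>"),
            "name": payload.get("PayloadDisplayName", "<none>"),
            "sha256": hashlib.sha256(cert).hexdigest(),  # fingerprint to compare against an allow-list
            "is_root": ptype == "com.apple.security.root",
        })
    return found

# Constructed sample: a VPN payload bundled with a root-CA payload. The certificate
# bytes are a placeholder, not a real DER-encoded certificate.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.vpn.profile",
    "PayloadDisplayName": "Example VPN",
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed",
         "PayloadIdentifier": "example.vpn.tunnel",
         "PayloadDisplayName": "Example VPN Tunnel"},
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "example.vpn.rootca",
         "PayloadDisplayName": "Example VPN Root CA",
         "PayloadContent": b"PLACEHOLDER-DER-BYTES"},
    ],
})

if __name__ == "__main__":
    for rec in find_cert_payloads(SAMPLE_PROFILE):
        flag = "ROOT CA (can intercept HTTPS)" if rec["is_root"] else "certificate"
        print(f"{flag}: {rec['name']} [{rec['identifier']}] sha256={rec['sha256'][:16]}...")
```

An MDM or device-audit pipeline would run this over every profile before installation and reject any root-CA payload whose fingerprint is not on the organisation's allow-list.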
If the answer to the risk question proves to be “yes,” the senators are requesting that CISA, a recently set-up division of the Department of Homeland Security, issue a ban on the use of these VPNs on federal government smartphones and computers.
“In light of these concerns we urge you to conduct a threat assessment on the national security risks associated with the continued use by US government employees of VPNs, mobile data proxies and other similar apps that are vulnerable to foreign government surveillance,” the letter concluded.
Distrusting foreign services that have access to American data is not a new theme. Chinese telecom giants like Huawei and ZTE, for instance, have been blacklisted from bidding on major federal contracts over fears that their presence within US infrastructure could enable Beijing’s espionage efforts.
Similarly, the Department of Energy (DoE) said at the beginning of February that it will ban foreign talent-recruitment programs that are sponsored by China, Russia, Iran and North Korea, among others. It will now ask all “personnel, contracted scientists and future grant recipients” to disclose and sever ties to programs in “sensitive” countries. The DoE oversees 17 national laboratories that conduct research in sensitive fields like nuclear physics.
This posting was updated on Feb. 12 at 1:22 p.m. to reflect a copy-editing error: Rubio represents Florida, not Texas.