Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries, namely China and Russia.
Their request comes after heightened fears on Washington's side that foreign governments are spying on US citizens and government workers using commercial products.
In 2017, the DHS banned Kaspersky Labs software on government systems amid fears that Russian intelligence had been using it to steal top secret documents.
The US government is also currently engaged in a determined battle to ban Huawei and ZTE products over similar fears that China may be using the hardware vendors' equipment to spy on Americans.
"If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," said Senators Ron Wyden (D-OR) and Marco Rubio (R-FL) in a letter [1, 2] sent to Christopher Krebs, Director of the DHS' newly founded Cybersecurity and Infrastructure Security Agency (CISA).
The two would like the DHS to issue an emergency directive and ban the use of foreign VPN apps if intelligence experts deem them a national security risk.
An emergency binding directive is a mechanism through which the DHS banned the use of Kaspersky software on government systems in September 2017.
This is also the legal mechanism through which the DHS has alerted all government agencies to audit DNS records for government websites in the wake of a series of DNS hijacking attacks from Iranian hackers.
The DHS may have a fairly easy job assessing the national security risk of VPN applications. A study conducted by Simon Migliano, Head of Research at Metric Labs, a company that runs the Top10VPN portal, found that roughly 60 percent of the top free mobile VPN apps returned by Google Play Store and Apple Play Store searches are from developers based in China or with Chinese ownership.
The study was not cited in the senators' letter, but the letter was sent after several major US tech news outlets covered the report over the past few weeks.
Besides VPN apps, data proxies and any similar apps that redirect traffic through foreign servers should be investigated, the senators suggested.