Top DHS cyber official says foreign VPNs are a threat to data security
The head of the Department of Homeland Security's cybersecurity division described a popular class of anonymizing tools known as VPNs — particularly ones made in authoritarian countries — as a potential threat to data security and national security in a letter to Sen. Ron Wyden (D-Ore.) that was shared with Cyberscoop.
Why it matters: The services disguise the internet address and browsing habits of their clients from websites and eavesdroppers, but the VPNs themselves are potentially aware of every move a client makes online and every password they enter, making less-scrupulous VPNs an ideal espionage tool.
The backdrop: There have long been concerns about how difficult it is to identify fraudulent VPNs. A simple Google search turns up dozens of potential VPN services, and researchers have discovered several free VPN services that manipulate user traffic for advertising purposes or even sell user bandwidth.
- There has not been similar research into the national security risks of VPNs.
Details: Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), sent the letter to Wyden on May 22.
- Wyden had asked about the dangers of VPNs in February.
- Krebs noted that India had recently accused a number of popular Chinese apps, of all types, of being used in surveillance operations — and that any VPN app made in Russia would be legally bound to share customer data with the Russian government.
- He declared that the risk to government systems was low to moderate, noting that the number of federal employees using vulnerable networks is unknown and quite possibly very low.