Top DHS cyber official says foreign VPNs are a threat to data security

The head of the Department of Homeland Security's cybersecurity division described a popular class of anonymizing tools known as VPNs — particularly ones made in authoritarian countries — as a potential threat to data security and national security in a letter to Sen. Ron Wyden (D-Ore.) that was shared with Cyberscoop.

Why it matters: The services disguise the internet address and browsing habits of their clients from websites and eavesdroppers, but the VPNs themselves are potentially aware of every move a client makes online and every password they enter, making less-scrupulous VPNs an ideal espionage tool.

The backdrop: There have long been concerns about how difficult it is to identify fraudulent VPNs. A simple Google search turns up dozens of potential VPN services, and researchers have discovered several free VPN services that manipulate user traffic for advertising purposes or even sell user bandwidth.

• There has not been similar research into the national security risks of VPNs.

Details: Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), sent the letter to Wyden, on May 22.

• Wyden had asked about the dangers of VPNs in February.
• Krebs noted that India had recently accused a number of popular Chinese apps of all types of being used in surveillance operations — and that any VPN app made in Russia would be legally bound to share customer data with the Russian government.
• He declared that the risk to government systems was low to moderate, noting that the number of federal employees using vulnerable networks are unknown and quite possibly very low.

Go deeper: The most important mobile app you've never heard of