Slashdot Mirror


US Senators Ask DHS To Look Into US Government Workers Using Foreign VPNs (zdnet.com)

Two US senators have asked the Department of Homeland Security (DHS) to look into the possible dangers of US government workers using VPN apps that are owned by foreign companies and which redirect sensitive government-related traffic through servers located in other countries -- namely China and Russia. From a report: "If U.S. intelligence experts believe Beijing and Moscow are leveraging Chinese and Russian-made technology to surveil Americans, surely DHS should also be concerned about Americans sending their web browsing data directly to China and Russia," said Senators Ron Wyden (D-OR) and Marco Rubio (R-FL) in a letter sent to Christopher Krebs, Director of the DHS' newly founded Cybersecurity and Infrastructure Security Agency (CISA). The two would like the DHS to issue an emergency directive and ban the use of foreign VPN apps if intelligence experts deem them a national security risk.


  1. We Amelican VPN we Plomise! by Anonymous Coward · · Score: 5, Insightful

    As if a VPN located anywhere even in the US is rated for any clearance.

  2. Just block them? by hawguy · · Score: 4, Informative

    I don't see why some congressional oversight is needed -- just block VPN apps on government owned laptops. If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

    1. Re:Just block them? by drinkypoo · · Score: 4, Insightful

      If employees are using the apps on their personal devices, they should not have sensitive government data on those devices.

      Sensitive data should never be on personal devices, period. If users need sensitive data on portable devices, those devices should be provided by the employer, and no personal data (or use) should be permitted on those devices. There are zero exceptions. If that means users need to carry two devices, so be it. What are they getting paid for, anyway?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:Just block them? by chill · · Score: 2

      Putting this in context, the article cites a study about VPN Apps on the Apple Store and Google Play Store. We're not talking gov't issued laptops, but rather BYOD cell phones.

      BYOD is a security nightmare.

      --
      Learning HOW to think is more important than learning WHAT to think.
  3. Re:catching up to private business practices by Austerity+Empowers · · Score: 3, Interesting

    At my corporation I sure as hell am not allowed to use third-party VPN or traffic anonymizer services.

    Allowed? No. But in companies with strict firewalls and web proxies, many people who have the know-how to do it are doing it. I have never used a VPN, I always have been able to create an SSH tunnel to a server I own, one way or another. But given the popularity of VPNs for bypassing other forms of spying and eavesdropping, it's not surprising this ends up being the more popular way of doing the same thing... just not a good idea whether you work for the government or the corporate world. Plenty of shady Chinese companies are looking for the opportunity to steal trade secrets, don't open the door for them.

    If your company forces web proxies, or lets your bosses spy on your browsing habits, or has some other ridiculous oppression over their network, expect it to happen.

  4. SSL over HTTP/HTTPS for the win by bobstreo · · Score: 2

    I needed to ssh into a server for testing. Company policy blocked ssh outgoing.

    If you get desperate enough, you can probably do it over DNS.

    1. Re:SSL over HTTP/HTTPS for the win by _merlin · · Score: 2

      At one place I worked they blocked certain HTTP headers with a (not so) transparent proxy. It was so annoying that we took to tunnelling data over ICMP echo requests to work around it.

  5. Re:Everyone should use VPN 24/7 by sjames · · Score: 2

    Not all VPN services are friendly. Make sure you're not jumping out of the frying pan into the fire.

  6. Re:"Almost nobody" needs a VPN? GO FUCK YOURSELF by jtara · · Score: 2

    VPN's being inexpensive has no bearing on the motivations of the end users

    1. Learn to read and parse English.
    2. Wash your mouth out with soap.

    I never said anything about the motivations of the end users. "their" clearly refers to the VPN services. I question the motivations of the services that give services away for free. How are they making money?