Assessing the risk of foreign-made VPNs, browsers
- By Derek B. Johnson
- Feb 11, 2019
Two senators want to know the national security risks of allowing federal employees to use some foreign-made browsers and virtual private networks on government smartphone and computers.
In a Feb. 7 letter to Cybersecurity and Infrastructure Security Agency Director Christopher Krebs, Sens. Ron Wyden (D-Ore.) and Marco Rubio (R-Fla.) said they were concerned about "the growth of mobile applications that could expose U.S. government employees' web browsing data to third parties, heightening the risk of data interception."
Further, the senators said, "these foreign apps transmit users' web-browsing data to servers located in or controlled by countries that have an interest in targeting U.S. government employees, their use raises the risk that user data will be surveilled by those foreign governments."
In particular, the pair expressed concern about VPNs "made by companies in foreign countries that do not share American interests or values."
Wyden and Rubio's letter mentioned three mobile web browsers that use their own servers to facilitate VPN use for customers: Dolphin, Yandex and Opera. Dolphin was founded by a Chinese startup, and in 2011 it was discovered that the company's browser was sending customer URL data in plain text to a remote server it owns. Yandex was created by a Russian corporation of the same name and has headquarters in Moscow. Citizen Lab flagged similar concerns over another popular Chinese browser, Baidu, in 2016.
Wyden and Rubio asked Krebs to conduct a threat assessment to determine the national security risk of letting government employees use these browsers and take further action to purge their use.
"If you determine that these services pose a threat to U.S. national security, we further request that you issue a Binding Operational Directive prohibiting their use on federal government smartphones and computers," the pair wrote.
Where a company sends or stores customer data has become an increasingly relevant question for U.S. cybersecurity officials as they weigh the risks posed to federal networks by commercial products. One of the major reasons cited in DHS' 2017 Binding Operational Directive banning Kaspersky Lab antivirus products from government systems and networks was the fact that the servers powering the company's cloud network -- which stored customer files and data for malware analysis -- were located in Moscow, where officials believe Russian domestic law would compel the company to cooperate with Russian intelligence agencies.
Kaspersky Lab founder Eugene Kaspersky has adamantly denied that his company works with the Russian government, and last year the company announced it was opening up a new data center in Zurich, Switzerland, to address customer concerns over data storage.
This article was first posted on FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.