US government workers may be placing America's national security at risk as there is no official policy banning them from running their smartphones' personal and official internet traffic through untrustworthy foreign-hosted VPN services.
A letter [PDF] from Homeland Security's Cybersecurity and Infrastructure Security Agency director Chris Krebs to Senator Ron Wyden (D-OR) concedes that Uncle Sam does not have rules in place to prevent federal employees from routing their work-issued cellphones' data through VPNs in Russia, China, and so on.
As a result, Krebs says, there is a "low to moderate" risk that some US government communications could be intercepted by an overseas VPN service and handed over to a hostile government in, oh, say, Russia or China.
"The vulnerabilities are the ability of users to download untrusted VPN services and the lack of policy across organizations restricting their download," Krebs told Wyden. "No overarching US government policy or whitelist restricts users from downloading a foreign VPN application on government-operated mobile devices. Policy restrictions vary across departments and agencies."
The letter was a response from Krebs to an earlier inquiry from Wyden about VPN use in government agencies, and the risks associated with workers opting to link up their office-issued devices with unvetted VPN providers for any use.
In a statement to The Register today, the senator said the Dept of Homeland Security's response justified his suspicions. "DHS has confirmed my fears: that using Chinese or Russian VPN services is essentially just taking your private data, wrapping it in a bow and then sending it directly to foreign spies in Beijing or Moscow," Wyden said of the letter. "US government employees should not be using these apps, and I hope that DHS will take steps to prohibit their use on government-issued smartphones."
This has long been the knock on VPN services, which simply reroute your traffic through someone else's box. Should a VPN operator be less than trustworthy, any of your traffic that is not already encrypted end to end (by TLS, say) can be snooped on as it passes through that box, and the operator can see which hosts you are talking to regardless. Generally speaking, we advise readers to avoid free VPN services and, if at all possible, to set up your own using OpenVPN, Algo, or Outline. Bear in mind that whoever hosts your personal VPN server is in exactly the same position to spy on your unencrypted internet traffic, so you are trusting them not to, too.
That US government employees are still able to use foreign VPNs is also something of a glaring blind spot in the White House's crusade against eavesdropping from foreign IT vendors. That campaign has included outright bans on products from Huawei and Kaspersky, citing the exact risks Krebs and Wyden outline. Don't be surprised to see bills drafted soon calling for restrictions on VPN use. ®