Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency and 2019 Wash100 Award recipient, confirmed that other countries like Russia and China could use virtual private network apps to spy on the U.S. He said in a letter issued on May 22 that some nation-state actors are trying to leverage VPN services for malicious purposes.
“If a U.S. government employee downloaded a foreign VPN application originating from an adversary nation, foreign exploitation of that data would be somewhat or highly likely,” Krebs said. “This exploitation could lead to loss of data integrity and confidentiality of communications transmitted over the application.” He noted hackers may gain access to phone contacts, user history, photographs and geolocation.
Krebs made the remarks in a letter to Sen. Ron Wyden, D-Ore., who had asked the Department of Homeland Security to analyze potential threats of foreign-owned VPN applications. However, the letter did not detail evidence of cyber espionage that used VPN apps. Krebs noted DHS considers spying risk from VPN as a “low to moderate impact.”