When VPNs Fail

Department of Defense Turns to a More Secure Remote Access Solution

Most remote work within the U.S. Department of Defense happens over a virtual private network (VPN) connection. So why, then, does the Joint Service Provider (JSP) have an enterprise-wide license for a next-generation secure remote access technology?

The venerable VPN has been the remote access mechanism of choice for enterprise, government and the military since the late 1990s. It is a legacy technology that works by encrypting traffic for its journey across the Internet between the user's device and a VPN gateway. Every VPN protocol relies on the same three classes of cryptographic primitive, and its strengths and weaknesses depend on how well each is chosen and combined: asymmetric cryptography to agree a session key and authenticate the peer (Diffie-Hellman key exchange, certificates), a symmetric cipher to encrypt the bulk traffic under that key, and hash functions for key derivation and integrity checks so that tampered or replayed packets are rejected.
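As an added example (not code from the original article, from Route1, or from any real VPN product), the following Go program shows how those three primitive classes fit together in a minimal tunnel: an ephemeral X25519 key agreement (asymmetric), HKDF built on HMAC-SHA256 to turn the shared secret into a traffic key (hashing), and AES-256-GCM with a counter nonce to encrypt and authenticate each packet (symmetric). The names (`Tunnel`, `EstablishTunnel`, the `example-vpn v1` label) and the sample packet are assumptions made for the example; this is a textbook construction, not the wire format of IPsec, TLS or WireGuard, and it deliberately omits peer authentication (certificates or static keys), which is what stops a man-in-the-middle and where the PKI and CAC/PIV discussion later in the article comes in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// must aborts the demo on any error; a real implementation returns them.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hkdfSHA256 is a single-block HKDF (RFC 5869) built on the standard HMAC: extract a
// pseudorandom key from the raw shared secret, then expand it under a context label.
func hkdfSHA256(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{1}) // T(1): one SHA-256 output is exactly a 32-byte AES-256 key
	return expand.Sum(nil)
}

// Tunnel is one direction of traffic after the handshake: an AES-256-GCM key, a send
// counter used as the nonce (never reused) and the next counter the receiver expects.
type Tunnel struct {
	aead     cipher.AEAD
	sendCtr  uint64
	recvNext uint64
}

func newTunnel(key []byte) *Tunnel {
	return &Tunnel{aead: must(cipher.NewGCM(must(aes.NewCipher(key))))}
}

// Seal encrypts and authenticates one packet; the 12-byte counter nonce is prepended in the clear.
func (t *Tunnel) Seal(plaintext []byte) []byte {
	nonce := make([]byte, t.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], t.sendCtr)
	t.sendCtr++
	return t.aead.Seal(nonce, nonce, plaintext, nil)
}

// Open rejects short or replayed packets, then verifies the GCM tag before releasing plaintext.
func (t *Tunnel) Open(packet []byte) ([]byte, error) {
	n := t.aead.NonceSize()
	if len(packet) < n || binary.BigEndian.Uint64(packet[4:n]) < t.recvNext {
		return nil, fmt.Errorf("short, replayed or out-of-order packet")
	}
	plaintext, err := t.aead.Open(nil, packet[:n], packet[n:], nil)
	if err == nil {
		t.recvNext = binary.BigEndian.Uint64(packet[4:n]) + 1
	}
	return plaintext, err
}

// EstablishTunnel is the asymmetric handshake: each side generates an ephemeral X25519
// key pair, only the public halves cross the wire, and each side derives the traffic
// key from its own copy of the shared secret. Returns the client's sending tunnel and
// the server's receiving tunnel for the client->server direction.
func EstablishTunnel() (client, server *Tunnel) {
	curve := ecdh.X25519()
	clientPriv := must(curve.GenerateKey(rand.Reader))
	serverPriv := must(curve.GenerateKey(rand.Reader))
	clientShared := must(clientPriv.ECDH(serverPriv.PublicKey()))
	serverShared := must(serverPriv.ECDH(clientPriv.PublicKey()))
	// Both public keys as salt bind the traffic key to this particular handshake.
	salt := append(clientPriv.PublicKey().Bytes(), serverPriv.PublicKey().Bytes()...)
	label := []byte("example-vpn v1 client->server") // assumed protocol label for this demo
	return newTunnel(hkdfSHA256(clientShared, salt, label)), newTunnel(hkdfSHA256(serverShared, salt, label))
}

// RoundTrip sends one packet through a fresh tunnel and returns what the server recovered.
func RoundTrip(msg []byte) ([]byte, error) {
	client, server := EstablishTunnel()
	return server.Open(client.Seal(msg))
}

// TamperDetected flips one ciphertext byte in flight and reports whether the receiver rejected it.
func TamperDetected(msg []byte) bool {
	client, server := EstablishTunnel()
	packet := client.Seal(msg)
	packet[len(packet)-1] ^= 0x01
	_, err := server.Open(packet)
	return err != nil
}

func main() {
	// Constructed sample packet, not real traffic.
	out, err := RoundTrip([]byte("constructed sample packet: GET /contracts HTTP/1.1"))
	fmt.Printf("recovered %q err=%v tampered-packet-rejected=%v\n", out, err, TamperDetected(out))
}
```

The point for a practitioner is which primitive protects against what: the key exchange keeps a passive observer from learning the traffic key, the AEAD tag makes any modification detectable, and the counter nonce stops replays. None of this says anything about who is on the other end of the tunnel; that is the job of peer authentication, which this example leaves out and which the article's later points about MFA and PKI address.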

VPN issues plague the U.S. Department of Defense

In January 2020, the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, issued a National Cyber Awareness System alert [1] on the continued exploitation of a Pulse Secure VPN vulnerability that had left more than 14,000 VPN servers worldwide exposed; it was the same vulnerability that allowed attackers to break into Travelex systems around the world and hold them to ransom [2].

The technology has been having its share of issues outside the military context as well. As one example, more than 10 VPN clients available on the Google Play store were found to have serious security flaws, potentially threatening the security of more than 120 million users [3].

But both instances took place before the coronavirus crisis drove millions of government, military and civilian employees to work from home. Since then, VPNs across every sector of the economy have been getting bogged down. The reason is that VPNs have become chokepoints: when employees connect with a VPN, their traffic is encrypted for its journey across the public Internet to a centralized VPN gateway at the office, where it is decrypted and forwarded onto the internal network. Those gateways were sized for the fraction of the workforce that used to work remotely, not for everyone at once, and a full-tunnel configuration makes it worse by routing even Internet-bound traffic through the office.

In mid-March 2020, an Army Corps of Engineers employee said a management directive limited remote work to a third of the agency's workforce at any given time because of VPN capacity [4]. A separate technical problem is that legacy military applications often do not work over a VPN. ConWrite, for example, is a contract writing automation software suite developed by the U.S. Air Force in 1997. Its purpose is to create high-quality contracts that include all the terms and conditions required by federal law, and it is the only way that contractors can formalize their working relationship with the Air Force. However, the application does not work correctly across a VPN tunnel, so it is of no use for remote work.

Moving data: an imperfect solution

The biggest problem with VPN, however, is its basic premise: moving data. When you move data, you inevitably heighten risk. Although the tunnel itself is encrypted, working over a VPN means data and files leave the network perimeter and are copied onto less secure computers or devices at the far end. If such devices (government-furnished equipment, or GFE, in a military/government context) are lost or stolen, the sensitive data stored on them is the real problem, and the tunnel's encryption does nothing to protect it. Nor does multi-factor authentication come built into VPN protocols: it has to be layered on through the gateway's authentication backend (a RADIUS server or certificate-based login, for example), and a deployment that skips that step rests on a username and password alone, so validating user identity is an added risk.

By some estimates, it costs the U.S. military upwards of $45,000 to resolve the theft or loss of a single piece of GFE containing personally identifiable information. With all of this in mind, it is no wonder that the DoD is turning to more secure remote access solutions.

Trust MobiKEY

The license for Route1 MobiKEY that supports JSP's entire command, for example, gives users access to their full desktop. Route1 describes MobiKEY as the only solution on the market that initiates the remote session from inside the network perimeter, and it does not involve data transfer: data stays within the network, and only screen output and keyboard and mouse input cross to the remote device. Since users remote in to their desktops, laptops or virtual machines back at the office, they can do so from any device, government-furnished or personal, without that device ever holding a copy of the data. And because MobiKEY uses PKI-based identity and access management that integrates with CAC and PIV cards, user identity is established with the same certificate-backed credential the DoD already issues.

In mid-March 2020, the U.S. Navy listed MobiKEY as the number one recommended option for personnel to use for remote work, in combination with Navy Marine Corps Intranet (NMCI) Desktop Virtualization [5].

Route1 holds full Authorities to Operate (ATOs), granted under the Risk Management Framework (RMF), with the U.S. Department of Defense, including the Pentagon's Joint Service Provider, the U.S. Marine Corps, the U.S. Navy, and other federal government organizations.

[1] CISA Alert AA20-010A, "Continued Exploitation of Pulse Secure VPN Vulnerability", January 2020

[2] "Air Travel Cyber-Attacks: New York Airport Hit, Travelex Exchange Held To Ransom", Forbes, January 2020

[3] "Vulnerabilities In Top Free Android VPN Apps Risk Over 120 Million Users", LatestHackingNews.com, March 2020

[4] Government Executive, March 2020 (the source repeats the title of reference 3 for this entry; the article's actual title is not given)

[5] "Navy, DoD Networks Strained Under Telework Demand; Leaders Ask 'Limit use of REPLY TO ALL'", USNI News, March 2020