Home / Technology / US Agencies Warn: Critical VPN Software is a 'Mess'
US Agencies Warn: Critical VPN Software is a 'Mess'
20 Feb
Summary
- Chinese spies exploited Ivanti VPN flaws, compromising US agencies.
- Private equity's influence is questioned in cybersecurity compromises.
- Agencies lost faith in Ivanti's ability to secure its products.
In early 2024, a rare emergency order was issued for US civilian federal agencies to immediately disconnect Ivanti's Connect Secure virtual private network (VPN) software. Chinese spies had successfully hacked the code, infiltrating nearly two dozen organizations. The scope of the breach was extensive, affecting clients like the US Air Force, Navy, Department of State, and numerous corporations and banks.
This incident underscored concerns about private equity's increasing influence in the cybersecurity market. Ivanti, a private equity-owned company, faced scrutiny as cost-cutting measures were linked to compromised product quality. This led to a significant loss of confidence among US officials regarding Ivanti's capacity to maintain security.
Consequently, US national security officials issued a stark warning: "You should not be using it." This directive came after cybersecurity agencies discovered the threat had infiltrated their own sensitive databases via the same Connect Secure software, indicating that even implemented fixes had failed.
The breaches, alongside others targeting Ivanti software, prompted government officials and private-sector executives to reassess their approach to evaluating cybersecurity software, with some now factoring private equity ownership into their risk assessments.
