DHS audit finds several flaws in Coast Guard’s biometric system
The Department of Homeland Security’s Office of Inspector General recently audited the US Coast Guard’s (USCG) biometric system and found several issues that may be affecting the timely and accurate identification of suspected terrorists, felons and other individuals of interest, according to a report by HS Today.
Federal law requires the USCG, which is tasked with protecting the country’s maritime borders, to implement a program that identifies any unknown individuals in the maritime environment.
To fulfill this requirement, the USCG operates Biometrics at Sea Systems (BASS) on 23 of its warcrafts to acquire biometric data from anyone trying to illegally enter the country.
Once collected, the agency sends the biometric data to DHS’s Automated Biometric Identification System (IDENT), a centralized database storing biometric and biographic information used for efforts relating to national security, law enforcement, immigration and border management.
The BASS system consists of a portable handheld device to scan fingerprints (which was upgraded in 2012 from a 2-print to a 10-print fingerprint capability), a laptop, and an encrypted hard drive.
After reviewing the USCG’s biometric identification system, the Inspector General discovered that USCG did not regularly update IDENT with biometrics.
The Coast Guard did not keep an independent count of the number of biometrics it sent to IDENT, and as a result, it was unsure how many biometrics are currently stored in IDENT.
The National Institute of Standards and Technology (NIST) said the USCG must regularly update IDENT with new biometrics in order to maintain the “integrity, accuracy and completeness of data.”
USCG said it failed to implement a regular reconciliation process because it did not know who owned the biometric data sent from the warcrafts. However, once the DHS OIG’s audit was completed, it became clear that USCG owned the data.
“Consequently, USCG and other law enforcement agencies are hampered in their ability to properly identify whether intercepted persons are known or suspected terrorists, aggravated felons or individuals previously ordered to be deported or already deported from the United States,” said the IG.
Other significant problems found in the audit include failure to update all security plans when USCG upgraded from the 2-fingerprint to the 10-fingerprint system, failure to have the right documentation in place for the BASS Interface Control Agreement and System Security Plan, and allowing application programmers to share passwords.
The IG determined “USCG could not provide assurance that it 1) identified and considered all threats and vulnerabilities, 2) identified the greatest risk, and 3) made appropriate decisions regarding which risks to accept and which to mitigate through security controls.”
The DHS Inspector General made several recommendations to USCG based on the audit, including maintaining a BASS aggregate control log to verify biometric transactions from the 23 warcrafts, updating biometrics with IDENT, updating security documents, eliminating the use of common passwords, and ensuring it adheres to change management policies.