ICE mobile comms devices were left unsecured and vulnerable, DHS IG says
US Immigration and Customs Enforcement (ICE) failed to effectively manage and secure its personnel and contractors’ smart phones, tablets, and other mobile communications devices or the infrastructure supporting the devices, putting the devices “at a higher risk of cyberattacks,” according to a new Department of Homeland Security (DHS) Inspector General (IG) audit.
Equally concerning was the IG’s discovery that a limited number of ICE employees used their government-issued mobile devices outside the US in violation of policy to access foreign data connections. “We also found that ICE did not monitor or block unauthorized foreign connections of mobile devices,” the IG’s audit says, pointing out that “one of the devices used internationally without prior authorization had connected to an unsecure Wi-Fi network that may have routed communications to a country that poses a high-level cybersecurity threat.”
The IG’s audit found that roughly 3,300 ICE employees had traveled outside the United States during fiscal year 2023, but that “ICE did not ensure their devices were adequately protected for use outside the U.S. Specifically, ICE did not ensure devices used during overseas travel had the most recent operating system. ICE also did not disable non-essential capabilities or remove unnecessary applications for these devices.”
ICE further failed to “mitigate vulnerabilities” from third-party applications that were installed on the devices. The IG found that ICE had “allowed employees and contractors to download risky applications onto” their mobile devices.
The IG’s audit was performed to determine the extent to which ICE manages and secures its mobile devices. As part of the audit, the IG issued a separate management alert that identified risks posed by ICE’s management of user-installed mobile applications and issued five recommendations to the ICE Chief Information Officer to address the risks. The IG also issued a recommendation to the DHS Chief Information Security Officer to determine whether similar issues exist for other DHS components and to take immediate action as appropriate.
According to the IG, ICE maintains an inventory of approximately 21,000 mobile devices that provide telecommunications capabilities, connectivity to ICE information systems, and work-related applications. “For example,” the IG said, “one ICE-owned application allows ICE personnel to capture and search for the biometric information of people they encounter in real time.”
ICE currently has more than 20,000 law enforcement and support personnel in more than 300 offices across the United States and more than 90 offices in over 50 countries around the world.
“Specifically,” the IG stated, “ICE did not implement security settings required to protect its mobile devices and did not mitigate vulnerabilities from applications installed on these devices. In addition, ICE did not use its Mobile Device Management software and other threat defense tools to fully manage and secure some mobile devices and did not address vulnerabilities within the Mobile Device Management software and the servers supporting it. Further, ICE did not implement increased monitoring and protection for devices used outside the United States.”
DHS’s IG found that “these management and security concerns occurred primarily because ICE did not establish or implement sufficient security policies and processes,” and because “ICE personnel were unaware of some security requirements and relied on unclear or contradictory guidance. As a result, ICE mobile devices and the sensitive information they contain may be at a higher risk of unauthorized access and more susceptible to cyberattacks.”
ICE’s Office of the Chief Information Officer (OCIO) oversees the security of ICE’s information system infrastructure, and uses Mobile Threat Defense (MTD), a software application that is supposed to monitor all mobile device activity and to detect improper settings, malicious software, cyberattacks, and other vulnerabilities on mobile devices.
The MTD is part of ICE’s Mobile Device Management (MDM) system, which the IG said “is an essential tool for securing and managing mobile devices. However, if the technology is improperly used or not properly protected, hackers could exploit it to illegally access ICE’s network or devices. Accordingly, ICE OCIO designated the system supporting the MDM (including hardware, firmware, and software) as a high value asset for which unauthorized access, use, disclosure, disruption, modification, or destruction could cause a significant impact to national security interests.”
In 2019, DHS required its component agencies to apply the Defense Information Systems Agency’s Security Technical Implementation Guides (STIGs) when establishing mobile device security settings. DHS also requires components to complete a security authorization process to measure and mitigate mobile device risks.
However, the IG determined that “ICE did not always apply DISA STIGs when establishing mobile device security settings.” The IG reviewed 45 security settings on ICE’s mobile devices to determine whether they were set as required, and 33 of the 45 (73 percent) did not meet DISA STIG guidance. As a result, the devices were not prevented from being able to transfer “sensitive information to other devices, move sensitive information to a less secure part of the device, or allow built-in virtual assistant tools to transmit recorded information to third-party servers.”
The DHS Inspector General stated that “this occurred because ICE OCIO officials were initially unaware of DHS’ requirement to use DISA STIGs as guidance or were unaware that DISA STIG guidance was available for the types of mobile devices ICE uses. Although, according to ICE officials, the component implemented compensating controls that reduced associated risks, ICE did not complete the proper security authorization process, which would have included assessing whether the security settings on its mobile devices met requirements and implementing best practices to acceptably reduce risk.”
The IG also found that one of two custom mobile device applications developed to support ICE’s mission “contained three critical and five high-risk vulnerabilities” of which ICE “was unaware” until the IG shared its testing results with ICE.
Regarding third-party applications, DHS’s IG found that ICE allowed an “outdated and overly permissive personal use policy [that] enabled nearly unlimited personal use of the ICE-issued mobile devices. Further, ICE did not sufficiently manage, monitor, or assess most user-installed applications for potential impacts on device or data security because ICE considered them to be personal applications.”
Making matters worse, the IG’s probe further determined that ICE “did not always perform required steps to reduce risks associated with the disposal, loss, or theft of” the devices.
The DHS Inspector General documented that “ICE did not effectively implement controls over disposed-of, lost, or stolen ICE-issued mobile devices” and “did not maintain documentation stating that it sanitized all mobile devices before disposal,” and that “the documentation that was available was not always completed properly. In addition, ICE did not ensure incidents of lost or stolen mobile devices were properly addressed.”
The IG said, “ICE could not provide evidence that it had sanitized all disposed-of mobile devices before the devices left ICE custody,” and noted that ICE had disposed of 20,810 mobile devices between October 2021 and July 2023.
DHS’s IG made eight recommendations to improve ICE’s mobile device security, with which ICE and DHS leadership concurred. Three of the recommendations remain open and unresolved.