ICE’s ‘outdated and overly permissive’ device policy left the agency vulnerable, watchdog warns

Personnel and contractors at U.S. Immigration and Customs Enforcement kept apps on their mobile devices that threatened security at the agency, including apps from companies banned on government systems and others associated with American adversaries, third-party virtual private networks and outdated messaging applications, according to an audit conducted by the Department of Homeland Security’s Inspector General this spring. 

Device management issues at the agency make it more vulnerable to “potential espionage, leaks and attacks from viruses,” the new oversight report reads.

Now, ICE is updating its personal use policies for agency-issued mobile devices, blocking mobile apps from companies prohibited by the government, patching or removing vulnerable messaging apps and more, according to the report.

The watchdog cited “ICE’s outdated and overly permissive personal use policy, which enables nearly unlimited personal use of ICE-issued mobile devices” as the reason for the problems.

ICE also didn’t do enough to manage or monitor user-installed apps, the report states, and the watchdog found that the controls associated with user-installed apps at ICE — including secure software containers, mobile threat defense software and mobile device management tech designed to enforce security policies — weren’t sufficient.

Although some details are redacted from the report, such as how many devices and how many apps were involved, the report does state that some mobile devices housed apps banned from government systems because of spying and national security risks. 

Other apps posed a risk to government data because of the parent companies that manage the software, which “may be compelled to provide data to foreign governments,” the report states. 

That concern echoes those about the high-profile government ban of Chinese company-owned social media app, TikTok. The Office of Management and Budget issued guidance directing agencies to remove TikTok from all government devices in February after lawmakers directed it to do so in the 2023 funding bill. 

The watchdog included several recommendations, all of which ICE has implemented.

Over the summer, ICE blocked VPN apps and those from banned or known to be nefarious companies, according to the report. It also directed employees to remove non-mission-related apps from their devices, and has been conducting forensics on known devices with banned apps. It hasn’t found evidence of “nefarious activity,” the report states. 

In a response included in the report, Jim Crumpacker, the director of the GAO-OIG Liaison Office at DHS, said that ICE uses a “layered approach to mobile device security” including mobile device management software to control what devices can and can’t do; a secure “container” to house and protect ICE data; a mobile application management solution for apps outside that container; and a mobile threat defense capability to continuously monitor third-party apps. 

The agency had already been working on updates prior to receiving a draft copy of the report this fall, Crumpacker wrote, including patching or removing vulnerable messaging apps and working to update its policies on mobile device use, which date to 2014. ICE is also enhancing its monitoring capabilities and looking into whether an “allowlist” capability would be useful, where only mobile apps that are reviewed and vetted can be installed.

Crumpacker also pushed back on parts of the report, including the assertion that ICE’s current controls aren’t sufficient, noting that “the agency’s robust and multi-tiered defense strategy significantly reduces the risk to agency operations and data” and that the agency has “complete visibility into the behavior of all devices applications.” 

DHS said it’s also concerned about “inaccuracies” around how many phones have the mobile threat defense capability or are excepted from that or other requirements altogether. The watchdog also included non-ICE owned devices in the report — ICE manages some mobile devices for other DHS agencies — that are outside of ICE’s control, Crumpacker wrote.