recommended reading

IG finds unauthorized e-readers, thumb drives, GPS on Homeland Security networks

AP file photo

Homeland Security Department employees are logging on to DHS networks with their unapproved Global Positioning System units, e-readers and other electronics and failing to regularly encrypt sensitive data on government-issued Android devices, according to the department’s inspector general.

The mobile federal workforce’s increasing dependence on commercial portable electronics, including tablets and Apple gadgets, may be compromising Homeland Security data, Frank W. Deffer, DHS assistant IG for information technology audits, concluded in an audit released this week.

The evaluation, which ran from September 2011 through March, also found that several department components do not consider thumb drives to be a sensitive asset and, consequently, do not keep track of them.

Homeland Security “components must develop policies and procedures to govern the use and improve the accountability of portable devices,” Deffer wrote in the report. “DHS must implement security controls to safeguard the portable devices and the sensitive information stored on and processed by these devices.”

At Immigration and Customs Enforcement, the inspector general discovered at least one of the following unapproved devices connecting to Homeland Security’s unclassified network: Amazon’s Kindle e-book reader, Apple’s iPod, Nike’s Sportwatch GPS unit, digital picture frame and various thumb drive brands. At the DHS Management Directorate, employees were inserting unsanctioned iPods, mass media storage devices and external hard drives. At the Transportation Security Administration, the inspection uncovered one or more Garmin Nuvi GPS units, iPods and thumb drives. At the Coast Guard, network scans turned up at least one unauthorized iPod, Garmin Nuvi GPS unit and HTC Android phone USB device.

Most of these risky connections occurred between 2010 and 2012.

In a response included with the report, department officials told auditors they have no way of stopping personnel from hooking up devices to their workstations. They attempt to block the electronics from the network by distributing only government-procured devices and by educating employees not to use such devices on government computers.

Separately, Deffer scolded Customs and Border Protection, TSA, and Citizenship and Immigration Services for not classifying thumb drives as a sensitive asset worth inventorying. Agency officials, during the audit, explained they did not categorize the devices as such because of their cost and size. “Since their USB thumb drives are encrypted and inexpensive, they did not think that it would be necessary to inventory these devices,” the report states.

Also, USCIS officials decided tracking the tools would be inefficient. “If USB thumb drives are lost or stolen, according to USCIS officials, the property custodians would have to prepare paperwork, get it signed, and add it to the asset management system to fully record the loss,” the audit states.

Deffer responded that “DHS guidance defines sensitive personal property, regardless of dollar value, as devices that have data storage capability, are inherently portable, can easily be converted to private use, or have a high potential for theft.”

Homeland Security officials have since agreed to resolve the matter by requiring thumb drives to be recorded as sensitive personal property in the asset management system.

In addition, the evaluation determined that, on approved electronics, Homeland Security is not encoding government information or applying proper security settings: “The DHS components we reviewed are not consistently using encryption to protect sensitive data stored on and processed by portable devices,” including Android and iOS electronics, Deffer wrote, specifically citing ICE. In addition, “DHS has not developed detailed configuration settings for Android- and iOS-based portable devices.”

At ICE, apparently anyone can access information saved inside an Android or iOS device because logins are not required. “The lack of authentication and password enforcement may allow unauthorized individuals to gain access to DHS data stored on the local device,” Deffer wrote.

DHS Chief Information Officer Richard Spires, in a June 1 letter responding to a draft report, wrote, “currently, Android and iOS devices are being piloted for possible formal implementation,” and added “if ICE decides to formally implement either device, it will be required to comply with the appropriate DHS guidance on authentication requirements for the device selected.”

The inspector general noted that built-in device accessories, such as cameras, GPS and Bluetooth, can improve a department-issued device’s functionality, but also expose sensitive government data to breaches.

Department officials said some of these features are required on their smartphones for work purposes. Bluetooth, for example, is necessary “to allow mobile hands-free calling to reduce the dangers of text messaging while driving,” while “a built-in camera can reduce the amount of equipment that inspectors and investigators have to carry when conducting official business,” the audit stated.

Cost also is a factor in the department’s decision to use the supporting electronics. “Wi-Fi connectivity is needed to reduce the cost of cellular use to transmit data,” the report stated.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.