
IG finds unauthorized e-readers, thumb drives, GPS on Homeland Security networks


Homeland Security Department employees are logging on to DHS networks with their unapproved Global Positioning System units, e-readers and other electronics and failing to regularly encrypt sensitive data on government-issued Android devices, according to the department’s inspector general.

The mobile federal workforce’s increasing dependence on commercial portable electronics, including tablets and Apple gadgets, may be compromising Homeland Security data, Frank W. Deffer, DHS assistant IG for information technology audits, concluded in an audit released this week.

The evaluation, which ran from September 2011 through March, also found that several department components do not consider thumb drives to be a sensitive asset and, consequently, do not keep track of them.

Homeland Security “components must develop policies and procedures to govern the use and improve the accountability of portable devices,” Deffer wrote in the report. “DHS must implement security controls to safeguard the portable devices and the sensitive information stored on and processed by these devices.”

At Immigration and Customs Enforcement, the inspector general discovered at least one of the following unapproved devices connecting to Homeland Security’s unclassified network: Amazon’s Kindle e-book reader, Apple’s iPod, Nike’s Sportwatch GPS unit, a digital picture frame and various thumb drive brands. At the DHS Management Directorate, employees were inserting unsanctioned iPods, mass media storage devices and external hard drives. At the Transportation Security Administration, the inspection uncovered one or more Garmin Nuvi GPS units, iPods and thumb drives. At the Coast Guard, network scans turned up at least one unauthorized iPod, Garmin Nuvi GPS unit and HTC Android phone USB device.

Most of these risky connections occurred between 2010 and 2012.

In a response included with the report, department officials told auditors they have no way of stopping personnel from hooking up devices to their workstations. They attempt to block the electronics from the network by distributing only government-procured devices and by educating employees not to use such devices on government computers.

Separately, Deffer scolded Customs and Border Protection, TSA, and Citizenship and Immigration Services for not classifying thumb drives as a sensitive asset worth inventorying. Agency officials, during the audit, explained they did not categorize the devices as such because of their cost and size. “Since their USB thumb drives are encrypted and inexpensive, they did not think that it would be necessary to inventory these devices,” the report states.

Also, USCIS officials decided tracking the tools would be inefficient. “If USB thumb drives are lost or stolen, according to USCIS officials, the property custodians would have to prepare paperwork, get it signed, and add it to the asset management system to fully record the loss,” the audit states.

Deffer responded that “DHS guidance defines sensitive personal property, regardless of dollar value, as devices that have data storage capability, are inherently portable, can easily be converted to private use, or have a high potential for theft.”

Homeland Security officials have since agreed to resolve the matter by requiring thumb drives to be recorded as sensitive personal property in the asset management system.

In addition, the evaluation determined that, on approved electronics, Homeland Security is not encrypting government information or applying proper security settings: “The DHS components we reviewed are not consistently using encryption to protect sensitive data stored on and processed by portable devices,” including Android and iOS electronics, Deffer wrote, specifically citing ICE. In addition, “DHS has not developed detailed configuration settings for Android- and iOS-based portable devices.”

At ICE, apparently anyone can access information saved inside an Android or iOS device because logins are not required. “The lack of authentication and password enforcement may allow unauthorized individuals to gain access to DHS data stored on the local device,” Deffer wrote.

DHS Chief Information Officer Richard Spires, in a June 1 letter responding to a draft report, wrote, “currently, Android and iOS devices are being piloted for possible formal implementation,” and added “if ICE decides to formally implement either device, it will be required to comply with the appropriate DHS guidance on authentication requirements for the device selected.”

The inspector general noted that built-in device accessories, such as cameras, GPS and Bluetooth, can improve a department-issued device’s functionality, but also expose sensitive government data to breaches.

Department officials said some of these features are required on their smartphones for work purposes. Bluetooth, for example, is necessary “to allow mobile hands-free calling to reduce the dangers of text messaging while driving,” while “a built-in camera can reduce the amount of equipment that inspectors and investigators have to carry when conducting official business,” the audit stated.

Cost also is a factor in the department’s decision to use the supporting electronics. “Wi-Fi connectivity is needed to reduce the cost of cellular use to transmit data,” the report stated.
