Coast Guard's Fingerprint System Used to Nab Terrorist Suspects is Flawed, OIG Says

Jon Bilous/

Featured eBooks

Digital First
Cloud Smarter
Cybersecurity & the Road Ahead

Personnel on Coast Guard ships use handheld devices to collect intercepted persons' fingerprints and images of their faces, as part of the Biometrics at Sea System.

The Coast Guard needs to improve the digital fingerprinting system used to determine if persons attempting to illegally enter the country are also suspected terrorists, felons or deportees, according to a report from the Department of Homeland Security's Office of the Inspector General.  

Personnel on 23 Coast Guard ships use handheld devices to collect intercepted persons' fingerprints and images of their faces, as part of the Biometrics at Sea System, or BASS. The Coast Guard then sends those scans to DHS' automated identification system, called IDENT, which searches its biometric database for a match. When there isn't a match, IDENT enrolls the new entry in its database. 

But BASS has several operational flaws, according to the OIG.

For one, the Coast Guard has not reconciled discrepancies between the number of biometric entries sent to IDENT, and the number actually stored in IDENT. 

In one instance, an official from DHS' Office of Biometric Identity Management reported that IDENT contained more than 4,600 BASS transactions between October 2006 and May 2012. Another report from the Coast Guard, however, stated that transactions were more than 5,100.

Coast Guard officials attributed the discrepancy to a system error, but did not provide evidence as to why the error occurred, according to the report. 

Not reconciling this discrepancy might "impede future identification of suspected terrorists, aggravated felons or other individuals of interest," the report said. 

The Coast Guard also didn't adequately update security plans -- blueprints for security management and controls -- when it transitioned BASS from two-fingerprint scans to 10-fingerprint ones, the report said. Fifteen months after the migration, which began in 2013, the Coast Guard still hadn't updated security plans to reflect the new 10-fingerprint system. 

The report also found that 13 system development and support employees were sharing one password to access administrator accounts, which would let them change security settings, install hardware and software, and access all files.

With just one password, the report said, Coast Guard management couldn't hold individuals accountable for activity within an account, meaning a disgruntled employee could easily make unauthorized changes without being identified. 

According to the report, the Coast Guard concurred with OIG's recommendations that it should update security documents, eliminate use of common passwords and ensure personnel adhere to change management policy. OIG also proposed to establish a BASS aggregate control log to verify the number of biometric entries sent to and received by IDENT. 

Neither DHS nor the Coast Guard responded to Nextgov's request for additional comment. 

(Image via Jon Bilous/