CBP Cybersecurity Failures Left Travelers' Personal Info at Risk, IG Says

Customs and Border Protection placed the personally identifiable information of travelers at risk by failing to ensure its Mobile Passport Control applications were protected from cybersecurity threats, according to the Homeland Security Department’s internal watchdog. 

According to a recent DHS Office of Inspector General audit, the organization charged with border control did not scan its apps for vulnerabilities, did not detect vulnerabilities identified in scans, did not complete security and privacy compliance reviews, and did not manage its system configuration adequately. 

“Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers’ PII at risk of exploitation,” the audit reads. More than 10 million travelers used the unsecured MPC apps between July 2017 and December 2019, according to the audit. 

CBP introduced its third-party-developed MPC apps in order to speed up the inspection process at ports of entry. The apps—there were three in use until last month—transmit PII upon arrival at participating ports.   

Despite requirements, CBP failed to scan 134 of 148 app version updates to detect vulnerabilities released between 2016 and 2019. That’s a 91% failure rate, according to the audit. 

“This occurred because CBP did not track version updates and instead relied on app developers to send ad-hoc notifications informing CBP of newly released app version updates,” the audit reads. “Moreover, when we conducted the same scans available to CBP, using DHS’ Office of the Chief Information Officer, for the six apps available for traveler use on May 13, 2020, and on November 5, 2020, we identified cybersecurity vulnerabilities.”

The agency also missed a total of seven high-risk vulnerabilities identified in a 2019 scan. On top of that CBP failed to complete 59%—or 38 of 64—annual compliance reviews and didn’t complete any of the required internal access log, privacy evaluation or internal audit reviews from 2016 to 2019. Auditors concluded the reason behind these deficiencies comes down to lack of specific schedules for completing reviews, methods for tracking completed reviews, and central storage for review documentation.

And OIG found CBP hadn’t implemented all the necessary Defense Information Systems Agency Security Technical Implementation Guide configuration settings across all its servers supporting the MPC apps. 

CBP agreed with the auditors’ eight recommendations, which call for:

• Making sure CBP scans all app update versions prior to release by developers. 
• Codifying processes around scanning, define roles and responsibilities to ensure scans happen, and ensure specialists review all scan results for vulnerabilities. 
• Defining processes for conducting required security and privacy compliance reviews on a specific timeline, for tracking completed reviews, and for centrally storing review documentation.
• Ensuring developers share all the information needed to perform the Requirements Traceability Matrix questionnaire, which is one of the security compliance reviews. 
• Creating a way to review access logs, define the periodic review time frame, and complete the required reviews during a defined time frame. 
• Completing a required privacy evaluation review. 
• Updating policy to include a process for conducting internal audits as well as completing those internal audits. 
• Fully implementing DISA STIGs, or request waivers to be exempt from some of the requirements, or fully document any exceptions made for deviating from the requirements.