The department does not consistently encrypt sensitive data stored on mobile devices.
Homeland Security Department employees are logging on to DHS networks with their unapproved Global Positioning System units, e-readers and other electronics and failing to regularly encrypt sensitive data on government-issued Android devices, according to the department’s inspector general.
The mobile federal workforce’s increasing dependence on commercial portable electronics, including tablets and Apple gadgets, may be compromising Homeland Security data, Frank W. Deffer, DHS assistant IG for information technology audits, concluded in an audit released this week.
The evaluation, which ran from September 2011 through March, also found that several department components do not consider thumb drives to be a sensitive asset and, consequently, do not keep track of them.
Homeland Security “components must develop policies and procedures to govern the use and improve the accountability of portable devices,” Deffer wrote in the report. “DHS must implement security controls to safeguard the portable devices and the sensitive information stored on and processed by these devices.”
At Immigration and Customs Enforcement, the inspector general discovered at least one of each of the following unapproved devices connecting to Homeland Security’s unclassified network: Amazon’s Kindle e-book reader, Apple’s iPod, Nike’s Sportwatch GPS unit, a digital picture frame and various brands of thumb drive. At the DHS Management Directorate, employees were inserting unsanctioned iPods, mass media storage devices and external hard drives. At the Transportation Security Administration, the inspection uncovered one or more Garmin Nuvi GPS units, iPods and thumb drives. At the Coast Guard, network scans turned up at least one unauthorized iPod, Garmin Nuvi GPS unit and HTC Android phone USB device.
Most of these risky connections occurred between 2010 and 2012.
In a response included with the report, department officials told auditors they have no way of stopping personnel from hooking up devices to their workstations. They attempt to keep the electronics off the network by distributing only government-procured devices and by educating employees not to use unapproved devices on government computers.
Separately, Deffer scolded Customs and Border Protection, TSA, and Citizenship and Immigration Services for not classifying thumb drives as a sensitive asset worth inventorying. Agency officials, during the audit, explained they did not categorize the devices as such because of their cost and size. “Since their USB thumb drives are encrypted and inexpensive, they did not think that it would be necessary to inventory these devices,” the report states.
Also, USCIS officials decided tracking the tools would be inefficient. “If USB thumb drives are lost or stolen, according to USCIS officials, the property custodians would have to prepare paperwork, get it signed, and add it to the asset management system to fully record the loss,” the audit states.
Deffer responded that “DHS guidance defines sensitive personal property, regardless of dollar value, as devices that have data storage capability, are inherently portable, can easily be converted to private use, or have a high potential for theft.”
Homeland Security officials have since agreed to resolve the matter by requiring thumb drives to be recorded as sensitive personal property in the asset management system.
In addition, the evaluation determined that, on approved electronics, Homeland Security is not encrypting government information or applying proper security settings: “The DHS components we reviewed are not consistently using encryption to protect sensitive data stored on and processed by portable devices,” including Android and iOS electronics, Deffer wrote, specifically citing ICE. He added that “DHS has not developed detailed configuration settings for Android- and iOS-based portable devices.”
At ICE, apparently anyone can access information saved inside an Android or iOS device because logins are not required. “The lack of authentication and password enforcement may allow unauthorized individuals to gain access to DHS data stored on the local device,” Deffer wrote.
DHS Chief Information Officer Richard Spires, in a June 1 letter responding to a draft report, wrote, “currently, Android and iOS devices are being piloted for possible formal implementation,” and added “if ICE decides to formally implement either device, it will be required to comply with the appropriate DHS guidance on authentication requirements for the device selected.”
The inspector general noted that built-in device accessories, such as cameras, GPS and Bluetooth, can improve a department-issued device’s functionality, but also expose sensitive government data to breaches.
Department officials said some of these features are required on their smartphones for work purposes. Bluetooth, for example, is necessary “to allow mobile hands-free calling to reduce the dangers of text messaging while driving,” while “a built-in camera can reduce the amount of equipment that inspectors and investigators have to carry when conducting official business,” the audit stated.
Cost also is a factor in the department’s decision to use the supporting electronics. “Wi-Fi connectivity is needed to reduce the cost of cellular use to transmit data,” the report stated.