IG finds unauthorized e-readers, thumb drives, GPS on Homeland Security networks

AP file photo

The department does not consistently encrypt sensitive data stored on mobile devices.

Homeland Security Department employees are logging on to DHS networks with their unapproved Global Positioning System units, e-readers and other electronics and failing to regularly encrypt sensitive data on government-issued Android devices, according to the department’s inspector general.

The mobile federal workforce’s increasing dependence on commercial portable electronics, including tablets and Apple gadgets, may be compromising Homeland Security data, Frank W. Deffer, DHS assistant IG for information technology audits, concluded in an audit released this week.

The evaluation, which ran from September 2011 through March, also found that several department components do not consider thumb drives to be a sensitive asset and, consequently, do not keep track of them.

Homeland Security “components must develop policies and procedures to govern the use and improve the accountability of portable devices,” Deffer wrote in the report. “DHS must implement security controls to safeguard the portable devices and the sensitive information stored on and processed by these devices.”

At Immigration and Customs Enforcement, the inspector general discovered at least one of the following unapproved devices connecting to Homeland Security’s unclassified network: Amazon’s Kindle e-book reader, Apple’s iPod, Nike’s Sportwatch GPS unit, digital picture frame and various thumb drive brands. At the DHS Management Directorate, employees were inserting unsanctioned iPods, mass media storage devices and external hard drives. At the Transportation Security Administration, the inspection uncovered one or more Garmin Nuvi GPS units, iPods and thumb drives. At the Coast Guard, network scans turned up at least one unauthorized iPod, Garmin Nuvi GPS unit and HTC Android phone USB device.

Most of these risky connections occurred between 2010 and 2012.

In a response included with the report, department officials told auditors they have no way of stopping personnel from hooking up devices to their workstations. They attempt to block the electronics from the network by distributing only government-procured devices and by educating employees not to use such devices on government computers.

Separately, Deffer scolded Customs and Border Protection, TSA, and Citizenship and Immigration Services for not classifying thumb drives as a sensitive asset worth inventorying. Agency officials, during the audit, explained they did not categorize the devices as such because of their cost and size. “Since their USB thumb drives are encrypted and inexpensive, they did not think that it would be necessary to inventory these devices,” the report states.

Also, USCIS officials decided tracking the tools would be inefficient. “If USB thumb drives are lost or stolen, according to USCIS officials, the property custodians would have to prepare paperwork, get it signed, and add it to the asset management system to fully record the loss,” the audit states.

Deffer responded that “DHS guidance defines sensitive personal property, regardless of dollar value, as devices that have data storage capability, are inherently portable, can easily be converted to private use, or have a high potential for theft.”

Homeland Security officials have since agreed to resolve the matter by requiring thumb drives to be recorded as sensitive personal property in the asset management system.

In addition, the evaluation determined that, on approved electronics, Homeland Security is not encoding government information or applying proper security settings: “The DHS components we reviewed are not consistently using encryption to protect sensitive data stored on and processed by portable devices,” including Android and iOS electronics, Deffer wrote, specifically citing ICE. In addition, “DHS has not developed detailed configuration settings for Android- and iOS-based portable devices.”

At ICE, apparently anyone can access information saved inside an Android or iOS device because logins are not required. “The lack of authentication and password enforcement may allow unauthorized individuals to gain access to DHS data stored on the local device,” Deffer wrote.

DHS Chief Information Officer Richard Spires, in a June 1 letter responding to a draft report, wrote, “currently, Android and iOS devices are being piloted for possible formal implementation,” and added “if ICE decides to formally implement either device, it will be required to comply with the appropriate DHS guidance on authentication requirements for the device selected.”

The inspector general noted that built-in device accessories, such as cameras, GPS and Bluetooth, can improve a department-issued device’s functionality, but also expose sensitive government data to breaches.

Department officials said some of these features are required on their smartphones for work purposes. Bluetooth, for example, is necessary “to allow mobile hands-free calling to reduce the dangers of text messaging while driving,” while “a built-in camera can reduce the amount of equipment that inspectors and investigators have to carry when conducting official business,” the audit stated.

Cost also is a factor in the department’s decision to use the supporting electronics. “Wi-Fi connectivity is needed to reduce the cost of cellular use to transmit data,” the report stated.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.