IG: Program to automate immigration processing is vulnerable to insider threats

Watchdog says USCIS officials have not indicated how they will correct shortcomings.

A Homeland Security Department inspector general this week released a report that found a struggling $2.4 billion project to computerize immigration paperwork lacks a strategy for protecting the system against insider threats.

The Transformation program, which is supposed to digitize the current paper-based systems for processing visas and other authorization documents, is running about a decade behind schedule and four times its original $536 million budget estimate. The large reengineering effort is aimed at improving customer service, automating workflow, detecting fraud and addressing national security issues.

Frank Deffer, assistant IG for information technology audits, listed the project and its vulnerability to insider threats as among the "most prevalent, high impact areas of concern" in his review of measures U.S. Citizenship and Immigration Services is taking to guard IT systems and data against dangers that employees and contractors pose. Most USCIS personnel mentioned Transformation during on-site interviews the auditors conducted.

The IG report underscores the importance of preventing tampering so that residency papers are not granted to potential terrorists. Its release coincides with a thwarted bomb plot in Texas allegedly perpetrated by a Saudi Arabian citizen who was legally in the United States on a student visa.

"Insiders at USCIS have perpetrated fraud in the past," the audit stated. "USCIS insiders are capable of granting legal residency or citizenship status to someone who poses a national security risk to the United States."

House Judiciary Chairman Lamar Smith, R-Texas, on Thursday said the incident in his home state represents a failure of the immigration system to screen applicants.

Based on a "review of the requirements for fraud detection and national security issues, it appears there are no requirements to address insider threats" to Transformation, Deffer wrote. The report describes the project specifications as detailed and comprehensive but silent on the issue of obstructing malicious insiders. Fraud detection in program documents refers to deception committed by applicants and petitioners -- not federal personnel.

The IG recommended the agency develop system requirements that minimize the risk of insider threats. As of Jan. 20, USCIS officials had not informed the inspector general of steps the agency will take to address the identified security weaknesses.

In brief remarks submitted to the inspector general, USCIS deputy director said the agency agrees with the report's findings and recommendations and believes they will be very helpful in its efforts to strengthen controls. IG officials responded, "USCIS did not provide information on how it intends to address our recommendations. Therefore we consider our recommendations unresolved and open pending our review of USCIS' corrective action plans."

Agency spokesman Chris Bentley on Friday said USCIS is dedicated to ensuring employees follow pre-established rules and procedures for conduct and the handling of sensitive data. "The USCIS Office of Privacy, Office of Security and Integrity, and Office of Information Technology continue to work to educate our employees about insider threats to ensure our workforce recognizes and reports improper behavior and the mishandling or misuse of data," he said.