DHS drone data left vulnerable, audit finds

While the Department of Homeland Security has looked to step up its use of drones to patrol the U.S.-Mexico border, lax security policies have left the collected data vulnerable to hackers and insider threats, a new audit finds.

IT systems used by the Customs and Border Protection to share drone-gathered data are “at increased risk of compromise by trusted insiders and external sources” because of security shortcomings, a DHS inspector general report states.

“Continuous monitoring to facilitate effective security incident handling, reporting, and remediation was lacking, while system maintenance and oversight of contractor personnel were inconsistent,” the report says.

The IG investigation comes as DHS has sought more advanced drone technology to surveil border areas. In July 2016, for example, the department asked industry for proposals for small and easily deployable commercial drones. And in missions along the Texas-Mexico border over three years, a Predator B drone helped CBP personnel seize more than five tons of marijuana, the CPB said in February.

The intelligence, surveillance, and reconnaissance (ISR) systems examined by the IG consist of eight “interconnected software utilities and computer subsystems” that share drone data, such as images and videos, with analysts and CBP officials. Officials in charge of the program failed to carry out important cybersecurity oversight of that networking equipment, the audit found. An appendix to the report lists more than 20 “unauthorized removable media devices,” such as flash and hard drives, that have been used to access ISR systems.

The flawed cybersecurity practices came down to leadership, or lack thereof, the watchdog concluded, as there was not the staff, guidance, training and expertise needed to effectively run the ISR systems.

On the other hand, the IG found that the CBP’s management of software patches for the ISR systems was “generally effective” albeit still in need of improvement. “[W]e identified one unique critical vulnerability and seven unique high-risk vulnerabilities on Windows 7 workstations” included in the ISR systems, the watchdog said.

The audit also raises important privacy issues. After the IG expressed concern that the CBP had not done a privacy assessment of the drone-supporting ISR systems, CBP officials carried out an assessment and found that the systems did not contain personally identifiable information. Nonetheless, CBP officials had been unaware that they were required to do a privacy assessment all while drone-flight data continued to stream into ISR systems.

In responding to the draft IG report, Henry Moak, a CBP official, emphasized some privacy and security safeguards that the program has in place.

“It is important to note that ISR systems surveillance and reconnaissance data is not associated with any individual unless the data is linked to an investigation as a result of a law enforcement event,” Moak wrote.  Data stored in the ISR systems is encrypted and files left idle for five years are automatically deleted, he said.

The CBP said it was taking several steps to boost the ISR systems’ cybersecurity, including swifter software patching. In response to the IG’s staffing concerns, CBP said it had filled “three key IT positions and … allocated sufficient budget and staff resources” to the program.