Would it surprise you that a government agency collecting data via drones, data such as images and videos, failed to consider privacy implications of that data? Probably not, but apparently U.S. Customs and Border Protection (CBP) officials were shocked to know it was required.
According to an audit by the Office of Inspector General (OIG), CBP officials didn’t bother to do a privacy threshold analysis because they “were unaware of the requirement to do so.”
But hey, why stop at a single, albeit huge, privacy fail when you can fail at security, too? That’s right, when it comes to CBP’s drone surveillance program, the OIG detected failures in IT security controls, as well as failures that put CBP’s unmanned aircraft systems and operations at risk. In fact, the audit resulted in 10 recommendations to improve CBP’s unmanned aircraft systems program.
NEW! CBP’s Unmanned Aircraft Systems & Ops at-Risk. @CBP failure to implement adequate #security controls according to #Federal & @DHSgov policy could result in potential loss of confidentiality & integrity FMI: https://t.co/xGVg4GY9Pe
— DHSOIG (@DHSOIG) September 25, 2018
Not only did it not occur to CBP to perform a privacy assessment for the Intelligence, Surveillance, and Reconnaissance (ISR) Systems used in the unmanned aircraft systems (UAS) program, but the agency also failed to include ISR systems in CBP’s IT inventory. That meant the system was deployed without any CBP Privacy Office oversight. Because it never assessed the privacy impact of the surveillance systems, CBP was unable to determine whether the images and video collected and transmitted from the drones needed the safeguards required by privacy laws, regulations and even Department of Homeland Security (DHS) policy.
“Various CBP officials” claimed they lacked awareness of privacy requirements before deploying drone surveillance systems. At one point, the OIG was told there was no need for a privacy analysis because the surveillance system did not collect and store personally identifiable information (PII). The next person in charge claimed no one told him a privacy assessment was required. The OIG noted that a contractor was in charge “given difficulties hiring a government employee.”
Drone system never added to CBP’s IT inventory
CBP apparently failed to establish organizational ownership of the ISR Systems, which means there is “little to no assigned responsibility and accountability for the system’s management as a whole.” Air and Marine Operations has “ownership of the ISR Systems,” but no single entity was ever deemed the responsible party for funding and maintenance.
With the drone surveillance systems never being added to CBP’s IT inventory and, therefore, receiving no privacy oversight, officials for the privacy department were able to declare the privacy fail was a joint failure of the Air and Marine Operations and CBP’s Office of Information.
Air and Marine Operations officials “could not state with certainty whether or not ISR Systems contained privacy information necessitating privacy safeguards. Without proper privacy protections, any sensitive privacy information in existence could be lost, stolen, or compromised.”
As for the large lump of security fails, the OIG wrote:
Moreover, CBP did not implement the information security controls needed to safeguard ISR Systems. For example, ISR Systems did not have authorization to operate, including a continuity of operations plan. Continuous monitoring to facilitate effective security incident handling, reporting, and remediation was lacking, while system maintenance and oversight of contractor personnel were inconsistent. Additionally, CBP did not implement adequate controls to limit physical access to the ground control station housing ISR Systems data.
These information security deficiencies occurred because CBP did not establish an effective program structure, including the leadership, expertise, staff, training, and guidance needed to manage ISR Systems effectively. As a result, ISR Systems and mission operations were at increased risk of compromise by trusted insiders and external sources.
The OIG goes on to explain there was no valid authorization to operate the ISR Systems. At one point, there was a draft of a system security plan, but that was never finalized. Little surprise, then, to learn there was also no security assessment report, no final risk assessment, and no continuity of operations plan.
Vulnerabilities discovered in ISR Systems
With no system security plan and risk assessment, the OIG had no baseline to test the system for compliance with NIST’s array of system security controls. Nevertheless, the OIG noted that patch management could be improved, as it identified a critical remote code execution vulnerability, as well as seven high-risk vulnerabilities on Windows 7 workstations and one high-risk vulnerability on Windows Server 2008.
Additionally, OIG found 24 removable media devices on the system – 22 of which were not authorized, government-issued devices. The unauthorized devices were capable of removing data like videos and images captured by the UAS.
The report goes on and on with face-palm problems found while auditing the surveillance information systems – problems such as system events not being monitored and the use of obsolete software. The OIG also found inadequate management of personnel responsible for ISR systems, including contractor oversight, and inadequate physical access controls, which are deemed to be the first line of defense against intruders hoping to gain unauthorized access.
In all, the OIG came up with 10 recommendations for CBP regarding this surveillance system.