US customs workers put their country at risk when they were found to have installed a bunch of personal apps on their work phones, an official rebuke has said.
An audit carried out by the US Department of Homeland Security Office of the Inspector General between April and August 2023 found that Immigration and Customs Enforcement (ICE)-managed devices had presented a serious security risk to the US government.
The result? No fewer than six recommendations were provided by the Inspector General in a management alert addressed to ICE’s Deputy Director.
Government put at risk by its own employees
According to the letter, “thousands” of applications had been installed on ICE devices by employees, contractors, and other agency workers, including “applications from companies banned from US Government information systems.”
The public version of the letter leaves some sections redacted, including the Inspector General’s mention of applications associated with two unknown entities. Given the US government’s recent approach to some Chinese firms, it’s possible that the two unknowns could be associated with spyware or malware – we can only speculate, though.
As well as banned apps and others associated with potentially malicious companies, countries, or developers, US ICE workers had also gone on to install third-party file-sharing applications (we all know the effects of the recent MOVEit breach), third-party VPNs, and third-party messaging apps, some of which with known vulnerabilities.
Ultimately, the Immigration and Customs Enforcement department was found to be at fault for “not sufficiently manag[ing], monitor[ing], or assess[ing] mobile applications.”
The first five recommendations directed at the ICE Chief Information Officer include: removing prohibited applications; assessing any breaches of sensitive information; introducing a process to assess and reduce such risks; introducing a policy to ensure that third-party applications on affected devices are up-to-date; and bringing the ICE and Department of Homeland Security (DHS) policies into better alignment.
The sixth suggestion is that the DHS Chief Information Security Officer investigates whether similar issues exist for other DHS agencies.
While some of the recommendations have already been acted upon, the report clearly signals the need for government agencies across the globe to keep their own policies up-to-date amid growing cybersecurity threats.
