The Office of Inspector General (OIG) has found that U.S. Customs and Border Protection (CBP) did not always protect traveler data from cybersecurity risks, despite a responsibility to do so.
CBP’s Mobile Passport Control (MPC) app, used by more than 10 million travelers from July 2017 through December 2019, contained the travelers’ personally identifiable information (PII) used to expedite them through CBP’s inspection process. Third-party developers create, maintain, and operate the MPC apps, which transmit travelers’ PII upon arrival at participating ports of entry. From fiscal years 2016 through 2019, CBP expended on average $639,0003 each year for MPC, funded through its Trusted Traveler Program enrollment fees.
Although required to scan MPC app version updates to detect vulnerabilities, OIG found that CBP did not scan 134 of the 148 (91 percent) updates released from 2016 through 2019. This occurred because CBP officials relied on version updates from app developers but were not always notified when updates occurred. Additionally, CBP did not always identify vulnerabilities detected in scan results because CBP guidance does not require a review of all results.
During its audit, OIG requested that the Department of Homeland Security’s Office of the Chief Information Officer scan the six app versions available for traveler use on May 13, 2020, and on November 5, 2020. According to OIG’s July 15 report, these scans detected cybersecurity vulnerabilities. The May 13, 2020 scans revealed two app versions contained six high-risk vulnerabilities. For example, one of the apps contained a vulnerability that set incorrect default permissions, which allowed information to read and write to external storage locations unknown to the traveler. The other app contained a vulnerability specific to the storage of sensitive information as “cleartext” — unencrypted information that attackers can potentially read. In the second round of scans on November 5, 2020, an updated version of the same app identified on May 13, 2020, as having two vulnerabilities contained the same two vulnerabilities.
OIG’s audit also found that CBP failed to complete seven security and privacy compliance reviews of MPC apps, as required by the MPC Privacy Impact Assessment, because CBP did not establish a schedule for the reviews or track and centrally store review documentation. In addition, according to OIG, CBP did not obtain the information needed for the reviews, had competing priorities, and did not ensure app developers created a required process CBP needed to perform a mandatory internal audit.
Finally, although required by Department of Homeland Security policy, OIG found that CBP did not implement specific hardware and software configuration settings on MPC servers to protect them from vulnerabilities because CBP incorrectly believed it could phase in the settings.
It comes as no surprise that OIG has thrown a host of recommendations at CBP, with which it has agreed. CBP stated that it recognizes the need to improve and intends to form a dedicated oversight team in fiscal year 2022 that will monitor and ensure all MPC applications comply with policy and regulations, including policies related to the protection of PII.
To specifically address the recommendations, CBP will take the following actions:
- CBP Office of Field Operations (OFO) will update the MPC Business Requirements to reflect the Enterprise Services, Office of Information Technology (OIT)policies regarding the scanning of applications and subsequent approval process governing the vendor’s version release.
- CBP OFO and Enterprise Services OIT will collaborate to codify and define organizational roles and responsibilities necessary to ensure cybersecurity scans are completed by Enterprise Services OIT, as required by its policy. A signed memorandum will formalize each stakeholders’ (OFO/OIT/Vendors) responsibilities, policies and timelines associated with the scans. This information will be added to the MPC Business Requirements.
- CBP OFO and Enterprise Services OIT will collaborate on the development of its internal processes to: conduct the required security and privacy compliance reviews on schedule; track progress; and store documentation. OFO will also support OIT’s stakeholder engagement to facilitate the receipt of relevant security and privacy documentation.
- CBP OFO will support Enterprise Services OIT by facilitating requests for vendors to supply OIT with all information necessary to complete, review the Requirements Traceability Matrix (RTM) questionnaires, and update the RTM templates. OFO will draft templates for stakeholders’ engagement. Business sponsors and vendor profiles will be created to identify the proper points of contact, addresses, and related information.
- CBP Enterprise Services OIT will work with the current vendors to identify a process for reviewing logs on a regular basis.
- CBP Privacy and Diversity Office will conduct a Privacy Evaluation of the MPC program’s current operations, with a focus on how data is collected, used, and shared between the agency and application development partners. The review will include an assessment of the program’s established Privacy Compliance documentation, program policies, and operating procedures that support the use of this technology.
- CBP OFO will collaborate with the Privacy and Diversity Office and Enterprise Services OIT to update internal documents that describe an internal process to perform the required audits. In addition, OFO will assign personnel to support Enterprise Services OIT’s dedicated audit team and will provide documentation of this process.
- CBP Enterprise Services OIT will work to implement the Defense Information Security Agency’s Security Technical Implementation Guide control categories for the servers supporting the MPC program.
The MPC program was originally launched in 2014, and CBP announced its new app earlier this year as part of agency efforts to introduce new technologies to create a more secure traveler experience. The new MPC app was specifically created to better safeguard travelers’ privacy. It was piloted at Dulles International Airport in May, and has now expanded to Philadelphia and Fort Lauderdale, with an expected national launch in coming months.
