US Customs Apps Put Travelers' PII at Risk
OIG Audit Shows Consumer Applications Inadequately Protected
U.S. Customs and Border Protection has not always protected its Mobile Passport Control applications, making travelers' personally identifiable information vulnerable to exploitation, according to a new report from the Department of Homeland Security's Office of the Inspector General.
CBP, which is responsible for securing travelers' data from cybersecurity threats, has oversight over six MPC apps, which are designed to expedite millions of travelers through CBP's inspection process. The OIG audit, conducted from March 2020 to April 2021, yielded eight recommendations to improve security hygiene.
CBP did not scan 91% of application updates released between 2016 and 2019 as is required to detect vulnerabilities, OIG discovered. Instead, CBP relied on updates from app developers, but the agency was not always notified when updates occurred, according to the report.
Also, CBP did not complete seven security and privacy compliance reviews of the apps, as required by the MPC Privacy Impact Assessment, because it did not obtain necessary information, "had competing priorities, and did not ensure app developers created a required process needed to perform mandatory internal audits," OIG states.
The OIG also found that CBP did not implement specific hardware and software configuration settings on MPC servers to protect them from vulnerabilities as required under Department of Homeland Security policy. CBP "incorrectly believed it could phase in the settings," the report says.
"Unless CBP addresses these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable, placing travelers' PII at risk of exploitation," the OIG concludes.
More than 10 million travelers used the apps between July 2017 and December 2019, according to the report.
The OIG recommended CBP take eight steps to improve its cyber resiliency:
- Scan all apps prior to release and also scan updated versions;
- Codify the scan processes and define the roles and responsibilities necessary to carry them out; have CBP Office of Information and Technology specialists review all app scan results;
- Conduct required security and privacy compliance reviews, track reviews and centrally store the documentation;
- Ensure the offices receive all necessary information from developers to complete the "requirements traceability matrix" questionnaire;
- Develop a capability to review access logs, define the periodic review timeframe and perform required reviews;
- Have the executive director of the Privacy and Diversity Office complete the required privacy evaluation review;
- Develop a process to conduct internal audits and perform them;
- Adhere to DHS policy and fully implement the Defense Information Systems Agency Security Technical Implementation Guide control categories for the servers supporting the MPC program.
CBP concurred with all eight recommendations.
CBP to Form Oversight Team
In a June memorandum to the OIG, a senior CBP official stated: "In support of our mission, CBP engaged with non-governmental entities in the development of commercial market-based Mobile Passport Control applications to expedite travelers through the primary inspection process.
"Third-party developers created, maintain, and operate the MPC applications, which transmit travelers' personally identifiable information prior to arrival at participating ports of entry. While the security of these applications is ultimately the responsibility of the vendors, CBP recognizes the need for dedicated oversight efforts to continue operations and ensure compliance with security policy and regulations."
CBP says it will form an oversight team in fiscal 2022 that will monitor MPC applications to help ensure the security of travelers' PII.
DOD and DHS Collaboration
The travel app findings come a week after the release of another report suggesting that a greater level of cooperation is needed between the Department of Defense and the Department of Homeland Security to ensure that U.S. critical infrastructure is protected against cyberthreats (see: DOD and DHS Need More Collaboration on Cybersecurity Issues).
That report recommends that DOD and DHS complete obligations outlined in an earlier memorandum - including details of responses to a variety of cyberthreats affecting critical infrastructure.