US customs officials put their country at risk by installing a number of personal apps on their work phones, an official reprimand said.
An audit conducted by the U.S. Department of Homeland Security Office of the Inspector General between April and August 2023 found that devices managed by Immigration and Customs Enforcement (ICE) posed a serious security risk to the U.S. government.
The result? The Inspector General issued a management alert with no fewer than six recommendations, addressed to the deputy director of ICE.
Government endangered by its own employees
According to the letter, “thousands” of applications had been installed on ICE devices by employees, contractors and other temporary workers, including “applications from companies that were excluded from U.S. government information systems.”
The public version of the letter has some portions redacted, including the inspector general's mention of applications related to two unknown entities. Given the recent crackdown on some Chinese companies by the US government, it is possible that these two unknown entities could be linked to spyware or malware. However, we can only speculate.
In addition to banned apps and other apps linked to potentially malicious companies, countries or developers, US ICE employees had also started installing third-party applications (we all know the fallout from the recent MOVEit breach), VPNs and third-party messaging apps, some of which have known vulnerabilities.
Ultimately, the Department of Immigration and Customs Enforcement was found guilty of “inadequately managing, monitoring or reviewing mobile applications.”
The first five recommendations addressed to ICE’s Chief Information Officer include: removing prohibited applications; assessing any breaches of sensitive information; introducing a process to assess and mitigate such risks; introducing a policy to ensure that third-party applications on affected devices are up to date; and better aligning ICE and Department of Homeland Security (DHS) policies.
The sixth suggestion is for the DHS Chief Information Security Officer to investigate whether similar issues exist for other DHS agencies.
While some of the recommendations have already been addressed, the report clearly signals the need for government agencies around the world to keep their own policies up to date amid increasing cybersecurity threats.