The cyberattack on the U.S. Customs and Border Protection (CBP) agency last month identified the need for cyber vigilance everywhere. In the details of the attack, hackers gained access to information collected by CBP. The unauthorized access netted the hackers hundreds of thousands of photos of border crossers and license plate numbers of vehicles. This information belonged to individuals and businesses who traverse the U.S.-Mexico border. And although most of them are legally using U.S. ports of entry, criminals now have information that could be exploited for gain in the near future.
CBP is a Department of Homeland Security (DHS) organization with a mission that involves ensuring legal immigration and security at our borders. The attack revealed that the Government’s network security mechanisms haven’t received the same attention as physical security. The CBP hacking incident raises serious questions about privacy and critical personally identifiable information being collected by all government entities. Is the data secure, and how does the government know it’s secure?
As most people are aware, turmoil at the southern border has reached an all-time high. The geo-political and partisan activity in Washington, and beyond, has brought a lot of attention to our southern border. Everyone, from pranksters to hacktivists, now sees a value in disrupting official processes. Some even focus on bringing negative attention to agencies involved with border protection.
The Trump Administration has prioritized ensuring that migrants who come across the Mexican border do so legally. Facial-recognition technology and license plate readers are some of the advanced tools being used to identify people crossing border checkpoints. These technologies have been extremely useful and timesaving for law enforcement globally. However, the Government’s use of little-known private contractors to shore up its security efforts has resulted in immeasurable consequences. Maybe contractors should be measured with the same vigor as the technology currently being deployed.
The latest cyberattack on CBP revealed that hackers gained access not only to pictures and license plate numbers, but also to detailed DHS schematics, confidential agreements, equipment lists, budget spreadsheets, internal photos, passwords, and hardware blueprints for security systems. I am sure cartels and organized crime groups are very excited about how this information will support their mission. Some of the documents portray a literal road map to equipment that has been installed at the U.S.’s most highly trafficked border gateways. And now, it all can be found for sale on the Dark Web. This CBP hack has introduced a cyber-physical threat that challenges national security. This is ironic, considering the original mission pushing the Government to deploy the information gathering tools in the first place.
So, who should we blame for the security issues at the border? A combination of factors goes into answering this question, but simply put: The Government. You see, federal authorities awarded a surveillance contract to a company called Perceptics, and they leaked the data. Perceptics is a small Kentucky-based technology firm whose computer systems appear to have been breached, and this is how the CBP data was lost. Though CBP has failed to directly name the subcontractor, it faults the “subcontractor” for violating federal rules after the firm transferred sensitive data onto its own private network. The whole incident magnifies a great issue the federal government has in contracting: small business supply-chain risk management.
We are in no way saying that small businesses should not have the opportunity to compete for work. We are a small business (Max Cybersecurity LLC). The problem is that limited resources minimize the cybersecurity programming at smaller business entities. This, in turn, makes their networks more vulnerable to hackers than those of larger businesses that may be able to fund cybersecurity.
In the case of Perceptics, cybersecurity was not a priority and the thought of falling victim to a cyberattack was unfathomable. Ironically, efforts to save money on their part, and a lack of risk management practices, resulted in a large-scale data breach which was costly to all involved.
I believe the government needs mechanisms that reasonably ensure that any company awarded a contract meets basic cybersecurity standards/requirements. If the prime contractor chooses to subcontract, they too should be held accountable for making sure their subcontractors are using cybersecurity best practices.
So, it is now evident that Perceptics did not have adequate cybersecurity measures in place, nor did the prime or the federal government check adherence to best practices. These failures jeopardized the privacy and potentially the safety of hundreds of thousands of border crossers. It is up to the government to manage the security of information that officials and electronic systems collect daily. Not being cyber vigilant could have long-lasting national security consequences.
DHS officials say license plate readers are imperative to identifying, apprehending, and removing individuals who are immigrating illegally. However, it is just as important to manage privacy responsibilities based on the law. Federal authorities should only gather information that is pertinent to accomplishing their mission. And, when information is collected, they should ensure it is protected with the same vigor that our borders are protected.