Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Homeland Security Criticized For Potential Privacy Risks

Poor oversight of data mining used in counterterrorism initiatives could leave personal information vulnerable, finds GAO report.

50 Most Influential Government CIOs
Slideshow: 50 Most Influential Government CIOs
(click image for larger view and for slideshow)
The Department of Homeland Security (DHS) does not adequately review the privacy and effectiveness of data-mining systems it uses in counterterrorism efforts, possibly putting personal information at risk, according to a government watchdog agency.

The Government Accountability Office (GAO) evaluated six data-mining systems from the DHS and three of its component organizations--the U.S. Customs and Border Protection, U.S. Immigration and Customs Enforcement, and the U.S. Citizenship and Immigration--and found that none of them had an effective framework in place for proper oversight of the systems, according to a new report by the agency.

Specifically, the GAO found that none of the systems "performed all of the key activities associated with an effective evaluation framework," according to the report.

[DHS is moving aggressively to implement cloud computing. Learn more about its plans: Homeland Security Plans 12 Cloud Services.]

While four of the programs performed most of the requirements for evaluating privacy, only one performed most of those related to executive review and approval, according to the GAO. This inconsistency puts privacy-related information at risk and also affects the effectiveness of the programs themselves, the agency found.

One system in particular--the Immigration and Customs Enforcement Pattern Analysis and Information Collection (ICEPIC)--was found to be especially troublesome because it was given a privacy impact assessment before the system was even completed, according to the GAO.

Officials developed their assessment of ICEPIC before a component called the law Enforcement Information Sharing Service--which allows people's personal information to be shared outside the agency--was put in place, according to the GAO. As a result, multiple law-enforcement agencies have access to people's personal information, but it's not being reported or disclosed, which could put that information at risk.

In the DHS' defense, the GAO said that officials are working to revise the privacy assessment plan to take into account the feature, but that plan is not yet complete.

As one of several recommendations in the report, the GAO advised the DHS to develop "requirements for providing additional scrutiny of privacy protections for the sensitive information systems that are not transparent to the public through privacy impact assessments."

The DHS did not respond immediately to request for comment about the report Monday.

The federal government has ramped up its data-mining efforts recently to improve how it uses the tool, particularly in its review of intelligence information to thwart terrorist activities. The National Counterterrorism Center (NCTC), for example, is developing software called DataSphere that can analyze terrorists' communications networks and travel activities to help discover relationships among them.

Data mining and analytics are also are key to efforts the feds are taking to cut costs, according to the Obama administration's Campaign to Cut Waste. Officials believe that by examining and analyzing existing data they can decide how to prioritize their investments.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...