DHS Watchdog Says CBP's Drone Program Is An Insecure, Possibly Rights-Violating Mess
from the your-tax-dollars-thrown-wildly-into-the-air dept
The CBP has drones. How many, it’s not really sure. It depends on when you ask. Or how you ask. The EFF’s FOIA lawsuit against the agency caused it to suddenly “remember” it had deployed drones 200 more times than it had previously disclosed.
The CBP’s drones are a lending library for US law enforcement agencies. An audit of the program found the CBP’s drones were more often used by others than by the agency owning them, despite this agency being charged with patrolling thousands of miles of US border — something that might be aided by some additional eyes in the skies.
But the eyes were worthless. The Inspector General concluded it was an airborne boondoggle. The CBP wasn’t malicious, just inept. As the IG saw it, the half-billion slated for drone use would be better spent on more personnel and ground-based surveillance.
Nevertheless, the drones continue to fly. When not straying far from the border to aid inland law enforcement agencies, the agency’s unmanned aircraft are still aloft, engaging in surveillance no one can really say for certain is 100% legal. The Inspector General’s latest report [PDF] shows the CBP has done very little to ensure its drone deployments are secure or legally compliant.
CBP has not ensured effective safeguards for surveillance information, such as images and video, collected on and transmitted from its UAS. CBP did not perform a PTA [Privacy Threshold Analysis] for ISR Systems [Intelligence, Surveillance, Reconnaissance] used in the UAS [Unmanned Aircraft Systems] program to collect data because CBP officials were unaware of the requirement to do so. Failure to include ISR Systems in CBP’s information technology inventory enabled system deployment without CBP Privacy Office oversight. Without a privacy assessment, CBP could not determine whether ISR Systems contained data requiring safeguards per privacy laws, regulations, and DHS policy.
This is what’s going to have to pass as the “good news” in “good news and bad news.” There only appears to be bad news. CBP didn’t implement security controls to safeguard its surveillance systems, including a failure to control access to ground control stations housing collected surveillance footage/data. The long string of screwups listed in this report is the result of serious structural failure.
These information security deficiencies occurred because CBP did not establish an effective program structure, including the leadership, expertise, staff, training, and guidance needed to manage ISR Systems effectively.
This leaves the CBP’s drone program susceptible to threats both external and internal. Additionally, the lack of a privacy assessment means the CBP can’t say its surveillance doesn’t violate civil liberties or local laws. CBP officials seemed to be entirely unaware of the need to perform an impact assessment prior to deployment. But the officials did agree it was someone else’s fault they didn’t know how to do their job. The IG saw the buck being passed by everyone it spoke to. The final resting place for the oft-passed buck was the outside contractor who set up the ISR system. When in doubt, blame the civilians — a strategy that makes no sense when you’re discussing the lack of compliance with DHS policy and federal regulations.
As the IG sees it, the ISR program operates without authorization or approval. DHS requirements have yet to be met by the CBP, so every one of its hundreds of drone flights has been, at the very least, a policy violation.
The CBP also could not provide the IG with a security assessment report for its ISR system, suggesting this has never been done in the program’s half-decade-plus of existence. Then there are other system-critical odds and ends the CBP can’t seem to get a grip on. Unauthorized media devices/USB drives are being plugged into system-critical hardware. Software patches are delivered irregularly and inconsistently. No one appears to be tasked with monitoring system events on ISR systems and a plethora of outdated software is still in use, which means some system-critical software hasn’t been patched in months or years and possibly may never receive another update.
Also described as “inadequate”: personnel management, physical access controls, staffing levels, and systems training.
So far, so government. But this is a government agency with access to plenty of funding and advanced tech. It has plenty of tools but uses them poorly. Despite being told its unmanned systems were mostly useless, the CBP continues to pour money on the problems it won’t fix, rather than follow the IG’s last list of recommendations. It has access to plenty of surveillance tech, but won’t provide proper training, perform mandated assessments, or even put together a half-assed organizational chart for its drone operations.
The CBP has shown it can’t be trusted with the stuff that’s given to it to use in its border patrolling efforts. Sadly though, the response from Congress year after year has been to give it more money and stuff to use poorly, unwisely, and possibly illegally.