DHS Watchdog Says CBP's Drone Program Is An Insecure, Possibly Rights-Violating Mess

from the your-tax-dollars-thrown-wildly-into-the-air dept

The CBP has drones. How many, it's not really sure. It depends on when you ask. Or how you ask. The EFF's FOIA lawsuit against the agency caused it to suddenly "remember" it had deployed drones 200 more times than it had previously disclosed.

The CBP's drones are a lending library for US law enforcement agencies. An audit of the program found the CBP's drones were more often used by others than by the agency owning them, despite this agency being charged with patrolling thousands of miles of US border -- something that might be aided by some additional eyes in the skies.

But the eyes were worthless. The Inspector General concluded it was an airborne boondoggle. The CBP wasn't malicious, just inept. As the IG saw it, the half-billion slated for drone use would be better spent on more personnel and ground-based surveillance.

Nevertheless, the drones continue to fly. When not straying far from the border to aid inland law enforcement agencies, the agency's unmanned aircraft are still aloft, engaging in surveillance no one can really say for certain is 100% legal. The Inspector General's latest report [PDF] shows the CBP has done very little to ensure its drone deployments are secure or legally-compliant.

CBP has not ensured effective safeguards for surveillance information, such as images and video, collected on and transmitted from its UAS. CBP did not perform a PTA [Privacy Threshold Analysis] for ISR Systems [Intelligence, Surveillance, Reconnaissance] used in the UAS [Unmanned Aircraft Systems] program to collect data because CBP officials were unaware of the requirement to do so. Failure to include ISR Systems in CBP’s information technology inventory enabled system deployment without CBP Privacy Office oversight. Without a privacy assessment, CBP could not determine whether ISR Systems contained data requiring safeguards per privacy laws, regulations, and DHS policy.

This is what's going to have to pass as the "good news" in "good news and bad news." There only appears to be bad news. CBP didn't implement security controls to safeguard its surveillance systems, including a failure to control access to ground control stations housing collected surveillance footage/data. The long string of screw ups listed in this report are the result of serious structural failure.

These information security deficiencies occurred because CBP did not establish an effective program structure, including the leadership, expertise, staff, training, and guidance needed to manage ISR Systems effectively.

This leaves the CBP's drone program susceptible to threats both external and internal. Additionally, the lack of a privacy assessment means the CBP can't say its surveillance doesn't violate civil liberties or local laws. CBP officials seemed to be entirely unaware of the need to perform an impact assessment prior to deployment. But the officials did agree it was someone else's fault they didn't know how to do their job. The IG saw the buck being passed by everyone it spoke to. The final resting place for the oft-passed buck was the outside contractor who set up the ISR system. When in doubt, blame the civilians -- a strategy that makes no sense when you're discussing the lack of compliance with DHS policy and federal regulations.

As the IG sees it, the ISR program operates without authorization or approval. DHS requirements have yet to be met by the CBP, so every one of its hundreds of drone flights have been, at the very least, policy violations.

The CBP also could not provide the IG with a security assessment report for its ISR system, suggesting this has never been done in the program's half-decade-plus of existence. Then there are other system-critical odds and ends the CBP can't seem to get a grip on. Unauthorized media devices/USB drives are being plugged into system-critical hardware. Software patches are delivered irregularly and inconsistently. No one appears to be tasked with monitoring system events on ISR systems and a plethora of outdated software is still in use, which means some system-critical software hasn't been patched in months or years and possibly may never receive another update.

Also described as "inadequate:" personnel management, physical access controls, staffing levels, and systems training.

So far, so government. But this a government agency with access to plenty of funding and advanced tech. It has plenty of tools but uses them poorly. Despite being told its unmanned systems were mostly useless, the CBP continues to pour money on the problems it won't fix, rather than follow the IG's last list of recommendations. It has access to plenty of surveillance tech, but won't provide proper training, perform mandated assessments, or even put together a half-assed organizational chart for its drone operations.

The CBP has shown it can't be trusted with the stuff that's given to it to use in its border patrolling efforts. Sadly though, the response from Congress year after year has been to give it more money and stuff to use poorly, unwisely, and possibly illegally.


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    Stephen T. Stone (profile), 1 Oct 2018 @ 3:59am

    [T]he response from Congress year after year has been to give it more money and stuff to use poorly, unwisely, and possibly illegally.

    See also: local police departments and military equipment.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Oct 2018 @ 5:23pm

      Re:

      The last time I visited the CIA, there were some really terrific floral displays in the lobby. I guess it all depends on who's in charge!

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 5:52am

    Trump, as always, has the perfect solution

    Abolish the regulations at issue. Don’t need ‘em. Problem solved.

    reply to this | link to this | view in chronology ]

  • icon
    That One Guy (profile), 1 Oct 2018 @ 5:56am

    'We should care... why again?'

    The long string of screw ups listed in this report are the result of serious structural failure.

    I'm not quite sure that 'screwing up' is the proper description of what's going on, so much as 'displaying indifference to'.

    'Screwing up' implies that they tried but didn't do it right, however from what it sounds like they didn't even get that far, and instead just shrugged off any requirements as something they didn't care about and didn't need to bother with.

    So long as they keep getting plenty of money despite their indifference, why would they spend more effort than they have to?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Oct 2018 @ 6:19am

      Re: serious structural failure

      .- "The long string of screw ups listed in this report are the result of serious structural failure."


      Yup -- serious structural failure in our entire Federal Government.

      These CBP abuses are but minor symptoms of an entirely dysfunctional and scary government power structure. Another dozen Federal agencies are 10 times worse than CBP -- the NSA makes CBP look like choir boys.

      If you can't see the fundamental problem here-- then you can't fix it or defend youself against it.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Oct 2018 @ 8:04am

        Re: Re: serious structural failure

        does posting pointless garbage like this make you feel smart?

        Especially after this current administration and congress has been voted in the party and group that cry the most about the 'evil federal government' is the party that does everything it can to expand its power and remove any accountability.

        reply to this | link to this | view in chronology ]

  • icon
    JoeCool (profile), 1 Oct 2018 @ 6:15am

    Blame

    The final resting place for the oft-passed buck was the outside contractor who set up the ISR system. When in doubt, blame the civilians -- a strategy that makes no sense when you're discussing the lack of compliance with DHS policy and federal regulations.

    Might as well blame the local drugstore for violating someone's privacy because they sold you the film. How does this make any sense at all? "The guy at Walgreens never said I couldn't sneak into people's houses at night and photograph all their stuff!"

    reply to this | link to this | view in chronology ]

    • identicon
      Valkor, 1 Oct 2018 @ 9:16am

      Re: Blame

      Pet Peeve:
      "Civilians" refers to people not currently in the military. This includes law enforcement.
      Last I checked, the border patrol was not a branch of the armed services.

      reply to this | link to this | view in chronology ]

      • icon
        steell (profile), 1 Oct 2018 @ 9:25am

        Re: Re: Blame

        According to wikipedia:

        "ci·vil·ian
        səˈvilyən/Submit
        noun
        plural noun: civilians
        a person not in the armed services or the police force.
        synonyms: noncombatant, nonmilitary person, ordinary citizen, private citizen; informalcivvy
        "family members and other civilians were quickly evacuated from the post"
        INFORMAL
        a person who is not a member of a particular profession or group, as viewed by a member of that group.
        "I talk to a lot of actresses and they say that civilians are scared of them""

        reply to this | link to this | view in chronology ]

        • identicon
          Valkor, 1 Oct 2018 @ 4:40pm

          Re: Re: Re: Blame

          According to Merriam Webster's Dictionary of Synonyms:

          "Civilian refers to persons who are not members of the armed forces and is used chiefly in contrast to military"

          Police are part of the civil service. They take a civil service test. They enforce civil law, not martial law.

          Do we have a problem with militarization of the police? Maybe we should stop thinking they're the army. Confusing the two is pernicious. I think my new project is to research when law enforcement started getting shoehorned into the formal definition, instead of the informal definition.

          reply to this | link to this | view in chronology ]

          • icon
            JoeCool (profile), 7 Oct 2018 @ 6:37am

            Re: Re: Re: Re: Blame

            According to Webster's DICTIONARY (the actual dictionary, not a book of synonyms), it means:

            1 : a specialist in Roman or modern civil law

            2a : one not on active duty in the armed services or not on a police or firefighting force

            2b : outsider sense 1

            And outsider 1 is:

            1 : a person who does not belong to a particular group

            So civilian meaning someone not in our group IS an acceptable usage according to the dictionary, and is not a recent change like 'literal'. It's been that way for as long as I've been alive.

            reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 1 Oct 2018 @ 10:28am

        Re: Re: Blame

        Make it easier ... just call them minions, everyone else does.

        reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 7:49am

    What kind of security is used to preclude the "taking over" of one of these drones by some leet hackzor group or even a fourteen year old?

    and if this security being used is so good, why not use it to replace known security problems.

    reply to this | link to this | view in chronology ]

  • identicon
    Valkor, 1 Oct 2018 @ 9:21am

    What a summary...

    Seriously, TLA soup in that summary paragraph makes my brain hurt. (Irony intended.)

    Six different initialisms 13 times in four sentences... People have been making fun of this nonsense since the New Deal. Why does it still happen?

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Oct 2018 @ 5:13pm

    CBP: Regulations? We don't need no stinkin' regulations!

    reply to this | link to this | view in chronology ]

  • identicon
    Jason, 2 Oct 2018 @ 8:08am

    CBP and abbreviations

    What does CBP stand for?

    Usually I knock sites because they'll list a title and then the abbreviation, and then not mention the agency at all any more in the article. In that case the abbreviation is unnecessary.

    But here... It's necessary to understand who you're talking about.

    reply to this | link to this | view in chronology ]

    • icon
      The Wanderer (profile), 3 Oct 2018 @ 4:08am

      Re: CBP and abbreviations

      Officially (nowadays) I believe it stands for "Customs and Border Protection", although IIRC they were originally the "Customs and Border Patrol".

      They've been in the news often enough and recently enough that I wouldn't think it really necessary to give the expansion of the initialism - unless you know of another entity whose name is abbreviated the same way, which might result in uncertainty about which is meant?

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Oct 2018 @ 2:37pm

    Cucaracha Border Patrol?

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Show Now: Takedown
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.