Cracks in ICE’s access controls increase agency cyber risk, watchdog finds

According to an IG report, U.S. Immigration and Customs Enforcement officials haven't removed system access for former employees.


This isn’t the first DHS agency to come under fire for its access control deficiencies.

U.S. Immigration and Customs Enforcement isn’t consistently implementing controls to prevent people from accessing systems and data they aren’t meant to see, according to a Wednesday report from the Department of Homeland Security’s inspector general.

That means, for example, that former employees have retained access to ICE systems after leaving, sometimes for weeks. These weaknesses also leave the department vulnerable to potential hackers, according to the watchdog, even as the agency works to strengthen its controls with improvements such as automation and new policies.

“ICE’s access control deficiencies increase the risk that unauthorized individuals could gain access to sensitive information, including the personally identifiable information and criminal data that ICE collects to support immigration and law enforcement organizations,” the report said.

ICE has a “multi-layered approach to managing network and IT system access,” the report said, but the agency doesn’t consistently remove access privileges when employees leave or change positions. 

Of the 190 separated personnel the watchdog examined, 159 still had access to ICE systems and information after their last day on the job. Of those, 25 accounts still had access 45 days or more later.

ICE also didn’t meet requirements for monitoring who had privileged user access meant for security functions or access to service accounts that help run automated tasks like system commands. 

As for why the weaknesses exist, the report points to “insufficient internal controls and oversight of user account management and compliance.”

The process for removing personnel that leave or are transferred, for example, currently depends on supervisors to submit requests for those accounts to be disabled. 

The backup for when that doesn’t happen is for a script to pick up on accounts that haven’t been logged into an ICE system in over 45 days and disable them — although that didn’t happen for the 25 accounts the watchdog found to still have access 45 days or more later.
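As an added illustration (not code from the report or from ICE), the two controls described above in Python, run over constructed sample accounts and dates: the supervisor-driven separation path, modelled here as a reconciliation of an HR separation list against the directory, and the 45-day inactivity backstop. It also shows why the backstop alone cannot catch a separated user who keeps logging in.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

INACTIVITY_LIMIT_DAYS = 45  # threshold named in the IG report


@dataclass
class Account:
    user: str
    enabled: bool
    last_login: date
    separation_date: Optional[date]  # None when HR has no separation record


def inactive_sweep(accounts, today):
    """Backstop from the report: flag enabled accounts idle for more than 45 days."""
    return sorted(a.user for a in accounts
                  if a.enabled and (today - a.last_login).days > INACTIVITY_LIMIT_DAYS)


def separation_reconcile(accounts, today):
    """Primary control, automated: join the HR separation list to the directory.
    Any enabled account past its separation date is a finding; the value is the
    number of days access has lingered."""
    return {a.user: (today - a.separation_date).days
            for a in accounts
            if a.enabled and a.separation_date and a.separation_date <= today}


# Constructed sample directory (hypothetical users and dates, not from the report).
TODAY = date(2022, 7, 19)
SAMPLE = [
    Account("alice", True, date(2022, 7, 18), None),               # current staff, active
    Account("bob", True, date(2022, 4, 1), date(2022, 4, 1)),      # separated, dormant 109 days
    Account("carol", True, date(2022, 7, 17), date(2022, 6, 30)),  # separated, still logging in
    Account("dave", False, date(2022, 1, 5), date(2022, 1, 5)),    # separated, correctly disabled
    Account("erin", True, date(2022, 5, 1), None),                 # current staff, idle 79 days
]

if __name__ == "__main__":
    # The sweep catches bob and erin but misses carol; reconciliation catches bob and carol.
    print("inactivity sweep:", inactive_sweep(SAMPLE, TODAY))
    print("separation reconcile:", separation_reconcile(SAMPLE, TODAY))
```

Only the reconciliation finds carol, whose continued logins keep her out of the inactivity sweep; the sweep is a safety net for dormant accounts, not a substitute for acting on separations.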

ICE also lacks a policy or process for tracking what access changes might be needed when people move within the component, according to the report. The report also found that ICE did not remediate critical and high-risk vulnerabilities on domain controllers, servers and workstations within required timeframes.

One critical vulnerability was outstanding by years, as it “should have been remediated by Nov. 15, 2018, but was outstanding at the time of our scan on July 19, 2022,” the report said.

The inspector general report also notes that it found “similar” problems with access controls at two other DHS agencies: U.S. Citizenship and Immigration Services and the Federal Emergency Management Agency.

Another audit of DHS writ large found that the department did not always terminate personal identity verification cards — uncovering thousands of cases of the department not revoking access privileges or destroying PIV cards of separated employees — or withdraw security clearances from separated employees or contractors.

The report pointed to the 2020 SolarWinds hack as a potential danger posed by such access control problems, noting that “the Department of Homeland Security’s critical mission of protecting the homeland makes its systems and networks high visibility targets for attackers who aim to disrupt essential operations or gain access to sensitive information.

“Senior DHS officials’ email accounts were compromised during the 2020 SolarWinds incident. During this cyberattack, external attackers breached cyber defenses to gain access to federal government networks,” it continues. “Once inside the networks, the attackers successfully set up permissions for themselves to access other programs and applications while being undetected.”

The IG issued seven recommendations, and the agency concurred with all of them. 

“ICE currently uses multi-factor authentication, authorizes access to resources and recertifies accounts,” Max Aguilar, acting chief financial officer and senior component accountable official for ICE, wrote in comments included in the report, noting that many of the safeguards mentioned contain manual elements. 

The agency is currently working on new automation capabilities as part of the push to zero trust architecture, including tech to track access rights and inactive accounts, he wrote. ICE is also working on new standards for enterprise account and vulnerability management.