CBP could have better prepared for tech challenges with app, watchdog says
Customs and Border Protection did not adequately prepare for potential technological problems within its CBP One app, a mobile platform designed to help schedule appointments at U.S. ports of entry, according to a Department of Homeland Security inspector general report published this week.
The agency failed to consider major issues with the functionality of the app, including challenges related to language access, appointment availability, and technological infrastructure, DHS’s Office of Inspector General said. CBP may not be using data procured by the app to the best of its advantage, either. And the app includes security vulnerabilities within both “application and its supporting infrastructure operating system,” which could make CBP One susceptible to cyberattacks, the report said.
CBP One has been used to streamline the process of collecting information from people who arrive at the border without a passport or visa to enter the United States, particularly through enabling the scheduling of appointments, certain vetting procedures, and processing at ports of entry.
But amid concerns about border security, CBP One has attracted attention from liberals and conservatives. Both human and immigrant rights groups have raised concerns about the app’s technical and usability limitations, too. Earlier this year, FedScoop reported on how CBP was increasingly leaning into deploying biometric technologies in the app — which has also prompted concerns.
The inspector general said that CBP did not conduct a formal risk assessment before expanding the use of the CBP One app “to meet its new operational objective of scheduling appointments for noncitizens to arrive at the Southwest Border.” The OIG pointed specifically to issues with the biometric technology third-party provider, noting that use of the app far exceeded the number of scans that were originally expected from the contractor. As a result, those at the border received an increased number of error messages.
Another problem was that some individuals were able to make a large number of registrations on the app in order to increase their odds of securing an appointment. Data shared in the report showed that at least 10 individuals, all of whom were either Russian or Armenian, were able to make hundreds of registrations on the app. The inspector general also said that the app could have used some information to identify potentially suspicious activity. For instance, some destination addresses were listed hundreds of times from the same port of entry.
Despite testing, CBP overwhelmed the infrastructure and demand for the app, which also reduced bandwidth and increased the number of error messages, the OIG said. Another challenge was that the app was built with limited functionality, and was primarily limited to English, Spanish, and then later, Haitian-Creole. The report flagged a series of cybersecurity vulnerabilities as well.
CBP concurred with DHS’s three recommendations, which included developing a formalized risk assessment process for mobile application changes, building a way to conduct trend analysis using the data created in the CBP One app, and establishing routine assessments of CBP One applications to deal with vulnerabilities.
