U.S. Customs and Border Protection was not informed that a hacker had stolen a huge cache of sensitive border-surveillance documents until nearly three weeks after the cyberattack was first discovered, according to a new timeline provided Wednesday by the subcontractor Perceptics, raising new questions over a breach that left travelers’ images and license plates open to potential abuse.
Perceptics, the Tennessee-based maker of the U.S. government’s widely used license-plate scanners, offered a timeline of the breach to The Washington Post late Wednesday after a CBP official told Congress that a “significant amount of time” passed before the agency was alerted to the document theft. By that time, the stolen files — including private images, hardware diagrams and other sensitive records detailing the surveillance systems of U.S. border checkpoints — had already been made freely available on a corner of the Internet known as the “dark web.”
Perceptics told The Post that it learned of the breach May 13, immediately contacted a cyber-forensics firm and reported suspicious emails to the FBI within 24 hours. The company said it also notified Unisys, the information-technology giant for whom Perceptics was doing subcontracting work, during an in-person meeting on May 17, and that it was “told that Unisys would notify CBP” because the larger company maintained “communication with CBP for all contractual matters.”
But the CBP said last month it learned that a subcontractor had transferred files onto a network that “was subsequently compromised by a malicious cyberattack” on May 31 — eight days after the British technology news site The Register first reported on the hack. John Wagner, a deputy executive assistant commissioner for CBP’s Office of Field Operations, told the House Homeland Security Committee on Wednesday that CBP, once it became aware of the breach, had asked the contractor “if any of our data was included, and they came back and said yes.” It’s unclear which company he was referring to, and CBP provided no further detail.
Lawmakers and privacy advocates have called the breach a clear symptom of the dangers of the government’s mass gathering of data on the general public using facial-recognition cameras, license-plate scanners and other surveillance equipment.
Confirmation of the delayed disclosure, which was discussed at the committee’s hearing into the federal use of “biometric” technologies such as face-scanning software, could further ratchet up tensions over the government’s reliance on private contractors to help police and monitor the borders.
CBP awarded Unisys the contract in 2016 to upgrade license-plate scanners and other automated-screening equipment along the U.S. border. The multiyear contract was worth more than $229 million, according to Defense Daily. Unisys officials said in a statement they are “aware of the Perceptics cybersecurity incident” but cannot comment further due to an ongoing investigation.
Perceptics, the subcontractor, has worked with CBP for nearly 30 years and says it designed the license-plate scanners used at nearly all of the land border ports of entry along the U.S. borders with Canada and Mexico.
CBP has said the subcontractor violated agency rules by transferring copies of license-plate and traveler images onto its private network, which was then breached. The agency says no CBP systems were compromised.
A hacker linked to the attack, using the pseudonym “Boris Bullet-Dodger,” said in an email exchange with The Post that the breach had given them access to the company’s system for four months, during which they demanded a ransom. That information could not be independently confirmed.
Perceptics was suspended from federal contracting last week by CBP officials citing “evidence of conduct indicating a lack of business honesty or integrity,” records show. The rare punishment will trigger an upcoming administrative hearing, in which a CBP suspension and debarment official will decide whether Perceptics should be placed on a years-long government blacklist.
“We are rapidly investing in additional cybersecurity measures to prevent an event like this from happening again,” the company said in the statement Wednesday.
Federal officials spent much of Wednesday’s hearing defending the facial-recognition systems being deployed at U.S. airports and cruise ports, saying they enhanced traveler security, sped up boarding times and allowed stronger enforcement of immigration laws. Wagner said the nation’s biometric-based travel checkpoint system “will be the envy of the world.”
But the data breach and broader debates about government use of facial-recognition led some lawmakers to question whether the largely unregulated technology would make Americans more vulnerable to privacy invasions or false arrest.
“Frankly, the federal government does not have a great track record securing America’s personal data,” committee chairman Rep. Bennie Thompson (D-Miss.) said.
Lawmakers said newly released records showing how ICE and other agencies had for years requested facial-recognition searches on millions of driver’s license photos, first reported this week by The Washington Post, marked a troubling breach of trust for Americans scanned without their knowledge or consent.
But the hearing also revealed a dividing line in Congress over the appropriateness of facial-recognition surveillance. Rep. Mike D. Rogers (Ala.), the top Republican on the House Homeland Security Committee, said, “I do not believe that anyone has a reasonable expectation of privacy in a government ID photo. Period.”
Lawmakers devoted a large part of the hearing to analyzing the accuracy of facial-recognition software, following criticism that error-prone systems could be dangerous as more police forces use the software for help in identifying suspected criminals and wanted fugitives.
Federal officials defended the systems as highly accurate, and Wagner said the agency’s ongoing assessment of its software showed “no significant error rate attributed to a specific demographic.”
But researchers have often found the opposite, with several major studies showing facial-recognition systems post higher error rates when assessing people with darker skin. A test of 11 commercial facial-recognition systems, published in February as part of a DHS “biometric technology rally,” found that the systems’ efficiency and accuracy were “significantly affected” by a person’s skin color, gender and age.
Critics have contended that even a small error rate could have outsize impact when applied to millions of facial scans, with Rep. Yvette D. Clarke (D-N.Y.) citing concerns over “the cost of the false positive” in terms of people’s health or well-being.
And the systems won’t reach perfection anytime soon: Charles Romine, the director of the Information Technology Laboratory at the National Institute of Standards and Technology, which assesses facial-recognition algorithms, said at the hearing that “it is unlikely that we will ever achieve a point where every single demographic is identical in performance across the board, whether that’s age, race or sex.”
Lawmakers offered no clear vision of what possible facial-recognition regulation would look like. But several said they worried that the software’s powers of mass identification could threaten constitutional rights and lead to more of what Rep. Al Green (D-Texas) called “suspicionless surveillance” of the American public.
“One can only imagine what Mr. J. Edgar Hoover,” the first FBI director, “would have done with this technology. It was Mr. Hoover who surveilled” the Rev. Martin Luther King Jr., Green said. “It’s my job to make sure this kind of technology is not abused.”